microsoftgraph / microsoft-graph-toolkit

Authentication Providers and UI components for Microsoft Graph 🦒
https://docs.microsoft.com/graph/toolkit/overview

[BUG] Refresh tokens are not supported in MGT #844

Closed sebastienlevert closed 1 year ago

sebastienlevert commented 3 years ago

Describe the bug

After a long moment where a browser goes idle for instance, MGT stops working. It's probably related to refresh tokens and the way they are handled. I was wondering if these were supported and if yes, what is the expected behavior?

To Reproduce

Steps to reproduce the behavior:

  1. Use any app you have
  2. Add a mgt-person component on the page
  3. Login
  4. Leave the page inactive for 1+ hour
  5. Come back and the person-card will not be working

Expected behavior

I would expect that on a future call, if Graph returns a 404, we should use the refresh token and try again with a new access token.

Environment (please complete the following information):

waldekmastykarz commented 3 years ago

This is by design. Since the browser is a public client, refresh tokens should not be stored in it. That said: the client should have all the information necessary to obtain a new access token if the one it had previously expired. I'd therefore suggest we rename this issue to refer to MGT not obtaining valid access tokens after they expire.

sebastienlevert commented 3 years ago

Yeah, that definitely makes sense to me!

nmetulev commented 3 years ago

I suspect this is a TeamsProvider issue and does not apply to MsalProvider. In the TeamsProvider, we use msal under the covers to handle the new tokens, but I wonder if that requires a redirect to do that and that's why it's failing since we need to use the auth popup for the redirect.

@sebastienlevert, did you see any console errors that can help narrow down why a new access token is not retrieved?

sebastienlevert commented 3 years ago

This is what I am getting. Basically waited for 65 minutes and then I can't use the people card (that was not open before that specific moment).

image

Might be related to the way the Teams Provider handles the challenge? It feels like it wants to iframe something here...

waldekmastykarz commented 3 years ago

Could this line be the cause of this behavior? https://github.com/microsoftgraph/microsoft-graph-toolkit/blob/0252b1febed38fc617f6427b00ca211661126256/packages/providers/mgt-teams-provider/src/TeamsProvider.ts#L349-L359

Notice line 355, which doesn't yield an auth prompt but rather returns null.

nmetulev commented 3 years ago

I think you are right. We need to open up the auth popup here and signal to it to fetch a new token. We'd likely need to also update the handleAuth method to go down a refresh token path instead of the signin path in that case.
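The renewal behaviour discussed in this thread, as an added example that is not code from MGT, MSAL or any participant here: the access token is held in memory only, renewed silently once it expires, and an interactive prompt is used when silent renewal is refused, instead of returning null. `createTokenSource`, `acquireSilent`, `acquireInteractive`, `InteractionRequired` and `callWithToken` are hypothetical names standing in for whatever the provider actually calls.

```javascript
class InteractionRequired extends Error {}
// Hypothetical names throughout (not MGT or MSAL APIs). Keeps only a short-lived access
// token in memory (no refresh token), renews it silently once it has expired, and
// prompts interactively when silent renewal is refused.
function createTokenSource({ acquireSilent, acquireInteractive, now = Date.now, skewMs = 60_000 }) {
  let cached = null;   // { accessToken, expiresAt }
  let inFlight = null; // shared promise: concurrent callers cause one renewal
  async function renew() {
    try {
      return await acquireSilent();
    } catch (err) {
      if (!(err instanceof InteractionRequired)) throw err; // other failures surface
      return await acquireInteractive(); // prompt instead of returning null
    }
  }
  return async function getAccessToken({ forceRefresh = false } = {}) {
    if (!forceRefresh && cached && cached.expiresAt - skewMs > now()) return cached.accessToken;
    if (!inFlight) inFlight = renew()
      .then((t) => { cached = t; return t.accessToken; })
      .finally(() => { inFlight = null; });
    return inFlight;
  };
}

// On a 401 from the API, force one renewal and retry a single time.
async function callWithToken(getAccessToken, send) {
  let res = await send(await getAccessToken());
  if (res.status === 401) res = await send(await getAccessToken({ forceRefresh: true }));
  return res;
}

// Constructed scenario: 60-minute token, page idle for 65 minutes, silent renewal refused.
async function demo() {
  let clock = 0, silentAllowed = true;
  const log = [];
  const token = (how) => ({ accessToken: `${how}-${clock}`, expiresAt: clock + 60 * 60_000 });
  const getAccessToken = createTokenSource({
    now: () => clock,
    acquireSilent: async () => {
      if (!silentAllowed) throw new InteractionRequired("interaction required");
      log.push("silent"); return token("silent");
    },
    acquireInteractive: async () => { log.push("popup"); return token("popup"); },
  });
  const first = await getAccessToken();
  clock += 65 * 60_000; silentAllowed = false;
  const [a, b] = await Promise.all([getAccessToken(), getAccessToken()]);
  return { first, a, b, log };
}
```

In `demo()`, the two concurrent calls after the idle period share one renewal, so the user sees a single prompt rather than one per component on the page.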

gavinbarron commented 1 year ago

Closing as it's related to a deprecated provider