pnp / pnpframework

PnP Framework is a .NET library targeting Microsoft 365 containing the PnP Provisioning engine and a ton of other useful extensions
https://pnp.github.io/pnpframework/
MIT License

Token not refreshing with AuthenticationManager OBO #644

Open HappyDump opened 2 years ago

HappyDump commented 2 years ago

Hi, I am currently facing a problem using the AuthenticationManager with OnBehalfOf in order to index a SharePoint site, so the task can take several hours, and we are currently facing a token refreshing issue.

The AuthenticationManager instance is created as follows:

_authenticationManager = AuthenticationManager.CreateWithOnBehalfOf(clientId,
    clientSecret,
    _assertion,
    tenantId,
    azureEnvironment);

and the context is retrieved with the following method:

context = _authenticationManager.GetContext(siteUrl);

It appears that the token is never refreshed since after running a task for 70 to 90 minutes I get an exception from MSAL prompting that the token has expired:

Microsoft.Identity.Client.MsalUiRequiredException:AADSTS500133: Assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token. Current time: 2022-04-15T07:44:55.1649335Z, expiry time of assertion 2022-04-15T07:44:07.0000000Z.

and with the following stacktrace:

async Task<AuthenticationResult> Microsoft.Identity.Client.Internal.Requests.RequestBase.HandleTokenRefreshErrorAsync(MsalServiceException e, MsalAccessTokenCacheItem cachedAccessTokenItem)|async Task<AuthenticationResult> Microsoft.Identity.Client.Internal.Requests.OnBehalfOfRequest.ExecuteAsync(CancellationToken cancellationToken)|async Task<AuthenticationResult> Microsoft.Identity.Client.Internal.Requests.RequestBase.RunAsync(CancellationToken cancellationToken)|async Task<AuthenticationResult> Microsoft.Identity.Client.ApiConfig.Executors.ConfidentialClientExecutor.ExecuteAsync(AcquireTokenCommonParameters commonParameters, AcquireTokenOnBehalfOfParameters onBehalfOfParameters, CancellationToken cancellationToken)|async Task<ClientContext> PnP.Framework.AuthenticationManager.GetContextAsync(string siteUrl, CancellationToken cancellationToken)|ClientContext PnP.Framework.AuthenticationManager.GetContext(string siteUrl)|ClientContext s.cor.MicrosoftGraph.SharePoint.SharePointCsomService.CreateAzureAdAppOnlyAuthenticatedContext(string siteUrl) in SharePointCsomService.cs:99

I haven't found in the framework a way to refresh the token.

Is this a bug? If not, I haven't found any information to help me with this situation if it is working as intended.

I am using version 1.9.0

Thanks for your help :)

HappyDump commented 2 years ago

After some investigation, it appears that the account retrieved while using MSAL's confidentialClientApplication.AcquireTokenOnBehalfOf is never cached.

confidentialClientApplication.GetAccountsAsync() always returns null.

HappyDump commented 2 years ago

After more digging there are two new methods used to handle long running processes with OBO that were added to MSAL.
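The comment above does not say which two MSAL methods it means; the example below is an added illustration, not code from the issue author or from the PnP Framework project, and it assumes they are MSAL.NET's InitiateLongRunningProcessInWebApi / AcquireTokenInLongRunningProcess pair (available from MSAL.NET 4.38). The point it shows is the root cause described in the thread: the incoming user assertion is only valid for about an hour, so a job that keeps redeeming that same assertion fails with AADSTS500133 once it expires. With the long-running pattern, MSAL stores a refresh token under a session key, and later calls get a new access token from the cache without touching the expired assertion. The token is then handed to a plain CSOM ClientContext through the Authorization header rather than through PnP's AuthenticationManager. The client id, secret, tenant, site URL, cache file name and the incoming assertion are placeholders; the cache file is written unencrypted here only to keep the example short, and a real deployment should protect it (it holds a refresh token).

```csharp
// Added example (not from the issue or the PnP project): keep an OBO token usable
// for a multi-hour job with MSAL.NET's long-running-process OBO APIs and a
// persisted token cache, then hand the access token to a CSOM ClientContext.
using System;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.SharePoint.Client;

public sealed class LongRunningSharePointIndexer
{
    private readonly IConfidentialClientApplication _app;
    private readonly string[] _scopes;
    private readonly string _siteUrl;
    private string _sessionKey; // MSAL's handle for this long-running OBO session

    public LongRunningSharePointIndexer(string clientId, string clientSecret, string tenantId,
                                        string siteUrl, string cacheFile)
    {
        _siteUrl = siteUrl;
        // SharePoint resource scope derived from the site host, e.g. https://contoso.sharepoint.com/.default
        _scopes = new[] { new Uri(siteUrl).GetLeftPart(UriPartial.Authority) + "/.default" };

        _app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        // The job outlives any in-memory state, so persist the user token cache. The refresh
        // token stored here is what lets MSAL mint new access tokens after the assertion expires.
        // (Unencrypted file only for brevity; protect this store in a real deployment.)
        _app.UserTokenCache.SetBeforeAccess(args =>
        {
            if (File.Exists(cacheFile))
                args.TokenCache.DeserializeMsalV3(File.ReadAllBytes(cacheFile));
        });
        _app.UserTokenCache.SetAfterAccess(args =>
        {
            if (args.HasStateChanged)
                File.WriteAllBytes(cacheFile, args.TokenCache.SerializeMsalV3());
        });
    }

    // Call once, while the incoming user assertion is still valid. MSAL redeems it for an
    // access token plus refresh token and files both under the session key.
    public async Task StartAsync(string userAssertion, CancellationToken ct)
    {
        string key = null; // null lets MSAL generate the session key
        var request = ((ILongRunningWebApi)_app)
            .InitiateLongRunningProcessInWebApi(_scopes, userAssertion, ref key);
        await request.ExecuteAsync(ct);
        _sessionKey = key;
    }

    // Called by the indexing loop whenever it needs a context, hours later included. MSAL returns
    // the cached access token or silently refreshes it; the expired assertion is never re-sent.
    // Throws MsalClientException if the session key is unknown (e.g. the cache was lost).
    public async Task<ClientContext> GetContextAsync(CancellationToken ct)
    {
        AuthenticationResult result = await ((ILongRunningWebApi)_app)
            .AcquireTokenInLongRunningProcess(_scopes, _sessionKey)
            .ExecuteAsync(ct);

        var context = new ClientContext(_siteUrl);
        context.ExecutingWebRequest += (sender, e) =>
            e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + result.AccessToken;
        return context;
    }

    public static async Task Main()
    {
        // All values below are placeholders, not real identifiers.
        var indexer = new LongRunningSharePointIndexer(
            clientId: "<client-id>", clientSecret: "<client-secret>", tenantId: "<tenant-id>",
            siteUrl: "https://contoso.sharepoint.com/sites/example", cacheFile: "msal-cache.bin");

        await indexer.StartAsync("<incoming-user-access-token>", CancellationToken.None);

        // Each iteration of the long job obtains a context this way instead of reusing one token.
        using (var context = await indexer.GetContextAsync(CancellationToken.None))
        {
            context.Load(context.Web, w => w.Title);
            await context.ExecuteQueryAsync();
            Console.WriteLine(context.Web.Title);
        }
    }
}
```

The design separates the one-time redemption of the user assertion (StartAsync) from every later token request (GetContextAsync); the first must happen before the assertion's expiry time shown in the AADSTS500133 message, the second only ever reads the cache. If the cache is not persisted, a restart of the worker loses the refresh token and the job must be re-initiated with a fresh assertion.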