acquireTokenSilent doesn't renew the id-token

[janandreschweiger]

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.18.0

Wrapper Library

Not Applicable

Wrapper Library Version

None

Description

Hi Micrsoft communiy,

We have a react app, which implements your library as described below. We only use it to get an id-token for validating the Microsoft account on our server. Unfortunately, after an hour the id-tokens that are returned by the acquireTokenSilent function are expired.

We have tried to set tokenRenewalOffsetSeconds to 300, but this doesn't resolve the issue. If we logout, clear the cache or refresh the site a few times, we get a valid token again. But this is unfortunately, very unpleasant for our users.

We get a lot of customer complaints on a daily basis, because of this issue. Please help us. We are thankful for any suggestions. Thanks!!

Error Message

No response

Msal Logs

Here are some logs. Please ignore the "DEBUG" in front of the messages.:

DEBUG | Message: [Mon, 01 Nov 2021 16:08:42 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:handleRedirectStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:08:42 GMT] : [5c24a3aa-1095-42c9-85a2-d71a097390a4] : msal.js.browser@2.18.0 : Info - handleRedirectPromise called but there is no interaction in progress, returning null. log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:08:42 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:handleRedirectEnd log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:08:42 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:08:42 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenSuccess log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:08:42 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:08:42 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenSuccess log.js:16:10

// we get an expired id-token

// we refresh the page

// we get the same logs as above and get an expired id-token

// we refresh the page again

DEBUG | Message: [Mon, 01 Nov 2021 16:09:53 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:handleRedirectStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:53 GMT] : [2e893bd0-832f-4730-8cae-22e5108dada7] : msal.js.browser@2.18.0 : Info - handleRedirectPromise called but there is no interaction in progress, returning null. log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:53 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:handleRedirectEnd log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:53 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenFromNetworkStart log.js:16:10
Some cookies are misusing the recommended “SameSite“ attribute 2
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenSuccess log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenSuccess log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenSuccess log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenSuccess log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenStart log.js:16:10
DEBUG | Message: [Mon, 01 Nov 2021 16:09:54 GMT] : @azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenSuccess

// we suddenly get a valid id-token and everything works again as expected

MSAL Configuration

{
    auth: {
      authority: 'https://login.microsoftonline.com/common',
      clientId: <client-id>,
      postLogoutRedirectUri: window.location.origin,
      redirectUri,
      validateAuthority: true,
      navigateToLoginRequestUrl: false,
    },

    system: {
      loggerOptions: {
        loggerCallback: (level, message, containsPii) => {
          console.log(message);
        },
        piiLoggingEnabled: false  // disables personal information
      },
      windowHashTimeout: 60000,
      iframeHashTimeout: 10000,
      loadFrameTimeout: 0,
      // I also tried: tokenRenewalOffsetSeconds: 300
    },

    cache: {
      cacheLocation: 'localStorage',
      storeAuthStateInCookie: true
    }
}

Relevant Code Snippets

const msalScopes = [ 'openid', 'User.Read' ];
const graphScopes = [ ];
const config = ... // see above
const msalClient = new PublicClientApplication(config);

// login (not essential):
const login = async () => {
  const accounts = msalClient.getAllAccounts();
  if (accounts || accounts.length < 1) {
    let tokenResponse = await msalClient.handleRedirectPromise();
    const accountObj = tokenResponse
      ? tokenResponse.account
      : msalClient.getAllAccounts()[0];

    if (!tokenResponse) {
      if (accountObj) {
        // User has logged in, but no tokens:
        try {
          tokenResponse = await msalClient.acquireTokenSilent({
            account: msalClient.getAllAccounts()[0],
            scopes: msalScopes,
          });
        } catch (err) {
          await msalClient.acquireTokenRedirect({ scopes: msalScopes });
        }
      } else {
        // No accountObject or tokenResponse present. User must now login:
        await msalClient.loginRedirect({ scopes: msalScopes });
      }
    }
  }
}

// get id-token (here is the problem):
async getIdToken(scopes=null) {
  const accounts = msalClient.getAllAccounts();
  
  const { idToken } = await msalClient.acquireTokenSilent({
    account: accounts[0],
    scopes: (scopes ? scopes : [...msalScopes, ...graphScopes]).filter(onlyUnique)
  });
  return idToken;
}

Reproduction Steps

1. Implement the code above
2. login
3. get an id-token
4. wait 1 hour
5. get another id-token, which is expired

Expected Behavior

The id-token should be refreshed before it expires.

Identity Provider

Azure AD / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox

Regression

No response

Source

External (Customer)

[nils-tahler]

I experience the exact same issue. Could you please have a look on this one @tnorling?

[tnorling]

What happens if you provide forceRefresh: true on the acquireTokenSilent request object?

[janandreschweiger]

Thanks for your answer @tnorling.

This would probably resolve the issue, as I get the following additional log:

@azure/msal-browser@2.18.0 : Info - Emitting event: msal:acquireTokenFromNetworkStart

This issues normally occurs after 1h, so we would have to wait. But please have a look at my logs posted above. The issue is resolved once the acquireTokenFromNetworkStart log indicates that a new token is fetched.

[tnorling]

I suspect this is happening when the access token has a longer validity than the id token, if that's the case we'll need to re-evaluate how we do cache lookups today. We currently only check the access token validity because we made a naive assumption that the cached idToken would always have at least as much time left as the access token.

If setting forceRefresh resolves this please use that as a workaround for now until we're able to put out a fix.

@hectormmg will follow up as the current on call engineer