
OBO flow not using refresh tokens #5330

Open
@aleknik

Description


Core Library

MSAL Node (@azure/msal-node)

Core Library Version

1.14.2

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Confidential

Description

When acquiring tokens using the OBO flow, they are not refreshed before expiry (the offline_access scope is included).
Since MSAL does not expose refresh tokens, it should handle the refresh on its own.
What happens is that when the oboAssertion expires we are no longer able to get the token.

Based on the documentation I was under the impression that all refresh tokens are handled by the MSAL library.

Error Message

Failed to execute exchange request: StatusCodeError: 400 - "{"error":"invalid_grant","error_description":"AADSTS500133: Assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token. Current time: 2022-10-20T21:20:43.1843767Z, expiry time of assertion 2022-10-20T21:20:43.0000000Z.\r\nTrace ID: 0c81f3ab-9374-4d33-aac8-584f1a4b5000\r\nCorrelation ID: 442b6065-3c34-483f-98a9-e8ed6b993a24\r\nTimestamp: 2022-10-20 21:20:43Z","error_codes":[500133],"timestamp":"2022-10-20 21:20:43Z","trace_id":"0c81f3ab-9374-4d33-aac8-584f1a4b5000","correlation_id":"442b6065-3c34-483f-98a9-e8ed6b993a24","error_uri":"https://login.microsoftonline.com/error?code=500133\"}"

Msal Logs

No response

MSAL Configuration

import { Configuration } from '@azure/msal-node';

// cert, thumbprint, clientId and CustomHttpsNetworkModule are the reporter's own
// values and classes; they are not shown in the issue.
const config: Configuration = {
    auth: {
        clientId: clientId,
        clientCertificate: {
            privateKey: cert.privateRSAKey,
            // the thumbprint is held base64-encoded; MSAL expects it as hex
            thumbprint: Buffer.from(thumbprint, 'base64').toString('hex'),
            x5c: cert.publicCER.asPEM()
        }
    },
    system: {
        networkClient: new CustomHttpsNetworkModule()
    }
};

Relevant Code Snippets

// Every call re-sends the user assertion; once that assertion has expired the
// exchange is rejected with AADSTS500133 (see the error message above).
const response = await msalClient.acquireTokenOnBehalfOf({
    scopes: request.scopes,
    authority: `https://${request.authorityHostname}/${request.tenantId}`,
    oboAssertion: request.oboAssertion
});

Reproduction Steps

  1. Request a token using the OBO flow
  2. When the OBO assertion has expired, request the token again
  3. Error: Assertion is not within its valid time range.

Expected Behavior

MSAL should proactively refresh the OBO token using the refresh token and update the cache.

Design

Add LongRunningOBO APIs just like https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/on-behalf-of
and AzureAD/microsoft-authentication-library-for-dotnet#2733

  • Ensure we have an E2E "short running" OBO test
  • Ensure we have a unit test around the "short running" OBO flow
  • Refresh token gets an "assertion hash" property in the cache
  • Add the 2 new APIs
  • Ensure that the cached AT and cached RT are usable only if the OBO key matches.

CC @pmaytak and @trwalke for breakdown of tasks - please add more if needed.
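The design above (a refresh token cached under an "assertion hash", and long-running calls that refresh by that key instead of re-presenting the user assertion) is modelled below as an added example. It is not MSAL code and not the API MSAL.NET or msal-node ships: the method names initiateLongRunningProcess and acquireTokenInLongRunningProcess are hypothetical stand-ins, the token endpoint is simulated in-process, and the assertions are constructed JWT-shaped strings carrying only an exp claim. What it shows is the failure in the report (the short-running exchange fails with 500133 once the assertion expires) next to the proposed fix (the cached refresh token is still reachable through the matching key, and only through it).

```typescript
// Added example, not MSAL code: a model of long-running OBO cache semantics
// with a simulated token endpoint and a controllable clock.
import { createHash } from 'node:crypto';

const JWT_BEARER = 'urn:ietf:params:oauth:grant-type:jwt-bearer';

interface TokenRequest { grant_type: string; assertion?: string; refresh_token?: string }
interface TokenResponse {
  access_token?: string; refresh_token?: string; expires_in?: number;
  error?: string; error_codes?: number[];
}
interface CacheEntry { accessToken: string; refreshToken: string; expiresOn: number }

// Constructed stand-in for an OBO assertion: JWT-shaped, payload carries only
// "exp" (epoch seconds) and "sub". Not a real Azure AD token.
function makeAssertion(exp: number, sub = 'user1'): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none' })}.${b64({ exp, sub })}.sig`;
}

function assertionExp(assertion: string): number {
  const payload = JSON.parse(Buffer.from(assertion.split('.')[1], 'base64url').toString('utf8'));
  return payload.exp as number;
}

// The "assertion hash" cache key: SHA-256 over the user assertion, so tokens
// obtained for one assertion are never served for another.
function oboCacheKey(assertion: string): string {
  return createHash('sha256').update(assertion, 'utf8').digest('base64url');
}

// Simulated token endpoint (assumption: stands in for the real authority).
// The jwt-bearer grant rejects an assertion outside its validity window, as
// AADSTS500133 in the report does; the refresh_token grant needs no assertion.
function simulatedTokenEndpoint(req: TokenRequest, now: number): TokenResponse {
  const issued = { access_token: `at-${now}`, refresh_token: `rt-${now}`, expires_in: 3600 };
  if (req.grant_type === JWT_BEARER && req.assertion) {
    if (assertionExp(req.assertion) <= now) return { error: 'invalid_grant', error_codes: [500133] };
    return issued;
  }
  if (req.grant_type === 'refresh_token' && req.refresh_token) return issued;
  return { error: 'unsupported_grant_type' };
}

function fail(res: TokenResponse): never {
  throw new Error(res.error_codes ? `${res.error} (${res.error_codes.join(',')})` : String(res.error));
}

class OboClient {
  private cache = new Map<string, CacheEntry>();
  constructor(private endpoint: (req: TokenRequest, now: number) => TokenResponse,
              private clock: () => number) {}

  // Short-running OBO: each call presents the assertion, so once it expires the
  // exchange fails even though a refresh token was issued earlier.
  acquireTokenOnBehalfOf(assertion: string): string {
    const res = this.endpoint({ grant_type: JWT_BEARER, assertion }, this.clock());
    return res.error ? fail(res) : res.access_token!;
  }

  // Long-running OBO, first leg (hypothetical name): exchange the assertion once
  // and cache the refresh token under the assertion hash.
  initiateLongRunningProcess(assertion: string): { key: string; accessToken: string } {
    const key = oboCacheKey(assertion);
    const res = this.endpoint({ grant_type: JWT_BEARER, assertion }, this.clock());
    if (res.error) fail(res);
    this.store(key, res);
    return { key, accessToken: res.access_token! };
  }

  // Later legs (hypothetical name): no assertion needed. Serve the cached AT while
  // more than refreshSkew seconds remain, otherwise redeem the RT found under the key.
  acquireTokenInLongRunningProcess(key: string, refreshSkew = 300): { accessToken: string; fromCache: boolean } {
    const entry = this.cache.get(key);
    if (!entry) throw new Error('no cached tokens for this OBO key');
    const now = this.clock();
    if (entry.expiresOn - now > refreshSkew) return { accessToken: entry.accessToken, fromCache: true };
    const res = this.endpoint({ grant_type: 'refresh_token', refresh_token: entry.refreshToken }, now);
    if (res.error) { this.cache.delete(key); fail(res); }
    this.store(key, res);
    return { accessToken: res.access_token!, fromCache: false };
  }

  private store(key: string, res: TokenResponse): void {
    this.cache.set(key, { accessToken: res.access_token!, refreshToken: res.refresh_token!,
                          expiresOn: this.clock() + res.expires_in! });
  }
}

// Walk through the report's scenario on a controllable clock (constructed times).
function runScenario() {
  let now = 1666300000;
  const client = new OboClient(simulatedTokenEndpoint, () => now);
  const assertion = makeAssertion(now + 600);            // assertion valid for 10 minutes
  const { key, accessToken: first } = client.initiateLongRunningProcess(assertion);
  now += 100;
  const cached = client.acquireTokenInLongRunningProcess(key);   // AT still fresh
  now += 3300;                                            // assertion long expired, AT has 200 s left
  let shortRunningError: string | null = null;
  try { client.acquireTokenOnBehalfOf(assertion); } catch (e) { shortRunningError = (e as Error).message; }
  const refreshed = client.acquireTokenInLongRunningProcess(key); // refreshed via RT, no assertion
  let wrongKeyError: string | null = null;
  try { client.acquireTokenInLongRunningProcess(oboCacheKey(makeAssertion(now + 600, 'user2'))); }
  catch (e) { wrongKeyError = (e as Error).message; }
  return { first, cached, shortRunningError, refreshed, wrongKeyError };
}
```

The key-mismatch branch is the point of the last bullet above: a cache lookup with a key derived from a different assertion finds nothing, so one caller's refresh token can never be redeemed on behalf of another user's assertion. The 300 second skew is a placeholder for whatever proactive-refresh margin the implementation chooses.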

Metadata


Labels

  • confidential-client: Issues regarding ConfidentialClientApplications
  • feature: Feature requests
  • msal-node: Related to msal-node package


Development

No branches or pull requests
