acquireTokenSilent unable to renew token (idToken) after certain time
Core Library
@azure/msal or msal
Core Library Version
1.4.6
Wrapper Library
Not Applicable
Wrapper Library Version
None
Description
We are trying to renew the idToken just before (x minutes) it expires. We are able to perform the renew token operation by using the acquireTokenSilent method. But it starts failing after a certain time (20-23 minutes approx.) and the application is unable to renew the token after that. The only option left is the interactive way to update the token, by forcing the user to log in again, which is working as expected.
Error Message
AADB2C90077: User does not have an existing session and request prompt parameter has a value of ‘None’. Correlation ID: f8259bb8-79a6-416c-83d5-fb8f66346311 Timestamp: 2021-04-06 10:39:20Z
Msal Logs
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose AcquireTokenSilent has been called
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose Telemetry Event started: f4b33bfd-246b-48d1-ae99-640128856776_d9de98b7-ba66-408a-8eef-c8a37379cd80-msal.api_event
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose-pii Serialized scopes: openid profile
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose Account set from MSAL Cache
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose Response type: id_token
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose Finished building server authentication request
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose Query parameters populated from existing SSO or account
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose Skipped cache lookup since request.forceRefresh option was set to true
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose-pii Authority instance: https://custom-domain/masked.onmicrosoft.com/masked/
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose Cached metadata found for authority
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose OpenID Connect scopes only, renewing idToken
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Info RenewIdToken has been called
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Info-pii Add msal frame to document:msalIdTokenFrame|openid profile|undefined
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose RenewIdToken expected state: eyJpZCI6IjA4YmNmOTE3LTViOWUtNDMyYi1iMjcxLTZlN2UxZGIyMDFmZCIsInRzIjoxNjE3NzA1NTU0LCJtZXRob2QiOiJzaWxlbnRJbnRlcmFjdGlvbiJ9
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose Silent login is true, set silentAuthenticationState
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Info-pii Navigate to:" https://custom-domain/masked.onmicrosoft.com/masked/oauth2/v2.0/authorize?response_type=id_token&scope=openid profile&client_id=<client_id>&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fauth.html&state=eyJpZCI6IjA4YmNmOTE3LTViOWUtNDMyYi1iMjcxLTZlN2UxZGIyMDFmZCIsInRzIjoxNjE3NzA1NTU0LCJtZXRob2QiOiJzaWxlbnRJbnRlcmFjdGlvbiJ9&nonce=00882293-088d-4bef-ae0f-3af93bb02f0c&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=msal&sessionId=48742313-96c0-11eb-a4f1-ab7fd645b7c9&client-request-id=f4b33bfd-246b-48d1-ae99-640128856776&prompt=none&response_mode=fragment
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Verbose-pii Set loading state to pending for: openid profile|undefined:eyJpZCI6IjA4YmNmOTE3LTViOWUtNDMyYi1iMjcxLTZlN2UxZGIyMDFmZCIsInRzIjoxNjE3NzA1NTU0LCJtZXRob2QiOiJzaWxlbnRJbnRlcmFjdGlvbiJ9
[MSAL] Tue, 06 Apr 2021 10:39:13 GMT:1.4.6-Info-pii LoadFrame: msalIdTokenFrame|openid profile|undefined
[MSAL] Tue, 06 Apr 2021 10:39:14 GMT:1.4.6-Info-pii Add msal frame to document:msalIdTokenFrame|openid profile|undefined
[MSAL] Tue, 06 Apr 2021 10:39:14 GMT:1.4.6-Info-pii Frame Name : msalIdTokenFrame|openid profile|undefined Navigated to: https://custom-domain/masked.onmicrosoft.com/masked/oauth2/v2.0/authorize?response_type=id_token&scope=openid profile&client_id=<client_id>&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fauth.html&state=eyJpZCI6IjA4YmNmOTE3LTViOWUtNDMyYi1iMjcxLTZlN2UxZGIyMDFmZCIsInRzIjoxNjE3NzA1NTU0LCJtZXRob2QiOiJzaWxlbnRJbnRlcmFjdGlvbiJ9&nonce=00882293-088d-4bef-ae0f-3af93bb02f0c&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=msal&sessionId=48742313-96c0-11eb-a4f1-ab7fd645b7c9&client-request-id=f4b33bfd-246b-48d1-ae99-640128856776&prompt=none&response_mode=fragment
[MSAL] Tue, 06 Apr 2021 10:39:14 GMT:1.4.6-Verbose monitorWindowForIframe polling started
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose monitorIframeForHash found url in hash
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose HandleAuthenticationResponse has been called
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose GetResponseState has been called
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose Hash contains state. Creating stateInfo object
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose State matches cached state, setting requestType to login
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose Obtained state from response
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Info ProcessCallBack has been called. Processing callback from redirect response
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose SaveTokenFromHash has been called
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Info State status: true; Request type: LOGIN
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose Server returned an error
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Info-pii Error : interaction_required; Error description: AADB2C90077: User does not have an existing session and request prompt parameter has a value of ‘None’. Correlation ID: f8259bb8-79a6-416c-83d5-fb8f66346311 Timestamp: 2021-04-06 10:39:20Z
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose RequestType is login, caching login error, generating authorityKey
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose Status set to complete, temporary cache cleared
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose Calling callback provided to processCallback
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose Telemetry Event stopped: f4b33bfd-246b-48d1-ae99-640128856776_d9de98b7-ba66-408a-8eef-c8a37379cd80-msal.api_event
[MSAL] Tue, 06 Apr 2021 10:39:16 GMT:1.4.6-Verbose Flushing telemetry events: f4b33bfd-246b-48d1-ae99-640128856776
MSAL Configuration
{
  auth: {
    authority: AUTHORITY_SIGN_IN,
    clientId: CLIENT_ID,
    redirectUri: window.location.origin + "/auth/redirect",
    validateAuthority: false,
  },
  system: {
    tokenRenewalOffsetSeconds: 10,
  },
  cache: {
    cacheLocation: typeof window !== "undefined" && localStorage ? "localStorage" : false,
    storeAuthStateInCookie: false,
  }
}
Relevant Code Snippets
import { authProvider } from "./auth-provider";

const Config = Object.freeze({
  auth: {
    msal: {
      authority: AUTHORITY_SIGN_IN,
      authoritySignup: AUTHORITY_SIGN_UP,
      clientId: CLIENT_ID,
      redirectUri: window.location.origin + "/auth/redirect",
      tokenRefreshUri: window.location.origin + "/auth.html",
      postLogoutRedirectUri: window.location.origin + "/auth/logout/",
      scopes: ["openid"],
      tokenRenewalOffsetSeconds: 10,
      validateAuthority: false,
      cacheLocation:
        typeof window !== "undefined" && localStorage ? "localStorage" : false,
      storeAuthStateInCookie: false,
    },
  },
});

const refreshToken = () => {
  const { clientId, tokenRefreshUri } = Config?.auth?.msal || {};
  const params = {
    forceRefresh: true,
    scopes: [clientId],
    redirectUri: tokenRefreshUri,
  };
  try {
    authProvider
      .acquireTokenSilent(params)
      .then((response) => {
        // handle success case
      })
      .catch((error) => {
        console.error(error);
      });
  } catch (error) {
    console.error(error);
  }
};
Reproduction Steps
- Configure the idToken expiration time to 5 or 10 minutes (something smaller to test)
- Log in
- Start renewing the token every X minutes (say, a few minutes before it expires; I am doing it 4 minutes before expiry)
- Verify that the token gets renewed
- Keep verifying it for 30 minutes.
- Notice if there is any error in the console (in our case for idToken, we have configured idToken expiry to 5 minutes, and after 20-23 minutes and some seconds the error starts coming and the interactive way is required to update the token by forcing the user to log in again)
Expected Behavior
idToken should keep getting renewed forever if it’s been renewed before expiry using acquireTokenSilent
Identity Provider
Azure B2C Custom Policy
Browsers Affected (Select all that apply)
Chrome
Regression
No response
Source
External (Customer)
Issue Analytics
- Created 2 years ago
- Comments:10 (10 by maintainers)
Top GitHub Comments
Hi @hectormmg
Thanks for your response.
The link you have provided to understand Azure AD B2C session behavior configuration has really helped me to understand the required configuration. I am able to resolve the issue after going through the same. I was using the wrong SessionExpiryType, Absolute, which was creating the problem. Changing it to Rolling has fixed the issue.
Thanks again. We really appreciate your support.
@jasonnutter, @sameerag - Thanks for helping us while resolving the issue.
Hi @AyaanRanosys.
I’ve gone over your issue and I can’t see anything wrong with your msal usage here. Here’s the link to Configure Azure AD B2C session behavior. There’s a lot of information there on how you can configure your application to handle session lifetimes.
If you are able to silently refresh ID tokens for 20-23 minutes consistently, it seems like the session lifetime must be configured to about 20 minutes for your application.
Please make sure you have the right configuration there and let me know if that solves your issue. Thanks!
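The difference between the two SessionExpiryType values discussed in the comments above, as an added example that is not part of the original issue or of MSAL: a toy model of the B2C session that a prompt=none request depends on. The 20-minute lifetime is the maintainer's estimate from the thread, the 60-second renewal interval follows the reproduction steps, and the class and function names are hypothetical.

```javascript
// Added example: a toy model of the Azure AD B2C SSO session, not MSAL or B2C code.
// Assumed numbers: 20-minute session lifetime (maintainer's estimate in the thread),
// one silent renewal every 60 seconds, observed for one hour.

// Models the server-side session that a silent (prompt=none) request relies on.
class B2CSessionModel {
  constructor(expiryType, lifetimeSec, signInAtSec = 0) {
    if (expiryType !== "Absolute" && expiryType !== "Rolling") {
      throw new Error(`unknown SessionExpiryType: ${expiryType}`);
    }
    this.expiryType = expiryType;
    this.lifetimeSec = lifetimeSec;
    this.expiresAtSec = signInAtSec + lifetimeSec;
  }

  // Outcome of one silent authorize request made at time nowSec.
  silentAuthorize(nowSec) {
    if (nowSec >= this.expiresAtSec) {
      // No live session and prompt=none: the error seen in the MSAL log.
      return { ok: false, error: "interaction_required" };
    }
    if (this.expiryType === "Rolling") {
      // Rolling: each cookie-based authentication extends the session.
      this.expiresAtSec = nowSec + this.lifetimeSec;
    }
    // Absolute: expiry stays fixed at sign-in time + lifetime.
    return { ok: true };
  }
}

// Renew every renewEverySec for durationSec.
// Returns the time (seconds after sign-in) of the first failed renewal, or null.
function firstSilentFailure(expiryType, lifetimeSec, renewEverySec, durationSec) {
  const session = new B2CSessionModel(expiryType, lifetimeSec);
  for (let t = renewEverySec; t <= durationSec; t += renewEverySec) {
    if (!session.silentAuthorize(t).ok) return t;
  }
  return null;
}

const LIFETIME = 20 * 60;
const EVERY = 60;
const DURATION = 60 * 60;
console.log("Absolute:", firstSilentFailure("Absolute", LIFETIME, EVERY, DURATION));
console.log("Rolling: ", firstSilentFailure("Rolling", LIFETIME, EVERY, DURATION));
```

In this model Rolling still fails when the gap between renewals is longer than the session lifetime, so the renewal interval has to stay inside it.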