OBO flow not using refresh tokens
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
1.14.2
Wrapper Library
Not Applicable
Wrapper Library Version
None
Public or Confidential Client?
Confidential
Description
When acquiring tokens using obo flow, they are not refreshed before expiry (offline_access scope is included). Since MSAL is not exposing refresh tokens it should handle refresh on its own. What happens is that when the oboAssertion expires we are not able to get the token anymore.
Based on the documentation I was under the impression that all refresh tokens are handled by the MSAL library.
Error Message
Failed to execute exchange request: StatusCodeError: 400 - "{"error":"invalid_grant","error_description":"AADSTS500133: Assertion is not within its valid time range. Ensure that the access token is not expired before using it for user assertion, or request a new token. Current time: 2022-10-20T21:20:43.1843767Z, expiry time of assertion 2022-10-20T21:20:43.0000000Z.\r\nTrace ID: 0c81f3ab-9374-4d33-aac8-584f1a4b5000\r\nCorrelation ID: 442b6065-3c34-483f-98a9-e8ed6b993a24\r\nTimestamp: 2022-10-20 21:20:43Z","error_codes":[500133],"timestamp":"2022-10-20 21:20:43Z","trace_id":"0c81f3ab-9374-4d33-aac8-584f1a4b5000","correlation_id":"442b6065-3c34-483f-98a9-e8ed6b993a24","error_uri":"https://login.microsoftonline.com/error?code=500133\"}"
Msal Logs
No response
MSAL Configuration
import { Configuration } from '@azure/msal-node';

// clientId, cert, thumbprint and CustomHttpsNetworkModule come from the
// service's own code and are not shown in the issue.
const config: Configuration = {
  auth: {
    clientId: clientId,
    // Certificate credential: msal-node expects the thumbprint as hex,
    // hence the base64 -> hex conversion. x5c carries the public cert
    // for subject name / issuer (SNI) authentication.
    clientCertificate: {
      privateKey: cert.privateRSAKey,
      thumbprint: Buffer.from(thumbprint, 'base64').toString('hex'),
      x5c: cert.publicCER.asPEM()
    }
  },
  system: {
    // Custom INetworkModule implementation supplied by the service
    networkClient: new CustomHttpsNetworkModule()
  }
};
Relevant Code Snippets
import { ConfidentialClientApplication } from '@azure/msal-node';

const msalClient = new ConfidentialClientApplication(config);

// The incoming user token (the assertion) is exchanged for a token to the
// downstream API; the exchange is rejected once the assertion itself has expired.
const response = await msalClient.acquireTokenOnBehalfOf({
  scopes: request.scopes,
  authority: `https://${request.authorityHostname}/${request.tenantId}`,
  oboAssertion: request.oboAssertion
});
Reproduction Steps
- Request token using obo flow
- When obo assertion expired request the token again
- Error: Assertion is not within its valid time range.
Expected Behavior
MSAL should refresh the obo token proactively using the refresh token and update the cache.
Design
Add LongRunningOBO APIs just like https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/on-behalf-of and https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/2733
- Ensure we have E2E “short running” OBO test
- Ensure we have unit test around “short running” OBO test
- Refresh token gets “assertion hash” property in cache
- Add the 2 new APIs
- Ensure that cached AT and cached RT are usable only if OBO key matches.
CC @pmaytak and @trwalke for breakdown of tasks - please add more if needed.
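The design above (cache entries keyed by a hash of the assertion, a long-running API that works from that key alone, and a refresh token that is usable only under the matching OBO key) and the failure in the issue body (AADSTS500133 once the assertion has expired) can be walked through offline. The TypeScript below is an added example written for this page; it is not code from @azure/msal-node or from the issue author. `FakeAuthority`, `LongRunningOboClient`, `makeAssertion`, `oboKey` and the unsigned assertion fixtures are all constructed for illustration and are not MSAL APIs; the 5-minute refresh skew and the 3600-second token lifetime are assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Constructed fixture: an unsigned "JWT" is enough to carry sub/exp claims offline.
// A real assertion is the caller's signed Azure AD access token.
function makeAssertion(sub: string, exp: number): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc({ sub, aud: "api://middle-tier", exp })}.`;
}

// Read claims without verifying the signature: the authority still validates the
// assertion; this only lets the service fail fast instead of hitting AADSTS500133.
function claims(jwt: string): { sub?: string; exp?: number } {
  const [, payloadPart] = jwt.split(".");
  if (!payloadPart) throw new Error("not a JWT");
  return JSON.parse(Buffer.from(payloadPart, "base64url").toString("utf8"));
}

function assertionExpiry(jwt: string): number {
  const exp = claims(jwt).exp;
  if (typeof exp !== "number") throw new Error("assertion has no exp claim");
  return exp;
}

// The "OBO key" from the design: a hash of the assertion, so the raw assertion
// never has to be stored or handed around after the first exchange.
function oboKey(assertion: string): string {
  return createHash("sha256").update(assertion).digest("hex");
}

interface TokenResponse { access_token: string; refresh_token: string; expires_in: number }
interface CacheEntry { accessToken: string; refreshToken: string; expiresAt: number }

// Hypothetical stand-in for the token endpoint: rejects expired assertions the way
// AADSTS500133 does and rotates the refresh token on every use.
class FakeAuthority {
  exchanges = 0;
  refreshes = 0;
  private readonly now: () => number;
  private refreshTokens = new Map<string, string>(); // refresh token -> subject
  constructor(now: () => number) { this.now = now; }

  exchange(assertion: string): TokenResponse {
    if (assertionExpiry(assertion) <= this.now()) {
      throw new Error("invalid_grant: AADSTS500133: Assertion is not within its valid time range");
    }
    this.exchanges++;
    return this.issue(claims(assertion).sub ?? "unknown");
  }
  refresh(refreshToken: string): TokenResponse {
    const sub = this.refreshTokens.get(refreshToken);
    if (!sub) throw new Error("invalid_grant: unknown or already rotated refresh token");
    this.refreshTokens.delete(refreshToken);
    this.refreshes++;
    return this.issue(sub);
  }
  private issue(sub: string): TokenResponse {
    const refresh_token = randomBytes(8).toString("hex");
    this.refreshTokens.set(refresh_token, sub);
    return { access_token: `at-${sub}-${randomBytes(4).toString("hex")}`, refresh_token, expires_in: 3600 };
  }
}

// Hypothetical client implementing the two-API design from the thread.
class LongRunningOboClient {
  private cache = new Map<string, CacheEntry>();
  private readonly authority: FakeAuthority;
  private readonly now: () => number;
  constructor(authority: FakeAuthority, now: () => number) { this.authority = authority; this.now = now; }

  // "Short running" OBO: the caller holds a live assertion. Tokens are cached under
  // the assertion hash; an expired assertion falls back to the RT under that key.
  acquireTokenOnBehalfOf(assertion: string): string {
    const key = oboKey(assertion);
    const hit = this.validAccessToken(key);
    if (hit) return hit;
    if (assertionExpiry(assertion) > this.now()) return this.store(key, this.authority.exchange(assertion));
    return this.acquireTokenInLongRunningProcess(key);
  }

  // "Long running" OBO: only the key is needed, so the service keeps working for
  // this user after the original assertion has expired. A foreign key finds nothing.
  acquireTokenInLongRunningProcess(key: string): string {
    const hit = this.validAccessToken(key);
    if (hit) return hit;
    const entry = this.cache.get(key);
    if (!entry) throw new Error("no tokens cached under this OBO key; a fresh user assertion is required");
    return this.store(key, this.authority.refresh(entry.refreshToken));
  }

  private validAccessToken(key: string): string | undefined {
    const e = this.cache.get(key);
    // Refresh proactively: treat the AT as stale 5 minutes before its real expiry.
    return e && e.expiresAt - 300 > this.now() ? e.accessToken : undefined;
  }
  private store(key: string, r: TokenResponse): string {
    this.cache.set(key, { accessToken: r.access_token, refreshToken: r.refresh_token, expiresAt: this.now() + r.expires_in });
    return r.access_token;
  }
}

// Walk through the issue's reproduction steps with a controllable clock.
function runScenario() {
  let clock = 1_000_000; // constructed epoch seconds
  const now = () => clock;
  const authority = new FakeAuthority(now);
  const client = new LongRunningOboClient(authority, now);
  const assertion = makeAssertion("alice", clock + 600); // user token valid for 10 minutes
  const key = oboKey(assertion);

  const t1 = client.acquireTokenOnBehalfOf(assertion);     // first call: real exchange
  const t2 = client.acquireTokenOnBehalfOf(assertion);     // served from cache
  clock += 4000;                                           // assertion and AT both expired
  const t3 = client.acquireTokenOnBehalfOf(assertion);     // RT under the key saves the call
  const t4 = client.acquireTokenInLongRunningProcess(key); // no assertion needed at all
  clock += 4000;
  const t5 = client.acquireTokenInLongRunningProcess(key); // refreshed again

  let directError = "";
  try { authority.exchange(assertion); } catch (e) { directError = (e as Error).message; }
  let keyMismatchRejected = false;
  try { client.acquireTokenInLongRunningProcess(oboKey(makeAssertion("bob", clock + 600))); }
  catch { keyMismatchRejected = true; }
  return { t1, t2, t3, t4, t5, exchanges: authority.exchanges, refreshes: authority.refreshes, directError, keyMismatchRejected };
}

console.log(runScenario());
```

The scenario reproduces the thread's sequence: one real exchange while the assertion is valid, a cache hit, then two refreshes after the assertion has expired, neither of which needs the assertion. Calling the authority directly with the expired assertion still fails with the AADSTS500133-style error, and a key derived from another user's assertion cannot reach alice's cached RT.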
Issue Analytics
- Created a year ago
- Comments: 8 (5 by maintainers)
Top GitHub Comments
Hi @aleknik - not yet, we’re working on bugs at the moment.
Next we will probably pick this up or making the token cache more performant. I have a preference for this scenario, because the token cache issues can be worked around.
@bmahall We are a server-side service that gets the assertion from the client side and uses it to do OBO flow. We want to be able to do OBO flow even after the assertion is expired.