
[Bug] HttpContext.GetTokenAsync("access_token") returns always null when using EnableTokenAcquisitionToCallDownstreamApi()


Which version of Microsoft Identity Web are you using? Microsoft.Identity.Web 1.5.1

Where is the issue?

  • Web app
    • Sign-in users
    • Sign-in users and call web APIs
  • Web API
    • Protected web APIs (validating tokens)
    • Protected web APIs (validating scopes)
    • Protected web APIs call downstream web APIs
  • Token cache serialization
    • In-memory caches
    • Session caches
    • Distributed caches
  • Other (please describe)

Is this a new or an existing app? This is a new app

Repro

public void ConfigureServices(IServiceCollection services)
{
    // Adds Microsoft Identity platform (AAD v2.0) support to protect this API
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(Configuration)
                .EnableTokenAcquisitionToCallDownstreamApi()
                .AddInMemoryTokenCaches();
    // ...
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    // ...

    app.Use(async (context, next) =>
    {
        var token = await context.GetTokenAsync("access_token");
        // token is always null here

        await next();
    });

    // ...
}

Expected behavior: When JwtBearerOptions.SaveToken is true, context.GetTokenAsync("access_token") returns the access token used in the request.

Actual behavior: context.GetTokenAsync("access_token") always returns null when EnableTokenAcquisitionToCallDownstreamApi() is used. When I remove EnableTokenAcquisitionToCallDownstreamApi(), I get the access token as expected.

Possible solution: I debugged the code, and the problem is in MicrosoftIdentityWebApiAuthenticationBuilder.cs:

options.Events.OnTokenValidated = async context =>
{
    await onTokenValidatedHandler(context).ConfigureAwait(false);
    context.HttpContext.StoreTokenUsedToCallWebAPI(context.SecurityToken as JwtSecurityToken);
    context.Success();
};

I don’t know why context.Success(); is needed, but when I remove it, everything works as expected.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 10 (1 by maintainers)

Top GitHub Comments

1 reaction
Tratcher commented, Aug 18, 2021

Remove it. Success() means you’ve taken care of everything and want to disable any further processing. In this case the only further processing you’re skipping is the part where we save the access token for later use. https://github.com/dotnet/aspnetcore/blob/61fc66cada5d72e76513918aee515846f2923b4e/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs#L155-L161
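
The behaviour described in the comment above, shown in a custom OnTokenValidated handler. This is an added example, not code from the issue, from Microsoft.Identity.Web or from ASP.NET Core; `TokenValidatedSketch`, `Wire` and `shortCircuit` are hypothetical names.

```csharp
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.JsonWebTokens;

// Hypothetical helper for illustration; not part of Microsoft.Identity.Web.
public static class TokenValidatedSketch
{
    public static void Wire(JwtBearerOptions options, bool shortCircuit)
    {
        options.SaveToken = true;
        options.Events ??= new JwtBearerEvents();
        var previous = options.Events.OnTokenValidated;

        options.Events.OnTokenValidated = async context =>
        {
            // Keep whatever handler was registered before this one.
            if (previous != null)
            {
                await previous(context).ConfigureAwait(false);
            }

            if (!shortCircuit)
            {
                // Leave context.Result unset: JwtBearerHandler then applies
                // SaveToken and calls Success() itself.
                return;
            }

            // Success() sets context.Result, so JwtBearerHandler returns before
            // its SaveToken step. Store the token first if later middleware
            // relies on GetTokenAsync("access_token").
            string? raw = context.SecurityToken switch
            {
                JwtSecurityToken jwt => jwt.RawData,   // JwtSecurityTokenHandler path
                JsonWebToken jwt => jwt.EncodedToken,  // JsonWebTokenHandler path
                _ => null
            };
            if (raw != null)
            {
                // The stored value is a bearer credential: keep it out of logs.
                context.Properties.StoreTokens(new[]
                {
                    new AuthenticationToken { Name = "access_token", Value = raw }
                });
            }
            context.Success();
        };
    }
}
```

It can be wired with `services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, o => TokenValidatedSketch.Wire(o, shortCircuit: false));`.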

0 reactions
jennyf19 commented, Aug 19, 2021

Included in 1.16 release

