Comments (11)
I will take a look at this. @jmprieur
from active-directory-aspnetcore-webapp-openidconnect-v2.
@jasonshave I can confirm this also happens when running it for 12 hours on localhost.
from active-directory-aspnetcore-webapp-openidconnect-v2.
@jasonshave : thanks again for reporting this issue.
This is now fixed.
from active-directory-aspnetcore-webapp-openidconnect-v2.
@jasonshave : what are the repro steps? just use the sample? which sub folder?
from active-directory-aspnetcore-webapp-openidconnect-v2.
The step to reproduce (for me at least) is to simply wait about 12 hours. The website eventually won't authenticate and loops as mentioned above. I tried setting the token type to .AddInMemoryPerUserTokenCache and while this seemed to work okay over the past few days, I have the login loop showing up again.
I just noticed the MSALMemoryTokenCacheOptions has a 12 hour expiration which lines up with the time frame I'm noticing my issue. Looking at that object for Microsoft.Identity.Web I see the comments suggest an expiration of up to 90 days so I'm going to try that. I just updated my Startup.cs to:
services.AddAzureAdV2Authentication(Configuration)
    .AddMsal(new string[] { ScopeConstants.ScopeUserRead })
    .AddInMemoryPerUserTokenCache(new MSALMemoryTokenCacheOptions() { AbsoluteExpiration = DateTimeOffset.Now.AddDays(90) });
...so hopefully this will help.
The code I'm using is from the sample here.
I'm happy to set up a LiveShare or Teams session to show you. You can find me in the GAL.
from active-directory-aspnetcore-webapp-openidconnect-v2.
@kalyankrishna1 @TiagoBrenck
does one of you have time to have a look?
otherwise I'll try to get to this by EOW
from active-directory-aspnetcore-webapp-openidconnect-v2.
@jasonshave Could you reproduce this bug running on localhost? Or it just happens when you deploy the web app on Azure?
from active-directory-aspnetcore-webapp-openidconnect-v2.
I'm having the same problem on a Linux Azure Web App.
I only see these two messages:
2019-05-28T05:31:08.033349541Z warn: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[15]
2019-05-28T05:31:08.033398243Z '.AspNetCore.Correlation.AzureADOpenID.ekRozARehhfY9jxmECEumJc-vhZdY3cCAwK88HGKORU' cookie not found.
2019-05-28T05:31:50.339705384Z warn: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[14]
2019-05-28T05:31:50.339764686Z .AspNetCore.Correlation. state property not found.
Could this problem occur if DataProtection is not configured?
from active-directory-aspnetcore-webapp-openidconnect-v2.
With DataProtection on it still happens.
from active-directory-aspnetcore-webapp-openidconnect-v2.
@ferronsw I could reproduce it locally. We are still investigating it, but so far here is my analysis:
What is happening is:
1. After X-hrs (I set locally to expire in 1 min), the token that we have cached expires.
2. The user calls Profile Action Result, (with MsalUiRequiredExceptionFilter) and an access token will try to be acquired. The method GetAccessTokenOnBehalfOfUser (inside TokenAcquisition.cs) is called.
3. This method builds a new IConfidentialClientApplication (where cache accessor is empty), receives an account identifier and tries to retrieve an IAccount object. It returns null because it got expired and cache accessor is empty.
4. The method calls AcquireTokenSilent with the null IAccount in the parameters. A MsalUiRequiredException is thrown and the filter gets in action.
5. The filter calls BuildAuthenticationPropertiesForIncrementalConsent that basically populates AuthenticationProperties with the scope, loginHint and extra claims (if needed) with the same ones that got requested previously. Then, a new ChallengeResult is created with the AuthenticationProperties created.
6. The event OnAuthorizationCodeReceived gets triggered and the method AddAccountToCacheFromAuthorizationCode is called.
7. A new IConfidentialClientApplication is built and AcquireTokenByAuthorizationCode is called right after. This method populates the cache accessor properly however this new IConfidentialClientApplication object is lost (in my opinion), because after this step, we get back to step 2, and all this flow happens again, and again. I would expect that on step 3, the cache accessor had the values populated by AcquireTokenByAuthorizationCode.
If you want to reproduce this behavior locally, download the sample https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph
Then modify the class MSALPerUserMemoryTokenCacheProvider.cs, to this one:
public MSALPerUserMemoryTokenCacheProvider(IMemoryCache cache, MSALMemoryTokenCacheOptions option)
{
    this.memoryCache = cache;
    // Repro only: force a 1-minute absolute expiration whether or not options were supplied.
    if (option == null)
    {
        this.CacheOptions = new MSALMemoryTokenCacheOptions() { AbsoluteExpiration = System.DateTime.Now.AddMinutes(1) };
    }
    else
    {
        option.AbsoluteExpiration = System.DateTime.Now.AddMinutes(1);
        this.CacheOptions = option;
    }
}
Run the project, login and go to Profile page. Wait your token expiration time, then click on the Profile link again. You will then be in the loop.
The problem
The job done on IConfidentialClientApplication at step 7 doesn't affect the IConfidentialClientApplication created at step 2.
from active-directory-aspnetcore-webapp-openidconnect-v2.
@kalyankrishna1 : why is there an Absolute expiration time? Don't we rather want to have a sliding window?
By setting an absolute time, once it's reached, no token can be added to the cache.
from active-directory-aspnetcore-webapp-openidconnect-v2.
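The absolute-versus-sliding point raised in the last comment, shown directly against Microsoft.Extensions.Caching.Memory. This is an added example, not code from the thread or from the sample repository; it assumes the token cache provider reuses one options object, with its deadline computed once at startup, for every cache write. Key names and the 2-second timings are constructed for the demo.

```csharp
using System;
using System.Threading;
using Microsoft.Extensions.Caching.Memory;

// Added illustration; key names and timings are constructed, not taken from the sample.
static class TokenCacheExpiryDemo
{
    static bool Has(IMemoryCache cache, string key) => cache.TryGetValue(key, out object _);

    static void Main()
    {
        var cache = new MemoryCache(new MemoryCacheOptions());
        byte[] blob = { 0x01 };   // stand-in for a serialized MSAL token cache

        // Pattern from the thread: the deadline is computed once (as in Startup.cs)
        // and the same options object is reused for every later cache write.
        var fixedDeadline = new MemoryCacheEntryOptions
        {
            AbsoluteExpiration = DateTimeOffset.Now.AddSeconds(2)
        };

        cache.Set("user-1", blob, fixedDeadline);
        Console.WriteLine("fixed instant, before deadline: " + Has(cache, "user-1"));

        Thread.Sleep(TimeSpan.FromSeconds(3));   // the fixed instant is now in the past

        // A fresh sign-in writes the token cache again, but the entry is already
        // expired when it is stored, so the next read misses and the app challenges again.
        cache.Set("user-1", blob, fixedDeadline);
        Console.WriteLine("fixed instant, after deadline:  " + Has(cache, "user-1"));

        // Alternative 1: lifetime measured from each write instead of from startup.
        cache.Set("user-2", blob, new MemoryCacheEntryOptions
        {
            AbsoluteExpirationRelativeToNow = TimeSpan.FromSeconds(2)
        });
        Console.WriteLine("relative to each write:         " + Has(cache, "user-2"));

        // Alternative 2: sliding window, renewed every time the entry is read.
        cache.Set("user-3", blob, new MemoryCacheEntryOptions
        {
            SlidingExpiration = TimeSpan.FromSeconds(2)
        });
        Thread.Sleep(TimeSpan.FromSeconds(1));
        Console.WriteLine("sliding, read inside window:    " + Has(cache, "user-3"));
    }
}
```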