forceRefresh does not work as intended with NAA #7546

tomaskukk opened this issue Jan 31, 2025 · 1 comment
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed more-information-needed Use this label when you are waiting on information from the issue creator msal-browser Related to msal-browser package Needs: Attention 👋 Awaiting response from the MSAL.js team public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

Comments

@tomaskukk

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

4.0.2

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Public

Description

Force refresh not working as intended with NAA

In the 4.0.2 release to msal-browser, support for forceRefresh was added to NAA. This doesn't help with what it's supposed to though.

There is a known issue with expired ID tokens being served from cache. The regular workaround for this would be to use forceRefresh, but it doesn't do any good with NAA. Setting this flag to true will skip the cache check and then call bridgeProxy.getTokenSilent, which will yield the same tokens, which aren't refreshed.

This is a huge issue, as there is no way to force refresh an expired ID token using NAA.

Error Message

No response

MSAL Logs

Image

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

auth: {
  clientId: config.entraAppClientId,
  authority: 'https://login.microsoftonline.com/common',
},
cache: {
  cacheLocation: 'localStorage',
},
...(debugEnabled && {
  system: {
    loggerOptions: {
      logLevel: LogLevel.Verbose,
      loggerCallback: (level: LogLevel, message: string) => {
        switch (level) {
          case LogLevel.Error:
            console.error(message);

            return;
          case LogLevel.Info:
            console.info(message);

            return;
          case LogLevel.Verbose:
            console.debug(message);

            return;
          case LogLevel.Warning:
            console.warn(message);

            return;
        }
      },
      piiLoggingEnabled: false,
    },
  },
})

Relevant Code Snippets

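import { createNestablePublicClientApplication } from '@azure/msal-browser';

const pca = await createNestablePublicClientApplication({
  auth: {
    authority: 'https://login.microsoftonline.com/common',
    clientId: '<clientId>', // placeholder for the application's client ID
  },
  cache: {
    cacheLocation: 'localStorage',
  },
});

// `scopes` is the array of scopes the add-in requests (defined elsewhere)
const forceRefreshResult = await pca.acquireTokenSilent({
  scopes,
  forceRefresh: true,
});

// The tokens are always the same; they are not being refreshed as they should be
console.log(forceRefreshResult);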

Reproduction Steps

  1. Set up NAA flow to acquire tokens (e.g. office-js repo's official example here)
  2. Set forceRefresh to true when calling acquireTokenSilent
  3. Use the example add-in and inspect the tokens returned
  4. See that the same tokens are returned over and over again, not being refreshed.

Expected Behavior

When setting forceRefresh to true, refreshed tokens should be returned (expiry extended).

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge

Regression

No response
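
A client-side check for the behaviour reported above, as an added example that is not part of the original issue or of MSAL.js: it decodes the `exp` claim of the ID token on the result of `acquireTokenSilent` and reports whether a forced refresh came back expired or unchanged. The function names, the sample tokens and the `NOW` value are assumptions constructed for illustration, and the check reads claims without verifying the token signature.

```javascript
// Added example: freshness check for the result of acquireTokenSilent({ forceRefresh: true }).
// It only reads the `exp` claim; it does NOT verify the token signature.

// Decode the payload (second segment) of a compact JWT without verifying it.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Classify what a forced refresh actually returned.
// `previous` and `current` carry an `idToken` string, as MSAL's AuthenticationResult does.
// `nowSec` is the current time in seconds since the epoch.
function classifyForceRefresh(previous, current, nowSec) {
  const claims = decodeJwtPayload(current.idToken);
  if (typeof claims.exp !== "number") throw new Error("ID token has no numeric exp claim");
  const sameToken = previous != null && previous.idToken === current.idToken;
  let status = "refreshed";
  if (claims.exp <= nowSec) status = "expired";      // must not be used as proof of identity
  else if (sameToken) status = "not-refreshed";      // still valid, but forceRefresh had no effect
  return { status, sameToken, exp: claims.exp };
}

// Constructed sample tokens (unsigned, made-up claims) so the check runs offline.
function makeSampleIdToken(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const NOW = 1738330000; // constructed "current time"
const stale = { idToken: makeSampleIdToken({ sub: "user-1", exp: NOW - 3600 }) };
const fresh = { idToken: makeSampleIdToken({ sub: "user-1", exp: NOW + 3590 }) };
const cachedValid = { idToken: makeSampleIdToken({ sub: "user-1", exp: NOW + 3000 }) };

// The case from the issue: the "refreshed" result is the same, already expired token.
console.log(classifyForceRefresh(stale, stale, NOW));
// A refresh that worked, and one that returned the same still-valid token.
console.log(classifyForceRefresh(stale, fresh, NOW));
console.log(classifyForceRefresh(cachedValid, cachedValid, NOW));
```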

@tomaskukk tomaskukk added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Jan 31, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jan 31, 2025
Contributor

Invalid Issue Template:
Please update the original issue and make sure to fill out the entire issue template so we can better assist you.

@github-actions github-actions bot added more-information-needed Use this label when you are waiting on information from the issue creator msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications labels Jan 31, 2025