From d55cb9a7a04ab9b894b3d3f51ae5a0f4589bf924 Mon Sep 17 00:00:00 2001
From: Tyler James Leonhardt
Date: Thu, 19 Dec 2024 10:25:37 -0800
Subject: [PATCH] Use claims to force an idToken in Broker flow (#236623)

Looks like the Broker doesn't support `forceRefresh`... This is an alternative way of forcing a refresh. Fixes https://github.com/microsoft/vscode/issues/229456

---
 .../src/node/cachedPublicClientApplication.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts b/extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts
index 7396da1799018..0f27c2c0e4d62 100644
--- a/extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts
+++ b/extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts
@@ -102,9 +102,19 @@ export class CachedPublicClientApplication implements ICachedPublicClientApplica
 );
 if (fiveMinutesBefore < new Date()) {
 this._logger.debug(`[acquireTokenSilent] [${this._clientId}] [${this._authority}] [${request.scopes.join(' ')}] [${request.account.username}] id token is expired or about to expire. Forcing refresh...`);
- result = await this._sequencer.queue(() => this._pca.acquireTokenSilent({ ...request, forceRefresh: true }));
+ const newRequest = this._isBrokerAvailable
+ // HACK: Broker doesn't support forceRefresh so we need to pass in claims which will force a refresh
+ ? { ...request, claims: '{ "id_token": {}}' }
+ : { ...request, forceRefresh: true };
+ result = await this._sequencer.queue(() => this._pca.acquireTokenSilent(newRequest));
 this._logger.debug(`[acquireTokenSilent] [${this._clientId}] [${this._authority}] [${request.scopes.join(' ')}] [${request.account.username}] got refreshed result`);
 }
+ const newIdTokenExpirationInSecs = (result.idTokenClaims as { exp?: number }).exp;
+ if (newIdTokenExpirationInSecs) {
+ if (new Date(newIdTokenExpirationInSecs * 1000) < new Date()) {
+ this._logger.error(`[acquireTokenSilent] [${this._clientId}] [${this._authority}] [${request.scopes.join(' ')}] [${request.account.username}] id token is still expired.`);
+ }
+ }
 }
 // this._setupRefresh(result);