.Net Project Graph SDK Token is expiring when deployed to Azure App Service #2723

Open
ricardomatos95 opened this issue Oct 23, 2024 · 2 comments
ricardomatos95 commented Oct 23, 2024

Describe the bug

I developed a .NET web app, and after deploying it to Azure App Service the access token seems to be expiring after 1h and not refreshing, throwing me the error:

ODataError: Lifetime validation failed, the token is expired.

Currently I have a class called Invite.cshtml.cs that looks like this:

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Graph;
using Microsoft.Identity.Web;

namespace Test_Web_App.Pages
{
    [AuthorizeForScopes(ScopeKeySection = "MicrosoftGraph:Scopes")]
    public class InviteModel : PageModel
    {
        private readonly GraphServiceClient _graphServiceClient;
        private readonly ILogger<IndexModel> _logger;
        private readonly IConfiguration _configuration;
        private readonly IHttpContextAccessor _httpContextAccessor;

        public InviteModel(ILogger<IndexModel> logger, IConfiguration configuration, GraphServiceClient graphServiceClient, IHttpContextAccessor httpContextAccessor)
        {
            _logger = logger;
            _graphServiceClient = graphServiceClient;
            _configuration = configuration;
            _httpContextAccessor = httpContextAccessor;
        }

        public async Task<IActionResult> OnPostAsync()
        {
            // Calls Microsoft Graph on behalf of the signed-in user.
            var user = await _graphServiceClient.Me.GetAsync();
            // Other actions
            return Page();
        }
    }
}

The code after 1 hour of the user being signed in throws a server error for token expiration on my OnPostAsync method as soon as it tries to load the graphServiceClient:

public async Task<IActionResult> OnPostAsync()
{
    // This call throws the ODataError once the token has expired.
    var user = await _graphServiceClient.Me.GetAsync();
    return Page();
}

On my Program.cs I have setup the following:

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

var initialScopes = builder.Configuration["AzureAd:Scopes"]?.Split(' ') ?? builder.Configuration["MicrosoftGraph:Scopes"]?.Split(' ');

// Add services to the container.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(options =>
    {
        builder.Configuration.Bind("AzureAd", options);
        options.SaveTokens = true; // Ensure tokens are saved
    })
    .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
    .AddInMemoryTokenCaches()
    .AddMicrosoftGraph();

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy.
    options.FallbackPolicy = options.DefaultPolicy;
});
builder.Services.AddRazorPages().AddMicrosoftIdentityUI();
var app = builder.Build();

Expected behavior

I expected the builder settings in Program.cs to automatically refresh the access token since they are using the Graph SDK.

How to reproduce

  • Create a builder to initialize GraphServiceClient.
  • Create a class to send a call to graphServiceClient (e.g., graphServiceClient.Me.GetAsync();).
  • Publish the application to an Azure Web App.
  • Open the Azure Web App and trigger the Post method.
  • Wait 1 hour for the token to expire and trigger the Post method again.

SDK Version

5.56.0

Latest version known to work for scenario above?

No response

Known Workarounds

N/A

Debug output

Configuration

Windows 11
x64

Other information

No response
@andrueastman
Member

Thanks for raising this @ricardomatos95

The line below suggests that you are using the Microsoft.Identity.Web.GraphServiceClient library for acquiring tokens. Any chance this is the case?

.EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddInMemoryTokenCaches().AddMicrosoftGraph();

If so, I believe the right place to file the issue is at https://github.com/AzureAD/microsoft-identity-web/issues
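
As an added illustration of the split described in the comment above (not code from the issue or from either library): the Graph client asks its authentication provider for a bearer token on each request, and caching and refresh happen in whatever that provider wraps. `PerRequestTokenProvider` and `DelegatedGraph` are hypothetical names, and the sketch assumes a scoped `ITokenAcquisition` from Microsoft.Identity.Web is available.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Web;
using Microsoft.Kiota.Abstractions.Authentication;

// Hypothetical provider: holds no token itself, so nothing here can go stale.
public sealed class PerRequestTokenProvider : IAccessTokenProvider
{
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly string[] _scopes;

    public PerRequestTokenProvider(ITokenAcquisition tokenAcquisition, string[] scopes)
    {
        _tokenAcquisition = tokenAcquisition;
        _scopes = scopes;
    }

    // Only attach the bearer token to requests for the Graph host.
    public AllowedHostsValidator AllowedHostsValidator { get; } =
        new AllowedHostsValidator(new[] { "graph.microsoft.com" });

    // Invoked by the Graph client's request pipeline for every outgoing call.
    public async Task<string> GetAuthorizationTokenAsync(
        Uri uri,
        Dictionary<string, object>? additionalAuthenticationContext = default,
        CancellationToken cancellationToken = default)
    {
        if (!AllowedHostsValidator.IsUrlHostValid(uri))
            return string.Empty;

        // Microsoft.Identity.Web consults the MSAL token cache and renews
        // silently when it can; when user interaction is required it throws
        // MicrosoftIdentityWebChallengeUserException, which the
        // [AuthorizeForScopes] attribute turns into a sign-in challenge.
        return await _tokenAcquisition.GetAccessTokenForUserAsync(_scopes);
    }
}

public static class DelegatedGraph
{
    // Build the client per request scope, matching ITokenAcquisition's lifetime.
    public static GraphServiceClient Create(ITokenAcquisition tokenAcquisition, string[] scopes) =>
        new GraphServiceClient(new BaseBearerTokenAuthenticationProvider(
            new PerRequestTokenProvider(tokenAcquisition, scopes)));
}
```
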

@ricardomatos95
Author

Hi @andrueastman, thank you for reaching out.
So the responsible actor for keeping the token alive is the Microsoft.Identity.Web.GraphServiceClient?

I assumed when calling the SDK through _graphServiceClient.Me.GetAsync(); it would be here that the refresh would be triggered by the SDK to refresh the token in case the one provided is not valid.

Is this not the case? Because from what I've seen the SDK should have covered the refresh automatically, no?
