
The value of ExpiresOn in AuthenticationResult does not change when using IPublicClientApplication.AcquireTokenSilent

Open anhtuan1412 opened this issue 2 years ago • 3 comments

I'm using MSAL .NET in a Desktop app, and I call

IPublicClientApplication.AcquireTokenSilent

with a TokenCache to get the access token. In the app, we call this 15 seconds before the access token expires to refresh the access token. However, the value of ExpiresOn in the returned AuthenticationResult does not change (neither does the AccessToken). ExpiresOn seems to change if the access token expires for a while (more than 2 hours), but it doesn't change if the access token does not expire yet.

Is this expected behavior? Maybe we have some sort of caching behind the scenes in AAD. If yes, is there any way we can refresh the AccessToken and ExpiresOn?

anhtuan1412 avatar Sep 13 '22 17:09 anhtuan1412

The described behavior is expected. AcquireTokenSilent (ATS) checks the MSAL cache and if it finds a non-expired token, it will return it. So the ExpiresOn will stay the same. At the same time MSAL also checks if this token needs to be refreshed, then it will refresh the access token in the background thread and cache it. But if AcquireTokenSilent doesn't find a token in the cache, then it goes straight to AAD to get a new one.

This behavior is intended so the app doesn't unnecessarily hit AAD too often to refresh tokens, if they are not being used.

You can add WithForceRefresh on ATS to bypass the cache and just get a token from AAD, but this should be used sparingly to avoid perf hit. This is for something like if you want the conditional access policies to be applied immediately instead of after the token expires.

pmaytak avatar Sep 14 '22 06:09 pmaytak

Thanks Peter for the response. If the value of ExpiresOn is reached, are we guaranteed to get a new access token with new ExpiresOn when we call ATS? In my testing, if I call ATS shortly after ExpiresOn I don't get new values for access token and ExpiresOn.

In addition, does MSAL extend the lifetime of access tokens when ATS is called? Is it possible that the lifetime of access token is extended but ExpiresOn is not updated?

anhtuan1412 avatar Sep 14 '22 16:09 anhtuan1412

A token's lifetime cannot be extended, the token is immutable.

MSAL will renew your access token (i.e. request a new token) 5 minutes before expiration when you call AcquireTokenSilent. The reason for the "5 min" is to avoid clock skews between the client and the service.

Example assuming token lifetime is 1h (this is controlled by the tenant admin):

10:00 AM - AcquireTokenInteractive -> AT1, expires at 11 AM
10:30 AM - AcquireTokenSilent -> AT1, expires at 11 AM
10:55 AM - AcquireTokenSilent -> gets a new token -> AT2, expires at 11:55 AM
10:56 AM - AcquireTokenSilent -> AT2, expires at 11:55 AM

bgavrilMS avatar Sep 19 '22 18:09 bgavrilMS
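
Added example (not part of the thread and not the MSAL.NET project's own code): a helper that calls AcquireTokenSilent before each request, logs whether the token came from the cache or from AAD via `AuthenticationResultMetadata.TokenSource`, and uses `WithForceRefresh` only on demand. The client ID placeholder, the `User.Read` scope and the default in-memory token cache are assumptions.

```csharp
// Added example. "<your-client-id>" and the "User.Read" scope are placeholders;
// a public-client app registration with the default redirect URI is assumed.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

static class Program
{
    static readonly string[] Scopes = { "User.Read" };

    // Call right before each API request; MSAL decides between cache and AAD.
    static async Task<AuthenticationResult> GetTokenAsync(
        IPublicClientApplication app, bool forceRefresh = false)
    {
        IAccount account = (await app.GetAccountsAsync()).FirstOrDefault();
        AuthenticationResult result;
        try
        {
            result = await app.AcquireTokenSilent(Scopes, account)
                              .WithForceRefresh(forceRefresh)
                              .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached account or refresh token: sign in again.
            result = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
        // Log the token's origin and expiry, never the token itself.
        Console.WriteLine($"source={result.AuthenticationResultMetadata.TokenSource} " +
                          $"expiresOn={result.ExpiresOn:u}");
        return result;
    }

    static async Task Main()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create("<your-client-id>")
            .WithDefaultRedirectUri()
            .Build();

        await GetTokenAsync(app);                      // empty cache: interactive sign-in
        await GetTokenAsync(app);                      // silent call against the cache
        await GetTokenAsync(app, forceRefresh: true);  // bypasses the cache, goes to AAD
    }
}
```

Comparing the `source` and `expiresOn` values across the three calls shows which calls were served from the cache and which produced a new token.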