
[Permissions bug] consenting to permissions is not reflected cross browsers

Open RabebOthmani opened this issue 2 years ago • 2 comments

Describe the bug
We received feedback from a user reporting that when changing permissions, the change is not reflected in the UI between Firefox and Chrome. So I went ahead and tested.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Edge (or any other browser)
  2. On the permissions tab, consent to a permission
  3. Go to a different browser (Chrome), make sure you're signed in with the same user
  4. Notice on the permissions tab, the change you made on Edge is not there even after refreshing the page

Screenshots
[screenshot: permission consent edge]
[screenshot: permission consent]

RabebOthmani avatar Mar 01 '22 13:03 RabebOthmani

Confirming that signing out then signing back in does not have the same problem.

The token that has the scopes a user has consented to is stored in the browser that made the request to consent to scopes.

By design, to get the token in the adjacent browser, the user needs to log in again or wait for when the token gets refreshed automatically. Reloading just gets the token from the cache, which would be the token without the newly consented scopes for the adjacent browser.

thewahome avatar Mar 01 '22 14:03 thewahome

@RabebOthmani can we close this one if it's agreed that this is by design?

ddyett avatar Aug 02 '22 18:08 ddyett

Picking up this conversation again before we decide what is best to do. @thewahome @adhiambovivian @gavinbarron @darrelmiller I understand this is done by design, but I'm wondering if there's a non-costly way to ensure that users get complete, up-to-date and relevant information when using Graph Explorer and switching between browsers. Beyond permissions, what happens if a new sample query or resource is added? Would I not be able to see it until I reload my browser or sign out/in?

RabebOthmani avatar Jan 10 '23 14:01 RabebOthmani

AFAIK, samples & resources are somewhat different in that the metadata for those is loaded from the DevX API while the application is loading and therefore should update when a user refreshes their browser.

The data for consented scopes is the response from AAD when a token is requested. We're using MSAL as a wrapper for our authentication which will use the locally cached token while it is valid. When the access token that the user has expires the subsequent token request will cause the list of consented scopes to be updated.

This feels like a pretty big edge case as it requires a user to be actively using two separate browsers with the same user credentials.

That said, in order to update the list of consented scopes, and in fact the access token being used, in a multiple-browser scenario like this we'd need to have some concrete user action to which we could tie some behavior. Likely we'd have to manually trigger a token fetch ignoring the cache, possibly via a login call.

gavinbarron avatar Jan 17 '23 19:01 gavinbarron
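The cache-first behaviour described in the two comments above (the consented-scope list lives in the token, each browser keeps its own cached token, and only expiry or a forced fetch picks up new consent) can be modelled in a few lines. The following is an added illustration written for this page; it is not MSAL and not Graph Explorer code. The `AuthorizationServer` and `BrowserTokenCache` classes, the `forceRefresh` option and the injectable clock are all constructed stand-ins for the real components, and the scope names and lifetimes are made-up sample values.

```javascript
// Constructed model of per-browser token caching. Not MSAL, not Graph Explorer.

// Injectable clock so expiry can be simulated without real waiting.
const clock = { now: 0, advance(ms) { this.now += ms; } };

// Stand-in for the identity provider's record of what the user has consented to.
class AuthorizationServer {
  constructor(initialScopes) { this.consented = new Set(initialScopes); }
  consent(scope) { this.consented.add(scope); }
  // Every freshly issued token carries the full, current consented-scope list.
  issueToken(lifetimeMs) {
    return { scopes: [...this.consented].sort(), expiresOn: clock.now + lifetimeMs };
  }
}

// One instance per browser: caches are local storage, nothing is shared between them.
class BrowserTokenCache {
  constructor(server, lifetimeMs) {
    this.server = server; this.lifetimeMs = lifetimeMs; this.cached = null;
  }
  // Cache-first: return the stored token while it is still valid,
  // unless the caller explicitly asks to bypass the cache.
  acquireToken({ forceRefresh = false } = {}) {
    if (!forceRefresh && this.cached && this.cached.expiresOn > clock.now) {
      return { ...this.cached, fromCache: true };
    }
    this.cached = this.server.issueToken(this.lifetimeMs);
    return { ...this.cached, fromCache: false };
  }
  // Consent flow: records the scope at the server and hands this browser a fresh token.
  consentTo(scope) {
    this.server.consent(scope);
    return this.acquireToken({ forceRefresh: true });
  }
  // A page reload does not touch the cache; it simply reads from it again.
  reload() { return this.acquireToken(); }
  signOut() { this.cached = null; }
}

// Reproduces the report: consent in one browser, check what the other one sees.
function crossBrowserScenario(lifetimeMs = 3600000) {
  const server = new AuthorizationServer(['User.Read']);
  const edge = new BrowserTokenCache(server, lifetimeMs);
  const chrome = new BrowserTokenCache(server, lifetimeMs);
  edge.acquireToken();   // both browsers sign in ...
  chrome.acquireToken(); // ... and cache a token with the initial scope
  edge.consentTo('Mail.Read');

  const afterReload = chrome.reload();                              // stale, served from cache
  const afterForce = chrome.acquireToken({ forceRefresh: true });   // fresh, scopes updated
  return {
    edgeScopes: edge.reload().scopes,
    chromeAfterReload: afterReload.scopes,
    chromeReloadFromCache: afterReload.fromCache,
    chromeAfterForce: afterForce.scopes,
  };
}

// Same setup, but waiting past the token lifetime also picks up the new scope.
function expiryScenario(lifetimeMs = 1000) {
  const server = new AuthorizationServer(['User.Read']);
  const edge = new BrowserTokenCache(server, lifetimeMs);
  const chrome = new BrowserTokenCache(server, lifetimeMs);
  edge.acquireToken();
  chrome.acquireToken();
  edge.consentTo('Mail.Read');
  clock.advance(lifetimeMs + 1);  // cached token in Chrome has now expired
  const afterExpiry = chrome.reload();
  return { scopes: afterExpiry.scopes, fromCache: afterExpiry.fromCache };
}

module.exports = { AuthorizationServer, BrowserTokenCache, crossBrowserScenario, expiryScenario };
```

`crossBrowserScenario()` returns `chromeAfterReload` still equal to `['User.Read']` with `chromeReloadFromCache` true, while `chromeAfterForce` is `['Mail.Read', 'User.Read']`; `expiryScenario()` shows the same list arriving once the cached token has expired. The `forceRefresh` branch is the "token fetch ignoring the cache" that the comment above suggests tying to an explicit user action.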

The token is not shared across sessions. The user would need, as mentioned by @gavinbarron, to perform a specific action in the second browser.

thewahome avatar Sep 25 '23 12:09 thewahome

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.
