acquireTokenSilent after 8 hour

[alexseyrakov]

Core Library

MSAL.js v2 (@azure/msal-browser)

Core Library Version

2.29.0

Wrapper Library

Not Applicable

Wrapper Library Version

None

Public or Confidential Client?

Public

Description

We use the MSAL library to access corporate resources.
After 8 hours, acquireTokenSilent stops receiving a new token and asks for re-authorization in ADFS.

MSAL Configuration

No response

Relevant Code Snippets

//MSAL Config
const msalConfig = {
  auth: {
      clientId: APPID,
      authority: 'https://corporate.network/adfs/', 
      knownAuthorities: ['https://corporate.network/adfs/'], 
      redirectUri: REDIRECTURL, 
      
  },
  cache: {
      cacheLocation: "localStorage",
      storeAuthStateInCookie: false, 
  },
};

//acquireTokenSilent
async function refreshWebToken(){

  return await msalInstance.acquireTokenSilent(silentRequest).catch(async (error) => {
    if (error instanceof msal.InteractionRequiredAuthError) {
        return await msalInstance.acquireTokenPopup(loginRequest).catch(error => {
            console.log(error);
        });
    }
});
}

Identity Provider

ADFS

Source

External (Customer)

[sameerag]

@alexseyrakov Thanks for reaching out. We try to acquire/refresh tokens silently as long as the session is valid. Can you share the exact error message you see?

[alexseyrakov]

@sameerag
in console
"MSIS9615: The refresh token received in 'refresh_token' parameter has expired."

[sameerag]

@alexseyrakov This could be the policy set by your admin. msal-js does not control the expiration times, the token issuance does which depends on many factors.

@derisen can you help here or redirect this to support who can help?

[alexseyrakov]

@sameerag @derisen
Thanks
Tell me please, what settings on the ADFS server are responsible for this settings?

[derisen]

@alexseyrakov Let me reach out to some internal partners about this. In the meantime, could you capture a network trace with Fiddler when this happens, and then send it to me (you can find my email on my profile)?

[ghost]

@alexseyrakov This issue has been automatically marked as stale because it is marked as requiring author feedback but has not had any activity for 5 days. If your issue has been resolved please let us know by closing the issue. If your issue has not been resolved please leave a comment to keep this open. It will be closed automatically in 7 days if it remains stale.

[derisen]

@alexseyrakov apologies for the late response. 8 hours seems to be the default configuration with ADFS -you can find more on this here. In general refresh tokens can be invoked at any time for a variety of reasons, and your application shouldn't assume an interval and should be ready to handle the error (by re-authenticating the user). Longer lived refresh tokens are not always desirable for enhanced security.

Closing this -feel free to open another issue if you have other questions.