React MSAL - Silent SSO could not be completed, when token expired #2934
Comments
@MarekLani You have 3 options in this scenario:
@tnorling thank you for the response; however, I am not able to set loginHint on acquireTokenSilent, it seems not to be a valid parameter (I am using TypeScript)
@MarekLani My mistake, you're right
Thank you @tnorling, I was trying to enable the emails claim in my custom policy, but I probably made a mistake somewhere, can't find documentation on doing it, but will try to manually set the username using the email from idTokenClaims. Will report back
The access token will always expire after 24 hours, even if you refresh your tokens. There is no rolling window. This is how the flow works within a SPA. As @tnorling explained, you should trigger an interactive flow when offtopic: I really hope this will be changed within B2C... It's really hard to create a user friendly app when your token expires every 24 hours.
@code-by-gijs thanks for the additional context, would this be helpful in this case: https://docs.microsoft.com/en-us/azure/active-directory-b2c/session-behavior?pivots=b2c-custom-policy
The refresh token expires after 24 hours. Access token lifetimes are 1 hour.
When the refresh token expires after 24 hours msal.js will attempt to silently acquire a new set of tokens (including refresh token) using a hidden iframe, this is what @MarekLani was asking about. This will not work if you don't have a @MarekLani If you enable the
Nope, you can refresh a token for 24 hours; after those 24 hours, you cannot refresh your token anymore. It is not a rolling window for a SPA. So every 24 hours you will have to perform an interactive flow.
My mistake! I was under the impression the new refresh token had a new expiration. Please disregard my comment.
@code-by-gijs This is not accurate. See my comment above regarding hidden iframes.
Hidden iframes are not the way to go. They require third party cookies. More and more browsers are dropping support for third party cookies by default.
Unfortunately there isn't another workaround at the moment. The limitation of 3p cookies being blocked is going to be more prevalent, as you called out. We are working on solutions that may leverage the Storage Access API, but these are still in design and will need time from the server team and the MSAL team to implement correctly. Until then the only way to handle this is to make a request using the redirect or popup APIs every 24 hours.
The expired acquireTokenSilent call does return the error code from the 400 response, however this information isn't available in the catch; instead it returns "Silent SSO could not be completed - insufficient information was provided. Please provide either a loginHint or sid." The actual response from the failed request: error: "invalid_grant",…} It would be nice to capture these details as the current error message is misleading. @MarekLani, how do you send across the email address from social accounts, for example Google?
@RonniePitts What you're experiencing is by design and the error that you're receiving is telling you what's not working. This happens because
@tnorling, doesn't passing the email address become an issue when you may have multiple social accounts with the same email address? Is it possible to pass across the localAccountId instead, which is available from the prior cache object?
@RonniePitts Email is currently the only session identifier the service accepts. With that said, the B2C service doesn't do anything with the loginHint MSAL sends them in most scenarios; they rely on the cookies set during login. The error thrown in the library is to make sure that developers are passing some session identifier, as it is used, and required, in other non-B2C scenarios. The multiple account scenario you call out is definitely a valid concern and we're working with the B2C service team to improve this experience. If you would like to give them your feedback directly and/or get some support you can open a ticket with the service team by following these instructions
Is there any tutorial to show how to accomplish it using a custom user flow? My user flow needs to be changed in an XML way, but I don't know how to do it.
@vinizinmoraes-concrete You should open a ticket with the B2C service and they should be able to help you configure your user flow. As the original question has been answered I'm going to go ahead and close this issue. Please open a new issue if you have additional non-service related questions, thanks!
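Putting the thread's advice together in code, as an added example that is not from the issue or the MSAL project: a wrapper that tries acquireTokenSilent, fills the B2C account's missing username from the idTokenClaims email (the workaround discussed above), and falls back to the redirect API only on silent_sso_error or an InteractionRequiredAuthError. It assumes the @azure/msal-browser v2 method and error names, and substitutes a constructed stub for PublicClientApplication so it runs offline.

```javascript
// Error code msal-browser raises when the hidden-iframe retry has no loginHint/sid.
const SILENT_SSO_ERROR = "silent_sso_error";

// True only for the failures the thread says must be answered interactively:
// the 24-hour refresh token is gone and SSO lacked a session hint, or the
// service explicitly demanded interaction. Anything else is a real error.
function needsInteraction(err) {
  if (!err) return false;
  if (err.errorCode === SILENT_SSO_ERROR) return true;
  if (err.name === "InteractionRequiredAuthError") return true;
  return false;
}

// B2C accounts often come back with an empty username; copy the email claim
// into it so MSAL has a loginHint to send (the workaround from the thread).
function withUsernameFromClaims(account) {
  if (account.username) return account;
  const email = account.idTokenClaims && account.idTokenClaims.email;
  return email ? { ...account, username: email } : account;
}

async function acquireToken(client, scopes) {
  const account = withUsernameFromClaims(client.getAllAccounts()[0]);
  try {
    return await client.acquireTokenSilent({ scopes, account });
  } catch (err) {
    if (!needsInteraction(err)) throw err; // surface genuine failures
    // Once per refresh-token lifetime (24 h in B2C) this is the only option.
    return client.acquireTokenRedirect({ scopes, account });
  }
}

// Constructed stub in place of PublicClientApplication: the silent call fails
// exactly as reported in this issue, the redirect call "succeeds".
const stubClient = {
  getAllAccounts: () => [{ username: "", idTokenClaims: { email: "user@example.com" } }],
  acquireTokenSilent: async () => {
    const e = new Error("Silent SSO could not be completed - insufficient information was provided.");
    e.name = "BrowserAuthError";
    e.errorCode = SILENT_SSO_ERROR;
    throw e;
  },
  acquireTokenRedirect: async (req) => ({ accessToken: "redirect-token", account: req.account }),
};

acquireToken(stubClient, ["openid"]).then((r) => console.log(r.account.username, r.accessToken));
```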
Library
msal@1.x.x or @azure/msal@1.x.x
@azure/msal-browser@2.x.x
@azure/msal-node@1.x.x
@azure/msal-react@1.x.x (Alpha 1)
@azure/msal-angular@0.x.x
@azure/msal-angular@1.x.x
@azure/msal-angular@2.x.x
@azure/msal-angularjs@1.x.x
Description
I am developing a React app and authenticating users against AAD B2C using the react msal library. I was able to make the authentication work and I am able to acquire a token silently, however I am facing an issue when the original token expires:
BrowserAuthError: silent_sso_error: Silent SSO could not be completed - insufficient information was provided. Please provide either a loginHint or sid.
I assume this has something to do with token not being refreshed. Is there anything I should do explicitly, so that token gets refreshed?
Error Message
BrowserAuthError: silent_sso_error: Silent SSO could not be completed - insufficient information was provided. Please provide either a loginHint or sid.
Reproduction steps
Login using sample code
Wait for 24 hours for token to expire
Issue appears
Expected behavior
AcquireTokenSilently would acquire the token