chore(ui): Replace ssoSilent with acquireTokenSilent for token renewal

[chirag-madlani]

Describe your changes:

This PR replaces usage of ssoSilent with acquireTokenSilent for silent token acquisition. The change addresses consistent interaction_required (AADSTS160021) failures observed due to browser restrictions impacting iframe-based authentication flows.

---

Background / Problem

We were relying on ssoSilent for session renewal. This method depends on:

• hidden iframe
• prompt=none
• existing IdP session cookie

Modern browser privacy changes (third-party cookie restrictions) prevent access to Azure AD session cookies in iframe contexts. As a result:

• ssoSilent fails consistently with interaction_required
• App may incorrectly treat this as session expiry → triggers logout
• Leads to degraded UX and unnecessary re-authentication

This behavior is platform-driven (browser + Microsoft Entra ID), not due to application logic changes.

---

Solution

Switch to acquireTokenSilent as the primary mechanism for token acquisition.

• Uses refresh tokens (RT) via MSAL cache
• Does not depend on iframe or IdP session cookies
• More resilient to modern browser privacy constraints

Fallback handling:

• On InteractionRequiredAuthError, trigger loginRedirect (top-level if in iframe)

---

Changes

• Replaced:

  ssoSilent(...)

  with:

  acquireTokenSilent(...)

• Updated error handling:

  • Removed logout triggers on ssoSilent failure
  • Added explicit fallback to interactive login when required

• Ensured:

  • Active account is set via getAllAccounts()
  • Auth state is derived from MSAL account, not silent SSO result

• Updated MsalAuthenticator.test.tsx:

  • Replaced ssoSilent mock with acquireTokenSilent in the mock instance
  • Updated renewIdToken success test assertions to use acquireTokenSilent
  • Added new test verifying that InteractionRequiredAuthError is propagated when renewIdToken encounters an expired/interaction-required session

Impact

✅ Eliminates false logout scenarios
✅ Improves reliability of token renewal
✅ Aligns with modern browser security model
✅ Unit tests now accurately reflect the acquireTokenSilent-based flow
⚠️ First-time login or expired sessions may require redirect (expected behavior)

Testing

• Verified token renewal via acquireTokenSilent
• Confirmed APIs succeed with refreshed tokens
• Tested fallback flow:
  • expired session → redirect login
• Tested in:
  • Chrome (with third-party cookies restricted)
  • Incognito mode

Notes

ssoSilent is inherently unreliable in modern browsers due to third-party cookie restrictions. This change aligns with recommended SPA authentication patterns from Microsoft Entra ID.

Type of change:

• Bug fix
• Improvement
• New feature
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation

Checklist:

• I have read the CONTRIBUTING document.
• My PR title is Fixes <issue-number>: <short explanation>
• I have commented on my code, particularly in hard-to-understand areas.
• For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

[Copilot]

Pull request overview

This PR updates the Azure MSAL authenticator flow in the UI to use acquireTokenSilent (cache/refresh-token based) instead of ssoSilent (iframe/cookie based) for silent token acquisition, aiming to reduce interaction_required failures under modern browser privacy restrictions.

Changes:

• Switched MSAL silent token call from ssoSilent to acquireTokenSilent in MsalAuthenticator.
• Small hardening/cleanup in token refresh utilities (use globalThis, optional chaining, remove console timing).
• Added an aria-label to the popup settings link.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
openmetadata-ui/src/main/resources/ui/src/utils/Auth/TokenService/TokenServiceUtil.ts	Minor browser-global cleanup (globalThis) and callback invocation cleanup for token refresh notifications.
openmetadata-ui/src/main/resources/ui/src/components/Auth/AppAuthenticators/MsalAuthenticator.tsx	Replaces silent auth method with acquireTokenSilent and updates a link’s accessibility label.

Comments suppressed due to low confidence (1)

openmetadata-ui/src/main/resources/ui/src/components/Auth/AppAuthenticators/MsalAuthenticator.tsx:98

• renewIdToken() calls fetchIdToken() with the default shouldFallbackToPopup=false, so when acquireTokenSilent throws InteractionRequiredAuthError (the scenario this PR is addressing), the code currently falls into the non-fallback branch and just rethrows. This means token renewal can still hard-fail instead of triggering an interactive flow. Consider handling InteractionRequiredAuthError unconditionally here (e.g., initiate loginRedirect in top-level windows and loginPopup when embedded) or pass/derive shouldFallbackToPopup so the fallback path is actually reachable.

      const tokenRequest = {
        account: account || accounts[0], // This is an example - Select account based on your app's requirements
        scopes: msalLoginRequest.scopes,
      };
      try {
        const response = await instance.acquireTokenSilent(tokenRequest);
        const msalResponse = await parseMSALResponse(response);

        return msalResponse;
      } catch (error) {
        if (
          error instanceof InteractionRequiredAuthError &&
          shouldFallbackToPopup
        ) {

[Copilot]

This code path switched from ssoSilent to acquireTokenSilent, but there is an existing unit test (MsalAuthenticator.test.tsx) that still mocks/asserts ssoSilent for renewIdToken. The test suite will fail unless the mock instance and assertions are updated to use acquireTokenSilent and to reflect any new interaction-required fallback behavior.

[chirag-madlani]

@copilot apply changes based on this feedback

[Copilot]

Fixed in d470b3f. Updated MsalAuthenticator.test.tsx to:

• Replace ssoSilent with acquireTokenSilent in the mock instance
• Update the renewIdToken success test to assert against acquireTokenSilent
• Add a new test that verifies InteractionRequiredAuthError is propagated when renewIdToken encounters an expired/interaction-required session (aligning with the new fallback behavior)

[gitar-bot]

Code Review ✅ Approved

Replaces the deprecated ssoSilent method with acquireTokenSilent for Azure token renewal, including corresponding test updates. No issues found.

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact

gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[github-actions]

Jest test Coverage

UI tests summary

Lines	Statements	Branches	Functions
	64.28% (59499/92558)	43.78% (31019/70851)	46.94% (9355/19928)

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ui'

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🟡 Playwright Results — all passed (21 flaky)

✅ 3597 passed · ❌ 0 failed · 🟡 21 flaky · ⏭️ 207 skipped

Shard	Passed	Failed	Flaky	Skipped
🟡 Shard 1	455	0	2	2
🟡 Shard 2	639	0	3	32
🟡 Shard 3	647	0	4	26
🟡 Shard 4	616	0	6	47
🟡 Shard 5	606	0	1	67
🟡 Shard 6	634	0	5	33

🟡 21 flaky test(s) (passed on retry)

• Features/CustomizeDetailPage.spec.ts › Ml Model - customization should work (shard 1, 1 retry)
• Pages/UserCreationWithPersona.spec.ts › Create user with persona and verify on profile (shard 1, 1 retry)
• Features/BulkEditEntity.spec.ts › Glossary (shard 2, 1 retry)
• Features/DataQuality/TestCaseIncidentPermissions.spec.ts › User with only VIEW cannot PATCH incidents (shard 2, 1 retry)
• Features/DataQuality/TestCaseResultPermissions.spec.ts › User with only VIEW cannot PATCH results (shard 2, 1 retry)
• Features/IncidentManager.spec.ts › Complete Incident lifecycle with table owner (shard 3, 1 retry)
• Features/Permissions/GlossaryPermissions.spec.ts › Team-based permissions work correctly (shard 3, 1 retry)
• Features/Table.spec.ts › Tags term should be consistent for search (shard 3, 1 retry)
• Flow/ExploreDiscovery.spec.ts › Should not display soft deleted assets in search suggestions (shard 3, 1 retry)
• Pages/Customproperties-part2.spec.ts › entityReferenceList shows item count, scrollable list, no expand toggle (shard 4, 1 retry)
• Pages/DataContracts.spec.ts › Create Data Contract and validate for Table (shard 4, 1 retry)
• Pages/DataContractsSemanticRules.spec.ts › Validate DataProduct Rule Any_In (shard 4, 1 retry)
• Pages/Domains.spec.ts › Domain Rbac (shard 4, 1 retry)
• Pages/DomainUIInteractions.spec.ts › Add expert to domain via UI (shard 4, 1 retry)
• Pages/Entity.spec.ts › Delete Container (shard 4, 1 retry)
• Pages/ExploreTree.spec.ts › Verify Database and Database Schema available in explore tree (shard 5, 1 retry)
• Pages/Lineage/DataAssetLineage.spec.ts › Column lineage for container -> mlModel (shard 6, 1 retry)
• Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
• Pages/ODCSImportExport.spec.ts › Multi-object ODCS contract - object selector shows all schema objects (shard 6, 1 retry)
• Pages/ProfilerConfigurationPage.spec.ts › Non admin user (shard 6, 1 retry)
• Pages/Users.spec.ts › Permissions for table details page for Data Consumer (shard 6, 1 retry)

📦 Download artifacts

How to debug locally

# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

[github-actions]

Failed to cherry-pick changes to the 1.12.5 branch.
Please cherry-pick the changes manually.
You can find more details here.