Merge pull request #328 from microsoft/users/tracyboehrer/non-jwt-token-fix

tracyboehrer · web-flow · commit 3d2db10b1de7 · 2025-06-12T20:16:06.000-05:00
Handling non-JWT token during OAuth by not caching
diff --git a/src/libraries/Client/Microsoft.Agents.Connector/RestClients/UserTokenRestClient.cs b/src/libraries/Client/Microsoft.Agents.Connector/RestClients/UserTokenRestClient.cs
@@ -406,8 +406,11 @@ private static TokenResponse GetTokenResponseFromCache(string cacheKey)
             var value = _cache.Get(cacheKey);
             if (value != null)
             {
+                // Token Service will renew within 5 minutes of expiration.  Return the cached token
+                // if there is more than that. Otherwise, remove it from the cache and return null.  This
+                // will result in a call to the Token Service to get a new token.
                 var toExpiration = ((TokenResponse)value).Expiration - DateTimeOffset.UtcNow;
-                if (toExpiration?.TotalMinutes >= 5) // Align with sliding expiration
+                if (toExpiration?.TotalMinutes >= 5)
                 {
                     return (TokenResponse)value;
                 }
@@ -422,22 +425,34 @@ private static void AddTokenResponseToCache(string cacheKey, TokenResponse token
         {
             if (tokenResponse != null && tokenResponse.Token != null)
             {
-                var jwtToken = new JwtSecurityToken(tokenResponse.Token);
-
-                tokenResponse.IsExchangeable = IsExchangeableToken(jwtToken);
-
-                if (tokenResponse.Expiration == null)
+                try
+                {
+                    var jwtToken = new JwtSecurityToken(tokenResponse.Token);
+                    if (tokenResponse.Expiration == null)
+                    {
+                        // It's usually the case that the TokenResponse will NOT include an expiration value,
+                        // in which case we will use the JWT token expiration value.
+                        tokenResponse.Expiration = jwtToken.ValidTo;
+                    }
+                    tokenResponse.IsExchangeable = IsExchangeableToken(jwtToken);
+                }
+                catch (Exception)
                 {
-                    // Token Service isn't returning Expiration in TokenResponse
-                    tokenResponse.Expiration = jwtToken.ValidTo;
+                    tokenResponse.IsExchangeable = false;
                 }
 
-                _cache.Add(
-                    new CacheItem(cacheKey) { Value = tokenResponse },
-                    new CacheItemPolicy()
-                    {
-                        SlidingExpiration = TimeSpan.FromMinutes(5)
-                    });
+                // If the TokenResponse doesn't contain an expiration value then expiration calcs
+                // won't be available to callers.  But the token can otherwise be used.  However,
+                // we'll skip caching for now.
+                if (tokenResponse.Expiration != null)
+                {
+                    _cache.Add(
+                        new CacheItem(cacheKey) { Value = tokenResponse },
+                        new CacheItemPolicy()
+                        {
+                            SlidingExpiration = TimeSpan.FromMinutes(5)
+                        });
+                }
             }
         }
 
