Logs and network traces
Fiddler trace here.
The error is:
{"error":"invalid_grant","error_description":"V2Error: invalid_grant AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2022-09-16T05:15:04.9674384Z and was inactive for 90.00:00:00.\r\nTrace ID: 27c5f2c7-8bc6-403e-824d-c4eab5ec0801\r\nCorrelation ID: 9e6903f4-4e17-4cfa-985f-dca7ccaeedb4\r\nTimestamp: 2023-02-08 09:43:16Z","error_codes":[700082],"timestamp":"2023-02-08 09:43:16Z","trace_id":"27c5f2c7-8bc6-403e-824d-c4eab5ec0801","correlation_id":"9e6903f4-4e17-4cfa-985f-dca7ccaeedb4","error_uri":"https://login.microsoftonline.com/error?code=700082"}
Which version of MSAL.NET are you using?
4.49.1
Platform
.net core
Repro
https://github.com/isra-fel/repro-wam-msa
Setup:
- App is 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (Az CLI) but you can repro with 1950a258-227b-4e31-a9cf-717495945fc2 (PowerShell) or VS client id. Note that the bug does not always repro.
- App is MSA-PT
- scope is "https://management.core.windows.net//.default"
- you need an MSA account that is guest in a private tenant T (invite via portal)
Repro
- call AcquireTokenInteractive with authority l.m.o/organizations
- choose an MSA account
(all good so far, we get a token)
- call AcquireTokenSilent with authority l.m.o/T (i.e. use the private tenant where the account is guest)
Expected behavior
A token with tid set to T is obtained silently
Actual behavior
A UIRequiredException occurs. The network trace shows the error is
{"error":"invalid_grant","error_description":"V2Error: invalid_grant AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2022-09-16T05:15:04.9674384Z and was inactive for 90.00:00:00.\r\nTrace ID: 27c5f2c7-8bc6-403e-824d-c4eab5ec0801\r\nCorrelation ID: 9e6903f4-4e17-4cfa-985f-dca7ccaeedb4\r\nTimestamp: 2023-02-08 09:43:16Z","error_codes":[700082],"timestamp":"2023-02-08 09:43:16Z","trace_id":"27c5f2c7-8bc6-403e-824d-c4eab5ec0801","correlation_id":"9e6903f4-4e17-4cfa-985f-dca7ccaeedb4","error_uri":"https://login.microsoftonline.com/error?code=700082"}
Note: ensure you do not serve the token from MSAL's cache, i.e. wipe out MSAL's cache every time.
Important notes:
- I was not able to repro this, but @isra-fel can repro all the time with his personal account
- the flow works fine if using a browser
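The two-step flow from the repro above as an added C# example (not code from the linked repro repository or from MSAL.NET itself), showing where the AADSTS700082 / invalid_grant failure surfaces as an MsalUiRequiredException and the only safe recovery, an interactive call scoped to tenant T. It assumes MSAL.NET 4.49.x with the Microsoft.Identity.Client.Broker package's WithBrokerPreview() for WAM; TenantT is a placeholder for the private tenant's id.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Broker; // assumption: NuGet Microsoft.Identity.Client.Broker, WithBrokerPreview()
class Program
{
    // Client id and scope are the values from the issue; TenantT is a placeholder.
    const string ClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"; // Az CLI
    const string TenantT  = "<tenant-id-of-T>";                       // PLACEHOLDER: private tenant T
    static readonly string[] Scopes = { "https://management.core.windows.net//.default" };
    [DllImport("kernel32.dll")] static extern IntPtr GetConsoleWindow(); // WAM needs a parent window
    static async Task Main()
    {
        // A freshly built PublicClientApplication has an empty in-memory token cache,
        // so step 2 cannot be served from MSAL's cache (as the repro note requires).
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority("https://login.microsoftonline.com/organizations")
            .WithRedirectUri($"ms-appx-web://microsoft.aad.brokerplugin/{ClientId}")
            .WithBrokerPreview()
            .Build();
        // Step 1: interactive sign-in against /organizations; pick the MSA guest account.
        AuthenticationResult first = await app.AcquireTokenInteractive(Scopes)
            .WithParentActivityOrWindow(GetConsoleWindow())
            .ExecuteAsync();
        Console.WriteLine($"Interactive OK, tid={first.TenantId}");
        // Step 2: silent acquisition for tenant T, where the account is a guest.
        try
        {
            AuthenticationResult silent = await app.AcquireTokenSilent(Scopes, first.Account)
                .WithAuthority($"https://login.microsoftonline.com/{TenantT}")
                .ExecuteAsync();
            Console.WriteLine(silent.TenantId == TenantT ? "Expected: tid is T" : $"Unexpected tid={silent.TenantId}");
        }
        catch (MsalUiRequiredException ex)
        {
            // This is where the issue's invalid_grant / AADSTS700082 response lands.
            bool isAadsts700082 = ex.Message.Contains("AADSTS700082");
            Console.WriteLine($"UI required: {ex.ErrorCode}, classification={ex.Classification}, " +
                              $"AADSTS700082={isAadsts700082}, correlationId={ex.CorrelationId}");
            // A rejected refresh token can only be recovered interactively; scope the prompt to T.
            AuthenticationResult fallback = await app.AcquireTokenInteractive(Scopes)
                .WithAuthority($"https://login.microsoftonline.com/{TenantT}")
                .WithParentActivityOrWindow(GetConsoleWindow())
                .ExecuteAsync();
            Console.WriteLine($"Recovered interactively, tid={fallback.TenantId}");
        }
    }
}
```

Log the correlation id from the exception rather than parsing the error body; it is the value to quote when reporting the repro.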