
[Bug] Silent token acquisition for guest MSA account sometimes fails  #3952

Description

@bgavrilMS

Logs and network traces
Fiddler trace here.

The error is:

{"error":"invalid_grant","error_description":"V2Error: invalid_grant AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2022-09-16T05:15:04.9674384Z and was inactive for 90.00:00:00.\r\nTrace ID: 27c5f2c7-8bc6-403e-824d-c4eab5ec0801\r\nCorrelation ID: 9e6903f4-4e17-4cfa-985f-dca7ccaeedb4\r\nTimestamp: 2023-02-08 09:43:16Z","error_codes":[700082],"timestamp":"2023-02-08 09:43:16Z","trace_id":"27c5f2c7-8bc6-403e-824d-c4eab5ec0801","correlation_id":"9e6903f4-4e17-4cfa-985f-dca7ccaeedb4","error_uri":"https://login.microsoftonline.com/error?code=700082"}

Which version of MSAL.NET are you using?
4.49.1

Platform
.net core

Repro

https://github.com/isra-fel/repro-wam-msa

Setup:

  • App is 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (Az CLI) but you can repro with 1950a258-227b-4e31-a9cf-717495945fc2 (PowerShell) or VS client id. Note that the bug does not always repro.
  • App is MSA-PT
  • scope is "https://management.core.windows.net//.default"
  • you need an MSA account that is guest in a private tenant T (invite via portal)

Repro

  1. call AcquireTokenInteractive with authority l.m.o/organizations
  2. choose an MSA account
    (all good so far, we get a token)
  3. call AcquireTokenSilent with authority l.m.o/T (i.e. use the private tenant where the account is guest)

Expected behavior
A token with tid set to T is obtained silently

Actual behavior
A UIRequiredException occurs. The network trace shows the error is

{"error":"invalid_grant","error_description":"V2Error: invalid_grant AADSTS700082: The refresh token has expired due to inactivity. The token was issued on 2022-09-16T05:15:04.9674384Z and was inactive for 90.00:00:00.\r\nTrace ID: 27c5f2c7-8bc6-403e-824d-c4eab5ec0801\r\nCorrelation ID: 9e6903f4-4e17-4cfa-985f-dca7ccaeedb4\r\nTimestamp: 2023-02-08 09:43:16Z","error_codes":[700082],"timestamp":"2023-02-08 09:43:16Z","trace_id":"27c5f2c7-8bc6-403e-824d-c4eab5ec0801","correlation_id":"9e6903f4-4e17-4cfa-985f-dca7ccaeedb4","error_uri":"https://login.microsoftonline.com/error?code=700082"}

Note: ensure the token is not served from MSAL's cache, i.e. wipe out MSAL's cache every time.

Important notes:

  • I was not able to repro this, but @isra-fel can repro all the time with his personal account
  • the flow works fine if using a browser
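The repro steps above written out as an added MSAL.NET example (this is not the code from the linked repro repository); the tenant id is a placeholder, the redirect URI and the interactive fallback in the catch block are my assumptions, and any broker (WAM) configuration is omitted.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class GuestMsaRepro
{
    // Az CLI client id from the issue; the issue says other MSA-PT apps reproduce it too.
    const string ClientId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";
    // Placeholder: the private tenant T in which the MSA account is a guest.
    const string TenantT = "<TENANT_T>";
    static readonly string[] Scopes = { "https://management.core.windows.net//.default" };

    static async Task Main()
    {
        // Step 1: interactive sign-in against /organizations; step 2 is picking the MSA account.
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority("https://login.microsoftonline.com/organizations")
            .WithRedirectUri("http://localhost") // assumption: loopback redirect for a desktop app
            .Build();

        AuthenticationResult home = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        Console.WriteLine($"Home token: tid={home.TenantId}");

        // Step 3: silent request for the same account, but for tenant T.
        // Nothing for T is cached yet, so MSAL has to redeem the refresh token against T.
        try
        {
            AuthenticationResult guest = await app.AcquireTokenSilent(Scopes, home.Account)
                .WithTenantId(TenantT)
                .ExecuteAsync();
            // Expected behavior: the token's tid is T.
            Console.WriteLine($"Guest token: tid={guest.TenantId} (expected {TenantT})");
        }
        catch (MsalUiRequiredException ex)
        {
            // Actual behavior when the bug reproduces: ESTS answers invalid_grant / AADSTS700082
            // and MSAL surfaces it as a UI-required exception.
            Console.WriteLine($"Silent acquisition failed: {ex.ErrorCode}: {ex.Message}");
            // Assumed recovery: prompt once for tenant T instead of retrying silently in a loop.
            AuthenticationResult guest = await app.AcquireTokenInteractive(Scopes)
                .WithAccount(home.Account)
                .WithTenantId(TenantT)
                .ExecuteAsync();
            Console.WriteLine($"Guest token after interactive fallback: tid={guest.TenantId}");
        }
    }
}
```

Run it with a fresh (empty) token cache so the step 3 request cannot be satisfied from cache, as the note above requires.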

Status: Done