Android + Broker - interactive auth is forced when requesting different resources #1353
Comments
@eldin66 : I believe that what you observe is the expected behavior as, when an app uses the broker, the Refresh token is really stored and refreshed by the broker itself. (ADAL delegates token acquisition to the broker.) Did you ever see that the Refresh token was not null?
@jmprieur Did you ever see that the Refresh token was not null?
@eldin66 : @jennyf19 will confirm, but I believe that the reason why the refresh token is kept locally in ADAL.NET for Xamarin.iOS is that otherwise the application would be interrupted to display the broker app, and therefore the experience would not be good. On Android, this is not needed as apps can be called in the background, and therefore the Refresh token is kept in the broker. Again, do you see the access token not being refreshed silently on Android (that would be a bug)? The fact that the implementation is different (the refreshment is done by the broker, not the application) should not matter to app developers?
@jmprieur The token does not get refreshed silently on Android when using the broker.
@jennyf19 : The token does not get refreshed silently on Android when using the broker.
Are you able to give an ETA for this bugfix? This is so we can decide how to move forward with our planning.
@jennyf19 is looking at it.
Any update on this issue? Edit: Oops, accidentally closed issue when commenting.
@eldin66 we've been prioritizing msal issues. I will get to this asap.
Thanks for the update.
Is there an approximate ETA available for this bug?
@eldin66 Sorry for the delay. @bgavrilMS is working on another broker issue and will keep you updated. thanks.
Hi @eldin66 - just a quick update here. We've had several users report an issue on Android, when using the broker. It seems that the bug repros when the application is set to access multiple resources. I am still trying to repro this, but a rough repro scenario is:
Actual: the silent call fails. Impact: if the silent call fails, apps typically fall back to an interactive call => user prompt for password again.
Hi @bgavrilMS , Thanks for the update. This is indeed the case for us. First we access Microsoft Graph and then SharePoint.
Hi @eldin66, I have another update. I've inspected the logs of an internal user who also has this problem and I can now conclude there is a failure when calling the broker. I am reaching out to the broker team for further investigation (the broker code is not public, so I can't reference an issue, so I will keep this issue open). I also found a minor problem in the way the ADAL token cache behaves, but I don't think it is as significant as the broker failure - #1463 The failure in the log if you'd like to confirm: AdalLoggerBase.cs: User is specified for background token request
I have a potential fix for one of the 2 causes of failure. Please try it out from: This fix should decrease the number of interactive logins by quite a bit, but it does not fix the entire problem. It focuses on fixing the ADAL token cache, so scenarios such as:
Since the ADAL token cache does not hold on to the refresh token, it can only serve access tokens, which have a default expiration of 1h. After that 1h, the silent requests will fail and your code should redirect to interactive requests. I'll update the thread when I manage to meet with the Authenticator team.
I’m currently on vacation and sadly don’t have my gear with me to check. I’ll be back at work on 5 January but maybe I can test it before that. Happy holidays and have a great new year :)
Enjoy your holiday @eldin66, most of us will be out of office soon as well. There are several customers impacted by this issue and you are the first to report it on GitHub, so I'll keep on adding details here.
I am back from my holidays. Do you still need me to test for you or did you already make progress?
Hi @eldin66 , welcome back! We made some progress in the sense that we added 2 potential fixes and a lot of logging :). It seems that everyone experiencing broker issues is actually facing a different problem. Could I ask you to try this package please? https://www.myget.org/feed/aad-clients-nightly/package/nuget/Microsoft.IdentityModel.Clients.ActiveDirectory/4.4.2-internal01002fix1353 Please make sure to turn on all logging, see https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/Logging-in-ADAL.Net if in doubt.
Thank you @bgavrilMS :). I have tried the nightly package and it seems that the problem has been partially fixed. The token now refreshes silently after an app restart. The only problem that remains is that during the initial login the user has to authenticate twice. Here are the logs:
Thank you. When you perform the AcquireTokenSilent call, what do you provide as user identifier / login hint? I believe you provide the UniqueID, but in fact the UPN (the email) should be provided. The reason is that we need to identify the account to be used in the silent call on the broker side. This is known to you from the interactive call as result.UserInfo.DisplayableId; Here is a code sample that I have and is working: azure-activedirectory-library-for-dotnet/devApps/AdalAndroidTestApp/MainActivity.cs Line 122 in 632d767
I did use the UniqueID. I changed it to use the UPN and the application behaves the same. This is my exact code for the silent call:
Hi @bgavrilMS, no worries. I will test it out asap and report my findings.
Hi @bgavrilMS, I tested version 4.5 and can confirm that the issue has been partially fixed. The token now gets silently refreshed after an app restart, for us this was the most important fix here. Thank you! The issue that still remains is that the user has to login twice on initial login. Once using https://login.windows.net/ and second time https://graph.microsoft.com.
Not sure I fully understand what you mean by your last statement. I assume that you need to login once for Sharepoint and once for Graph? I expect that if you get a token for resource R1 interactively, then you should be able to perform silent calls to get tokens for R2 (and R1 of course). Are you making the silent calls explicitly?
Yes, that is exactly what I mean. After we interactively got the token for R1, we cannot get the token silently for R2. It works on iOS and not on Android.
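As an added illustration (not code from this thread or from the ADAL repository) of the pattern discussed above: sign in interactively for one resource, pass the UPN from result.UserInfo.DisplayableId as the identifier for the later silent call against a second resource through the Android broker, and fall back to an interactive call when the silent request fails. Authority, client id, redirect URI and the SharePoint resource URL are placeholders, and the ADAL.NET 4.x API names used are assumed from the public library surface.

```csharp
// Added example: interactive acquire for R1, silent acquire for R2 via the broker,
// with the UPN (not UniqueId) as the silent identifier and an interactive fallback.
using System;
using System.Threading.Tasks;
using Android.App;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class BrokerTokens
{
    const string Authority = "https://login.microsoftonline.com/common"; // placeholder
    const string ClientId = "<client-id>";                               // placeholder
    const string RedirectUri = "<redirect-uri>";  // placeholder; must match the broker registration

    public static async Task<AuthenticationResult> GetTokenAsync(
        Activity activity, string resource, string upn)
    {
        var ctx = new AuthenticationContext(Authority);
        var platformParams = new PlatformParameters(activity, useBroker: true);

        if (!string.IsNullOrEmpty(upn))
        {
            try
            {
                // Identify the broker account by UPN (DisplayableId), not by UniqueId.
                var user = new UserIdentifier(upn, UserIdentifierType.OptionalDisplayableId);
                return await ctx.AcquireTokenSilentAsync(resource, ClientId, user);
            }
            catch (AdalSilentTokenAcquisitionException ex)
            {
                // With the broker, the ADAL cache holds no refresh token, so once the
                // access token (default 1h) expires the silent call fails: go interactive.
                Console.WriteLine($"Silent call for {resource} failed: {ex.ErrorCode}");
            }
        }
        return await ctx.AcquireTokenAsync(resource, ClientId, new Uri(RedirectUri), platformParams);
    }

    public static async Task RunAsync(Activity activity)
    {
        // First resource (R1): one interactive sign-in.
        var graph = await GetTokenAsync(activity, "https://graph.microsoft.com", null);
        var upn = graph.UserInfo.DisplayableId;   // UPN to hand to later silent calls

        // Second resource (R2): expected to succeed silently against the same broker account.
        var sharePoint = await GetTokenAsync(activity, "https://<tenant>.sharepoint.com", upn);
    }
}
```

Turning on ADAL logging (see the wiki link earlier in the thread) shows whether the silent path hit the broker or fell through to the interactive call.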
Closing as duplicate of #1601 which is being fixed.
Which version of ADAL are you using?
4.3
Which platform has the issue?
Xamarin.Android
What authentication flow has the issue?
Repro
While using the broker to authenticate users, the token cache does not have a refresh token.
See code:
Expected behavior
TokenCache has a RefreshToken that is not null.
Actual behavior
RefreshToken in TokenCache is null when using a broker. When platformParams.UseBroker = false; the behavior is as expected and RefreshToken in TokenCache is not null.