Franz Kiermaier
Reputation: 397
Azure AD ADAL in MVC Application - Token Expiration
I have created a Web Application using Azure AD for authentication. The Access Token expires after one hour (by default). Since my Application mainly uses Telerik Controls it doesn't do any full page roundtrips to the server. To refresh the token I have implemented a JavaScript countdown. I have tried different approaches
- Insert a hidden IFrame and refresh the content of the IFrame with a page inside my app before the token expires
- Insert a hidden IFrame and refresh the content of the IFrame with the Microsoft logon link like described in this Microsoft article: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-v2-protocols-implicit
- Open a Temporary window with the Microsoft logon link
- I also took a look inside the ADAL JavaScript Library here: https://github.com/AzureAD/azure-activedirectory-library-for-js/tree/dev but this would mean I have to rebuild the whole application
All approaches did not work. Even worse: If i do a full page refresh by hitting F5 in the browser, approximately 5 minutes before the token expires, the page does not load anymore and the "loading" circle in the browser is spinning endlessly.
Does anybody have a working approach how to deal with ADAL access tokens in MVC?
This is the code to configure my authentication
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions() { CookieSecure = CookieSecureOption.Always });
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = "https://login.microsoftonline.com/common/",
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
// instead of using the default validation (validating against a single issuer value, as we do in line of business apps (single tenant apps)),
// we turn off validation
//
// NOTE:
// * In a multitenant scenario you can never validate against a fixed issuer string, as every tenant will send a different one.
// * If you don’t care about validating tenants, as is the case for apps giving access to 1st party resources, you just turn off validation.
// * If you do care about validating tenants, think of the case in which your app sells access to premium content and you want to limit access only to the tenant that paid a fee,
// you still need to turn off the default validation but you do need to add logic that compares the incoming issuer to a list of tenants that paid you,
// and block access if that’s not the case.
// * Refer to the following sample for a custom validation logic: https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet
ValidateIssuer = false
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
// If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
AuthorizationCodeReceived = (context) =>
{
var code = context.Code;
ClientCredential credential = new ClientCredential(clientId, appKey);
string tenantID = context.AuthenticationTicket.Identity.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string signInUserId = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
AuthenticationContext authContext = new AuthenticationContext(string.Format("{0}/{1}", "https://login.microsoftonline.com", tenantID), new ADALTokenCache(signInUserId));
// Get the access token for AAD Graph. Doing this will also initialize the token cache associated with the authentication context
// In theory, you could acquire token for any service your application has access to here so that you can initialize the token cache
AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, "https://graph.windows.net");
return Task.FromResult(0);
},
RedirectToIdentityProvider = (context) =>
{
// This ensures that the address used for sign in and sign out is picked up dynamically from the request
// this allows you to deploy your app (to Azure Web Sites, for example)without having to change settings
// Remember that the base URL of the address used here must be provisioned in Azure AD beforehand.
string appBaseUrl = context.Request.Scheme + "://" + context.Request.Host + context.Request.PathBase;
context.ProtocolMessage.RedirectUri = appBaseUrl + "/";
context.ProtocolMessage.PostLogoutRedirectUri = appBaseUrl;
return Task.FromResult(0);
},
AuthenticationFailed = (context) =>
{
// Suppress the exception if you don't want to see the error
context.HandleResponse();
return Task.FromResult(0);
}
}
});
}
This is the code in my BaseController to refresh the token before it expires. I monitor the Token Expiration client side and call this method before the Token expires:
[HttpGet]
public ActionResult RefreshAuthenticationToken()
{
var refreshToken = DirectoryUserRepository.GetTokenForApplication().Result.RefreshToken;
var newToken = DirectoryUserRepository.RefreshToken(refreshToken);
return Json(new { TokenExpirationTimestampUTC = newToken.ExpiresOn.GetUnixTimestamp() }, JsonRequestBehavior.AllowGet);
}
Here are the other missing methods
public async Task<AuthenticationToken> GetTokenForApplication()
{
string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
string userObjectID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;
// get a token for the Graph without triggering any user interaction (from the cache, via multi-resource refresh token, etc)
ClientCredential clientcred = new ClientCredential(clientId, appKey);
// initialize AuthenticationContext with the token cache of the currently signed in user, as kept in the app's database
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance + tenantID, new ADALTokenCache(signedInUserID));
try
{
var authenticationResult = await authenticationContext
.AcquireTokenSilentAsync(
graphResourceID,
new ClientCredential(clientId, appKey),
new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));
return new AuthenticationToken(authenticationResult.AccessToken) { ExpiresOn = authenticationResult.ExpiresOn, RefreshToken = authenticationResult.RefreshToken };
//return authenticationResult.AccessToken;
}
catch (AggregateException e)
{
foreach (Exception inner in e.InnerExceptions)
{
if (!(inner is AdalException)) continue;
if (((AdalException)inner).ErrorCode == AdalError.FailedToAcquireTokenSilently)
{
authenticationContext.TokenCache.Clear();
}
}
throw e.InnerException;
}
catch (AdalException exception)
{
if (exception.ErrorCode == AdalError.FailedToAcquireTokenSilently)
{
authenticationContext.TokenCache.Clear();
throw;
}
return null;
}
}
public AuthenticationToken RefreshToken(string refreshToken)
{
string signedInUserID = ClaimsPrincipal.Current.FindFirst(ClaimTypes.NameIdentifier).Value;
string tenantID = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
// get a token for the Graph without triggering any user interaction (from the cache, via multi-resource refresh token, etc)
ClientCredential clientcred = new ClientCredential(clientId, appKey);
// initialize AuthenticationContext with the token cache of the currently signed in user, as kept in the app's database
AuthenticationContext authenticationContext = new AuthenticationContext(aadInstance + tenantID, new ADALTokenCache(signedInUserID));
try
{
var authenticationResult = authenticationContext
.AcquireTokenByRefreshToken(
refreshToken,
clientcred,
graphResourceID);
return new AuthenticationToken(authenticationResult.AccessToken) { ExpiresOn = authenticationResult.ExpiresOn, RefreshToken = authenticationResult.RefreshToken };
}
catch (AggregateException e)
{
foreach (Exception inner in e.InnerExceptions)
{
if (!(inner is AdalException)) continue;
if (((AdalException)inner).ErrorCode == AdalError.FailedToAcquireTokenSilently)
{
authenticationContext.TokenCache.Clear();
}
}
throw e.InnerException;
}
catch (AdalException exception)
{
if (exception.ErrorCode == AdalError.FailedToAcquireTokenSilently)
{
authenticationContext.TokenCache.Clear();
throw;
}
return null;
}
}
Upvotes: 1
Views: 2759
Answers (1)
Fei Xue
Reputation: 14649
The are two kinds of access tokens we can use from a web application to call the web API.
The first is that using delegated User identity with OAuth 2.0 Authorization Code Grant flow. The second is that using application identity with OAuth 2.0 Client Credentials Grant flow.
When we use the delegated user token, we can refresh the token via the web application server side then the token is expired.
And if you using the application identity to acquire the token, we can get the access token again using the app's credential.
Since my Application mainly uses Telerik Controls it doesn't do any full page roundtrips to the server.
Did you mean that the control using AJAX to receive the data? If I understood correctly, we can develop an proxy in MVC application to acquire the data. And in the proxy service, we can renew the token when the token is expired.
Here is a figure about the flow of web application call the web API:
Update(refresh the access token via HTTP request)
public static void RefreshToken(string refreshToken)
{
HttpClient client = new HttpClient();
string clientId = "{clientId}";
string secret = "{secret}";
string resource = "https://graph.windows.net";
StringBuilder sb = new StringBuilder();
sb.Append($"client_id={clientId}");
sb.Append($"&grant_type=refresh_token");
sb.Append($"&client_secret={secret}");
sb.Append($"&resource={resource}");
sb.Append($"&refresh_token={refreshToken}");
HttpContent bodyContent = new StringContent(sb.ToString(), Encoding.UTF8, "application/x-www-form-urlencoded");
var tokenResponse = client.PostAsync("https://login.microsoftonline.com/common/oauth2/token", bodyContent).Result;
var stringResponse = tokenResponse.Content.ReadAsStringAsync().Result;
JObject jObject = JObject.Parse(stringResponse);
Console.WriteLine(jObject["access_token"].Value<string>());
}
Upvotes: 1
Related Questions
- Handle token timeout in Asp.Net MVC when using Azure AD
- IdentityServer MVC Token Expiration
- How can I configure the expiration time of an Azure AD access token (using ADAL)?
- azure active directory token lifetimes
- Handling expired Azure AD session in asp.net core and angular app
- AuthorizeAttribute adal signout MVC
- ADAL native application token expires after 12 hours
- MVC App using Azure AD with ADAL 3 - Authentication Cookie expires after 1 hour
- mvc azure ad token expiration
- Azure AAD token expire issue with web app