How to extend access token in ASP.NET SDK sample

Question

My application is based on ASP.NET SDK sample for Microsoft graph from here: https://developer.microsoft.com/en-us/graph/docs/get-started/aspnetmvc

I successfully build an application which manages calendars (meeting rooms), but I come across the problem that user is logged out after 1 hour. Application is based on OpenID and lifetime of access token is 1 hour. I would assume that in SDK sample would automatically extend lifetime of access token through code bellow, so that I would not implement refresh token by self:

var cca = new ConfidentialClientApplication(appId, redirectUri, new ClientCredential(appSecret), tokenCache);
var result = await cca.AcquireTokenSilentAsync(scopes);

I was trying playing around with cookie and authentication options, but I want successful:

var cookieAuthenticationOptions = new CookieAuthenticationOptions();
cookieAuthenticationOptions.ExpireTimeSpan = TimeSpan.FromMinutes(90);
cookieAuthenticationOptions.SlidingExpiration = false;

new OpenIdConnectAuthenticationOptions{ UseTokenLifetime = true }

So basically I would like to know, how to keep user signed in for 90 days in my application so user don’t need to enter his credentials every hour.

1. Is it possible to do that in sample SDK or do I need to implement it manually?
   
2. If is it possible by SDK, what should I change or how to set it up?

Thank you very much for your help.

Answer 1

As mentioned by @Jason Johnston The SDK handles it by itself but there is one thing we have found out when we read this article - Focus on tenants section.

Most of our users had personal and even organization account and therefore when it tried to refresh the token you had to choose one of these accounts (when asked by MS login page after every hour.)

After changing our login URL to work with "organizations" tenant, no other action was needed and then all refreshing happened automatically, which was our intended behavior.

Answer 2

From a quick look at that sample, it should work. Refreshing the tokens is a task for the MSAL library, not the Graph SDK. Essentially the way it works is that the sample sets the GraphClient to call GetUserAccessTokenAsync whenever it sends a request. That method calls AcquireTokenSilentAsync from the MSAL library, which does the following:

• Checks the token cache for a valid non-expired access token. If it's there, returns it.
• If the token is expired, it checks for the presence of a refresh token. If the refresh is there, it uses it to obtain a new access token/refresh token, caches the new tokens, then returns the new access token.

If that's not happening, I would examine what's going on with your token cache. It looks like that sample uses the session to store the tokens, so it could be something expiring with your session. A more robust solution would be to store tokens in a secure database, but samples tend to take the easy route here :)

Answer 3

You cannot control the TTL for tokens but you can get a Refresh Token by requesting the offline_access scope. The TTL for Refresh Tokens is 14 days and each time you request a refresh you get both a new token and a new refresh token.

While not specific to the SDK, I wrote a v2 Endpoint Primer which covers the underlying mechanisms at play here, including refresh tokens.