Reputation: 2866
I am using ASP.NET 4.8, implementing OpenID auth against Azure AD, and consecutive provisioning of access to Power BI APIs. The scenario is described here. What I don't understand is how this works in a web farm.
Here is how I understand the steps on a single server:
1. A user authenticates using OpenID against Azure AD and receives an authorization code.
2. This authorization code is used by ConfidentialClientApplication in a call to AcquireTokenByAuthorizationCode to get an AccessToken that is stored in a token cache.
3. Later, when a user needs to access some API, the AccessToken is retrieved from the token cache. If the AccessToken is expired or is not there, the ConfidentialClientApplication has access to the RefreshToken to get a new AccessToken.
I guess I don't understand how this works in a multi-server scenario. If node A in a web farm went through the steps above and contains the access and refresh tokens, what happens when a request is served by node B that has none of these tokens? Is there a way to get a hold of the refresh token from a cookie in order to request a new access token on node B?
Thank you for your help!
Upvotes: 0
Views: 818
Reputation: 349
You should use the distributed cache. More about this here: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnetcore#distributed-token-caches
Note: the link above does not contain a ready-to-use example; you will need to set up some kind of real distributed cache first (SQL, Redis, NCache): https://learn.microsoft.com/en-us/aspnet/core/performance/caching/distributed
Upvotes: 1
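The following sketch is an added example, not code from the posts above or from Microsoft's documentation: it wires MSAL.NET's token cache serialization callbacks to an `IDistributedCache`, so that any node can load the tokens another node acquired. The class name `FarmTokenCache`, the 14-day expiry, and the use of an `IDataProtector` with a key ring shared by all nodes are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Identity.Client;

// Added example (hypothetical helper): binds an MSAL.NET user token cache to a store shared by all farm nodes.
public static class FarmTokenCache
{
    // distributedCache: any IDistributedCache (SQL Server, Redis, NCache) reachable from every node.
    // protector: an IDataProtector whose key ring is shared by all nodes (assumption),
    //            so refresh tokens are not stored in clear text in the shared store.
    public static void Attach(ITokenCache tokenCache, IDistributedCache distributedCache, IDataProtector protector)
    {
        var entryOptions = new DistributedCacheEntryOptions
        {
            // Constructed value: drop the cache of a user who has been inactive for 14 days.
            SlidingExpiration = TimeSpan.FromDays(14)
        };

        // Before MSAL reads the cache: load this user's blob, whichever node wrote it.
        tokenCache.SetBeforeAccess(args =>
        {
            // The key is per user; it can be empty before the user is known (authorization code redemption).
            if (string.IsNullOrEmpty(args.SuggestedCacheKey)) return;
            byte[] stored = distributedCache.Get(args.SuggestedCacheKey);
            if (stored == null) return; // no tokens for this user on any node
            try
            {
                args.TokenCache.DeserializeMsalV3(protector.Unprotect(stored), shouldClearExistingCache: true);
            }
            catch (CryptographicException)
            {
                // Blob was tampered with or protected under another key: discard it.
                distributedCache.Remove(args.SuggestedCacheKey);
            }
        });

        // After MSAL changes the cache (new or refreshed tokens): write the blob back.
        tokenCache.SetAfterAccess(args =>
        {
            if (!args.HasStateChanged || string.IsNullOrEmpty(args.SuggestedCacheKey)) return;
            byte[] blob = args.TokenCache.SerializeMsalV3();
            distributedCache.Set(args.SuggestedCacheKey, protector.Protect(blob), entryOptions);
        });
    }
}
```

Call `FarmTokenCache.Attach(app.UserTokenCache, cache, protector)` on each node right after building the `ConfidentialClientApplication`; a node that did not handle the sign-in can then call `GetAccountAsync` and `AcquireTokenSilent`. With this layout the refresh token stays in the protected server-side store, and the sign-in cookie only needs to identify the user.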