
GraphServiceClient token expiration on EasyAuth App Service with session lifetime cookie #2880

Open
mwiedemeyer opened this issue Jun 7, 2024 · 5 comments

Comments

@mwiedemeyer

Microsoft.Identity.Web Library: Microsoft.Identity.Web
Microsoft.Identity.Web version: 2.19.0
Web app: Sign-in users
Web API: Protected web APIs call downstream web APIs
Token cache serialization: In-memory caches

Description

I'm using Azure App Service EasyAuth and Microsoft.Identity.Web and Microsoft.Identity.Web.GraphServiceClient with the following code in a Blazor 8 SSR web app:

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// Sign the user in with OpenID Connect via Microsoft.Identity.Web, acquire
// tokens for the requested Graph scopes and cache them in memory.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(["user.read", "sites.read.all"])
    .AddMicrosoftGraph()
    .AddInMemoryTokenCaches();
```

The issue here is that the user is still logged in after 1h, because of the "session" lifetime of the App Service auth cookie AppServiceAuthSession. However, the injected GraphServiceClient loses access after 1h because the token expires.
Here is the detailed explanation from March without an answer.

Reproduction steps

  1. Create a blank Blazor 8 SSR app
  2. Add the code to Program.cs:

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

// OpenID Connect sign-in through Microsoft.Identity.Web, with token acquisition
// for the Graph scopes and an in-memory token cache.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi(["user.read", "sites.read.all"])
    .AddMicrosoftGraph()
    .AddInMemoryTokenCaches();

// Scoped service that receives the injected GraphServiceClient (see step 3).
builder.Services.AddScoped<MyCustomGraphService>();

// (...)

app.UseAuthentication();
app.UseAuthorization();

app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode();
```

  3. Create a MyCustomGraphService.cs:

```csharp
using Microsoft.Graph;

// Primary constructor: the GraphServiceClient is resolved from DI and carries
// the signed-in user's token.
public class MyCustomGraphService(GraphServiceClient graphServiceClient)
{
    public async Task TestUser()
    {
        await graphServiceClient.Me.GetAsync();
    }
}
```

  4. Run the app, call the TestUser method with a button click. Then wait >1h and test again.

Error message

Message: Lifetime validation failed, the token is expired.

Id Web logs

No response

Relevant code snippets

See reproduction steps

Regression

No response

Expected behavior

Not sure how this should work. However, I want to work with the web app even after 1h without restarting my browser.

  • The AppServiceAuth cookie should expire after 1h (same as the id token for graph)?
  • The injected GraphServiceClient should check for token expiration and silently refresh?
@lancebush

Were you able to find a solution for this? I am running into the same issue

@mwiedemeyer
Author

No. I hope to get an answer from Microsoft here.

@JVita-Code

No answer yet on this? It also happens if you create a web app. In my case, I'm having an error similar to this when using ASP.NET OWIN in an MVC .NET Framework app. I thought Identity.Web would handle refresh tokens by itself.

@jennyf19
Collaborator

@mwiedemeyer If you have Easy Auth enabled, it is maintaining the state, so you would need to reach out to them. If you want Id Web to handle this, then you would disable Easy Auth. You would provide the app ID and certs created from Easy Auth in the appsettings.json and disable Easy Auth in the portal.
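One shape the appsettings.json can take when following this advice, added here as an example and not taken from the thread or from the Microsoft.Identity.Web project: the AzureAd section that AddMicrosoftIdentityWebApp(builder.Configuration) in the Program.cs above binds by default, carrying the app registration's client ID and a certificate credential referenced from Key Vault, so that Id Web performs the sign-in and token refresh itself once Easy Auth is disabled in the portal. Every angle-bracket value is a placeholder for your own tenant, app registration and vault; the Key Vault source type is one of the certificate sources Id Web supports and is chosen here as an assumption.

```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "<tenant-id-placeholder>",
    "ClientId": "<app-registration-client-id-placeholder>",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc",
    "ClientCertificates": [
      {
        "SourceType": "KeyVault",
        "KeyVaultUrl": "https://<vault-name-placeholder>.vault.azure.net",
        "KeyVaultCertificateName": "<certificate-name-placeholder>"
      }
    ]
  }
}
```

With Easy Auth still on, the platform owns the session cookie and Id Web never sees the sign-in, so this configuration only takes effect after the portal setting is turned off as described above.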

@ricardomatos95

@jennyf19 I have the exact same issue and reported in #3106.

It seems the solution was indeed this "Easy Auth" from Azure App Service. Is it documented anywhere that enabling it on the uploaded app can cause this disruption? I found it nowhere.

Thank you.
