
Comments (11)

TiagoBrenck avatar TiagoBrenck commented on August 15, 2024 1

I will take a look at this. @jmprieur

from active-directory-aspnetcore-webapp-openidconnect-v2.

ferronsw avatar ferronsw commented on August 15, 2024 1

@jasonshave I can confirm this also happens when running it for 12 hours on localhost.


jmprieur avatar jmprieur commented on August 15, 2024 1

@jasonshave : thanks again for reporting this issue.
This is now fixed.


jmprieur avatar jmprieur commented on August 15, 2024

@jasonshave : what are the repro steps? just use the sample? which sub folder?


jasonshave avatar jasonshave commented on August 15, 2024

The step to reproduce (for me at least) is to simply wait about 12 hours. The website eventually won't authenticate and loops as mentioned above. I tried setting the token type to .AddInMemoryPerUserTokenCache and while this seemed to work okay over the past few days, I have the login loop showing up again.

I just noticed the MSALMemoryTokenCacheOptions has a 12 hour expiration which lines up with the time frame I'm noticing my issue. Looking at that object for Microsoft.Identity.Web I see the comments suggest an expiration of up to 90 days so I'm going to try that. I just updated my Startup.cs to:

    services.AddAzureAdV2Authentication(Configuration)
        .AddMsal(new string[] { ScopeConstants.ScopeUserRead })
        .AddInMemoryPerUserTokenCache(new MSALMemoryTokenCacheOptions()
        {
            AbsoluteExpiration = DateTimeOffset.Now.AddDays(90)
        });

...so hopefully this will help.

The code I'm using is from the sample here.

I'm happy to set up a LiveShare or Teams session to show you. You can find me in the GAL.


jmprieur avatar jmprieur commented on August 15, 2024

@kalyankrishna1 @TiagoBrenck
does one of you have time to have a look?
otherwise I'll try to get to this by EOW


TiagoBrenck avatar TiagoBrenck commented on August 15, 2024

@jasonshave Could you reproduce this bug running on localhost? Or it just happens when you deploy the web app on Azure?


ferronsw avatar ferronsw commented on August 15, 2024

I'm having the same problem on a Linux Azure Web App.

I only see these two messages:

2019-05-28T05:31:08.033349541Z warn: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[15]
2019-05-28T05:31:08.033398243Z       '.AspNetCore.Correlation.AzureADOpenID.ekRozARehhfY9jxmECEumJc-vhZdY3cCAwK88HGKORU' cookie not found.

2019-05-28T05:31:50.339705384Z warn: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[14]
2019-05-28T05:31:50.339764686Z       .AspNetCore.Correlation. state property not found.

Could this problem occur if DataProtection is not configured?


ferronsw avatar ferronsw commented on August 15, 2024

With DataProtection on it still happens.


TiagoBrenck avatar TiagoBrenck commented on August 15, 2024

@ferronsw I could reproduce it locally. We are still investigating it, but so far here is my analysis:

What is happening is:

  1. After X hrs (I set it locally to expire in 1 min), the token that we have cached expires.
  2. The user calls the Profile action result (with MsalUiRequiredExceptionFilter) and an access token acquisition is attempted. The method GetAccessTokenOnBehalfOfUser (inside TokenAcquisition.cs) is called.
  3. This method builds a new IConfidentialClientApplication (where the cache accessor is empty), receives an account identifier and tries to retrieve an IAccount object. It returns null because the entry has expired and the cache accessor is empty.
  4. The method calls AcquireTokenSilent with the null IAccount in the parameters. A MsalUiRequiredException is thrown and the filter gets into action.
  5. The filter calls BuildAuthenticationPropertiesForIncrementalConsent, which basically populates AuthenticationProperties with the scope, loginHint and extra claims (if needed), the same ones that were requested previously. Then, a new ChallengeResult is created with the AuthenticationProperties created.
  6. The event OnAuthorizationCodeReceived gets triggered and the method AddAccountToCacheFromAuthorizationCode is called.
  7. A new IConfidentialClientApplication is built and AcquireTokenByAuthorizationCode is called right after. This method populates the cache accessor properly; however, this new IConfidentialClientApplication object is lost (in my opinion), because after this step we get back to step 2, and all this flow happens again, and again. I would expect that on step 3 the cache accessor had the values populated by AcquireTokenByAuthorizationCode.

If you want to reproduce this behavior locally, download the sample https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-1-Call-MSGraph
Then modify the class MSALPerUserMemoryTokenCacheProvider.cs to this one:

        public MSALPerUserMemoryTokenCacheProvider(IMemoryCache cache, MSALMemoryTokenCacheOptions option)
        {
            this.memoryCache = cache;

            // Force a 1-minute absolute expiration so the login loop reproduces quickly.
            // (Null check corrected: the original tested "!= null" and then dereferenced a null option.)
            if (option == null)
            {
                this.CacheOptions = new MSALMemoryTokenCacheOptions() { AbsoluteExpiration = System.DateTime.Now.AddMinutes(1) };
            }
            else
            {
                option.AbsoluteExpiration = System.DateTime.Now.AddMinutes(1);

                this.CacheOptions = option;
            }
        }

Run the project, log in and go to the Profile page. Wait for your token expiration time, then click on the Profile link again. You will then be in the loop.

The problem
The job done on the IConfidentialClientApplication at step 7 doesn't affect the IConfidentialClientApplication created at step 2.


jmprieur avatar jmprieur commented on August 15, 2024

@kalyankrishna1 : why is there an Absolute expiration time? Don't we rather want to have a sliding window?
By setting an absolute time, once it's reached, no token can be added to the cache.

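To make the failure mode in TiagoBrenck's steps and jmprieur's absolute-vs-sliding remark concrete, here is an added simulation (not code from the sample or from Microsoft.Identity.Web). It models a per-user token cache whose expiry instant is either computed once at startup (as `DateTimeOffset.Now.AddDays(90)` in `Startup.cs` is) or recomputed at each write; `FakeClock`, `TokenCache`, `simulate_requests` and `demo` are constructed names for this example.

```python
from dataclasses import dataclass

@dataclass
class FakeClock:
    """Injectable clock so the 12-hour wait from the report runs instantly."""
    now: float = 0.0

    def advance(self, seconds):
        self.now += seconds

class TokenCache:
    """Per-user cache. relative_to_write=False reproduces the bug: one absolute
    deadline fixed at construction is reused for every later write."""

    def __init__(self, clock, ttl, relative_to_write):
        self.clock, self.ttl, self.relative_to_write = clock, ttl, relative_to_write
        self.fixed_deadline = clock.now + ttl  # evaluated once, like Startup.cs
        self.entries = {}

    def set(self, user, token):
        deadline = self.clock.now + self.ttl if self.relative_to_write else self.fixed_deadline
        self.entries[user] = (token, deadline)

    def get(self, user):
        hit = self.entries.get(user)
        if hit is None or hit[1] <= self.clock.now:  # missing, or dead on arrival
            self.entries.pop(user, None)
            return None
        return hit[0]

def simulate_requests(cache, clock, user, requests, interval):
    """Steps 2-7 of the analysis: silent lookup, challenge on a miss, cache write
    when the authorization code is redeemed. Returns the number of challenges."""
    challenges = 0
    for _ in range(requests):
        if cache.get(user) is None:                 # AcquireTokenSilent fails
            challenges += 1                         # filter issues ChallengeResult
            cache.set(user, f"token@{clock.now}")   # AcquireTokenByAuthorizationCode
        clock.advance(interval)
    return challenges

def demo(relative_to_write, wait_before_first_request=120.0):
    """ttl is 60 s; the wait stands in for the 12 hours after which the loop appears."""
    clock = FakeClock()
    cache = TokenCache(clock, ttl=60.0, relative_to_write=relative_to_write)
    clock.advance(wait_before_first_request)
    return simulate_requests(cache, clock, "user@example.invalid", requests=5, interval=1.0)

if __name__ == "__main__":
    print("fixed deadline:", demo(False), "challenges; per-write deadline:", demo(True))
```

Before the fixed deadline passes both variants behave identically (one challenge, then cache hits), which is why the sample works for hours before every request turns into a fresh challenge.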
