The access token of the web app obtained through AadTokenProvider will expire in one hour and no new token will be obtained.

Al Lo 1 Reputation point
2020-08-31T04:03:46.057+00:00

I get the access token with the following code.

```typescript
import { AadTokenProvider } from '@microsoft/sp-http';

// Acquire an access token for the configured resource through the SPFx AadTokenProvider.
// Resolves to null (after logging the error) if the provider or the token request fails.
protected async getAccessToken(): Promise<string | null> {
    return this.context.aadTokenProviderFactory
        .getTokenProvider()
        .then((tokenProvider: AadTokenProvider): Promise<string> => {
            // Request a token for the resource endpoint taken from configuration.
            return tokenProvider.getToken(Config.resourceEndpoint, false);
        })
        .catch(error => {
            console.error("getAccessToken", error);
            return null;
        });
}
```

The access token obtained every time is the same, but this token will expire in one hour, which will cause me to be unable to access the web API on the Azure web app. How can I solve this problem? Has anyone encountered a similar problem?

Tags: Azure App Service, Microsoft Entra ID

1 answer

soumi-MSFT 11,716 Reputation points Microsoft Employee
2020-08-31T09:58:18.613+00:00

@AILo-0925, thank you for reaching out. The behavior you are witnessing here is by design: the lifetime of an access token is set to 1 hour by default in AAD. You can modify that as per requirement, but we do not recommend doing that; rather, we would want users to utilize refresh tokens to get access tokens as soon as they expire after 1 hour.

In your case also, I believe you can utilize the refresh token to get another access token as soon as you hit the 1-hour mark of your access token expiration. The refresh token is only issued in case you use the Authorization Code grant flow, where the user interactively logs in to AAD (by entering username and password, and in the scope parameter you have to send offline_access). In other OAuth flows like the Client Credentials flow, since that is a non-interactive login, the refresh token is not issued by AAD.

Also, do let us know what library you are using. Is it MSAL? If yes, then we can share some samples based on which you can perfect the code. But you should consider using the Authorization Code Grant Flow to get a seamless user auth experience with SSO. From the snippet above, it's a JS snippet, and you can consider checking the following sample. It uses MSAL 2.0, Auth Code Grant Flow with PKCE.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
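The answer's point is that the access token has a fixed 1-hour lifetime, so a cached token must be replaced before it expires rather than reused indefinitely. The following is an added example (not code from the question, the answer, or the SPFx library) showing how a client can read the JWT `exp` claim to decide when a cached token is about to expire and fetch a fresh one; `fetchToken`, `cache` and the sample-token builder are assumptions standing in for `tokenProvider.getToken(resource, false)` and a real AAD token.

```typescript
// Added example: schedule token renewal from the JWT "exp" claim. This only
// reads the payload; it does NOT validate the signature (the web API does that).
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Minimal base64url codec (ASCII payloads) so the example runs without Node/DOM globals.
function base64UrlDecode(input: string): string {
  let bits = 0, acc = 0, out = "";
  const s = input.replace(/=+$/, "");
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s[i]);
    if (v < 0) throw new Error("invalid base64url character");
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}
function base64UrlEncode(input: string): string {
  let bits = 0, acc = 0, out = "";
  for (let i = 0; i < input.length; i++) {
    acc = (acc << 8) | (input.charCodeAt(i) & 0xff); bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(acc >> bits) & 0x3f]; }
  }
  if (bits > 0) out += B64URL[(acc << (6 - bits)) & 0x3f];
  return out;
}
// Parse the claims segment of a compact JWS (header.payload.signature).
function parseClaims(jwt: string): { exp?: number } {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}
// True when the token is expired or within leewaySeconds (default 5 min) of "exp",
// i.e. the caller should ask the token provider for a new one before the 1-hour lifetime ends.
function isExpiringSoon(jwt: string, nowSeconds: number, leewaySeconds = 300): boolean {
  const exp = parseClaims(jwt).exp;
  if (typeof exp !== "number") return true; // no exp claim: treat as unusable
  return nowSeconds + leewaySeconds >= exp;
}
// Reuse the cached token until it nears expiry, then fetch a new one. fetchToken is an
// assumed stand-in for tokenProvider.getToken(resource, false) from the question.
async function getFreshToken(fetchToken: () => Promise<string>,
                             cache: { token?: string }, nowSeconds: number): Promise<string> {
  if (cache.token && !isExpiringSoon(cache.token, nowSeconds)) return cache.token;
  cache.token = await fetchToken();
  return cache.token;
}
// Constructed, unsigned sample token (alg "none", fake signature) for local testing only.
function makeSampleToken(exp: number): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({ aud: "api://example", exp }));
  return `${header}.${payload}.sig`;
}
```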