
[Feature Request] Provide a more sophisticated token cache L1/L2 (L1 in InMemoryCache, L2 IDistributedCache, with encryption strategy) #957

Closed
jmprieur opened this issue Feb 11, 2021 · 5 comments
Labels
enhancement New feature or request fixed
Milestone

Comments

@jmprieur
Collaborator

Is your feature request related to a problem? Please describe.
@henrik-me to update or @jennyf19 / @jmprieur after discussing with @henrik-me and/or @GeoK

Describe the solution you'd like
TBD

Describe alternatives you've considered
TBD

Additional context
See MISE

@jmprieur jmprieur added the enhancement New feature or request label Feb 11, 2021
@damienbod

It would be great if, when the required access token has expired or does not exist in the cache, the lib just tried to get a new access token. We do this with other OIDC/OAuth clients. Would this be possible?

Greetings Damien

@jmprieur
Collaborator Author

@damienbod: in a web app, or in a web API?
In a web app, Microsoft.Identity.Web manages it already with the [AuthorizeForScopes] attribute. See https://github.com/AzureAD/microsoft-identity-web/wiki/Managing-incremental-consent-and-conditional-access

@jmprieur jmprieur changed the title from "[Feature Request] Provide a more sophisticated token cache L1/L2 (M1 in InMemoryCache, L2 IDistributedCache, with encryption strategy)" to "[Feature Request] Provide a more sophisticated token cache L1/L2 (L1 in InMemoryCache, L2 IDistributedCache, with encryption strategy)" Feb 11, 2021
@damienbod

damienbod commented Feb 11, 2021

Hi @jmprieur, in both. I don't see this in the docs. But are you saying that if I don't use a persistent cache, I can use the [AuthorizeForScopes] attribute on my API and it will get me a new token if the cache has been reset?

Will try this. => Tried this and it does not help (hopefully I tried this correctly).

I can show the problem with the demo:

https://github.com/damienbod/AzureADAuthRazorUiServiceApiCertificate/tree/main/DownstreamApis

Steps to reproduce:

  • Start the Web App and the 2 APIs
  • call the API from the Web APP
  • stop the applications
  • start the applications again
  • call the API => Bug
    ApplicationException: Exception Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.

If I reset my persistent cache or use the in-memory cache, I have this problem. The consent has already been given. To solve it I need to delete my cookies from the browser or use a persistent cache, but then the problem will exist here as well if the cache gets reset.

It would be great if the lib could recover from this without having to delete the APP cookies.

Thanks Damien

@jmprieur
Collaborator Author

Thanks @damienbod
This is on the backlog: #685
(Today, if you have a web API, you'd need to handle the exception and pass it to ITokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync. See https://github.com/AzureAD/microsoft-identity-web/wiki/web-apis#handle-conditional-access)
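The pattern referred to in the comment above, written out as an added example (this is not code from the issue thread, from Damien's demo repository, or from Microsoft.Identity.Web itself). It assumes a web API protected with Microsoft.Identity.Web, a controller named DownstreamController, the scope "user.read" and the downstream URL https://downstream.example/api/values, all of which are placeholder values chosen for the example. When the token cache no longer holds an entry for the user (for instance after a restart with an in-memory cache, the situation in the reproduction steps above), silent acquisition fails with the IDW10502 wrapper exception shown in the error output; the web API cannot redirect the user, so it replies 403 with a WWW-Authenticate header that lets the calling web app re-challenge the user and retry.

```csharp
// Added example, not code from the issue thread or from Microsoft.Identity.Web.
// Assumes: Microsoft.Identity.Web configured for a protected web API,
// and IHttpClientFactory registered (services.AddHttpClient()).
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;

namespace ExampleApi.Controllers
{
    [Authorize]
    [ApiController]
    [Route("api/[controller]")]
    public class DownstreamController : ControllerBase
    {
        // Scope needed for the downstream call; placeholder value for this example.
        private static readonly string[] DownstreamScopes = { "user.read" };

        // Placeholder downstream endpoint for this example.
        private const string DownstreamUrl = "https://downstream.example/api/values";

        private readonly ITokenAcquisition _tokenAcquisition;
        private readonly IHttpClientFactory _httpClientFactory;

        public DownstreamController(ITokenAcquisition tokenAcquisition,
                                    IHttpClientFactory httpClientFactory)
        {
            _tokenAcquisition = tokenAcquisition;
            _httpClientFactory = httpClientFactory;
        }

        [HttpGet]
        public async Task<IActionResult> Get()
        {
            string accessToken;
            try
            {
                // On-behalf-of acquisition for the signed-in user. If the cache has no
                // entry (e.g. in-memory cache after a restart), this cannot complete
                // silently and Microsoft.Identity.Web throws
                // MicrosoftIdentityWebChallengeUserException (IDW10502), which wraps
                // the underlying MsalUiRequiredException.
                accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(DownstreamScopes);
            }
            catch (MicrosoftIdentityWebChallengeUserException ex)
            {
                // A web API has no browser to redirect, so instead of failing with an
                // unhandled 500 it answers 403 Forbidden with a WWW-Authenticate header
                // carrying the claims challenge. The calling web app can then challenge
                // the user again (e.g. via [AuthorizeForScopes]) and retry the call.
                await _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeaderAsync(
                    DownstreamScopes, ex.MsalUiRequiredException, HttpContext.Response);
                return new EmptyResult();
            }

            // Token acquired: call the downstream API with it as a bearer token.
            var client = _httpClientFactory.CreateClient();
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", accessToken);
            HttpResponseMessage response = await client.GetAsync(DownstreamUrl);
            string body = await response.Content.ReadAsStringAsync();
            return Content(body, "application/json");
        }
    }
}
```

This only turns the failure into a recoverable 403 for the caller; it does not by itself make the cache survive a restart. Keeping tokens across restarts is what the L2 IDistributedCache layer in this issue's title is for, and the in-memory L1 alone behaves exactly as the reproduction steps describe.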

@jmprieur jmprieur added this to the 1.8.0 milestone Feb 18, 2021
@jmprieur jmprieur added the fixed label Mar 6, 2021
@jennyf19
Collaborator

Included in 1.8.0 release


3 participants