FOCI is hiding the true cause of refresh token failures #1067

Closed
1 task done
bgavrilMS opened this issue Apr 11, 2019 · 0 comments
@bgavrilMS
Member

Which version of MSAL are you using?
MSAL 3.0.4-preview

Platform
net45

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive

Other? - please describe;

Repro

  1. Acquire a token interactively from a family member
  2. Acquire a token silently from another family member, from a user that has an MFA policy

Expected behavior
The MFA specific exception should be thrown. Apps need this exception for their own logic.

Actual behavior
We send an exception like "UIRequireException" - no token was found in the cache.

Possible Solution
Root cause is here: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/dev3x/src/Microsoft.Identity.Client/Internal/Requests/SilentRequest.cs#L181

We catch all exceptions and consider that the FRT is not valid, i.e. a non-family member tried to redeem the FRT. We need to strengthen this condition - there is supposed to be a "client_mismatch" error code we can use, however we are currently still seeing "invalid_grant".

@bgavrilMS bgavrilMS added this to the 3.0.5 milestone Apr 11, 2019
@bgavrilMS bgavrilMS self-assigned this Apr 12, 2019
bgavrilMS added a commit that referenced this issue Apr 15, 2019
* Add suberror support (internal only)

* Bump MSAL version of development envs to 3

* Fix for #1067 - FRT fail silently only on client_mismatch
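
The difference between the catch-all described in this issue and a condition narrowed to "client_mismatch", as an added example that is not MSAL's own code. `TokenEndpointException`, `FrtFallbackDemo` and the `SubError` property are hypothetical names, and it is an assumption that the mismatch value arrives in a suberror field.

```csharp
using System;

// Hypothetical stand-in for a token-endpoint failure; not an MSAL type.
public sealed class TokenEndpointException : Exception
{
    public string Error { get; }
    public string SubError { get; } // assumption: client_mismatch is reported here
    public TokenEndpointException(string error, string subError)
        : base(error + "/" + subError) { Error = error; SubError = subError; }
}

public static class FrtFallbackDemo
{
    // Behaviour described in the issue: every failure is read as
    // "this client is not a family member", so the real cause is lost.
    public static string RedeemCatchAll(Func<string> redeemFrt)
    {
        try { return redeemFrt(); }
        catch (Exception) { return null; } // caller then reports "no token in cache"
    }

    // Narrowed condition: only client_mismatch means the FRT is unusable here.
    public static string RedeemNarrow(Func<string> redeemFrt)
    {
        try { return redeemFrt(); }
        catch (TokenEndpointException ex) when (ex.SubError == "client_mismatch")
        {
            return null; // quiet fallback to the app's own refresh token
        }
        // Any other failure (for example an MFA challenge) propagates to the app.
    }

    public static void Main()
    {
        // Constructed failures; "mfa_placeholder" is a placeholder, not a real code.
        Func<string> mfa = () => throw new TokenEndpointException("invalid_grant", "mfa_placeholder");
        Func<string> mismatch = () => throw new TokenEndpointException("invalid_grant", "client_mismatch");

        // Catch-all: the MFA failure is swallowed and looks like a cache miss.
        Console.WriteLine("catch-all hides MFA: " + (RedeemCatchAll(mfa) == null));
        // Narrowed: a family mismatch still falls back quietly.
        Console.WriteLine("narrow hides mismatch: " + (RedeemNarrow(mismatch) == null));
        // Narrowed: the MFA failure reaches the caller with its cause intact.
        try { RedeemNarrow(mfa); }
        catch (TokenEndpointException ex) { Console.WriteLine("surfaced: " + ex.Message); }
    }
}
```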