Silent authentication call results in unexpected network call #1174

Closed
1 task done
mjcheetham opened this issue May 28, 2019 · 17 comments
@mjcheetham
Contributor

Which version of MSAL are you using?
MSAL.NET 3.0.8

Platform
net45

What authentication flow has the issue?

  • Desktop / Mobile
    • Silent

Is this a new or existing app?
This is a new app or experiment.

Repro
Please see the following command line app which is a simplified model of how we are using MSAL:
https://gist.github.com/mjcheetham/d3faa36325beef54527a5434e6445ddb

The specific offending code is line 80:

app.AcquireTokenSilent(Scopes, account).ExecuteAsync()

Running the application once will perform an interactive authentication and store the AT/RT in a cache at %UserProfile%\.gettoken\msal.cache (using MSAL's cache extensibility APIs).

Running the application a second time will perform a silent authentication for the same user as previous.

Expected behavior
No web call is performed (unless the access token has expired).

Actual behavior
An instance discovery web call is made.

Possible Solution
Unknown.

Additional context/ Logs / Screenshots
Fiddler shows the following request:
image

image

..with the following response:
image

@bgavrilMS
Member

CC @henrik-me @MarkZuber

@henrik-me
Contributor

henrik-me commented May 28, 2019

This is current expected behavior when starting a new process. We will look into how we can optimize this. If you have one process the result is stored in a process level static.

@mjcheetham
Contributor Author

> This is current expected behavior when starting a new process. We will look into how we can optimize this. If you have one process the result is stored in a process level static.

Is there a possibility to store this kind of configuration information in a similar way to tokens (UserTokenCache .. ConfigurationCache)?

@bgavrilMS
Member

@mjcheetham - yes, this is our current approach but I need to figure out how we do expiration (i.e. 24h expiry? more? ) and refresh (i.e. refresh when the info is missing or expired, or also try to refresh whenever a non silent request is made).

Other proposals are:

  • use HTTP request caching
  • let the developers pass in a list of aliases

@stevehurcombe

@jmprieur You pointed me at this issue, from #1040 but you also tagged this as Desktop. We're getting this on mobile.

@stevehurcombe

stevehurcombe commented May 29, 2019

@bgavrilMS my expectation is that if the token hasn't expired yet then there should be no need to go out and update anything. If you have to do this then can it be done in a way that doesn't impact startup, especially on mobile?

How often is this information expected to change?

@jmprieur
Contributor

@stevehurcombe, I've added the scenarios for mobile as well.

@stevehurcombe

#1144 sounds like it's a closely related issue.

@jmprieur
Copy link
Contributor

yes, indeed. They all are related to the fact that MSAL does instance discovery (to discover the aliases of issuers across clouds), and this takes time, and prevents offline scenarios.

@bgavrilMS
Copy link
Member

A large part of the work for this has been shipped in 4.1 - AcquireTokenSilent (with a valid AT in cache) and GetAccounts are fixed.

@stevehurcombe

@bgavrilMS still seems much the same:

07-08 15:53:42.095 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) MSAL MSAL.Xamarin.Android with assembly version '4.1.0.0'. CorrelationId(90e2966c-ba85-4033-9da1-ed68f2d146da)
07-08 15:53:42.132 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) === OnBehalfOfParameters ===
07-08 15:53:42.132 I/        (18478): LoginHint provided: False
07-08 15:53:42.132 I/        (18478): User provided: True
07-08 15:53:42.132 I/        (18478): ForceRefresh: False
07-08 15:53:42.265 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) 
07-08 15:53:42.265 I/        (18478): === Request Data ===
07-08 15:53:42.265 I/        (18478): Authority Provided? - True
07-08 15:53:42.265 I/        (18478): Scopes - https://aialearning.onmicrosoft.com/server/dataaccess
07-08 15:53:42.265 I/        (18478): Extra Query Params Keys (space separated) - 
07-08 15:53:42.267 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) === Token Acquisition (SilentRequest) started:
07-08 15:53:42.267 I/        (18478): 	Cache Provided: True
07-08 15:53:42.267 I/        (18478): 	Authority Host: login.microsoftonline.com
07-08 15:53:42.277 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) Looking up access token in the cache.
07-08 15:53:42.889 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) Filtering by home account id item count before 2 after 2
07-08 15:53:42.890 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) Tenant id: xxxxx.onmicrosoft.com
07-08 15:53:42.891 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) Filtering by tenant id item count before 2 after 2
07-08 15:53:42.891 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) Matching entry count -2
07-08 15:53:42.897 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) Matching entry count after filtering by scopes - 2
07-08 15:53:42.914 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:42 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) Access token is not expired. Returning the found cache entry. [Current time (07/08/2019 14:53:42) - Expiration Time (07/08/2019 15:52:20 +00:00) - Extended Expiration Time (01/01/0001 00:00:00 +00:00)]
07-08 15:53:43.677 W/zygote64(18478): Checksum mismatch for dex base.apk
07-08 15:53:43.988 I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 [07/08/2019 14:53:43 - 90e2966c-ba85-4033-9da1-ed68f2d146da] (UnknownClient: 0.0.0.0) === Token Acquisition finished successfully. An access token was returned with Expiration Time: 07/08/2019 15:52:20 +00:00 ===

This is a Samsung S7 Edge.

Maybe we need some more pieces??
Cheers

Steve

@bgavrilMS
Member

Thanks for checking, @stevehurcombe. All this work is cross platform, so it should work for Xamarin. Are you saying that in your case a discovery call was made?

@stevehurcombe

Not necessarily. If I'm offline then the login process seems quicker. If I'm online then it's still as slow as before, even though the token has not expired.

@bgavrilMS
Member

I see what you're saying. I can see a spike of ~600ms when it says "Looking up a token in the cache". This is understandable because it will access the token cache (on Android, we store in Shared Preferences, which are just files).

I can't explain the 1s difference at the end though, after it found a valid token and it returns a token. Will need to investigate (that APK log message from Xamarin is strange) - I opened another issue for this #1256

Thanks for validating that we're not performing an extra network call. That should at least save some 400ms.
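
The timing read-off in the comment above (a step of about 600 ms at the cache lookup and a gap of about 1 s before the final line) can be reproduced mechanically from a log in this format. This is an added example, not part of the thread or of MSAL; the sample lines are constructed in the posted log's format with a placeholder correlation id, and `slow_steps` is a hypothetical helper name.

```python
import re
from datetime import datetime, timedelta

# logcat line: "MM-DD HH:MM:SS.mmm L/tag(pid): message" (no year, so a log that
# crosses New Year would produce a negative gap; not handled here).
LINE_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \w/(\S*)\s*\(\s*\d+\): (.*)$")
# MSAL prefix as it appears in the thread's log; the last group is the step text.
MSAL_RE = re.compile(r"^\((?:True|False)\) MSAL \S+ \S+ \S+ \[[^\]]*\] \([^)]*\) ?(.*)$")

# Constructed sample in the thread's log format; the correlation id is a placeholder.
_P = ("I/        (18478): (False) MSAL 4.1.0.0 MSAL.Xamarin.Android 26 "
      "[07/08/2019 14:53:42 - <constructed-id>] (UnknownClient: 0.0.0.0) ")
SAMPLE_LOG = "\n".join([
    "07-08 15:53:42.267 " + _P + "=== Token Acquisition (SilentRequest) started:",
    "07-08 15:53:42.267 I/        (18478): \tCache Provided: True",
    "07-08 15:53:42.277 " + _P + "Looking up access token in the cache.",
    "07-08 15:53:42.889 " + _P + "Filtering by home account id item count before 2 after 2",
    "07-08 15:53:42.914 " + _P + "Access token is not expired. Returning the found cache entry.",
    "07-08 15:53:43.677 W/zygote64(18478): Checksum mismatch for dex base.apk",
    "07-08 15:53:43.988 " + _P + "=== Token Acquisition finished successfully.",
])

def slow_steps(log_text, threshold_ms=500):
    """Return (gap_ms, step_before, step_after, other_lines) per MSAL gap >= threshold."""
    prev, other, found = None, [], []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue
        stamp, tag, msg = line.groups()
        msal = MSAL_RE.match(msg)
        if not msal:
            if tag:                  # another component logging inside the gap
                other.append(f"{tag}: {msg}")
            continue                 # untagged lines are MSAL continuation lines
        when = datetime.strptime(stamp, "%m-%d %H:%M:%S.%f")
        if prev is not None:
            gap_ms = (when - prev[0]) // timedelta(milliseconds=1)
            if gap_ms >= threshold_ms:
                found.append((gap_ms, prev[1], msal.group(1), other))
        prev, other = (when, msal.group(1)), []
    return found

if __name__ == "__main__":
    for gap, before, after, other in slow_steps(SAMPLE_LOG):
        print(f"{gap} ms between {before!r} and {after!r}; other: {other}")
```

A gap only shows where time was spent, not why: a silent call that hits the network and one that is slow on local storage look the same here, so a proxy trace is still needed to confirm that no request left the device.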

@bgavrilMS bgavrilMS removed this from the 4.2 milestone Jul 9, 2019
@bgavrilMS bgavrilMS added this to the 4.1 milestone Jul 9, 2019
@bgavrilMS
Member

bgavrilMS commented Jul 9, 2019

I'll close this so that it's clear that it has been done in 4.1.

GetAccountsAsync and AcquireTokenSilent (when a valid AT is in the cache) no longer make network calls unless an atypical authority host is used (i.e. something other than https://login.microsoft.com etc.). For a full list of these authorities, see https://aka.ms/aad-instance-discovery

@ckrempp91

ckrempp91 commented Oct 1, 2020

So to confirm, this won't work for the Azure B2C case because the authority host is something like this: {tenantName}.b2clogin.com?

If so, then I take it there would have to be a code adjustment to support the vast array of URLs rather than just the provided list from this comment: #1174 (comment)

@bgavrilMS
Member

@ckrempp91 - please open a new issue if needed, this has been fixed and closed more than 1 year ago. ATS should not make a network call unless required, e.g. if the access token expired (typically after 1h).
