
I am trying to set up the MSAL browser library to work with an instance of Duende Identity Server. Login is working fine so I'm able to obtain an initial set of tokens. I'm now trying to use acquireTokenSilent in order to use the access token to authenticate an API call, and to renew that token if it has expired.

According to the Microsoft docs acquireTokenSilent should return the cached token if it is unexpired and meets other validation criteria. Specifically:

  1. Check if a token already exists in the token cache for the given scopes, client id, authority, and/or homeAccountIdentifier.
  2. If a token exists for the given parameters, then ensure we get a single match and check the expiration.
  3. If the access token is not expired, MSAL will return a response with the relevant tokens.

However in my case it's hitting the identity provider's token endpoint every time, so something in these checks isn't working for me. This token refresh works OK but obviously I can't tolerate that level of noise on my identity provider when the client already has a perfectly good access token.

In my code I have the following global properties:

this.authority = "https://my.identity.provider";
this.scopes = ["openid", "profile", "offline_access"];
this.redirectUri = context.baseUrl + "/index.html";

this.tokenRequest = {
    authority: this.authority,
    scopes: this.scopes,
    clientId: context.clientId,
    redirectUri: this.redirectUri,
    cacheLookupPolicy: Msal.CacheLookupPolicy.AccessTokenAndRefreshToken,
    prompt: 'none',
    forceRefresh: false 
};

My MSAL config has the following section:

auth: {
  clientId: context.clientId,
  authority: this.authority, 
  knownAuthorities: ["https://identity.relatable.local:44119"],
  protocolMode: "OIDC",
  redirectUri: this.redirectUri
}

And here's how I'm obtaining the access token. This is where the library is skipping the cache and renewing its tokens every time:

async getAccessToken() {
    this.tokenRequest.account = this.pca.getActiveAccount();

    try {
        return await this.pca.acquireTokenSilent(this.tokenRequest);
    } catch (error) {
        if (error instanceof Msal.InteractionRequiredAuthError) {
            console.error("User is signed out"); 
        } else {
            console.warn(error);   
        }
    }
}

I've tried to be as explicit as possible according to all the supported properties documented here.

This is what MSAL is logging: [screenshot of the MSAL debug log, not reproduced here]

You can see here it's finding my access token then deliberately removing it from the cache. This is even when the access token is brand new with a 1-hour expiry. I have verified that all the parts of this cache key match with properties in the token request object I'm passing to acquireTokenSilent.

Can anyone help me understand what's going on here? Thanks in advance.

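The three documented lookup steps quoted in the question (key match, single match, expiry check) are easier to reason about when written out. The following is an added illustration, not msal-browser's own code and not part of the original post: it models those steps as a small lookup over a constructed token cache and reports why a given cache misses. The function names (matchingTokens, findCachedAccessToken, demo), the 300-second renewal offset, the rule that openid/profile/offline_access are ignored when matching scopes, and the sample cache entries and request are all assumptions made for this example.

```javascript
// Added illustration of the three-step silent lookup quoted above
// (key match, single match, expiry check). It is not msal-browser's own code;
// it models the documented steps so the reasons for a cache miss are visible.
// All names (findCachedAccessToken, RENEWAL_OFFSET_SECONDS, NOW, the sample
// cache entries) are constructed for this example.

// OIDC-only scopes are assumed to be ignored when matching request scopes
// against an access token's target (an assumption, not a statement about
// MSAL internals).
const OIDC_SCOPES = new Set(["openid", "profile", "offline_access"]);
const RENEWAL_OFFSET_SECONDS = 300; // assumed renewal window before expiry
const NOW = 1700000000;             // constructed "current time", epoch seconds

function searchScopes(scopes) {
  return scopes.map((s) => s.toLowerCase()).filter((s) => !OIDC_SCOPES.has(s));
}

// Step 1: entries whose key (type, account, authority host, client id, scopes)
// matches the request.
function matchingTokens(cache, request) {
  const env = new URL(request.authority).host;
  const want = searchScopes(request.scopes);
  return cache.filter((e) => {
    if (e.credentialType !== "AccessToken") return false;
    if (e.homeAccountId !== request.account.homeAccountId) return false;
    if (e.environment !== env) return false;
    if (e.clientId !== request.clientId) return false;
    const have = new Set(e.target.toLowerCase().split(" "));
    return want.every((s) => have.has(s)); // every requested scope must be on the token
  });
}

// Steps 2 and 3: require exactly one match, then check expiry (with offset).
function findCachedAccessToken(cache, request, now = NOW) {
  const matches = matchingTokens(cache, request);
  if (matches.length === 0) return { token: null, reason: "no matching cache entry" };
  if (matches.length > 1) return { token: null, reason: "multiple matching entries" };
  const [e] = matches;
  if (e.expiresOn - RENEWAL_OFFSET_SECONDS <= now) {
    return { token: null, reason: "expired or inside renewal offset" };
  }
  return { token: e.secret, reason: "cache hit" };
}

// Constructed sample data: one request and a cache entry factory.
const REQUEST = {
  authority: "https://my.identity.provider",
  clientId: "spa-client",
  scopes: ["openid", "profile", "offline_access", "api.read"],
  account: { homeAccountId: "user-123.tenant" },
};

function entry(overrides = {}) {
  return {
    credentialType: "AccessToken",
    homeAccountId: "user-123.tenant",
    environment: "my.identity.provider",
    clientId: "spa-client",
    target: "openid profile api.read",
    secret: "at-fresh",
    expiresOn: NOW + 3600, // one-hour token minted just now
    ...overrides,
  };
}

// Run the lookup against several caches and return the outcome of each.
function demo() {
  return {
    fresh: findCachedAccessToken([entry()], REQUEST),
    nearExpiry: findCachedAccessToken([entry({ expiresOn: NOW + 240 })], REQUEST),
    otherAuthority: findCachedAccessToken(
      [entry({ environment: "other.idp.example" })], REQUEST),
    missingScope: findCachedAccessToken(
      [entry()], { ...REQUEST, scopes: [...REQUEST.scopes, "api.write"] }),
    duplicates: findCachedAccessToken([entry(), entry({ secret: "at-dup" })], REQUEST),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(demo())) {
    console.log(`${name.padEnd(15)} token=${r.token ?? "-"}  (${r.reason})`);
  }
}
```

Run it with node to see which of the five constructed caches produce a hit. Each result carries the reason for a miss, so the same fields (account identifier, authority host, client id, scopes, expiry) are the ones to compare against the cache key and the expiry shown in your own debug log.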
