-
Notifications
You must be signed in to change notification settings - Fork 340
Client Throttling
AAD throttles applications when you are calling it to often. 99% of the cases this happens because token caching is not used:
- Setup token caching - see https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization
- If you are asking for a scope which does not make sense for MSA users like User.ReadBasic.All - it causes cache misses.
The server signals throttling in 2 ways:
- for client_credentials grant, i.e.
AcquireTokenForClient, AAD will reply with 429 Too Many Request with a Retry-After: 60 header - for user facing calls, AAD will send an message which results in an MsalUiRequiredException with error code "invalid_grant" and message "AADSTS50196: The server terminated an operation because it encountered a loop while processing a request"
MSAL detects certain conditions (see below) where the application should not make repeated calls to AAD. If a call is made, then an MsalThrottledServiceException or an MsalThrottledUiRequiredException is thrown by MSAL. These are subtypes of MsalServiceException, so this behaviour does not introduce a breaking change. If MSAL would not apply client-side throttling, the application would still not be able to acquire tokens, as AAD would throw the error.
If the server is having problems or if an application is requesting tokens too often, AAD will respond with HTTP 429 (Too Many Requests) and with Retry-After header, Retry-After X seconds. The application will see an MsalServiceException with header details. The throttling state is maintained for the X seconds. Affects all flows. Introduced in 4.13.0.
The most likely culprit is that you have not setup token caching. See https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization
If AAD is having problems it may respond with an HTTP 5xx error code with no Retry-After header. The throttling state is maintained for 1 minute. Affects only public client flows. Introduced in 4.13.0
MSAL throws MsalUiRequiredException when authentication cannot be resolved silently and the end-user needs to use a browser. This is a common occurrence when a tenant admin introduced 2FA or when a user password expires. Retrying the silent authentication cannot succeed. The throttling state is maintained for 2 minutes. Affects only the AcquireTokenSilent. Introduced in 4.14.0
If you are using WithForceRefresh(true), it will ignore the cache and make calls to the backend. This may result in too many calls causing it to throttle.
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Xamarin Docs
- UWP
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- High Availability
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code