B2C token still valid after the exp time #6229

Closed
DaCao opened this issue Jul 11, 2023 · 3 comments
Assignees
Labels
answered Question has received "first qualified response" b2c Related to Azure B2C library-specific issues msal-browser Related to msal-browser package msal-react Related to @azure/msal-react public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

Comments

@DaCao

DaCao commented Jul 11, 2023

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

2.37.1

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

1.5.8

Public or Confidential Client?

Public

Description

I have my ReactJS SPA and I have my web API hosted in an Azure VM. I put APIM in front of the VM and the APIM validates the token against B2C for authorization.
In the B2C User Flow, I have set the token lifetime to 5 minutes.

In the SPA, when I first log in, it works well and I can make calls to the web APIs with no problem. However, even though I set the token lifetime to 5 minutes, it is still valid after the exp time. It only becomes invalid after around 10 minutes. So weird.

This behavior looks very much like a bug on Azure's side.

Any ideas?

MSAL Configuration

/*
 * Copyright (c) Microsoft Corporation. All rights reserved.
 * Licensed under the MIT License.
 */

import { LogLevel } from '@azure/msal-browser';

export const b2cPolicies = {
  names: {
    signUpSignIn: 'B2C_1_susi_v2',
    forgotPassword: 'B2C_1_reset_v3',
    editProfile: 'B2C_1_edit_profile_v2',
  },
  authorities: {
    signUpSignIn: {
      authority:
        'https://devjohn1.b2clogin.com/tfp/devjohn1.onmicrosoft.com/B2C_1_docloud_frontend_devjohn1_signupandsignin', // can remove the string /tfp/; same effect;
    },
    forgotPassword: {
      authority:
        'https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/B2C_1_reset_v3',
    },
    editProfile: {
      authority:
        'https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_edit_profile_v2',
    },
  },
  authorityDomain: 'devjohn1.b2clogin.com',
};


export const msalConfig = {
  auth: {
    clientId: '123qwe-41fd-4894-893c-123qwe123qwe', // This is the ONLY mandatory field that you need to supply.
    authority: b2cPolicies.authorities.signUpSignIn.authority, // Choose SUSI as your default authority.
    knownAuthorities: [b2cPolicies.authorityDomain], // Mark your B2C tenant's domain as trusted.
    redirectUri: 'http://localhost:80', // You must register this URI on Azure Portal/App Registration. Defaults to window.location.origin
    postLogoutRedirectUri: '/', // Indicates the page to navigate after logout.
    navigateToLoginRequestUrl: false, // If "true", will navigate back to the original request location before processing the auth code response.
  },
  cache: {
    cacheLocation: 'sessionStorage', // Configures cache location. "sessionStorage" is more secure, but "localStorage" gives you SSO between tabs.
    storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge
  },
  system: {
    // loggerOptions: {
    //   loggerCallback: (level, message, containsPii) => {
    //     if (containsPii) {
    //       return;
    //     }
    //     switch (level) {
    //       case LogLevel.Error:
    //         console.error(message);
    //         return;
    //       case LogLevel.Info:
    //         console.info(message);
    //         return;
    //       case LogLevel.Verbose:
    //         console.debug(message);
    //         return;
    //       case LogLevel.Warning:
    //         console.warn(message);
    //         return;
    //       default:
    //         return;
    //     }
    //   },
    // },
  },
};


export const loginRequest = {
  scopes: ['openid', 'profile'],
};


export const silentRequest = {
  scopes: ['openid', 'profile'],
  loginHint: '[email protected]',
};

Identity Provider

Azure B2C Basic Policy

Source

Internal (Microsoft)

@DaCao DaCao added the question Customer is asking for a clarification, use case or information. label Jul 11, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jul 11, 2023
@ghost ghost assigned lalimasharda Jul 11, 2023
@github-actions github-actions bot added b2c Related to Azure B2C library-specific issues msal-browser Related to msal-browser package msal-react Related to @azure/msal-react public-client Issues regarding PublicClientApplications labels Jul 11, 2023
@DaCao DaCao changed the title B2C token lifetime does not work and new access token cannot pass APIM B2C token still valid after the exp time Jul 11, 2023
@lalimasharda (Contributor) commented Jul 11, 2023

Hey @DaCao is the 5 minute lifetime set for both access and id tokens?

@ghost ghost added answered Question has received "first qualified response" Needs: Author Feedback Awaiting response from issue author and removed Needs: Attention 👋 Awaiting response from the MSAL.js team labels Jul 11, 2023
@DaCao (Author)

DaCao commented Jul 12, 2023

Hey @DaCao is the 5 minute lifetime set for both access and id tokens?

Thank you for your reply @lalimasharda

I've found this post that answers my question precisely: https://stackoverflow.com/a/69679982/3703783, and I quote:

There is a clock skew in the Microsoft JWT validation middleware. It is set by default to 5 minutes and cannot be less (300 seconds / 5 minutes).

There is a token validation parameter called ClockSkew; it gets or sets the clock skew to apply when validating a time. The default value of ClockSkew is 5 minutes. That means if you haven't set it, your token will still be valid for up to 5 minutes after expiry. If you want your token to expire at the exact time, you'd need to set ClockSkew to zero as follows:

services.AddAuthentication("Bearer").AddJwtBearer("Bearer", options =>
{
    options.Authority = "https://localhost:44347";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = false,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.Zero
    };
});

Hope this can help someone in the future.
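As an added illustration of the clock-skew effect quoted above (example code, not from the issue or from MSAL; the demo token, timestamps and function names are constructed), the check below applies the same rule the middleware uses, accepting a token while now <= exp + ClockSkew, and walks the issue's timeline with the default 5-minute skew beside ClockSkew zero:

```javascript
// Added example: models how a JWT validator's clock skew extends the
// accepted lifetime past the exp claim. Not the middleware's real code.
const DEFAULT_CLOCK_SKEW_SECONDS = 300; // the 5-minute default quoted above

// Constructed, unsigned demo token (alg "none"); signature verification is
// deliberately out of scope, only the lifetime rule is modelled here.
function makeDemoToken(expSeconds) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ exp: expSeconds, iss: 'constructed-demo' })}.`;
}

// Read the exp claim (seconds since epoch) from the payload segment.
function readExp(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (!Number.isInteger(claims.exp)) throw new Error('missing exp claim');
  return claims.exp;
}

// Lifetime check: valid while now <= exp + clockSkew. With the default skew a
// token whose exp has passed is still accepted for another 300 seconds.
function isLifetimeValid(token, nowSeconds, clockSkewSeconds = DEFAULT_CLOCK_SKEW_SECONDS) {
  return nowSeconds <= readExp(token) + clockSkewSeconds;
}

// The issue's scenario: a 5-minute token checked at offsets after its exp,
// once with the default skew and once with ClockSkew set to zero.
function lifetimeTimeline() {
  const issuedAt = 1_700_000_000; // constructed timestamp
  const exp = issuedAt + 300;
  const token = makeDemoToken(exp);
  return [0, 60, 240, 300, 301, 600].map((secondsAfterExp) => ({
    secondsAfterExp,
    defaultSkew: isLifetimeValid(token, exp + secondsAfterExp),
    zeroSkew: isLifetimeValid(token, exp + secondsAfterExp, 0),
  }));
}

console.table(lifetimeTimeline());
```

The table shows the roughly 10-minute window the issue describes: the token stays accepted until exp + 300 s with the default skew, but is rejected one second past exp once ClockSkew is zero.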

@ghost ghost added Needs: Attention 👋 Awaiting response from the MSAL.js team and removed Needs: Author Feedback Awaiting response from issue author labels Jul 12, 2023
@lalimasharda (Contributor)

lalimasharda commented Jul 12, 2023

Thanks for sharing the answer @DaCao! I am going to go ahead and close this issue now. You can open a new issue and tag this one on it if you are still facing issues.

@microsoft-github-policy-service microsoft-github-policy-service bot removed the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jul 12, 2023