microsoft-authentication-library-for-js: Intermittent acquireTokenSilent timeout issue


Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-angular@0.x.x
  • [x] @azure/msal-angular@1.x.x
  • @azure/msal-angularjs@1.x.x

Description

Version: "@azure/msal-angular": "^1.0.0-alpha.1", "msal": "^1.2.1-beta.1"

We are experiencing an intermittent acquireTokenSilent “Token renewal operation failed due to timeout” issue. We observed that we have a block_token_requests error as well, but the timeout issue sometimes disappears and sometimes doesn’t, although the block_token_requests error is always there. I’ve included a detailed verbose log (with sensitive info stripped out) below for both working and non-working cases. I’ve observed that the block_token_requests error occurs when acquireTokenSilent’s callback redirects to a route that’s guarded by MsalGuard. All of our routes are guarded by MsalGuard and we would like it to work this way.

Question

We think the timeout error is not related to block_token_requests, because we’ve tried to create our own guard to not activate the redirect route in the hidden iframe; however, the timeout issue still occurs, although block_token_requests is not observed anymore. We’ve tried to increase the timeout to 30s with no luck. What’s the reason for this timeout error? We’ve not observed this in older versions. We recently updated to the alpha version due to an SSO requirement.

Details of the app:

For our app, we have all of our routes guarded with MsalGuard, and the default callback from login/acquireToken redirects to one of the guarded routes, the Home route. Our APIs have interceptors to make sure acquireToken is successful before making an API call.

Verbose Logs:

The one that’s not working:

    msal client logging: Fri, 17 Jan 2020 20:31:44 GMT:1234-1.2.0-Verbose location change event from old url to new url
    main.js:1081 msal client logging: Fri, 17 Jan 2020 20:31:44 GMT:1234-1.2.0-Info Navigate to:https://xxx/oauth2/v2.0/authorize?response_type=id_token&response_mode=fragment
    msal client logging: Fri, 17 Jan 2020 20:31:51 GMT:1234-1.2.0-Info Returned from redirect url
    msal client logging: Fri, 17 Jan 2020 20:31:51 GMT:1234-1.2.0-Info Processing the callback from redirect response
    msal client logging: Fri, 17 Jan 2020 20:31:51 GMT:1234-1.2.0-Info State status:true; Request type:LOGIN
    msal client logging: Fri, 17 Jan 2020 20:31:51 GMT:1234-1.2.0-Info State is right
    msal client logging: Fri, 17 Jan 2020 20:31:51 GMT:1234-1.2.0-Info Fragment has id token
    VM11 main.js:680 LOGIN SUCCESS
    msal client logging: Fri, 17 Jan 2020 20:31:51 GMT:1234-1.2.0-Verbose location change event from old url to new url
    msal client logging: Fri, 17 Jan 2020 20:31:51 GMT:1234-1.2.0-Info Token is already in cache for scope:f7de192f-f705-4194-83a8-d49228fa3e6c
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Verbose renewing accesstoken
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Verbose renewToken is called for scope:xxx
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Info Add msal frame to document:msalRenewFramehttps://scopexxx
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Verbose Renew token Expected state: 8920e54e-7a8a-48a3-bf26-d9139f211458
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Info Navigate to:https://xxx/oauth2/v2.0/authorize?response_type=token&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.0&domain_hint=organizations&client-request-id=16f1e18a-fcad-4513-a10a-7d9d1e8f79b3&prompt=none&response_mode=fragment
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Verbose Set loading state to pending for: scopexxx
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Info LoadFrame: msalRenewFramehttps:/xxx.onmicrosoft.com/api/user_impersonation
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Info Add msal frame to
    msal client logging: Fri, 17 Jan 2020 20:31:55 GMT:1234-1.2.0-Info Frame Name : msalRenewFramehttps:// Navigated to: https://xxx.onmicrosoft.com/oauth2/v2.0/authorize?response_type=token&scope=&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.0&domain_hint=organizations&client-request-id=16f1e18a-fcad-4513-a10a-7d9d1e8f79b3&prompt=none&response_mode=fragment
    acquire token failure {"errorCode":"block_token_requests","errorMessage":"Token calls are blocked in hidden iframes","name":"ClientAuthError"}
    msal client logging: Fri, 17 Jan 2020 20:31:58 GMT:1234-1.2.0-Error Error when acquiring token for scopes: ClientAuthError: Token calls are blocked in hidden iframes
    msal client logging: Fri, 17 Jan 2020 20:32:28 GMT:1234-1.2.0-Verbose Loading frame has timed out after: 30 seconds for scope
    app.component.ts:181 acquire token failure {"errorCode":"token_renewal_error","errorMessage":"URL navigated to is https://xxx.b2clogin.com/xxx.onmicrosoft.com/policy/oauth2/v2.0/authorize?response_type=token&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.0&domain_hint=organizations&client-request-id=16f1e18a-fcad-4513-a10a-7d9d1e8f79b3&prompt=none&response_mode=fragment, Token renewal operation failed due to timeout.","name":"ClientAuthError"}
    app.module.ts:79 msal client logging: Fri, 17 Jan 2020 20:32:28 GMT:1234-1.2.0-Error Error when acquiring token for scope Token renewal operation failed due to timeout.

The one that works:

    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Verbose location change event from old url to new url
    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Info Token is already in cache for scope:f7de192f-f705-4194-83a8-d49228fa3e6c
    app.component.ts:146 LOGIN SUCCESS
    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Verbose renewing accesstoken
    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Verbose renewToken is called for scope
    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Info Add msal frame to document:msalRenewFramehttps://
    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Verbose Renew token Expected state:
    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Info Navigate to:https://xxx.b2clogin.com/xxx.onmicrosoft.com&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.0&domain_hint=organizations&client-request-id=e41c5916-dab0-4394-beb3-305aad9c4f5b&prompt=none&response_mode=fragment
    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Verbose Set loading state to pending for: scope
    msal client logging: Fri, 17 Jan 2020 20:26:03 GMT:1234-1.2.0-Info LoadFrame: msalRenewFramehttps://
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Info Add msal frame to document:msalRenewFramehttps://
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Info Frame Name : msalRenewFramehttps:// Navigated to: https://xxx.b2clogin.com/xxx.onmicrosoft.com/policy/oauth2/v2.0/authorize?response_type=token&client_info=1&x-client-SKU=MSAL.JS&x-client-Ver=1.2.0&domain_hint=organizations&client-request-id=e41c5916-dab0-4394-beb3-305aad9c4f5b&prompt=none&response_mode=fragment
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Info Returned from redirect url
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Info Processing the callback from redirect response
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Info State status:true; Request type:RENEW_TOKEN
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Info State is right
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Info Fragment has access token
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Info The user object received in the response is the same as the one passed in the acquireToken request
    msal client logging: Fri, 17 Jan 2020 20:26:04 GMT:1234-1.2.0-Verbose acquiring token interactive in progress
    acquireTokenSuccess
    msal client logging: Fri, 17 Jan 2020 20:26:07 GMT:1234-1.2.0-Verbose location change event from old url to new url
    app.component.ts:181 acquire token failure {"errorCode":"block_token_requests","errorMessage":"Token calls are blocked in hidden iframes","name":"ClientAuthError"}
    msal client logging: Fri, 17 Jan 2020 20:26:07 GMT:1234-1.2.0-Error Error when acquiring token for scopes: ClientAuthError: Token calls are blocked in hidden iframes

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 45 (19 by maintainers)

Most upvoted comments

@jasonnutter We no longer use MSAL for Angular.

@mbrevda Initially, we set the src to a location on your authority (e.g. login.microsoftonline.com), and then when the operation is complete, the authority redirects that response (and thus the iframe) to the provided redirect uri, which allows us to parse it.

You can read more about the implementation of the implicit flow here: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow

@mbrevda Yes, in order for MSAL.js to read the url of the iframe (which includes the response), the redirect uri needs to be on the same origin as the application. Otherwise, we have no way to read the response, which would result in a timeout.
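
The same-origin requirement described in the comments above, as an added JavaScript example that is not part of the original thread and is not MSAL.js code. It classifies what a parent page could observe for one silent renewal: an unreadable cross-origin frame, a frame still sitting on the authority (the "URL navigated to" case in the failing log), or a readable fragment whose state is then checked. All function names and sample URLs are hypothetical and constructed.

```javascript
// Added example; function names and sample URLs are hypothetical/constructed.

// A parent page can read a frame's URL only when scheme, host and port match.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Parse an implicit-flow response carried in the fragment (response_mode=fragment)
// and check it against the state value sent with the request.
function parseFragmentResponse(frameUrl, expectedState) {
  const params = new URLSearchParams(new URL(frameUrl).hash.replace(/^#/, ""));
  if (params.has("error")) {
    return { ok: false, reason: "idp_error", detail: params.get("error") };
  }
  if (params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (!params.has("access_token")) {
    return { ok: false, reason: "no_token_in_fragment" };
  }
  return { ok: true, reason: "token_received" };
}

// Classify what the parent page would observe for one silent renewal attempt.
function checkSilentRenewal(appUrl, redirectUri, frameUrl, expectedState) {
  if (!sameOrigin(appUrl, redirectUri)) {
    // The response lands on another origin and is never readable: timeout.
    return { ok: false, reason: "redirect_uri_cross_origin" };
  }
  if (!sameOrigin(appUrl, frameUrl)) {
    // The frame has not been redirected back yet (still on the authority).
    return { ok: false, reason: "frame_still_on_authority" };
  }
  return parseFragmentResponse(frameUrl, expectedState);
}

// Constructed sample values (not taken from the logs above).
const APP = "https://app.example.com/home";
const REDIRECT = "https://app.example.com/auth-callback";
const AUTHORIZE = "https://login.example.net/tenant/oauth2/v2.0/authorize?prompt=none";

console.log(checkSilentRenewal(APP, "https://other.example.org/cb", AUTHORIZE, "s1"));
console.log(checkSilentRenewal(APP, REDIRECT, AUTHORIZE, "s1"));
console.log(checkSilentRenewal(APP, REDIRECT, REDIRECT + "#access_token=constructed&state=s1", "s1"));
```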