aspnetcore: MSAL: Azure B2C Blazor wasm fails after 24 hours when the refresh token has expired
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
We are using Azure B2C login with a Blazor wasm application. We use local storage to save the tokens, and the goal is not to ask for user credentials again if the user accesses the same site before the refresh token expires. This works well.
But we are facing an issue if we try to access the application after a period of 24 hours of inactivity. This is the time when the refresh token expires (an SPA with PKCE in Azure B2C has a 24 hour expiry for the refresh token). After 24 hours the application tries to log in the user through a hidden iframe and, for some security reason, some browsers throw a warning and the login process fails.
I can see the message below in the console:
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
I need to know whether there is any way to fix this. Does MSAL in Blazor provide any customization to disable this hidden iframe and enable the normal browser redirect?
Here is my configuration in Program.cs:
builder.Services.AddMsalAuthentication(options =>
{
    options.ProviderOptions.LoginMode = "redirect";
    builder.Configuration.Bind("AzureAdB2C", options.ProviderOptions.Authentication);
    options.ProviderOptions.DefaultAccessTokenScopes.Add("SomeScope");
    options.ProviderOptions.Cache.StoreAuthStateInCookie = true;
    options.ProviderOptions.Cache.CacheLocation = "localStorage";
    options.UserOptions.RoleClaim = ClaimTypes.Role;
});
Here are some screenshots from the browser console which can help to understand the issue better.
In case someone needs to re-create this issue without waiting for 24 hours, you can replace the access token and refresh token with already expired values and try this in Chrome Incognito or Mozilla. In normal Chrome I am not getting this issue, but some others are getting the issue even in a non-incognito Chrome window.
Expected Behavior
The application should have some kind of fallback strategy. Let's say if the browser doesn't support the hidden iframe redirect, then define a fallback mechanism to do a regular browser redirect.
Steps To Reproduce
- Login to Azure B2C
- Use local storage to store the token cache on the client side
- Try to load the application again after 24 hours (i.e. after the refresh token expires)
- See the browser logs
Note: In case someone needs to re-create this issue without waiting for 24 hours, you can replace the access token and refresh token with already expired values and try this in Chrome Incognito or Mozilla. In normal Chrome I am not getting this issue, but some others are getting the issue even in a non-incognito Chrome window.
Exceptions (if any)
In the Chrome console window we can see a warning like:
An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing.
In the redirect response we can see an error like:
error=interaction_required&error_description= AADB2C90077 User does not have an existing session and request prompt parameter has a value of None
.NET Version
7
Anything else?
No response
About this issue
- Original URL
- State: open
- Created a year ago
- Reactions: 1
- Comments: 17 (4 by maintainers)
Hi @hectormmg,
We are using Blazor; could you please let me know how exactly this can be configured?
Thanks
This worked for me pre-.NET 8; after upgrading to .NET 8 this doesn't work any more.
You get correctly redirected to the login page ('authentication/login'), but I think that page also gets an 'AccessTokenNotAvailableException'. So the page is just stuck.
Users are now stuck on an error page, and even a full refresh doesn't solve this. They need to clear the site data completely.
I now get the following error:
crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100] Unhandled exception rendering component: net_http_message_not_success_statuscode_reason, 302, Token expired, redirecting to login.
Just thought I'd come back and update you with a workaround.
The issue arises when calling an API with an expired access token. We have an implementation of AuthorizationMessageHandler as we want to attach the access token to outgoing requests for a particular API. Overriding the SendAsync method allows us to catch the AccessTokenNotAvailableException and call its Redirect method, which redirects the user as opposed to using the hidden iframe. Not sure why this isn't done for you already and why you have to step in and call the Redirect method manually, but it solves our problem.
We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues you can read our Triage Process.
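A handler of the kind the workaround above describes, written here as an added example (it is not the commenter's code nor part of the aspnetcore repo). The API origin, the scope name and the HttpClient name are placeholders; the base class, ConfigureHandler, AccessTokenNotAvailableException and its Redirect method are the real Microsoft.AspNetCore.Components.WebAssembly.Authentication APIs.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;

// Attaches the access token to calls to one API. When no valid token can be
// obtained silently (e.g. the B2C refresh token has expired after 24 hours),
// it forces a visible redirect to the login flow instead of leaving the
// component to fail on the hidden-iframe path.
public class ApiAuthorizationMessageHandler : AuthorizationMessageHandler
{
    public ApiAuthorizationMessageHandler(IAccessTokenProvider provider,
                                          NavigationManager navigation)
        : base(provider, navigation)
    {
        // Placeholder API origin and scope; replace with your own values.
        ConfigureHandler(
            authorizedUrls: new[] { "https://api.example.invalid" },
            scopes: new[] { "SomeScope" });
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        try
        {
            return await base.SendAsync(request, cancellationToken);
        }
        catch (AccessTokenNotAvailableException ex)
        {
            // Redirect() navigates to the login page with the current URL as the
            // return URL, so the user lands back on the requested page after
            // signing in. The exception is rethrown so the calling component
            // stops rendering instead of consuming a response that never came.
            ex.Redirect();
            throw;
        }
    }
}

// Program.cs registration (client name and base address are placeholders):
// builder.Services.AddScoped<ApiAuthorizationMessageHandler>();
// builder.Services.AddHttpClient("ServerAPI",
//         client => client.BaseAddress = new Uri("https://api.example.invalid/"))
//     .AddHttpMessageHandler<ApiAuthorizationMessageHandler>();
```

Components that call the API should still catch AccessTokenNotAvailableException (the documented Blazor pattern) so the rethrow does not surface as an unhandled rendering error while the redirect is in flight.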
Discussed this with current @emlauber (her team owns MSAL.js). @emlauber feel free to unassign yourself if you find out that this is caused by Blazor, rather than MSAL.js (which is the current thinking). Thanks!