I am using this sdk and have implemented a custom getAccessToken handler. This handler checks whether the user's access token has expired, and if so, posts to the MSGraph /token endpoint to get a new access_token, refresh_token, and expires_in time.
In another function doWork, I attempt to process a request to the graph api up to 5 times. If the request fails 5 times, I end the user's connection and log some information for debugging. However, if a user's access token is expired when doWork is called, there appears to be a chance that the response to the endpoint is a 401 InvalidAuthenticationToken which triggers doWork to be called again and loops until it fails with the same error 5 times.
What have I already investigated:
I have verified that the middleware (aka my custom getAccessToken) is being called via the sdk client whenever this error is thrown.
I have verified to the best of my ability that the refresh token is valid. If I were to change it manually to make it invalid, I get an error about the refresh token being invalid when posting to /token.
As far as I can tell, the call to /token does not fail - I have it wrapped in a try/catch and never get in the catch block.
I have verified that the new access_token I receive from the endpoint is valid using jwt.ms. There does appear to be some difference in the Decoded Token and Claims tabs with regards to the Issued At iat, Not Before nbf, and Expires At exp fields. The Claims shows the date I would expect - current, 2023 dates issuing a new token around the time of my request and expiring 60-90 minutes later. The Decoded Token tab shows dates around 1970. I am assuming this is some error with units/wraparound/overflow and is specific to this tab.
I have verified that if I let a user do a fresh authentication (for a new access_token) and manually change the token to one I know is expired after a couple requests, my handler properly refreshes the token and continues without erroring in the doWork loop. The only time I have been able to repro the consistent failure even after a (successful?) refresh is if the user is accessing a file that has been shared with them. That is, person A shares a file with person B, and person B accesses the file through my app. If the server processing person B's auth notices an expired access_token, it errors 5 times in doWork (fails once on expired auth, refresh succeeds, the next 4 calls to the graph api fail). Users may have been getting this error with their own files, but I cannot confirm that at this moment based off of the server logs I have.
Console Errors:
Stack Trace: Error
at console.error (C:\redacted\)
at C:\redacted\
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Error uploading file 5 {"statusCode":401,"code":"InvalidAuthenticationToken","requestId":"deca89ea-8c19-4582-82fa-cd6d52238aee","date":"2023-09-11T22:28:10.000Z","body":"{\"code\":\"InvalidAuthenticationToken\",\"message\":\"Access token has expired or is not yet valid.\",\"innerError\":{\"date\":\"2023-09-11T18:28:10\",\"request-id\":\"deca89ea-8c19-4582-82fa-cd6d52238aee\",\"client-request-id\":\"116ea9a7-60db-3cd8-c4c3-e67c55c4e697\"}}"} GraphError: Access token has expired or is not yet valid.
at new GraphError (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphError.js:31:28)
at GraphErrorHandler.constructErrorFromResponse (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphErrorHandler.js:61:22)
at Function.<anonymous> (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphErrorHandler.js:92:48)
at step (C:\redacted\node_modules\tslib\tslib.js:141:27)
at Object.next (C:\redacted\node_modules\tslib\tslib.js:122:57)
at C:\redacted\node_modules\tslib\tslib.js:115:75
at new Promise (<anonymous>)
at Object.__awaiter (C:\redacted\node_modules\tslib\tslib.js:111:16)
at GraphErrorHandler.getError (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphErrorHandler.js:88:24)
at GraphRequest.<anonymous> (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphRequest.js:305:84) {
statusCode: 401,
code: 'InvalidAuthenticationToken',
requestId: 'deca89ea-8c19-4582-82fa-cd6d52238aee',
date: 2023-09-11T22:28:10.000Z,
body: '{"code":"InvalidAuthenticationToken","message":"Access token has expired or is not yet valid.","innerError":{"date":"2023-09-11T18:28:10","request-id":"deca89ea-8c19-4582-82fa-cd6d52238aee","client-request-id":"116ea9a7-60db-3cd8-c4c3-e67c55c4e697"}}'
}
Steps to Reproduce
Connect to MSGraph and establish a connection to the service in order to access a file shared with you
Wait for the access token to expire (optional: set the token to an old one that has already expired after a successful first connection has been made)
Call a function that will attempt to execute a call to /me up to N times
The token should be refreshed, but the call to /me will fail
Expected behavior: A refresh of a user's token should allow them to access the file they were using before their auth expired.
Actual behavior: A refresh of a user's token results in a 401 InvalidAuthenticationToken
Usage Information
Request IDs of all failed -
2172afb1-0a0d-4235-a1d6-faeef9411542
32c3c3e8-ac73-4428-94f5-4a9de41399ba
846a8cd6-c455-4ad3-99a1-dc6edfc05b85
7117693d-0a2c-4dff-8c3f-f5e332dc9689
deca89ea-8c19-4582-82fa-cd6d52238aee
SDK Version - 2.0.0
Node (Check, if using Node version of SDK)
Node Version - 18
Is there anything else that could cause a 401 to be thrown that I should be looking into? Please feel free to reach out, and I can provide additional information as needed to help diagnose what's happening.
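Added illustration, not part of the original issue and not code from the SDK: a small Node.js helper that decodes a token's `iat`/`nbf`/`exp` claims and classifies it against a fixed clock, the check that separates "expired" from "not yet valid" when a refreshed token still draws a 401. The function names, the 300-second skew allowance and the sample tokens are assumptions constructed for this example; it also shows how reading the second-based claims as milliseconds produces 1970 dates.

```javascript
// Added diagnostic sketch: all names and sample tokens here are constructed.
// It decodes claims WITHOUT verifying the signature, so it is for debugging
// your own tokens only, never for making authorization decisions.

function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// iat/nbf/exp are NumericDate values: SECONDS since the epoch (RFC 7519).
const toIso = (sec) => new Date(sec * 1000).toISOString();
// Passing seconds straight to Date (which takes milliseconds) lands in 1970.
const misreadAsMillis = (sec) => new Date(sec).toISOString();

// nowMs is injectable so the result is reproducible in tests and log replay.
function checkValidity(jwt, nowMs = Date.now(), skewSec = 300) {
  const { iat, nbf, exp, aud } = decodeClaims(jwt);
  if (typeof exp !== "number") throw new Error("token has no numeric exp claim");
  const nowSec = Math.floor(nowMs / 1000);
  let state = "valid";
  if (nowSec >= exp) state = "expired";
  else if (typeof nbf === "number" && nbf > nowSec + skewSec) state = "not-yet-valid";
  else if (exp - nowSec <= skewSec) state = "expiring-soon"; // refresh before use
  return {
    state, aud, secondsLeft: exp - nowSec,
    issuedAt: typeof iat === "number" ? toIso(iat) : null,
    notBefore: typeof nbf === "number" ? toIso(nbf) : null,
    expiresAt: toIso(exp),
  };
}

// Constructed sample tokens; the signature segment is a dummy value.
function makeSampleToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ typ: "JWT", alg: "RS256" })}.${b64(claims)}.sig`;
}

const SAMPLE_NOW_MS = Date.parse("2023-09-11T22:28:10Z"); // server date from the log above
const NOW_SEC = SAMPLE_NOW_MS / 1000;
const AUD = "https://graph.microsoft.com"; // constructed sample audience
const fresh = makeSampleToken({ aud: AUD, iat: NOW_SEC - 5, nbf: NOW_SEC - 5, exp: NOW_SEC + 3600 });
const stale = makeSampleToken({ aud: AUD, iat: NOW_SEC - 3700, nbf: NOW_SEC - 3700, exp: NOW_SEC - 100 });

console.log(checkValidity(fresh, SAMPLE_NOW_MS));
console.log(checkValidity(stale, SAMPLE_NOW_MS).state);
console.log(toIso(NOW_SEC + 3600), "vs", misreadAsMillis(NOW_SEC + 3600));
```

Logging the result of `checkValidity` for the exact token string the handler returns on each retry also shows whether the retried request carried the refreshed token or the previous one.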