msgraph-sdk-java icon indicating copy to clipboard operation
msgraph-sdk-java copied to clipboard
verified publisher icon microsoftgraph

Enable automatic token refresh when Continuous Access Evaluation (CAE) requires a new token

Open BnGreg opened this issue 1 year ago • 7 comments

Describe the bug

When using the AzureIdentityAuthenticationProvider with ClientCertificateCredential, the authentication process does not automatically refresh the token when CAE forces a new authentication. This results in InteractionRequired and TokenCreatedWithOutdatedPolicies errors during Microsoft Graph API calls.

Expected behavior

The AzureIdentityAuthenticationProvider should detect when CAE requires a new token and automatically refresh it to prevent authentication failures.

How to reproduce

  1. Configure authentication using ClientCertificateCredential and AzureIdentityAuthenticationProvider.
  2. Enable CAE in the Azure AD tenant.
  3. Call a Microsoft Graph API endpoint that requires authentication.
  4. If CAE enforces a re-authentication, the request fails with the error: Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies

SDK Version

6.26.0

Latest version known to work for scenario above?

No response

Known Workarounds

Manually regenerating the GraphServiceClient instance or completely restarts the application.

Debug output

The provider does not refresh the token, causing repeated authentication errors when CAE is triggered.


Caused by: com.microsoft.graph.models.odataerrors.ODataError: Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies
	at com.microsoft.graph.models.odataerrors.ODataError.createFromDiscriminatorValue(ODataError.java:36)
	at com.microsoft.kiota.serialization.JsonParseNode.getObjectValue(JsonParseNode.java:212)
	at com.microsoft.kiota.http.OkHttpRequestAdapter.lambda$throwIfFailedResponse$0(OkHttpRequestAdapter.java:673)
	at com.microsoft.kiota.ApiExceptionBuilder.<init>(ApiExceptionBuilder.java:26)
	at com.microsoft.kiota.http.OkHttpRequestAdapter.throwIfFailedResponse(OkHttpRequestAdapter.java:672)
	at com.microsoft.kiota.http.OkHttpRequestAdapter.send(OkHttpRequestAdapter.java:280)
	at com.microsoft.graph.sites.item.drive.DriveRequestBuilder.get(DriveRequestBuilder.java:59)
	at com.microsoft.graph.sites.item.drive.DriveRequestBuilder.get(DriveRequestBuilder.java:46)

Configuration

Microsoft Graph SDK version: 6.26.0 Java version: 21 Spring Boot version: 3.3 Authentication method: ClientCertificateCredential

Other information

Manually regenerating the GraphServiceClient instance as a workaround is inefficient. It would be beneficial if the SDK could handle this scenario internally.

Would it be possible to enhance AzureIdentityAuthenticationProvider to handle CAE-related token refresh automatically?

BnGreg avatar Feb 20 '25 12:02 BnGreg

Are there any news? Will this be fixed in one of the next versions?

ddejmek-irian avatar Feb 25 '25 07:02 ddejmek-irian

+1 for the bug report, we're running into this too. any news?

dvm421 avatar Mar 21 '25 09:03 dvm421

@andrueastman @Ndiritu Can you give some feedback regarding this issue ?

BnGreg avatar Apr 03 '25 05:04 BnGreg

I think the problem is a TimeZone issue. Within the constructors of com.azure.identity.implementation.MsalToken the expiresAt is created in UTC:

OffsetDateTime.ofInstant(msalResult.expiresOnDate().toInstant(), ZoneOffset.UTC)

The isExpired check within com.azure.identity.implementation.IdentitySyncClient using the MsalToken is with local time: if (OffsetDateTime.now().isBefore(accessToken.getExpiresAt().minus(REFRESH_OFFSET))) { (in method AccessToken authenticateWithConfidentialClientCache(TokenRequestContext request) ).

TobiUll avatar Aug 08 '25 08:08 TobiUll

and https://github.com/microsoftgraph/msgraph-sdk-java/issues/2355 seems to be a duplicate of this issue #

TobiUll avatar Aug 08 '25 08:08 TobiUll