401 InvalidAuthenticationToken after token refresh with shared files
Bug Report
Prerequisites
- [x] Can you reproduce the problem?
- [x] Are you running the latest version?
- [x] Are you reporting to the correct repository?
- [x] Did you perform a cursory search?
For more information, see the CONTRIBUTING guide.
Description
I am using this sdk and have implemented a custom getAccessToken handler. This handler checks whether the user's access token has expired, and if so, posts to the MSGraph /token endpoint to get a new access_token, refresh_token, and expires_in time.
In another function doWork, I attempt to process a request to the graph api up to 5 times. If the request fails 5 times, I end the user's connection and log some information for debugging. However, if a user's access token is expired when doWork is called, there appears to be a chance that the response to the endpoint is a 401 InvalidAuthenticationToken which triggers doWork to be called again and loops until it fails with the same error 5 times.
What have I already investigated:
- I have verified that the middleware (aka my custom getAccessToken) is being called via the sdk client whenever this error is thrown.
- I have verified to the best of my ability that the refresh token is valid. If I were to change it manually to make it invalid, I get an error about the refresh token being invalid when posting to /token.
- As far as I can tell, the call to /token does not fail - I have it wrapped in a try/catch and never get in the catch block.
- I have verified that the new access_token I receive from the endpoint is valid using jwt.ms. There does appear to be some difference in the Decoded Token and Claims tabs with regards to the Issued At iat, Not Before nbf, and Expires At exp fields. The Claims shows the date I would expect - current, 2023 dates issuing a new token around the time of my request and expiring 60-90 minutes later. The Decoded Token tab shows dates around 1970. I am assuming this is some error with units/wraparound/overflow and is specific to this tab.
- I have verified that if I let a user do a fresh authentication (for a new access_token) and manually change the token to one I know is expired after a couple requests, my handler properly refreshes the token and continues without erroring in the doWork loop. The only time I have been able to repro the consistent failure even after a (successful?) refresh is if the user is accessing a file that has been shared with them. That is, person A shares a file with person B, and person B accesses the file through my app. If the server processing person B's auth notices an expired access_token, it errors 5 times in doWork (fails once on expired auth, refresh succeeds, the next 4 calls to the graph api fail). Users may have been getting this error with their own files, but I cannot confirm that at this moment based off of the server logs I have.
Console Errors:
Stack Trace: Error
at console.error (C:\redacted\)
at C:\redacted\
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Error uploading file 5 {"statusCode":401,"code":"InvalidAuthenticationToken","requestId":"deca89ea-8c19-4582-82fa-cd6d52238aee","date":"2023-09-11T22:28:10.000Z","body":"{\"code\":\"InvalidAuthenticationToken\",\"message\":\"Access token has expired or is not yet valid.\",\"innerError\":{\"date\":\"2023-09-11T18:28:10\",\"request-id\":\"deca89ea-8c19-4582-82fa-cd6d52238aee\",\"client-request-id\":\"116ea9a7-60db-3cd8-c4c3-e67c55c4e697\"}}"} GraphError: Access token has expired or is not yet valid.
at new GraphError (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphError.js:31:28)
at GraphErrorHandler.constructErrorFromResponse (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphErrorHandler.js:61:22)
at Function.<anonymous> (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphErrorHandler.js:92:48)
at step (C:\redacted\node_modules\tslib\tslib.js:141:27)
at Object.next (C:\redacted\node_modules\tslib\tslib.js:122:57)
at C:\redacted\node_modules\tslib\tslib.js:115:75
at new Promise (<anonymous>)
at Object.__awaiter (C:\redacted\node_modules\tslib\tslib.js:111:16)
at GraphErrorHandler.getError (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphErrorHandler.js:88:24)
at GraphRequest.<anonymous> (C:\redacted\node_modules\@microsoft\microsoft-graph-client\lib\src\GraphRequest.js:305:84) {
statusCode: 401,
code: 'InvalidAuthenticationToken',
requestId: 'deca89ea-8c19-4582-82fa-cd6d52238aee',
date: 2023-09-11T22:28:10.000Z,
body: '{"code":"InvalidAuthenticationToken","message":"Access token has expired or is not yet valid.","innerError":{"date":"2023-09-11T18:28:10","request-id":"deca89ea-8c19-4582-82fa-cd6d52238aee","client-request-id":"116ea9a7-60db-3cd8-c4c3-e67c55c4e697"}}'
}
Steps to Reproduce
- Connect to MSGraph and establish a connection to the service in order to access a file shared with you
- Wait for the access token to expire (optional: set the token to an old one that has already expired after a successful first connection has been made)
- Call a function that will attempt to execute a call to /me up to N times
- The token should be refreshed, but the call to /me will fail
Expected behavior: A refresh of a user's token should allow them to access the file they were using before their auth expired.
Actual behavior: A refresh of a user's token results in a 401 InvalidAuthenticationToken
Additional Context
Add any other context about the problem here..
Usage Information
Request IDs of all failed - 2172afb1-0a0d-4235-a1d6-faeef9411542 32c3c3e8-ac73-4428-94f5-4a9de41399ba 846a8cd6-c455-4ad3-99a1-dc6edfc05b85 7117693d-0a2c-4dff-8c3f-f5e332dc9689 deca89ea-8c19-4582-82fa-cd6d52238aee
SDK Version - 2.0.0
- [x] Node (Check, if using Node version of SDK)
Node Version - 18
Is there anything else that could cause a 401 to be thrown that I should be looking into? Please feel free to reach out, and I can provide additional information as needed to help diagnose what's happening.
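Added example, not part of the original report or the SDK: a Node diagnostic for the two timestamp questions raised above, namely whether a refreshed token's nbf/exp window actually covers the local clock (the 401 message covers both "expired" and "not yet valid") and why NumericDate claims read as milliseconds show dates around 1970. The helper names and the sample tokens are constructed for illustration, and the payload is decoded without signature verification, so this is for debugging only.

```javascript
// Added diagnostic example; helper names are hypothetical, tokens are constructed.
// Decodes the JWT payload WITHOUT verifying the signature: inspection only.

// Decode the middle (payload) segment of a compact JWT.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// iat/nbf/exp are NumericDate values: SECONDS since the epoch (RFC 7519).
// JavaScript Date expects MILLISECONDS, so multiply by 1000.
function claimDate(seconds) {
  return new Date(seconds * 1000);
}

// Classify the token against a clock. marginSec treats a token as expired
// slightly early so a request does not race the expiry.
function tokenWindow(jwt, nowMs = Date.now(), marginSec = 60) {
  const { iat, nbf, exp } = decodeClaims(jwt);
  const nowSec = Math.floor(nowMs / 1000);
  let state = "valid";
  if (typeof nbf === "number" && nowSec < nbf) state = "not-yet-valid";
  else if (typeof exp !== "number" || nowSec >= exp - marginSec) state = "expired";
  return { state, iat, nbf, exp, secondsLeft: exp - nowSec };
}

// After a refresh, confirm the token handed to the client really is newer
// than the one that was rejected (guards against re-sending a cached token).
function isNewerToken(oldJwt, newJwt) {
  return decodeClaims(newJwt).exp > decodeClaims(oldJwt).exp;
}

// Build an unsigned sample token with a fake signature segment (constructed).
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sig`;
}

const T0 = Date.UTC(2023, 8, 11, 22, 0, 0) / 1000; // 2023-09-11T22:00:00Z, in seconds
const oldToken = makeSampleJwt({ iat: T0 - 7200, nbf: T0 - 7200, exp: T0 - 3600 });
const newToken = makeSampleJwt({ iat: T0, nbf: T0, exp: T0 + 3600 });

console.log(tokenWindow(oldToken, T0 * 1000).state);         // stale token
console.log(tokenWindow(newToken, T0 * 1000).state);         // refreshed token
console.log(tokenWindow(newToken, (T0 - 600) * 1000).state); // local clock 10 min behind
console.log(new Date(T0).toISOString());                     // seconds misread as ms
console.log(claimDate(T0).toISOString());                    // correct conversion
```

Logging `tokenWindow(token)` inside the getAccessToken handler just before returning shows whether the token actually sent after a refresh is the new one and whether the server's clock and the local clock agree on its window.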