[iOS] [issue] For Outlook personal accounts (imap) - Not expired silent access token, requested from background, is losing lease/access to IMAP 1h after application start (beyond that 1h - background requested tokens do not work). #2334
Comments
Strange, when I request DEFAULT scope only: ........ But for personal Outlook accounts I need slightly different with "outlook.office.com" (so the above token does not work for private Outlook emails): Do you know why MSAL works this way?
Different test: Now I get a token with the following scopes: But this is as per Microsoft documents that scopes with "graph.microsoft.com" will not work for private email accounts. They have to be: Also for private email accounts Microsoft documentation says (so we need that offline_access in the token request):
Hi @Be-Maps , offline_access is a scope as defined in the OpenID Connect protocol. For v2.0 endpoints, it must be requested explicitly. For more details about it and how long the resulting access token obtained is, please refer to https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-offline_access-scope To clarify, can you consolidate the questions that you have so that I can try to answer them accordingly? Thanks
Hi Patil, Please note (as this might be important) I am using the outlook.office.com FQDN (as only this one gives a working token for Outlook Private Personal Accounts), not graph.microsoft.com or *office365.com; --------------------- observation 1 --------------- It says in some of the AzureAD posts MSAL is requesting offline_access by default, and for example when I request a token with scope offline_access (interactive or silent) I get the following error: I was requesting above with the following scopes (which give the above error): When I remove offline_access from scopes (I keep IMAP & SMTP) I get a token which works for one hour, but the next refreshed token does not work. So I stop the app. Q1: Why can't I add "offline_access" explicitly, and how can I do this if it is possible? - Some of the posts on AzureAD say it is added by default and it is done by scope: "https://outlook.office.com/.default" (So I tried, but it did not help for the outlook.office.com FQDN, but helps for the other one - "https://graph.microsoft.com/.default") Q2: Why does the second silent token not work / or stop working after 1h from app start? - this might be a bug as the first silent token after the app start works (so it looks like the refresh token works OK only for the first silent token requested by the app, not properly working for the second one which will lose the IMAP Lease after 1h from app start) Q2a: What could be responsible for the IMAP Lease up to 1h from the app start? as I am getting valid tokens, but they do not work after 1h from the app start. Q2b: How is the first Silent request via MSAL different from the second one (same place in code on my end)? - It looks like the first get of a silent token gives the IMAP lease for 1h. Why does the next silent token not get the IMAP Lease extended according to its expiry?
---------------------- observation 2 --------------- I did just for a test when I request a token from the graph FQDN with scopes like below (this token will not work for Private Personal accounts as it will not get the IMAP Lease for a private account, but just a test): I get a token with the DEFAULT scopes: So MSAL is adding these "MSAL restricted / Default" scopes for the graph FQDN. Q3: Is this a defect on MSAL end, as MSAL is not adding "offline_access" as default for the outlook.office.com FQDN? Or how should I request "offline_access", because when I add it MSAL says "error-reserved" as one of the default scopes, the MSAL error is - "... reserved scopes and may not be specified in the acquire token call". Q4: If I am doing something wrong please advise. Or if needed maybe we may have a Skype call and I will share the screen to show the behaviour and logs for various scenarios? ---------------------- observation 3 --------------- In comparison, in MSAL for Android, silent tokens work for a few hours after refreshes, with the below scopes:
I have the same issue on iOS (valid token stops working - after 1h from app start - when requested from background location), did you manage to sort this out?
@willDTBM - I was testing it with various combinations of parameters including force refresh (and - plus removed browsing data and account, logged out, changed to a new device) and it did not help. I can only tell: on iOS a valid token requested in the background stops working before its 1h lifetime ends.
Hi Will, and Patil, actor OAuthDetails { Hi Patil,
I guess there should be an MSAL log entry with something for offline access (which I have in Azure in delegated permissions):
MSAL requests by default "openid profile offline_access" scopes. I was reading openid does not work for personal accounts - and maybe this makes it fail and not requests the offline_access.
I am not sure if my conclusions here are correct, but below is the behaviour I am seeing.
For delegated permissions for personal account I use scopes:
"https://outlook.office.com/IMAP.AccessAsUser.All",
"https://outlook.office.com/SMTP.Send"
I was trying to pass offline_access to MSAL in various ways, but MSAL does not take it, and I get an error:
//"offline_access",
//"https://outlook.office.com/offline_access",
//"https://graph.microsoft.com/offline_access",
//"https://graph.microsoft.com/.default",
//".default",
In general I was using examples, and all started working until 1h passes:
https://cocoapods.org/pods/MSAL
https://learn.microsoft.com/de-de/graph/tutorials/ios-swift?tutorial-step=3
According to this Microsoft specification it should be possible to get access tokens and refresh tokens with silent token request:
https://learn.microsoft.com/pt-br/entra/identity-platform/v2-oauth2-auth-code-flow
Based on the articles below offline_access must be requested for mobile applications, and possibly due to the lack of that any tokens will be valid only for 1h from application start, because offline_access was not requested and because then the refresh token is only granted a 1h lifetime:
https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
https://learn.microsoft.com/en-gb/entra/identity-platform/access-tokens
I can only see in the MSAL log following requested and returned (for interactive and silent requests):
MSAL log: TID=20301803 MSAL 1.3.2 iOS 17.5.1 [2024-09-09 16:37:48 - F2CC8655-27DC-4A1F-9772-BDF5B4B82013] [MSAL] -[MSALPublicClientApplication acquireTokenSilentForScopes:(
"https://outlook.office.com/IMAP.AccessAsUser.All",
"https://outlook.office.com/SMTP.Send"
)
account:Masked(not-null)
authority:<MSALAADAuthority: 0x301a1d060>
validateAuthority:Yes
forceRefresh:Yes
correlationId:(null)
capabilities:(null)
claimsRequest:(null)]
...
...
MSAL log: TID=20301801 MSAL 1.3.2 iOS 17.5.1 [2024-09-09 16:37:49 - F2CC8655-27DC-4A1F-9772-BDF5B4B82013] [MSAL] Silent flow finished. Result (not-null), error: 0 error domain: (null)
MSAL log: TID=20301801 MSAL 1.3.2 iOS 17.5.1 [2024-09-09 16:37:49] Parsing result access token
MSAL log: TID=20301801 MSAL 1.3.2 iOS 17.5.1 [2024-09-09 16:37:49 - F2CC8655-27DC-4A1F-9772-BDF5B4B82013] [MSAL] acquireTokenSilent returning with at: a754306 scopes:(
"https://outlook.office.com/IMAP.AccessAsUser.All",
"https://outlook.office.com/SMTP.Send"
) expiration:2024-09-09 17:37:49 +0000
Result:
NOTE: Above is in debug mode - I guess debug mode does not limit the lifetime of tokens?
I also described the problem in: #2325
Please help.
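As an added diagnostic example (not code from this issue, from MSAL or from the poster): a small Python helper that flags the reserved scopes MSAL rejects when they are passed explicitly, and decodes the claims of a returned access token to show its audience, granted scopes and remaining lifetime. It assumes the outlook.office.com access token is a JWT and uses a constructed sample token whose timestamps mirror the log above; the signature is deliberately not verified, so it is only for inspecting tokens your own app received, never for accepting them.

```python
import base64
import json
import time

# Scopes MSAL adds on its own; passing them explicitly triggers the
# "reserved scopes ... may not be specified" error quoted in the issue.
RESERVED_SCOPES = {"openid", "profile", "offline_access"}

# Constructed claims shaped like the issue's log (16:37:49 -> 17:37:49 UTC).
SAMPLE_CLAIMS = {
    "aud": "https://outlook.office.com",
    "scp": "IMAP.AccessAsUser.All SMTP.Send",
    "iat": 1725899869,  # 2024-09-09 16:37:49 UTC
    "exp": 1725903469,  # 2024-09-09 17:37:49 UTC
}


def check_requested_scopes(scopes):
    """Return the reserved scopes in a request list; MSAL will reject these."""
    return sorted(s for s in scopes if s in RESERVED_SCOPES)


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_status(claims, now=None):
    """Summarise audience, granted scopes and remaining lifetime of a token."""
    now = int(time.time()) if now is None else now
    remaining = claims["exp"] - now
    return {
        "aud": claims.get("aud"),
        "scopes": claims.get("scp", "").split(),
        "seconds_remaining": remaining,
        "expired": remaining <= 0,
    }


def make_sample_token(claims):
    """Build an unsigned JWT-shaped string from claims (constructed test data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])
```

Run `token_status(decode_jwt_claims(tok))` on each silently acquired token and compare the `aud` and `exp` values of the first and second token; if both look valid, the 1h IMAP cut-off is not explained by the token's own claims.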