From b425f4802fcbcccb11ad991208fa262c06255be3 Mon Sep 17 00:00:00 2001
From: Tyler James Leonhardt
Date: Thu, 12 Dec 2024 17:45:44 -0800
Subject: [PATCH] Check idtoken expiration (#236011) and force expiration in a similar way to the way MSAL does it for access tokens. Fixes https://github.com/microsoft/vscode/issues/229456
---
 .../src/node/cachedPublicClientApplication.ts | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts b/extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts
index 2f90e3af3aa..7396da17990 100644
--- a/extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts
+++ b/extensions/microsoft-authentication/src/node/cachedPublicClientApplication.ts
@@ -90,8 +90,23 @@ export class CachedPublicClientApplication implements ICachedPublicClientApplica
 async acquireTokenSilent(request: SilentFlowRequest): Promise {
 this._logger.debug(`[acquireTokenSilent] [${this._clientId}] [${this._authority}] [${request.scopes.join(' ')}] [${request.account.username}] starting...`);
- const result = await this._sequencer.queue(() => this._pca.acquireTokenSilent(request));
+ let result = await this._sequencer.queue(() => this._pca.acquireTokenSilent(request));
 this._logger.debug(`[acquireTokenSilent] [${this._clientId}] [${this._authority}] [${request.scopes.join(' ')}] [${request.account.username}] got result`);
+ // Check expiration of id token and if it's 5min before expiration, force a refresh.
+ // this is what MSAL does for access tokens already so we're just adding it for id tokens since we care about those.
+ const idTokenExpirationInSecs = (result.idTokenClaims as { exp?: number }).exp;
+ if (idTokenExpirationInSecs) {
+ const fiveMinutesBefore = new Date(
+ (idTokenExpirationInSecs - 5 * 60) // subtract 5 minutes
+ * 1000 // convert to milliseconds
+ );
+ if (fiveMinutesBefore < new Date()) {
+ this._logger.debug(`[acquireTokenSilent] [${this._clientId}] [${this._authority}] [${request.scopes.join(' ')}] [${request.account.username}] id token is expired or about to expire. Forcing refresh...`);
+ result = await this._sequencer.queue(() => this._pca.acquireTokenSilent({ ...request, forceRefresh: true }));
+ this._logger.debug(`[acquireTokenSilent] [${this._clientId}] [${this._authority}] [${request.scopes.join(' ')}] [${request.account.username}] got refreshed result`);
+ }
+ }
+
 // this._setupRefresh(result);
 if (result.account && !result.fromCache && this._verifyIfUsingBroker(result)) {
 this._logger.debug(`[acquireTokenSilent] [${this._clientId}] [${this._authority}] [${request.scopes.join(' ')}] [${request.account.username}] firing event due to change`);
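Review bot: The `exp` claim is trusted to be a finite number through an unchecked cast at `const idTokenExpirationInSecs = (result.idTokenClaims as { exp?: number }).exp;`; if the claim arrives as a non-numeric value, the subtraction yields NaN, `new Date(NaN)` is an invalid date, the `<` comparison is false, and the stale-token refresh is silently skipped with nothing in the log. Narrow at runtime instead, `const exp = (result.idTokenClaims as { exp?: unknown }).exp;` followed by `if (typeof exp === 'number' && Number.isFinite(exp)) {`, and add a debug line for the absent-or-malformed case so the skip is visible in the trace. The refreshed result is returned without re-checking its own `exp`; a debug line stating the remaining lifetime after `got refreshed result` would make a still-stale token diagnosable rather than only inferable. The `5 * 60` skew would read better as a named constant such as `ID_TOKEN_EXPIRY_SKEW_SECS` so it can later be aligned with whatever offset MSAL applies to access tokens. acquireTokenSilent's body continues past the hunk.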