How can I automatically renew the Access Token in Azure App Service Authentication (Easy Auth) once it is expired

Shivaji Shitole 125 Reputation points
2024-02-01T17:04:56.3733333+00:00

Dear Team,

We are in the process of developing an application. The application first authenticates users using Azure AD, then utilizes the Microsoft Graph API to retrieve the profile information from the authenticated user's Azure Active Directory profile. Here are some technical details:

  • The application (Web App) is built using .NET 7 and will be hosted on Azure App Service.
  • Azure App Service's inbuilt authentication ("Easy Auth") is enabled.
  • Authentication and Microsoft Graph API calls are facilitated through an App registered in Azure Active Directory, utilizing a Client Secret.
  • The User.Read delegated permission is assigned for Microsoft Graph in the app registration in Azure AD.

For this implementation, we are following the article available at https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=azure-resource-explorer. When we access the application URL, it prompts for the login. Once authenticated with valid credentials, Azure App Service passes the access token to the application, which uses this access token to fetch the logged-in user's profile information using the Graph Service client library. This works fine as per the expectations. The access token is valid for ~1 hour. During this time, Graph API calls are working fine without any issue.

However, once the access token has expired, Graph API calls start throwing exceptions such as "Microsoft.Graph.Models.ODataErrors.ODataError: Lifetime validation failed, the token is expired."

It is expected that the access token should be automatically renewed by the Azure App Service authentication (Easy Auth) process once it has expired. However, the access token is not renewed automatically, and thus Graph API calls start throwing exceptions.

We are seeking guidance on the following:

  1. Are we missing any App service level configuration or anything missing in code?
  2. How can I automatically renew the expired Access Token in Azure App Service Authentication (Easy Auth)?
  3. How can I ensure that the application has an active Access Token?

Your early response is highly appreciated.

Thanks in advance. Regards, Shivaji 

  1. ajkuma 28,036 Reputation points Microsoft Employee Moderator
    2024-02-06T03:35:17.5366667+00:00

    Shivaji Shitole, Thanks for the question. Apologies for the delayed response from over the weekend.

    Based on my understanding of your scenario, you typically must write code to collect, store, and refresh these tokens in your application. With the token store, you just retrieve the tokens when you need them and tell App Service to refresh them when they become invalid. I understand you are leveraging Easy Auth.

    As outlined in this doc, you may avoid token expiration by making a GET call to the /.auth/refresh endpoint of your application. When called, App Service automatically refreshes the access tokens in the token store for the authenticated user. Subsequent requests for tokens by your app code get the refreshed tokens. However, for token refresh to work, the token store must contain refresh tokens for your provider.

    You may ensure that the application has an active access token by checking the expiration date of the token in the request header. The header name for the Microsoft identity provider is X-MS-TOKEN-AAD-EXPIRES-ON.  

    Additionally, just to highlight the OpenID Connect response type to use in the authentication flow: if not specified, a default is chosen based on the current configuration. If the Microsoft Entra (Azure AD) settings include a non-empty client secret, then this defaults to code id_token. Otherwise, id_token is the default. Other combinations are not supported.

    Check this article for more details.  

    Kindly let us know; I'll follow up with you further to understand more about your requirement and config.
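As an added example (not code from the question or the answer), here is the check-and-refresh sequence the answer describes, as a .NET 7 helper: read X-MS-TOKEN-AAD-EXPIRES-ON, and when the token is expired or close to it, call /.auth/refresh and then /.auth/me to pick up the renewed access token. It assumes the user's Easy Auth session cookie on the incoming request can be forwarded to those endpoints, that /.auth/me returns an array whose first entry carries access_token, and that the expiry header is an ISO-8601 timestamp (a Unix-seconds fallback is included); the class name and the 5-minute skew are my own choices.

```csharp
using System;
using System.Globalization;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example (not from the question or answer): assumes Easy Auth fronts the app and
// the incoming request's session cookie can be forwarded to the /.auth endpoints.
public static class EasyAuthTokens
{
    private static readonly TimeSpan Skew = TimeSpan.FromMinutes(5); // refresh this early

    // True if X-MS-TOKEN-AAD-EXPIRES-ON is missing, unparsable, or within Skew of now.
    // Assumes an ISO-8601 timestamp; a Unix-seconds value is accepted as a fallback.
    public static bool IsExpiringSoon(string? expiresOn, DateTimeOffset now)
    {
        if (string.IsNullOrWhiteSpace(expiresOn)) return true;
        if (long.TryParse(expiresOn, out var unix))
            return DateTimeOffset.FromUnixTimeSeconds(unix) - now < Skew;
        if (DateTimeOffset.TryParse(expiresOn, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal, out var when))
            return when - now < Skew;
        return true;
    }

    // Returns the header token while it is fresh; otherwise GET /.auth/refresh (works only
    // when the token store holds a refresh token, as the answer notes) and re-read the token.
    public static async Task<string> GetAccessTokenAsync(HttpRequest request, HttpClient http)
    {
        var expiresOn = request.Headers["X-MS-TOKEN-AAD-EXPIRES-ON"].ToString();
        if (!IsExpiringSoon(expiresOn, DateTimeOffset.UtcNow))
            return request.Headers["X-MS-TOKEN-AAD-ACCESS-TOKEN"].ToString();
        var baseUri = $"{request.Scheme}://{request.Host}";
        var cookie = request.Headers["Cookie"].ToString(); // AppServiceAuthSession cookie
        using var refresh = new HttpRequestMessage(HttpMethod.Get, $"{baseUri}/.auth/refresh");
        refresh.Headers.TryAddWithoutValidation("Cookie", cookie);
        using var refreshResp = await http.SendAsync(refresh);
        if (!refreshResp.IsSuccessStatusCode)
            throw new InvalidOperationException("Refresh failed; the user must sign in again.");
        // This request's headers still hold the old token, so read the renewed one from
        // /.auth/me (assumed to return an array whose first entry carries access_token).
        using var me = new HttpRequestMessage(HttpMethod.Get, $"{baseUri}/.auth/me");
        me.Headers.TryAddWithoutValidation("Cookie", cookie);
        using var meResp = await http.SendAsync(me);
        meResp.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await meResp.Content.ReadAsStringAsync());
        return doc.RootElement[0].GetProperty("access_token").GetString()
               ?? throw new InvalidOperationException("No access_token in /.auth/me response.");
    }
}
```

Call GetAccessTokenAsync once per request before constructing the Graph client so that a token that has already run out is renewed instead of reaching Graph and failing lifetime validation.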

