Trying to get redeemed Auth token using AcquireTokenSilent does not work

Question

Trying to get redeemed Auth token using AcquireTokenSilent does not work

Parag Kale 25

Hi,I have followed the auth code flow in my functions app to get auth token using auth code. The problem I am seeing is my http triggered function gets invoked multiple times and eventually I get an exception that that auth token was already redeemed for the auth code. Below is my function definition. I am trying to use MSAL library mechanism to get token from cache ( if it was redeemed earlier ) , but it didn't work

public class MyCustomDfMonEndpoint : ServeStatics
{
    
    
    public MyCustomDfMonEndpoint(DfmSettings dfmSettings, DfmExtensionPoints extensionPoints, ILoggerFactory loggerFactory, HttpClient httpClient) :
        base(dfmSettings, extensionPoints, loggerFactory)
    {
    }

    [Function(nameof(MyCustomDfMonEndpoint))]
    public async Task<HttpResponseData> ServeDfMonStatics(
        [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = Globals.DfMonRoutePrefix + "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,
        string p1,
        string p2,
        string p3
    )
    {
        // Extract the 'code' query parameter returned after authentication
        
        string code = req.Query["code"]!;

        // If no code is present, redirect user to the Microsoft identity platform's sign-in page
        if (string.IsNullOrEmpty(code))
        {
            string tenant = "<tenantId>"; // or use your tenant ID
            string clientId = "ClientId";
            // Ensure this redirect URI matches what is in your app registration
            string redirectUri = "http://localhost:7079/api/DFM";
            // Define the scopes you need (openid, profile, offline_access, etc.)
            string scope = "openid profile email";

            string authUrl = $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize" +
                             $"?client_id={clientId}" +
                             $"&response_type=code" +
                             $"&redirect_uri={WebUtility.UrlEncode(redirectUri)}" +
                             $"&response_mode=query" +
                             $"&scope={WebUtility.UrlEncode(scope)}" +
                             $"&state=12345"; // ideally, generate a dynamic state value

            var response = req.CreateResponse(HttpStatusCode.Redirect);
            response.Headers.Add("Location", authUrl);

            return response;
        }
        else
        {

            string tenant = "tenantId"; // or your tenant-specific ID
            string clientId = "clientId";
            string clientSecret = "Secret";
            string redirectUri = "http://localhost:7079/api/DFM";

            // Build the MSAL confidential client application
            IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
                .WithClientSecret(clientSecret)
                .WithRedirectUri(redirectUri)
                .WithAuthority($"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token")
                .Build();

            var account = await app.GetAccountAsync("user-identifier");
            AuthenticationResult result = null;
            if (account != null)
            {
                result = await app.AcquireTokenSilent(new string[] { "openid", "profile", "email" }, account)
    .ExecuteAsync();

            } else
            {
                // Acquire token using the authorization code
                result = await app.AcquireTokenByAuthorizationCode(
                    new string[] { "openid", "profile", "email" }, code)
                    .ExecuteAsync();
            }
            

            if (result.AccessToken != null)
            {

                return await this.DfmServeStaticsFunction(req, p1, p2, p3);
            }
            else
            {
                return req.CreateResponse(HttpStatusCode.BadRequest);
            }
        }
    }

    
}

Parag Kale 25 Reputation points

2025-05-05T13:19:50.1366667+00:00

What I am trying to do is when I initially invoke this http triggered function in my browser , I get the sign in screen via https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, where I pass my credentials and then I mentioned the redirect URI as the same function end point.

When It gets called the second time , I am able to get the token

When the statement return await this.DfmServeStaticsFunction(req, p1, p2, p3); is executed , then I see that the function gets invoked again with the same auth code and this time when it tries to get the token using this code , then it errors saying "The token was already redeemed ..." which makes sense , since my function is getting invoked multiple times

Parag Kale 25

That's why what I am trying to achieve is try to get the token silently if it is present in the cache , but it is always never able to find the token in token cache

    var account = await app.GetAccountAsync("user-identifier");

    AuthenticationResult result = null;

    if (account != null)

    {

        result = await app.AcquireTokenSilent(new string[] { "openid", "profile", "email" }, account)

.ExecuteAsync();

    } else

    {

        // Acquire token using the authorization code

        result = await app.AcquireTokenByAuthorizationCode(

            new string[] { "openid", "profile", "email" }, code)

            .ExecuteAsync();

    }

Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-05T14:20:52.9333333+00:00

@Parag Kale ,

Thank you for sharing the detailed information. We understand the issue where the authorization code appears to be getting reused, leading to a redemption error.

To assist you better, we are currently working to replicate the behavior on our end. Once we have reproduced the scenario, we will analyze the flow and get back to you with our findings and the appropriate solution shortly.

Parag Kale 25

Thank you

I am trying to use the durability functions monitor in injected mode https://github.com/microsoft/DurableFunctionsMonitor/tree/main/durablefunctionsmonitor.dotnetisolated.core

Hence as mentioned in the tool's github page , I have created a custom endpoint for the monitor as mentioned below

But I see even below gets executed twice. I just want to provide Authentication sign in dialog to user and if proper access token is provisioned , then show the monitor to the user

 return this.DfmServeStaticsFunction(req, p1, p2, p3);

namespace DurableFunctionsMonitor.DotNetIsolated
{
    public class MyCustomDfMonEndpoint: ServeStatics
    {
        public MyCustomDfMonEndpoint(DfmSettings dfmSettings, DfmExtensionPoints extensionPoints, ILoggerFactory loggerFactory) : 
            base(dfmSettings, extensionPoints, loggerFactory)
        {
        }

        [Function(nameof(MyCustomDfMonEndpoint))]
        public Task<HttpResponseData> ServeDfMonStatics(
            [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,
            string p1,
            string p2,
            string p3
        )
        {
            return this.DfmServeStaticsFunction(req, p1, p2, p3);
        }
    }
}

Parag Kale 25 Reputation points

2025-05-05T19:00:16.83+00:00

Just checking if there is any update on this scenario
Praveen Kumar Gudipudi 450 Reputation points Microsoft External Staff Moderator

2025-05-06T11:47:14.5866667+00:00

Hello @Parag Kale ,

Apologies for the delay, you're trying to use MSAL library mechanism to get token from cache.

Could you please check this Acquire and cache tokens using the Microsoft Authentication Library (MSAL) and authentication with Microsoft Authentication Library (MSAL), using node and TypeScript documentations.

We are working to reproduce the issue from our end. Meanwhile please go through above documents.
Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-07T15:23:58.5+00:00

@Parag Kale ,

Just checking in to see if you had a chance to try the suggested update for the custom Durable Functions Monitor endpoint. Please let us know if it helped resolve the duplicate execution issue or if you need any further assistance.
Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-08T15:08:41.17+00:00

@Parag Kale ,

Just wanted to follow up again regarding the Durable Functions Monitor issue you reported. Were you able to implement the suggested fix on your custom endpoint? If you're still encountering problems or need any clarification, please let us know

1 answer

Your answer

Parag Kale 25 Reputation points

2025-05-05T13:19:50.1366667+00:00

What I am trying to do is when I initially invoke this http triggered function in my browser , I get the sign in screen via https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize, where I pass my credentials and then I mentioned the redirect URI as the same function end point.

When It gets called the second time , I am able to get the token

When the statement return await this.DfmServeStaticsFunction(req, p1, p2, p3); is executed , then I see that the function gets invoked again with the same auth code and this time when it tries to get the token using this code , then it errors saying "The token was already redeemed ..." which makes sense , since my function is getting invoked multiple times
Parag Kale 25 Reputation points

2025-05-05T13:22:05.03+00:00

That's why what I am trying to achieve is try to get the token silently if it is present in the cache , but it is always never able to find the token in token cache

var account = await app.GetAccountAsync("user-identifier"); AuthenticationResult result = null; if (account != null) { result = await app.AcquireTokenSilent(new string[] { "openid", "profile", "email" }, account)

.ExecuteAsync();

} else { // Acquire token using the authorization code result = await app.AcquireTokenByAuthorizationCode( new string[] { "openid", "profile", "email" }, code) .ExecuteAsync(); }
Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-05T14:20:52.9333333+00:00

@Parag Kale ,

Thank you for sharing the detailed information. We understand the issue where the authorization code appears to be getting reused, leading to a redemption error.

To assist you better, we are currently working to replicate the behavior on our end. Once we have reproduced the scenario, we will analyze the flow and get back to you with our findings and the appropriate solution shortly.
Parag Kale 25 Reputation points

2025-05-05T14:41:33.62+00:00

Thank you

I am trying to use the durability functions monitor in injected mode https://github.com/microsoft/DurableFunctionsMonitor/tree/main/durablefunctionsmonitor.dotnetisolated.core

Hence as mentioned in the tool's github page , I have created a custom endpoint for the monitor as mentioned below

But I see even below gets executed twice. I just want to provide Authentication sign in dialog to user and if proper access token is provisioned , then show the monitor to the user

return this.DfmServeStaticsFunction(req, p1, p2, p3);

namespace DurableFunctionsMonitor.DotNetIsolated { public class MyCustomDfMonEndpoint: ServeStatics { public MyCustomDfMonEndpoint(DfmSettings dfmSettings, DfmExtensionPoints extensionPoints, ILoggerFactory loggerFactory) : base(dfmSettings, extensionPoints, loggerFactory) { } [Function(nameof(MyCustomDfMonEndpoint))] public Task<HttpResponseData> ServeDfMonStatics( [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = "/{p1?}/{p2?}/{p3?}")] HttpRequestData req, string p1, string p2, string p3 ) { return this.DfmServeStaticsFunction(req, p1, p2, p3); } } }
Parag Kale 25 Reputation points

2025-05-05T19:00:16.83+00:00

Just checking if there is any update on this scenario
Praveen Kumar Gudipudi 450 Reputation points Microsoft External Staff Moderator

2025-05-06T11:47:14.5866667+00:00

Hello @Parag Kale ,

Apologies for the delay, you're trying to use MSAL library mechanism to get token from cache.

Could you please check this Acquire and cache tokens using the Microsoft Authentication Library (MSAL) and authentication with Microsoft Authentication Library (MSAL), using node and TypeScript documentations.

We are working to reproduce the issue from our end. Meanwhile please go through above documents.
Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-07T15:23:58.5+00:00

@Parag Kale ,

Just checking in to see if you had a chance to try the suggested update for the custom Durable Functions Monitor endpoint. Please let us know if it helped resolve the duplicate execution issue or if you need any further assistance.
Khadeer Ali 5,065 Reputation points Microsoft External Staff Moderator

2025-05-08T15:08:41.17+00:00

@Parag Kale ,

Just wanted to follow up again regarding the Durable Functions Monitor issue you reported. Were you able to implement the suggested fix on your custom endpoint? If you're still encountering problems or need any clarification, please let us know

Answer 1

@Parag Kale ,

Thank you for sharing the implementation details.

We understand that your custom Durable Functions Monitor endpoint is being executed multiple times due to the auth flow, and you're encountering a “token already redeemed” error on repeated invocations. Based on our analysis, this can occur when the same authorization code is used more than once or when the token is not cached correctly.

To address this, please try the following update to your function logic:

Suggested Fix in Code

Update your function to ensure the code is only processed once, and cache the token to avoid redeeming the code multiple times:


// Token cache (could be improved with distributed or persistent cache for production use)
private static AuthenticationResult _cachedAuthResult;

[Function(nameof(MyCustomDfMonEndpoint))]
public async Task<HttpResponseData> ServeDfMonStatics(
    [HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = Globals.DfMonRoutePrefix + "/{p1?}/{p2?}/{p3?}")] HttpRequestData req,
    string p1, string p2, string p3)
{
    string code = req.Query["code"];

    if (_cachedAuthResult == null)
    {
        if (string.IsNullOrEmpty(code))
        {
            // Redirect to login if no code is present
            var authUrl = $"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?...";
            var response = req.CreateResponse(HttpStatusCode.Redirect);
            response.Headers.Add("Location", authUrl);
            return response;
        }

        // Acquire token only once
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithRedirectUri(redirectUri)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenant}"))
            .Build();

        _cachedAuthResult = await app.AcquireTokenByAuthorizationCode(
            new[] { "openid", "profile", "email" }, code).ExecuteAsync();
    }

    // Serve monitor UI if token is cached
    if (_cachedAuthResult != null && !string.IsNullOrEmpty(_cachedAuthResult.AccessToken))
    {
        return await this.DfmServeStaticsFunction(req, p1, p2, p3);
    }

    return req.CreateResponse(HttpStatusCode.BadRequest);
}

Note: This sample uses a simple static cache. In a production setting, you may want to store the token securely per user/session or integrate with a more robust caching mechanism.

We recommend testing this approach in your environment. If it resolves the repeated invocation issue, we can further help harden the solution for your needs.

Please let us know how it goes, and feel free to reach out with any follow-up questions.

Hope this helps. Do let us know if you have any further queries.

If this answers your query, do click Accept Answer and Yes for "Was this answer helpful." And if you have any further questions, let us know.

Share via

Trying to get redeemed Auth token using AcquireTokenSilent does not work

1 answer

Your answer