App Service Issue getting access token to azure sql db

Question

App Service Issue getting access token to azure sql db

Alex Thompson 20

I have a linux app service hosting a node v20 api that calls and gets an access token through entra for an azure sql db. The access token is fine on first load or after restarting the app, but then in about 1 hour to 1 hour 30 min the token expires and it doesn't go fetch a new one. I am pretty sure my logic is right but I don't know if I'm missing a setting in the app service or my logic isn't right. Here is my code I'm using to get the token. const mssql = require('mssql');

const msal = require('@azure/msal-node');

const crypto = require('crypto');

// Azure AD App Registration details

const tenantID = '';

const clientID = '';

const clientSecret = '';

const authority = https://login.microsoftonline.com/${tenantID};

const sqlServer = '';

const database = '';

Const mySecret =

// MSAL Confidential Client

const cca = new msal.ConfidentialClientApplication({

auth: {

clientId: clientID,

clientSecret: clientSecret,

authority: authority,

},

});

// Token caching

let cachedToken = null;

let tokenExpiresAt = 0;

// SQL connection pooling

let connectionPool = null;

async function getAccessToken() {

const now = Date.now();

if (!cachedToken || now >= tokenExpiresAt - 5 * 60 * 1000) {

console.log('🔄 Fetching new Azure AD access token...');

const result = await cca.acquireTokenByClientCredential({

scopes: ['https://database.windows.net/.default'],

});

if (!result?.accessToken) throw new Error('Failed to acquire access token');

cachedToken = result.accessToken;

tokenExpiresAt = result.expiresOn.getTime();

console.log('✅ Token valid until:', new Date(tokenExpiresAt).toISOString());

}

return cachedToken;

}

async function getConnection() {

const token = await getAccessToken();

if (!connectionPool || !connectionPool.connected) {

connectionPool = await mssql.connect({

server: sqlServer,

database: database,

authentication: {

type: 'azure-active-directory-access-token',

options: { token },

},

options: {

encrypt: true,

trustServerCertificate: false,

},

});

}

return connectionPool;

}

Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-27T22:27:13.4566667+00:00
Hi Alex Thompson,
This behavior indicates that when the token is in the caching logic place, your application is not trying to refresh the token if the connection pool is still active. Getaccesstocen is logic sound, but the issue lies in reuse of connection.

When the SQL connection pool is made, it uses access tokens at that time. But after the token is finished, the pool now continues to use tokens as it is not refreshing the connection or the token inside.

To fix this, you should force to refresh the connection when the token is finished. Here's how you can modify your Getconnection function:

async function getConnection() { const token = await getAccessToken(); // Always reconnect if token is expired or close to expiring if (!connectionPool || !connectionPool.connected || Date.now() >= tokenExpiresAt - 5 * 60 * 1000) { if (connectionPool && connectionPool.close) { await connectionPool.close(); // Clean up old pool } connectionPool = await mssql.connect({ server: sqlServer, database: database, authentication: { type: 'azure-active-directory-access-token', options: { token }, }, options: { encrypt: true, trustServerCertificate: false, }, }); } return connectionPool; }

this ensures:

A new token is obtained before the expiration.

A new connection pool is installed with updated tokens.

No stale tokens are reused after expiration.
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
if you have any further concerns or queries, please feel free to reach out to us.
Alex Thompson 20 Reputation points

2025-05-28T01:10:45.2666667+00:00

@Alekhya Vaddepally I am still getting this error in a little over an hour of refreshing the app service.

Error retrieving users: ConnectionError: Login failed for user '<token-identified principal>'. Token is expired.

2025-05-28T01:07:57.929170923Z at /home/site/wwwroot/node_modules/mssql/lib/tedious/connection-pool.js:85:17

2025-05-28T01:07:57.929182626Z at Connection.onConnect (/home/site/wwwroot/node_modules/tedious/lib/connection.js:849:9)

2025-05-28T01:07:57.929203094Z at Object.onceWrapper (node:events:633:26)

2025-05-28T01:07:57.929208474Z at Connection.emit (node:events:518:28)

2025-05-28T01:07:57.929213314Z at Connection.emit (/home/site/wwwroot/node_modules/tedious/lib/connection.js:970:18)

2025-05-28T01:07:57.929225557Z at /home/site/wwwroot/node_modules/tedious/lib/connection.js:2369:18

2025-05-28T01:07:57.929230256Z at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {

2025-05-28T01:07:57.929235225Z code: 'ELOGIN',

2025-05-28T01:07:57.929240114Z originalError: ConnectionError: Login failed for user '<token-identified principal>'. Token is expired.

2025-05-28T01:07:57.929245595Z at Login7TokenHandler.onErrorMessage (/home/site/wwwroot/node_modules/tedious/lib/token/handler.js:186:19)

2025-05-28T01:07:57.929250854Z at Readable.<anonymous> (/home/site/wwwroot/node_modules/tedious/lib/token/token-stream-parser.js:19:33)

2025-05-28T01:07:57.929255894Z at Readable.emit (node:events:518:28)

2025-05-28T01:07:57.929260773Z at addChunk (node:internal/streams/readable:561:12)

2025-05-28T01:07:57.929265573Z at readableAddChunkPushObjectMode (node:internal/streams/readable:538:3)

2025-05-28T01:07:57.929270462Z at Readable.push (node:internal/streams/readable:393:5)

2025-05-28T01:07:57.929275481Z at nextAsync (node:internal/streams/from:194:22)

2025-05-28T01:07:57.929280521Z at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {

2025-05-28T01:07:57.929286021Z code: 'ELOGIN'

2025-05-28T01:07:57.929290650Z }

2025-05-28T01:07:57.929295269Z }
Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-28T17:09:27.85+00:00
Hi Alex Thompson
While your code successfully receives a new token when the previous one is going to end, the existing SQL connection continues using the pool expired token. The MSSQL driver (supported by the tedious) does not automatically update the token in a live connection. Therefore, even with a valid new token in the cache, the SQL pool is still using the expired token, resulting in login failures.

You can try below getconnection function:

async function getConnection() { const token = await getAccessToken(); // Always reconnect if token is expired or close to expiring if (!connectionPool || !connectionPool.connected || Date.now() >= tokenExpiresAt - 5 * 60 * 1000) { if (connectionPool && connectionPool.close) { await connectionPool.close(); // Clean up old pool using expired token } connectionPool = await mssql.connect({ server: sqlServer, database: database, authentication: { type: 'azure-active-directory-access-token', options: { token }, }, options: { encrypt: true, trustServerCertificate: false, }, }); } return connectionPool; }

please check Fresh token uses when the previous one is close to ending Reliable authentications for all subsequent DB Query Token rescue from connection issues due to re -use

Alex Thompson 20

@Alekhya Vaddepally I have placed the getConnected function in my code, and i can see the expireddd token and a message i added when a new one is fetched, but i still get the token expired message.
'''

// MSAL client
const cca = new msal.ConfidentialClientApplication({
  auth: {
    tenantId: tenantID,
    clientId: clientID,
    clientSecret: clientSecret,
    authority: authority,
  },
});

// Cached token state
let cachedToken = null;
let tokenExpiresAt = 0; // ms since epoch
let connectionPool = null;

async function getAccessToken() {
  const now = Date.now();

  // Refresh if no token or within 5 minutes of expiry
  if (!cachedToken || now >= tokenExpiresAt - 5 * 60 * 1000) {
    console.log("Fetching new token...");

    const result = await cca.acquireTokenByClientCredential({
      scopes: ["https://database.windows.net/.default"],
    });

    if (!result || !result.accessToken || !result.expiresOn) {
      throw new Error("Failed to acquire token.");
    }

    cachedToken = result.accessToken;
    tokenExpiresAt = result.expiresOn.getTime();

    const decoded = jwt.decode(cachedToken);
    console.log("Token expires at:", new Date(decoded.exp * 1000));
  } else {
    console.log("Using cached token.");
  }

  return cachedToken;
}

async function getConnection() {
  const token = await getAccessToken();
  // Always reconnect if token is expired or close to expiring
  if (!connectionPool || !connectionPool.connected || Date.now() >= tokenExpiresAt - 5 * 60 * 1000) {
    if (connectionPool && connectionPool.close) {
      await connectionPool.close(); // Clean up old pool using expired token
    }
    connectionPool = await mssql.connect({
      server: sqlServer,
      database: database,
      authentication: {
        type: 'azure-active-directory-access-token',
        options: { token },
      },
      options: {
        encrypt: true,
        trustServerCertificate: false,
      },
    });
  }
  return connectionPool;
}

Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-30T16:15:50.6866667+00:00

Hi Alex Thompson,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Accepted answer

0 additional answers

Your answer

Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-27T22:27:13.4566667+00:00

Hi Alex Thompson,
This behavior indicates that when the token is in the caching logic place, your application is not trying to refresh the token if the connection pool is still active. Getaccesstocen is logic sound, but the issue lies in reuse of connection.

When the SQL connection pool is made, it uses access tokens at that time. But after the token is finished, the pool now continues to use tokens as it is not refreshing the connection or the token inside.

To fix this, you should force to refresh the connection when the token is finished. Here's how you can modify your Getconnection function:

async function getConnection() { const token = await getAccessToken(); // Always reconnect if token is expired or close to expiring if (!connectionPool || !connectionPool.connected || Date.now() >= tokenExpiresAt - 5 * 60 * 1000) { if (connectionPool && connectionPool.close) { await connectionPool.close(); // Clean up old pool } connectionPool = await mssql.connect({ server: sqlServer, database: database, authentication: { type: 'azure-active-directory-access-token', options: { token }, }, options: { encrypt: true, trustServerCertificate: false, }, }); } return connectionPool; }

this ensures:

A new token is obtained before the expiration.

A new connection pool is installed with updated tokens.

No stale tokens are reused after expiration.
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
if you have any further concerns or queries, please feel free to reach out to us.
Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-28T17:09:27.85+00:00

Hi Alex Thompson
While your code successfully receives a new token when the previous one is going to end, the existing SQL connection continues using the pool expired token. The MSSQL driver (supported by the tedious) does not automatically update the token in a live connection. Therefore, even with a valid new token in the cache, the SQL pool is still using the expired token, resulting in login failures.

You can try below getconnection function:

async function getConnection() { const token = await getAccessToken(); // Always reconnect if token is expired or close to expiring if (!connectionPool || !connectionPool.connected || Date.now() >= tokenExpiresAt - 5 * 60 * 1000) { if (connectionPool && connectionPool.close) { await connectionPool.close(); // Clean up old pool using expired token } connectionPool = await mssql.connect({ server: sqlServer, database: database, authentication: { type: 'azure-active-directory-access-token', options: { token }, }, options: { encrypt: true, trustServerCertificate: false, }, }); } return connectionPool; }

please check Fresh token uses when the previous one is close to ending Reliable authentications for all subsequent DB Query Token rescue from connection issues due to re -use
Alex Thompson 20 Reputation points

2025-05-28T19:19:36.72+00:00

@Alekhya Vaddepally I have placed the getConnected function in my code, and i can see the expireddd token and a message i added when a new one is fetched, but i still get the token expired message.
'''

// MSAL client const cca = new msal.ConfidentialClientApplication({ auth: { tenantId: tenantID, clientId: clientID, clientSecret: clientSecret, authority: authority, }, }); // Cached token state let cachedToken = null; let tokenExpiresAt = 0; // ms since epoch let connectionPool = null; async function getAccessToken() { const now = Date.now(); // Refresh if no token or within 5 minutes of expiry if (!cachedToken || now >= tokenExpiresAt - 5 * 60 * 1000) { console.log("Fetching new token..."); const result = await cca.acquireTokenByClientCredential({ scopes: ["https://database.windows.net/.default"], }); if (!result || !result.accessToken || !result.expiresOn) { throw new Error("Failed to acquire token."); } cachedToken = result.accessToken; tokenExpiresAt = result.expiresOn.getTime(); const decoded = jwt.decode(cachedToken); console.log("Token expires at:", new Date(decoded.exp * 1000)); } else { console.log("Using cached token."); } return cachedToken; } async function getConnection() { const token = await getAccessToken(); // Always reconnect if token is expired or close to expiring if (!connectionPool || !connectionPool.connected || Date.now() >= tokenExpiresAt - 5 * 60 * 1000) { if (connectionPool && connectionPool.close) { await connectionPool.close(); // Clean up old pool using expired token } connectionPool = await mssql.connect({ server: sqlServer, database: database, authentication: { type: 'azure-active-directory-access-token', options: { token }, }, options: { encrypt: true, trustServerCertificate: false, }, }); } return connectionPool; }
Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-30T16:15:50.6866667+00:00

Hi Alex Thompson,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.

Answer 1

HiAlex Thompson
To guarantee a clean handshake using new tokens, we recommend rebuilding a fully underlying MSSQL connection pool example, not just calling. close(). This means removing and reinstalling all cashed states:

async function getConnection() {
  const token = await getAccessToken();
  const shouldRefreshConnection =
    !connectionPool ||
    !connectionPool.connected ||
    Date.now() >= tokenExpiresAt - 5 * 60 * 1000;
  if (shouldRefreshConnection) {
    if (connectionPool) {
      try {
        await connectionPool.close();
      } catch (err) {
        console.warn('Error closing connection pool:', err.message);
      }
      connectionPool = null; // Force reinitialization
    }
    connectionPool = await mssql.connect({
      server: sqlServer,
      database: database,
      authentication: {
        type: 'azure-active-directory-access-token',
        options: { token },
      },
      options: {
        encrypt: true,
        trustServerCertificate: false,
        connectionTimeout: 15000,
      },
    });
  }
  return connectionPool;
}

If this answer was helpful and pointed you in the right direction, please consider clicking "Accept Answer"—it may benefit other community members reading this thread. If you have any further questions, feel free to let us know.

Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator

2025-05-30T20:20:26.06+00:00

Hi Alex Thompson
If this answer was helpful and pointed you in the right direction, please consider clicking "Accept Answer"—it may benefit other community members reading this thread. If you have any further questions, feel free to let us know.

Share via

App Service Issue getting access token to azure sql db

0 additional answers

Your answer