I have been using the B2CModeFragment class from the "Use MSAL in an Android app to sign-in users and call Microsoft Graph" which has been very helpful in getting B2C running in my app, and I can call a web API which requires authentication. However, I am struggling with how to implement the solution in other areas. I need to call web APIs throughout my app from multiple fragments. I currently have all the B2C functions working in a settings fragment where I can select the user. At that point I have the B2C user and have authenticated silently. Using:

user.acquireTokenSilentAsync(b2cApp, B2CConfiguration.getPolicy(), B2CConfiguration.getScopes(), new SilentAuthenticationCallback()

The b2cApp is a private variable in the settings fragment:

private IMultipleAccountPublicClientApplication b2cApp;

Should I call acquireTokenSilentAsync before every API call? The tokens only last for an hour, so I can't assume I have a token, and I read this article showing:

headers.put("Authorization", "Bearer " + authResult.getAccessToken());

I was previously storing the token in SharedPreferences and using it, but it only lasts an hour and I have to refresh the token from another fragment when it fails. I could keep the b2cuser object around but would still need the b2cApp to make a silent call.

What was the intent of the b2capp and b2cuser? Do I keep them in the MainActivity, do I extend the Application and keep them there, or do I encapsulate them in an object and instantiate it on authentication failure when calling an API to get another one?

I also want to note that the app can work offline completely, so successful API calls need to happen at some point but are not required for the app to function.

lcj
  • Did you ever figure this out? (Also, how to reinstantiate the list of b2cusers on reopening the app without logging in again?) – unhammer Oct 27 '21 at 18:49
  • I didn't get any answers on this so I just implemented it. I check to see if the date is close to being expired and I refresh the token before the call if it is. All the logic is in an AuthHelper component which doesn't linger around. I just create the B2C app when I need it. – lcj Oct 28 '21 at 01:28
  • I keep the access token as a shared preference to check it. I was going to extend the token beyond an hour so it did not always need to check so regularly but it worked well in development. Don't know about production yet. – lcj Oct 29 '21 at 11:09
  • Thanks for the updates! I think that's the same as what I've done so far, which kind of seems to work but I find it hard to test whether it's working correctly since I don't know what rules msal applies to expiry (when I have to log in again, is that due to a bug I have or some policy feature I don't know about) – unhammer Oct 30 '21 at 06:29
  • From what I have seen there are two types of expirations. The first is the one which happens every 60 minutes (or whatever you set it to) and another one which requires the user to re-login if it's set (default 90 days). I think there is a setting to make it indefinite. Otherwise you have to look for this specific error and re-login the user. I had a post on this https://stackoverflow.com/questions/69186580/how-to-refresh-the-token-in-azure-ad-b2c-not-the-access-id-one-the-lifetime – lcj Oct 30 '21 at 22:43
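
The pattern described in the comments above (check whether the token is close to expiry and refresh it before the call), as an added example that is not part of the original thread and is not the MSAL sample's code. `AuthHelper`, `Token` and `SilentTokenSource` are hypothetical names; `SilentTokenSource` stands in for the MSAL silent call, and the five-minute skew is an assumed value.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;

/** One shared instance serves every fragment (hypothetical class, not from the MSAL sample). */
public final class AuthHelper {
    /** Result of one silent acquisition: the bearer token and when it expires. */
    public static final class Token {
        final String accessToken;
        final Instant expiresOn;
        public Token(String accessToken, Instant expiresOn) {
            this.accessToken = accessToken;
            this.expiresOn = expiresOn;
        }
    }

    /** Stand-in for the MSAL silent call; throws when sign-in is required or the device is offline. */
    public interface SilentTokenSource {
        Token acquireSilently() throws Exception;
    }

    private static final Duration SKEW = Duration.ofMinutes(5); // assumed: refresh this long before expiry
    private final SilentTokenSource source;
    private final Clock clock;
    private Token cached; // held in memory only; this class never writes it to disk or logs

    public AuthHelper(SilentTokenSource source, Clock clock) {
        this.source = source;
        this.clock = clock;
    }

    /** Returns the Authorization header value, or empty when no token can be obtained right now. */
    public synchronized Optional<String> authorizationHeader() {
        Instant now = clock.instant();
        // Refresh when there is no token yet or it is inside the skew window before expiry.
        if (cached == null || !now.isBefore(cached.expiresOn.minus(SKEW))) {
            try {
                cached = source.acquireSilently();
            } catch (Exception e) {
                cached = null; // drop the stale token; the caller defers the request or prompts sign-in
                return Optional.empty();
            }
        }
        return Optional.of("Bearer " + cached.accessToken);
    }
}
```

MSAL keeps its own token cache, so the silent call behind `SilentTokenSource` is what survives an app restart; this class only avoids repeating that call for every request.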

0 Answers