
We are using azure/msal-angular v2.3 with ADB2C custom policies having MFA enabled with either the Phone or Email method.

Many LIVE users are reporting issues while logging in. At times they need to do MFA twice (at times thrice) to get into the application. After digging into the audit logs from B2C and the HAR file from the customer, we observed the below error being raised in the User Journey.

{
  "error": "invalid_grant",
  "error_description": "AADB2C90080: The provided grant has expired. Please re-authenticate and try again. Current time: 1676016884, Grant issued time: 1675941825, Grant expiration time: 1675951412\r\nCorrelation ID: 6052f247\r\nTimestamp: 2023-02-10 08:14:44Z\r\n"
}

As per my understanding, MSAL 2.x automatically handles the token refresh and we don't need to implement any code for acquiring tokens silently. Don't know why it is expiring.

Is it affected if the user keeps the screen idle for long?

Any help to resolve this is appreciated. Thanks in advance.

  • Not sure if this can help you but see this post on Github Issues: https://github.com/AzureAD/microsoft-authentication-library-for-android/issues/1004#issuecomment-620851414 – rj2700 Feb 15 '23 at 04:23
  • My guess is, you need to implement the acquireTokenSilent() method still with the refresh token. See here: https://azuread.github.io/microsoft-authentication-library-for-js/ref/classes/_azure_msal_angular.msalservice.html#acquiretokensilent – rj2700 Feb 15 '23 at 04:25
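As an added diagnostic example (not part of the original question and not MSAL code), the following JavaScript parses the AADB2C90080 error_description quoted above and turns its three Unix timestamps into the figures worth comparing against the policy's session and refresh-token lifetime settings: how long the grant was valid and how long after it expired the client tried to use it. The error object is constructed from the one in the question; the function names are the example's own.

```javascript
// Added example, not code from the question or from MSAL/B2C. It parses the
// AADB2C90080 error_description and reports the grant lifetime and how long
// after expiry the failing request arrived.

// Constructed from the error quoted in the question.
const SAMPLE_ERROR = {
  error: "invalid_grant",
  error_description:
    "AADB2C90080: The provided grant has expired. Please re-authenticate and try again. " +
    "Current time: 1676016884, Grant issued time: 1675941825, Grant expiration time: 1675951412\r\n" +
    "Correlation ID: 6052f247\r\nTimestamp: 2023-02-10 08:14:44Z\r\n",
};

// Pull the three Unix timestamps and the correlation ID out of the
// description. Returns null when the error is not an AADB2C90080 error.
function parseGrantExpiredError(err) {
  const desc = err && err.error_description ? err.error_description : "";
  if (!desc.startsWith("AADB2C90080")) return null;
  const grab = (label) => {
    const m = desc.match(new RegExp(label + ": (\\d+)"));
    return m ? Number(m[1]) : NaN;
  };
  const corr = desc.match(/Correlation ID: ([0-9a-fA-F-]+)/);
  return {
    currentTime: grab("Current time"),
    issuedTime: grab("Grant issued time"),
    expirationTime: grab("Grant expiration time"),
    correlationId: corr ? corr[1] : null,
  };
}

// Derive the numbers a support engineer wants from the audit log entry:
// grant lifetime in minutes, hours elapsed since expiry, and the three
// instants as ISO-8601 UTC so they can be lined up against the B2C audit log.
function summarizeGrant(parsed) {
  const lifetimeSec = parsed.expirationTime - parsed.issuedTime;
  const expiredForSec = parsed.currentTime - parsed.expirationTime;
  const iso = (t) => new Date(t * 1000).toISOString();
  return {
    lifetimeMinutes: Math.round(lifetimeSec / 60),
    expiredForHours: Math.round((expiredForSec / 3600) * 10) / 10,
    issuedAt: iso(parsed.issuedTime),
    expiredAt: iso(parsed.expirationTime),
    retriedAt: iso(parsed.currentTime),
  };
}

console.log(summarizeGrant(parseGrantExpiredError(SAMPLE_ERROR)));
```

For the error in the question the arithmetic gives a grant that was valid for about 160 minutes and a request that arrived roughly 18 hours after it expired, which is the kind of gap to check against the "idle for long" hypothesis and the policy's refresh-token lifetime.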

2 Answers


You are correct that MSAL 2.x automatically takes care of refreshing the token. But in a few cases it does not: when the user is inactive for a long time, or when the access token expiry is less than the default refresh time that is set.

In that case, the acquireTokenSilent() method can be used to obtain a new token. To obtain a new access token silently, call the acquireTokenSilent() method of the MsalService with the desired scopes.

Code:

import { AuthenticationResult } from '@azure/msal-browser';
getToken() {
  // In @azure/msal-angular v2, MsalService.acquireTokenSilent() returns an
  // Observable<AuthenticationResult>: subscribe, and read result.accessToken.
  this.authService.acquireTokenSilent({
    scopes: ['<your-scope>'],
  }).subscribe({
    next: (result: AuthenticationResult) => {
      // Use result.accessToken  // console.log('New token:', result.accessToken);
    },
    error: (error: any) => {
      console.log(error);
    },
  });
}
  • Check the expiration times of the access and refresh tokens, and the refresh interval that is set. Adjust these settings using the accessTokenExpirationOffsetInSeconds property to specify the number of seconds/minutes before expiry at which the token has to be refreshed.

    import { IPublicClientApplication, PublicClientApplication } from '@azure/msal-browser';

    // MSAL Angular v2 is configured through the MSAL_INSTANCE factory, not an
    // init() call on MsalService. msal-browser names the renewal offset
    // system.tokenRenewalOffsetSeconds (default 300); B2C authorities also need
    // the https:// scheme and must be listed in knownAuthorities.
    export function MSALInstanceFactory(): IPublicClientApplication {
      return new PublicClientApplication({
        auth: {
          clientId: '<your-client-id>',
          authority: 'https://<your-b2c-tenant>.b2clogin.com/<b2c-tenant>.onmicrosoft.com/B2C_1_<policy-name>',
          knownAuthorities: ['<your-b2c-tenant>.b2clogin.com'],
          redirectUri: '<your-redirect-uri>',
        },
        cache: {
          cacheLocation: 'localStorage',
          storeAuthStateInCookie: true,
        },
        system: {
          tokenRenewalOffsetSeconds: 300,
        },
      });
    }
    

With this, MSAL will try to refresh the access token within 5 minutes (~300 seconds) before it expires.

  • This error or failure can happen if the user takes too long to complete the MFA flow.

  • For that, in the custom policy set the timeout for multifactor authentication to 5 minutes to give the user a minimum amount of time to authenticate.

    <OrchestrationStep Order="2" Type="MultiFactorAuthentication">
      <MultiFactorAuthentication>
        <AuthenticationMethods>
          <AuthenticationMethod ReferenceId="phoneFactor" />
          <AuthenticationMethod ReferenceId="emailFactor" />
        </AuthenticationMethods>
        <FailureModes>Deny</FailureModes>
        <Default>false</Default>
        <SendErrorCodesToResponse>false</SendErrorCodesToResponse>
        <Enrollment>Conditional</Enrollment>
        <phoneFactor-Timeout>300</phoneFactor-Timeout>
        <emailFactor-Timeout>300</emailFactor-Timeout>
      </MultiFactorAuthentication>
    </OrchestrationStep>
    


By these, the token refresh behavior can be controlled.

References:

  1. Configure authentication in a sample single-page application by using Azure Active Directory B2C | Microsoft Learn
  2. Configure session behavior - Azure Active Directory B2C | Microsoft Learn
kavyaS
  • Thanks for the explanation. Can you please also tell me when I should call acquireTokenSilent? What will be the trigger for this? – Ankush Daga Feb 20 '23 at 06:46
  • Before the user logs in or during an API call, acquireTokenSilent can be triggered – kavyaS Feb 23 '23 at 05:50
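As an added example that is not code from this answer or from the MSAL library, the following JavaScript shows the trigger pattern the comments ask about: wrap every API call in a helper that first calls acquireTokenSilent() and falls back to acquireTokenRedirect() only when the error says the grant is gone, so a transient error does not push the user through MFA again. The method names are msal-browser's; the client is a stand-in constructed here (a real app would pass its PublicClientApplication instance), and treating B2C's invalid_grant/AADB2C90080 as interaction-required is this example's assumption based on the error in the question. The stand-in also models the renewal offset (system.tokenRenewalOffsetSeconds in msal-browser, default 300) so the second scenario shows a token being renewed before it actually expires.

```javascript
// Added example, not code from the answer or from @azure/msal-*. Method names
// follow msal-browser (acquireTokenSilent, acquireTokenRedirect); the client is
// a stand-in so the example runs offline.

// Errors on which silent renewal cannot succeed and the user must sign in
// again. "interaction_required" is msal-browser's InteractionRequiredAuthError
// code. Treating B2C's invalid_grant + AADB2C90080 ("grant has expired") the
// same way is this example's assumption, based on the error in the question.
function needsInteraction(err) {
  if (!err) return false;
  const code = err.errorCode || err.error || "";
  const message = err.errorMessage || err.error_description || "";
  if (code === "interaction_required") return true;
  return code === "invalid_grant" && message.startsWith("AADB2C90080");
}

// The trigger: call this before each API request. Silent first; redirect only
// when the cached grant is unusable; anything else is rethrown so a network
// blip does not turn into an extra MFA round-trip.
async function getAccessToken(client, request) {
  try {
    const result = await client.acquireTokenSilent(request);
    return { accessToken: result.accessToken, source: "silent" };
  } catch (err) {
    if (!needsInteraction(err)) throw err;
    await client.acquireTokenRedirect(request); // navigates away in a browser
    return { accessToken: null, source: "redirect" };
  }
}

// Stand-in for PublicClientApplication, constructed for this example. It models
// an access token with an expiry, the renewal offset (msal-browser's
// system.tokenRenewalOffsetSeconds, default 300 s), and a refresh grant that
// may itself have expired while the tab sat idle.
function makeFakeClient({ accessExpiresAt, grantExpiresAt, renewalOffsetSeconds = 300, now }) {
  const calls = [];
  return {
    calls,
    async acquireTokenSilent(request) {
      calls.push("acquireTokenSilent");
      // Inside the offset window the cached token already counts as expired.
      if (accessExpiresAt - now() > renewalOffsetSeconds) {
        return { accessToken: "cached-token", scopes: request.scopes };
      }
      if (grantExpiresAt > now()) {
        accessExpiresAt = now() + 3600; // renewed with the refresh grant
        return { accessToken: "refreshed-token", scopes: request.scopes };
      }
      throw {
        errorCode: "invalid_grant",
        errorMessage: "AADB2C90080: The provided grant has expired. Please re-authenticate and try again.",
      };
    },
    async acquireTokenRedirect() {
      calls.push("acquireTokenRedirect");
    },
  };
}

// Three scenarios against a fixed clock (constructed values).
async function runScenarios() {
  const t0 = 1676016884; // the "Current time" from the question's error
  const now = () => t0;
  const request = { scopes: ["<your-scope>"] };

  const fresh = makeFakeClient({ accessExpiresAt: t0 + 3600, grantExpiresAt: t0 + 86400, now });
  const nearExpiry = makeFakeClient({ accessExpiresAt: t0 + 120, grantExpiresAt: t0 + 86400, now });
  const idleOvernight = makeFakeClient({ accessExpiresAt: t0 - 60000, grantExpiresAt: t0 - 65472, now });

  return {
    fresh: await getAccessToken(fresh, request),
    nearExpiry: await getAccessToken(nearExpiry, request),
    idleOvernight: await getAccessToken(idleOvernight, request),
    idleOvernightCalls: idleOvernight.calls,
  };
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In an Angular app the same helper sits in an HTTP interceptor (or MsalInterceptor does this for the configured protected resources); the point of the explicit version is the error filter: only an interaction-required error, or the B2C grant-expired error from the question, should send the user back through login and MFA.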

While doing development work on custom B2C policies, we found that this error sometimes appeared.

The way we got around it was clearing the local storage and session storage for the b2c domain and then we did not see this error again.

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/34673287) – user12256545 Jul 17 '23 at 18:30