Renewing expired access tokens in umbracoExternalLoginToken table
I am using Microsoft Azure AD to log in members in our site (Umbraco 13). I need to use their access token to make a call to the Graph API on their behalf.
After some looking around, I found the tokens in the umbracoExternalLoginToken table and I’m currently using the access_token to authenticate the call to the Graph API.
However, I found that the access token expires even while the user is logged in, as the cookie expiration is different from the token’s expiry. I can see there is a refresh token in the table but it does not seem to be used to renew the access token.
Is this something I need to implement manually, i.e. use the IExternalLoginWithKeyService to manually get the refresh tokens, then write some custom code to get a new access token and store it back in the table? Or is there an out-of-the-box Umbraco/Microsoft functionality I can use?
Hello BallSportsGear@Hefin Jones,
It seems that there is no out of the box Umbraco/Microsoft functionality to refresh the access token using the refresh token for external login providers. You may need to implement this manually, as you suggested, by using the IExternalLoginWithKeyService to get the refresh tokens and then calling the Microsoft identity platform endpoint to obtain a new access token and refresh token pair. You can then store the new tokens in the umbracoExternalLoginToken table and use them for your Graph API calls.
Alternatively, you can try to use the Easy Auth feature of Azure App Service, which can automatically refresh the access tokens for you and expose them as environment variables or HTTP headers. However, this may require some additional configuration and changes to your Umbraco site.
I hope this helps you find a solution for your scenario.
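The manual refresh described in the answer above could look like the following. This is an added example, not code from the thread or from Umbraco: the class names, `tenantId`, `clientId` and `clientSecret` are assumptions standing in for your own app registration, and reading the stored refresh token and writing the result back to the umbracoExternalLoginToken table is left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Added example; all type names here are hypothetical, not Umbraco or Microsoft APIs.
public sealed record TokenSet(string AccessToken, string RefreshToken, DateTimeOffset ExpiresAt);

// Message carries only the OAuth error code, e.g. "invalid_grant".
public sealed class TokenRefreshException(string error) : Exception(error) { }

public sealed class EntraTokenRefresher(HttpClient http, string tenantId, string clientId, string clientSecret)
{
    private readonly string _tokenEndpoint =
        $"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token";

    // Exchanges the stored refresh_token for a new token pair (OAuth 2.0 refresh_token grant).
    public async Task<TokenSet> RefreshAsync(string refreshToken, string scope)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["client_id"] = clientId,
            ["client_secret"] = clientSecret, // load from a secret store, not from source code
            ["refresh_token"] = refreshToken,
            ["scope"] = scope, // e.g. "https://graph.microsoft.com/User.Read offline_access"
        });
        using var response = await http.PostAsync(_tokenEndpoint, form);
        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        var root = json.RootElement;
        if (!response.IsSuccessStatusCode)
        {
            // invalid_grant means the refresh token expired or was revoked: the member must
            // sign in again. Surface only the error code; never log the body or token values.
            var error = root.TryGetProperty("error", out var e) ? e.GetString() : null;
            throw new TokenRefreshException(error ?? "unknown_error");
        }
        // The refresh token may be rotated; keep the old one only if no new one is returned.
        var newRefresh = root.TryGetProperty("refresh_token", out var r)
            ? r.GetString() ?? refreshToken
            : refreshToken;
        // Treat the token as expired two minutes early to absorb clock skew and latency.
        var expiresAt = DateTimeOffset.UtcNow.AddSeconds(root.GetProperty("expires_in").GetInt32() - 120);
        return new TokenSet(root.GetProperty("access_token").GetString()!, newRefresh, expiresAt);
    }
}
```

Persist both returned tokens together, and serialize refreshes per member so that two concurrent requests do not overwrite a rotated refresh token with a stale one.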
Hi,
Thanks for your advice. I have looked into easy auth and implemented it for Umbraco Member login.
While I can log in fine, I am unable to get a token using either the ITokenAcquisition service, or with GraphServiceClient based on this URL: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?source=recommendations&tabs=azure-resource-explorer
Here is the code for setup:
Using the ITokenAcquisition service throws an error of 'ErrorCode: user_null':
While using HttpContext returns null: