Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • Hefin Jones 2 posts 72 karma points
    Feb 22, 2024 @ 14:52
    Hefin Jones

    Renewing expired access tokens in umbracoExternalLoginToken table

    I am using Microsoft Azure AD to login members in our site (Umbraco 13). I need to use their access token to make a call to the Graph API on their behalf.

    After some looking around, I found the tokens in umbracoExternalLoginToken table and I’m currently using the access_token to authenticate the call to the Graph API.

    However, I found that the access token expires even while the user is logged in, as the cookie expiration is different from the token’s expiry. I can see there is a refresh token in the table but it does not seem to be used to renew the access token.

    Is this something I need to implement manually, i.e. use the IExternalLoginWithKeyService to manually get the refresh tokens, then write some custom code to get a new access token and store it back in the table? Or is there a out of the box Umbraco/Microsoft functionality I can use?

  • Nicholas Smith 1 post 71 karma points
    Feb 23, 2024 @ 08:11
    Nicholas Smith

    Hello BallSportsGear@Hefin Jones,

    It seems that there is no out of the box Umbraco/Microsoft functionality to refresh the access token using the refresh token for external login providers. You may need to implement this manually, as you suggested, by using the IExternalLoginWithKeyService to get the refresh tokens and then calling the Microsoft identity platform endpoint to obtain a new access token and refresh token pair. You can then store the new tokens in the umbracoExternalLoginToken table and use them for your Graph API calls.

    Alternatively, you can try to use the Easy Auth feature of Azure App Service, which can automatically refresh the access tokens for you and expose them as environment variables or HTTP headers. However, this may require some additional configuration and changes to your Umbraco site.

    I hope this helps you find a solution for your scenario.

  • Hefin Jones 2 posts 72 karma points
    Feb 23, 2024 @ 13:52
    Hefin Jones


    Thanks for your advice. I have looked into easy auth and implemented it for Umbraco Member login.

    While I can login fine, I am unable to get a token using either the ITokenAcquisition service, or with GraphServiceClient based on this URL:

    Here is the code for setup:

    builder.AddMemberExternalLogins(logins =>
          logins.AddMemberLogin(memberAuthenticationBuilder =>
                      .AddMicrosoftIdentityWebApp(options =>
                          var tenantId = "";
                          var clientId = "";
                          var instance = "";
                          options.CallbackPath = "/signin-oidc";
                          options.Instance = instance;
                          options.TenantId = tenantId;
                          options.ClientId = clientId;
                          options.SignedOutRedirectUri = "/";
                          options.ClientSecret = "";
                          options.SaveTokens = true;
                          options.Events.OnTokenValidated = ctx =>
                              var username = ctx.Principal?.Claims.FirstOrDefault(c => c.Type == ClaimConstants.PreferredUserName);
                              if (username != null && ctx.Principal?.Identity is ClaimsIdentity claimsIdentity)
                                      new Claim(
                              return Task.CompletedTask;
                      }, null, 
                      .AddMicrosoftGraph(defaultScopes: defaultScopes);

    Using the ITokenAcquisition service throws an error of 'ErrorCode: user_null':

    var token = await _tokenAcquisition.GetAccessTokenForUserAsync(scopes);

    While using HttpContext returns null:

    var token = await HttpContext.GetTokenAsync("access_token");
Please Sign in or register to post replies

Write your reply to: