-
Notifications
You must be signed in to change notification settings - Fork 378
Client Throttling
AAD throttles applications when you call it too often. Most often this happens when token caching is not used, for example, because:
- Token caching is not setup correctly (see Token cache serialization).
- Not calling
AcquireTokenSilentbefore callingAcquireTokenInteractive,AcquireTokenByUsernamePassword(see AcquireTokenSilent). - If you are asking for a scope which does not make sense for MSA users like
User.ReadBasic.All, which causes cache misses.
The server signals throttling in 2 ways:
- for
client_credentialsgrant, i.e.AcquireTokenForClient, AAD will reply with429 Too Many Requestswith aRetry-After: 60header. - for user facing calls, AAD will send an message which results in an
MsalUiRequiredExceptionwith error codeinvalid_grantand a messageAADSTS50196: The server terminated an operation because it encountered a loop while processing a request.
MSAL detects certain conditions (see below) where the application should not make repeated calls to AAD. If a call is made, then an MsalThrottledServiceException or an MsalThrottledUiRequiredException is thrown by MSAL. These are subtypes of MsalServiceException, so this behaviour does not introduce a breaking change. If MSAL would not apply client-side throttling, the application would still not be able to acquire tokens, as AAD would throw the error.
If the server is having problems or if an application is requesting tokens too often, AAD will respond with HTTP 429 (Too Many Requests) and with Retry-After header, Retry-After X seconds. The application will see an MsalServiceException with header details. The throttling state is maintained for the X seconds. Affects all flows. Introduced in 4.13.0.
The most likely culprit is that you have not setup token caching. See https://aka.ms/msal-net-token-cache-serialization.
If AAD is having problems it may respond with an HTTP 5xx error code with no Retry-After header. The throttling state is maintained for 1 minute. Affects only public client flows. Introduced in 4.13.0
MSAL throws MsalUiRequiredException when authentication cannot be resolved silently and the end-user needs to use a browser. This is a common occurrence when a tenant admin introduced Multi-Factor Authentication or when a user's password expires. Retrying the silent authentication cannot succeed. The throttling state is maintained for 2 minutes. Affects only the AcquireTokenSilent. Introduced in 4.14.0
- Home
- Why use MSAL.NET
- Is MSAL.NET right for me
- Scenarios
- Register your app with AAD
- Client applications
- Acquiring tokens
- MSAL samples
- Known Issues
- Acquiring a token for the app
- Acquiring a token on behalf of a user in Web APIs
- Acquiring a token by authorization code in Web Apps
- AcquireTokenInteractive
- WAM - the Windows broker
- .NET Core
- Maui Docs
- Custom Browser
- Applying an AAD B2C policy
- Integrated Windows Authentication for domain or AAD joined machines
- Username / Password
- Device Code Flow for devices without a Web browser
- ADFS support
- High Availability
- Regional
- Token cache serialization
- Logging
- Exceptions in MSAL
- Provide your own Httpclient and proxy
- Extensibility Points
- Clearing the cache
- Client Credentials Multi-Tenant guidance
- Performance perspectives
- Differences between ADAL.NET and MSAL.NET Apps
- PowerShell support
- Testing apps that use MSAL
- Experimental Features
- Proof of Possession (PoP) tokens
- Using in Azure functions
- Extract info from WWW-Authenticate headers
- SPA Authorization Code