Enable automatic token refresh when Continuous Access Evaluation (CAE) requires a new token

[BnGreg]

Describe the bug

When using the AzureIdentityAuthenticationProvider with ClientCertificateCredential, the authentication process does not automatically refresh the token when CAE forces a new authentication. This results in InteractionRequired and TokenCreatedWithOutdatedPolicies errors during Microsoft Graph API calls.

Expected behavior

The AzureIdentityAuthenticationProvider should detect when CAE requires a new token and automatically refresh it to prevent authentication failures.

How to reproduce

1. Configure authentication using ClientCertificateCredential and AzureIdentityAuthenticationProvider.
2. Enable CAE in the Azure AD tenant.
3. Call a Microsoft Graph API endpoint that requires authentication.
4. If CAE enforces a re-authentication, the request fails with the error:
   Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies

SDK Version

6.26.0

Latest version known to work for scenario above?

No response

Known Workarounds

Manually regenerating the GraphServiceClient instance or completely restarts the application.

Debug output

The provider does not refresh the token, causing repeated authentication errors when CAE is triggered.

Caused by: com.microsoft.graph.models.odataerrors.ODataError: Continuous access evaluation resulted in challenge with result: InteractionRequired and code: TokenCreatedWithOutdatedPolicies
	at com.microsoft.graph.models.odataerrors.ODataError.createFromDiscriminatorValue(ODataError.java:36)
	at com.microsoft.kiota.serialization.JsonParseNode.getObjectValue(JsonParseNode.java:212)
	at com.microsoft.kiota.http.OkHttpRequestAdapter.lambda$throwIfFailedResponse$0(OkHttpRequestAdapter.java:673)
	at com.microsoft.kiota.ApiExceptionBuilder.<init>(ApiExceptionBuilder.java:26)
	at com.microsoft.kiota.http.OkHttpRequestAdapter.throwIfFailedResponse(OkHttpRequestAdapter.java:672)
	at com.microsoft.kiota.http.OkHttpRequestAdapter.send(OkHttpRequestAdapter.java:280)
	at com.microsoft.graph.sites.item.drive.DriveRequestBuilder.get(DriveRequestBuilder.java:59)
	at com.microsoft.graph.sites.item.drive.DriveRequestBuilder.get(DriveRequestBuilder.java:46)

Configuration

Microsoft Graph SDK version: 6.26.0
Java version: 21
Spring Boot version: 3.3
Authentication method: ClientCertificateCredential

Other information

Manually regenerating the GraphServiceClient instance as a workaround is inefficient. It would be beneficial if the SDK could handle this scenario internally.

Would it be possible to enhance AzureIdentityAuthenticationProvider to handle CAE-related token refresh automatically?

[ddejmek-irian]

Are there any news? Will this be fixed in one of the next versions?

[dvm421]

+1 for the bug report, we're running into this too.
any news?

[BnGreg]

@andrueastman @Ndiritu
Can you give some feedback regarding this issue ?

[TobiUll]

I think the problem is a TimeZone issue. Within the constructors of
com.azure.identity.implementation.MsalToken the expiresAt is created in UTC:

OffsetDateTime.ofInstant(msalResult.expiresOnDate().toInstant(), ZoneOffset.UTC)

The isExpired check within com.azure.identity.implementation.IdentitySyncClient using the MsalToken is with local time:
if (OffsetDateTime.now().isBefore(accessToken.getExpiresAt().minus(REFRESH_OFFSET))) {
(in method AccessToken authenticateWithConfidentialClientCache(TokenRequestContext request) ).

[TobiUll]

and #2355 seems to be a duplicate of this issue #

[loicdewerchin]

Hitting the same bug with version 6.57.0 of microsoft-graph and v1.18.1 of azure-identity. Hoping for a fix so we don't have to downgrade back to v 5.x where the error never occured before.

[baywet]

HI everyone,
Thank you for your patience.

As a workaround, you can entirely disable the support for CAE in the SDK with this argument to the authentication provider

The token refresh on CAE challenge is implemented here and there. Something could be off and would need to be investigated.

I have transitioned to a new team and won't be replying to this issue/pull request moving forward.
Thank you for your understanding.
So have Andrew, and Philip (previously mentioned on this thread)

Pinging @gavinbarron and @adrian05-ms to take it from here.