Refreshing OIDC Token/Force Re-Login

TheAlbionist · December 15, 2021, 10:04pm

Is there anything in PSU that can handle this out of interest? After an hour of being logged into my UD my access token expires and so I can no longer use it for getting msal tokens to query Graph etc

Just updated from 2.4.1 to 2.6.1 and it looks like the logout button has disappeared… this was providing a handy workaround from me fixing this properly. Logging out and then loading any page sent me back through OIDC login and my token was renewed.

I tried just hitting the /login page, which loads, but it doesn’t actually log me out. /logout and /log-out give a 404.

Is there some way I can force the user through a re-login so it grabs a new token?

Noticed this git issue, but it’s from a fair old while ago:

github.com/ironmansoftware/universal-dashboard

Azure OpenId Access Token Expired but UD Session still active

opened 01:01PM - 23 Dec 19 UTC

timd19

enhancement enterprise

#### Is your Enhancement request related to a problem? Please describe When Usi…ng Azure with OpenId Auth, the Access Token is valid for only 1 hour. In most cases the Token will expire before UD forces a login again causing the Access Token to become unusable. #### Describe the solution you'd like If the access token is expired/no longer valid UD will force the user to re-authenticate to get a new Access Token #### Describe how this would improve your Universal Dashboard Quality of Life Please help us understand how this would improve your usage of universal dashboard and/or what new capabilities this enhancement would provide you with. #### Describe alternatives you've considered Full Post here - [https://forums.universaldashboard.io/t/azure-openid-access-token-expired-but-ud-session-still-active/1875](url) #### Additional context Add any other context or screenshots about the Enhancement request here.

adam · December 15, 2021, 10:24pm

We currently don’t support this but you could try to perform a logout in the event of an error like this.The sign out URL is: ‘/api/v1/signout’

try {
  # azure stuff
} catch {
   if ($_.Exception.Message.Contains('AADSTS500133'))
   {
         Invoke-UDRedirect '/api/v1/signout' -OpenInNewWindow
         Invoke-UDJavaScript 'window.location.reload()'
   }
}

TheAlbionist · December 15, 2021, 10:57pm

That’ll definitely do for now… thanks!

Out of interest - if I were to have a bash at writing a function to refresh the user’s token, would a dashboard/endpoint be able to overwrite $AccessToken in the user’s session with a new value or is that protected somehow?

(Just thinking out loud tbh)

adam · December 16, 2021, 5:15pm

I don’t think it would be able to overwrite it and have it persist so you might need to use a $Session:AccessToken variable or something.

$Session:AccessToken = $AccessToken
if ($Refresh)
{ 
      $Session:AccessToken = $RefreshedAccessToken
}

TheAlbionist · December 16, 2021, 7:49pm

Ah yeah, great thought

Topic		Replies	Views
Azure OpenId Access Token Expired but UD Session still active	14	1082	August 4, 2020
Has the signout api changed recently? PowerShell Universal	3	156	January 18, 2023
Refresh Tokens - OIDC Universal Dashboard	2	336	December 21, 2021
Problems with refreshing auth tokens Universal Dashboard Help	4	866	October 14, 2022
OpenID - connect-AzureAD works (it seems) but Get-Azureaduser gives me a TokenExpired error PowerShell Universal	8	2060	September 28, 2021

Refreshing OIDC Token/Force Re-Login

Related Topics