Forum Discussion
Hagar_Z
Aug 29, 2023 - Copper Contributor
Invalid S2S auth token error for API requests
Hi,
We are using Microsoft Graph API periodically to fetch information like directory audits and incidents.
Every hour or so the request returns the following error with status code 403:
Invalid S2S auth token:
miseHost.HandleAsync did not succeed or AuthenticationTicket is null:
MISE12034:
AuthenticationTicketProvider Name:AuthenticationTicketProvider,
GetVersion:1.8.0.0. ,
at Microsoft.Identity.ServiceEssentials.MiseHost`1.<AuthenticateRequestAsync>d__39.MoveNext()\r\n---
End of stack trace from previous location where exception was thrown ---\r\n
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n
at Microsoft.Identity.ServiceEssentials.MiseHost`1.<HandleAsync>d__38.MoveNext()
When we retry the request again, it returns without an issue.
Appreciate your support,
Hagar
- LainRobertson, Silver Contributor
This is expected behaviour as tokens are only short-lived by default, as described in the following articles:
- Access tokens in the Microsoft identity platform - Microsoft Entra | Microsoft Learn
- Authentication and authorization basics - Microsoft Graph | Microsoft Learn
You can have a read of the following, which describe how to configure token lifetimes in various scenarios:
- Access tokens in the Microsoft identity platform - Microsoft Entra | Microsoft Learn
- Set lifetimes for tokens - Microsoft Entra | Microsoft Learn
- Configurable token lifetimes - Microsoft Entra | Microsoft Learn
Of course, just because you can extend a token lifetime (be that organisation-wide or per app) doesn't mean you should. You have to do your own risk/benefit analysis on that topic.
Cheers,
Lain
- Hagar_Z, Copper Contributor
LainRobertson
Thanks Lain,
When making a request with an expired Access Token, the MS Graph API returns a 401 status code with the message: Access token has expired or is not yet valid.
In the case I have described, the response returns a 403 status code with the message Invalid S2S auth token plus something that looks like an internal error.
Thanks,
Hagar
- LainRobertson, Silver Contributor
Sorry, Hagar - you're quite correct. I focused on the recurrent interval and didn't pay attention to the HTTP code.
It does feel though like the HTTP 403 is the symptom rather than indicative of the cause, given the retry is successful. It's almost like the async ticket refresh is successful under the hood, but whatever made the call wasn't happy about waiting for it to successfully complete.
But that's pure speculation since I've never before seen the modules from that exception stack. It's more just a gut feeling.
I'm afraid I'm no help on this one.
Cheers,
Lain
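
The distinction drawn in this thread (401 for an expired token, an intermittent 403 carrying "Invalid S2S auth token" that succeeds on retry) can be handled in client code as sketched below. This is an added example, not code from any poster or from Microsoft; `send`, `get_token` and the response shape `{"error": {"message": ...}}` are assumptions, and the sample responses are constructed.

```python
import time

S2S_MARKER = "Invalid S2S auth token"  # 403 message text quoted in the thread

class GraphCallError(Exception):
    def __init__(self, status, events):
        super().__init__(f"Graph call failed with HTTP {status}")
        self.status, self.events = status, events

def classify(status, body):
    """Map a response to an action: 'ok', 'refresh', 'retry' or 'fail'."""
    error = body.get("error") if isinstance(body, dict) else None
    message = error.get("message", "") if isinstance(error, dict) else ""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "refresh"  # expired or not-yet-valid access token
    if status == 403 and S2S_MARKER in message:
        return "retry"    # the transient case reported in the thread
    return "fail"         # any other 403 is treated as a real denial, never retried

def call_graph(send, get_token, max_attempts=3, base_delay=1.0, sleep=time.sleep):
    """send(token) -> (status, body) and get_token(force_refresh) -> str are
    hypothetical callables supplied by the caller (assumptions, not Graph SDK APIs)."""
    token, events = get_token(False), []
    for attempt in range(1, max_attempts + 1):
        status, body = send(token)
        action = classify(status, body)
        events.append((attempt, status, action))  # keep for logging and alerting
        if action == "ok":
            return body, events
        if action == "fail" or attempt == max_attempts:
            break
        if action == "refresh":
            token = get_token(True)
        else:
            sleep(base_delay * 2 ** (attempt - 1))  # bounded exponential backoff
    raise GraphCallError(status, events)

def demo():
    # Constructed responses: one transient 403, then success.
    replies = iter([(403, {"error": {"message": S2S_MARKER + ": (constructed)"}}),
                    (200, {"value": []})])
    return call_graph(lambda token: next(replies), lambda force: "constructed-token",
                      sleep=lambda seconds: None)

if __name__ == "__main__":
    print(demo())
```

Keeping the 403 retry bounded and matched on the specific message means a genuine authorization failure still surfaces immediately, and the recorded `events` give a count of how often the transient case occurs.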