Aug 29 2023 01:54 AM
We are using Microsoft Graph API periodically to fetch information like directory audits and incidents.
Every hour or so the request returns the following error with status code 403:
Invalid S2S auth token: miseHost.HandleAsync did not succeed or AuthenticationTicket is null: MISE12034: AuthenticationTicketProvider Name:AuthenticationTicketProvider, GetVersion:188.8.131.52. , at Microsoft.Identity.ServiceEssentials.MiseHost`1.<AuthenticateRequestAsync>d__39.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Identity.ServiceEssentials.MiseHost`1.<HandleAsync>d__38.MoveNext()
When we retry the request again, it returns without an issue.
Appreciate your support,
Aug 29 2023 06:08 AM
This is expected behaviour as tokens are only short-lived by default, as described in the following articles:
You can have a read of the following which describe how to configure token lifetimes in various scenarios:
Of course, just because you can extend a token lifetime (be that organisation-wide or per app) doesn't mean you should. You have to do your own risk/benefit analysis on that topic.
Aug 29 2023 06:40 AM
When making a request with an expired Access Token, the MS Graph API returns a 401 status code with the message: Access token has expired or is not yet valid.
In the case I have described, the response returns a 403 status code with the message Invalid S2S auth token plus something that looks like an internal error.
Aug 29 2023 07:30 AM
Sorry, Hagar - you're quite correct. I focused on the recurrent interval and didn't pay attention to the HTTP code.
It does feel though like the HTTP 403 is the symptom rather than indicative of the cause, given the retry is successful. It's almost like the async ticket refresh is successful under the hood, but whatever made the call wasn't happy about waiting for it to successfully complete.
But that's pure speculation since I've never before seen the modules from that exception stack. It's more just a gut feeling.
I'm afraid I'm no help on this one.
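Added example, not from the thread or any poster's code: one way a polling client can tell apart the two responses discussed above, refreshing the token on the 401 "expired" message, retrying with bounded backoff on the 403 "Invalid S2S auth token" message, and failing fast on any other 401/403 so real permission errors are not masked. The `send` and `get_token` callables are hypothetical stand-ins for the HTTP call and token acquisition, and treating this 403 as retryable is an assumption based only on the observation in the thread that a retry succeeds.

```python
import time

# Message fragments quoted in the thread above.
EXPIRED_MSG = "Access token has expired or is not yet valid"
S2S_MSG = "Invalid S2S auth token"

def classify(status, body):
    """Map a Graph response to an action: ok, refresh, retry or fail."""
    if 200 <= status < 300:
        return "ok"
    if status == 401 and EXPIRED_MSG in body:
        return "refresh"          # expired token: get a new one, then resend
    if status == 403 and S2S_MSG in body:
        return "retry"            # assumed transient: resend unchanged
    return "fail"                 # any other 401/403 is treated as genuine

def call_graph(send, get_token, max_retries=3, base_delay=1.0, sleep=time.sleep):
    """send(token) -> (status, body); get_token(force) -> str. Both hypothetical."""
    token = get_token(False)
    events = []                   # audit trail so recurring 403s stay visible
    refreshed = False
    for attempt in range(max_retries + 1):
        status, body = send(token)
        action = classify(status, body)
        events.append((attempt, status, action))
        if action == "ok":
            return body, events
        if action == "refresh" and not refreshed:
            token = get_token(True)            # force a fresh token, once only
            refreshed = True
            continue
        if action == "retry" and attempt < max_retries:
            sleep(base_delay * 2 ** attempt)   # exponential backoff
            continue
        break
    raise PermissionError(f"Graph call failed: {events}")
```

The returned `events` list is worth logging, since a rising count of `retry` entries is the signal to raise with Microsoft support rather than something to silence.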