Mar 24 2021 04:38 PM
Nov 15 2021 02:06 AM - edited Nov 15 2021 02:07 AM
How are you guys able to work with that access token?
Nov 15 2021 03:58 PM
I'm still unable to get it to work. I'm still receiving an error "Connect-MicrosoftTeams : The provided tokens must have less than 180 seconds difference in the time range of expiration."
I have not been able to figure out how to configure the expiration of the tokens as we generate the tokens at the same time and the difference in expiration is approx. 800 seconds.
Nov 15 2021 04:29 PM
Nov 15 2021 11:55 PM - edited Nov 16 2021 12:18 AM
Hi @Thomsch @Sridevi-MSFT
I do the following two requests to get the tokens; the payload is below.
Graph Token
https://login.microsoftonline.com/common/oauth2/v2.0/token
client_id=redacted
&scope=Directory.AccessAsUser.All
&code=redacted
&redirect_uri=redacted
&grant_type=authorization_code
&client_secret=redacted
Teams Token
https://login.microsoftonline.com/common/oauth2/token
resource=48ac35b8-9aa8-4d74-927d-1f4a14a0b239
&client_id=redacted
&refresh_token=redacted
&redirect_uri=redacted
&grant_type=refresh_token
&client_secret=redacted
But the token expiry times of the two tokens are always more than 180 seconds apart.
Graph JWT
"aud": "00000003-0000-0000-c000-000000000000",
"iss": "https://sts.windows.net/redacted/",
"iat": 1637048601,
"nbf": 1637048601,
"exp": 1637054055,
Teams JWT
"aud": "48ac35b8-9aa8-4d74-927d-1f4a14a0b239",
"iss": "https://sts.windows.net/redacted/",
"iat": 1637048627,
"nbf": 1637048627,
"exp": 1637053010,
Time difference = 1045 seconds
So this will result in the error that the expiry time difference is greater than 180 seconds.
Is there something wrong with the way I am requesting a token, or is there a change in the token issuing logic that is not compatible with the Teams Connector?
Kind regards
Peter
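The comparison made by hand in the post above can be scripted as a pre-flight check before calling Connect-MicrosoftTeams. This is an added example, not code from the thread: the function names are hypothetical, and the two sample tokens are constructed locally from the iat/exp values quoted in the post.

```powershell
# Added example, not from the thread. Claims are read WITHOUT verifying the
# signature: this is a local pre-flight check only, never an authorization decision.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {          # restore the padding base64url strips
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected header.payload.signature.' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Compare-TokenExpiry {
    param([string]$GraphToken, [string]$TeamsToken, [int]$MaxGapSeconds = 180)
    $g = Get-JwtClaims $GraphToken
    $t = Get-JwtClaims $TeamsToken
    $gap = [math]::Abs([long]$g.exp - [long]$t.exp)
    [pscustomobject]@{
        GraphLifetimeSec = [long]$g.exp - [long]$g.iat   # lifetime the issuer chose
        TeamsLifetimeSec = [long]$t.exp - [long]$t.iat
        ExpiryGapSec     = $gap
        WithinLimit      = $gap -lt $MaxGapSeconds       # "less than 180 seconds"
    }
}

# Constructed sample tokens carrying the iat/exp values quoted in the post above.
function New-SampleJwt {
    param([hashtable]$Claims)
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.{2}' -f (& $enc '{"alg":"none"}'), (& $enc ($Claims | ConvertTo-Json -Compress)), 'constructed'
}
$graph = New-SampleJwt @{ aud = '00000003-0000-0000-c000-000000000000'; iat = 1637048601; exp = 1637054055 }
$teams = New-SampleJwt @{ aud = '48ac35b8-9aa8-4d74-927d-1f4a14a0b239'; iat = 1637048627; exp = 1637053010 }
Compare-TokenExpiry -GraphToken $graph -TeamsToken $teams
```

Reporting each token's lifetime next to the gap shows whether the mismatch comes from different issue times or from the issuer assigning different lifetimes.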
Nov 16 2021 04:22 PM
Nov 17 2021 07:32 AM
Tried with ClientSecret. Same Result.
$TenantId = "tenantname.onmicrosoft.com"
$AppID = "546f064a-baa2-4eb9-8b68-70c79b91942b" # TeamsPS
$ClientSecret = ConvertTo-SecureString "MyClientSecret" -AsPlainText -Force
# Graph access token
$Scope = "https://graph.microsoft.com/.default"
$Token = Get-MsalToken -ClientId $AppID -ClientSecret $ClientSecret -TenantId $TenantId -Scopes $Scope
$GraphAccessToken = $Token.AccessToken
$GraphAccessToken # print the token for inspection
# Teams access token
$Scope = "48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default"
$Token = Get-MsalToken -ClientId $AppID -ClientSecret $ClientSecret -TenantId $TenantId -Scopes $Scope
$TeamsAccessToken = $Token.AccessToken
$TeamsAccessToken # print the token for inspection
# Connect with the Graph token first, then the Teams token
$AccessTokens = @($GraphAccessToken,$TeamsAccessToken)
Connect-MicrosoftTeams -AccessTokens $AccessTokens
Regards
Andres
Nov 17 2021 08:59 AM
Nov 17 2021 10:52 AM
Nov 17 2021 02:27 PM
Nov 18 2021 05:30 AM
@serge2021 I was hoping they may have removed the requirement, or increased the allowed difference. Looking at the other replies, that's not the case though.
Nov 18 2021 07:08 AM
Nov 18 2021 07:59 AM
Nov 18 2021 02:56 PM
@petetheman My region is Australia
Nov 19 2021 05:59 AM
Hi,
A few things to note:
Here's a graph for one of our customers, where the problem starts around Nov 16. You can see how the token duration for both Teams and Graph tokens (which we obtain simultaneously) initially (and for a long time before the data presented here) have a duration of 3900 sec and the difference in expiry time (the blue line) is always ~ zero and between the 180 (red dot) boundary. Then everything goes nuts:
Nov 19 2021 01:26 PM
Our hack workaround still seems to be working. It requires an average of over 5 token requests to get an acceptable expiry time difference less than 180.
Microsoft has provided an explanation on our case, which is pretty much what we expected:
Our internal mentioned that they recently got some similar cases with this error. Our team has already isolated the root cause of the issue which is increase in Access token refresh time from 1h token can now be anywhere between 65m -95minutes. Below there is the complete explanation of the root cause.
This is due to a recently enabled ESTS Jittering feature to add a random minutes (0-30 minutes) to the default 1H token, i.e, the default 1h token can now be anywhere between 65m -95minutes ( 5 more minutes for clock skew). The change of ESTS is to reduce the spike in token requests at peak hour and thus reduce ESTS peak hour cost. Apps with a logic to compare two tokens' expiration time have to change their codes accordingly, as ESTS has never committed to make two successive tokens with a fixed time difference.
In other words, one part of Microsoft (ESTS) made this change to reduce the number of tokens they have to provide, and smooth out their load. And they are telling the other part of Microsoft (Teams or Azure) that "your code is broken for making any assumption about these token expiry times." What teamwork!
No word yet on when the Teams/Azure/whoever people will make the 5-minute code change to remove the 180 sec check.
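One possible shape for a retry workaround like the one mentioned above: request both tokens again until their expiry times fall within the 180-second limit. This is an added example, not the poster's code. The function name is hypothetical, and it assumes the MSAL.PS module used earlier in the thread, including its -ForceRefresh switch and the ExpiresOn property of the returned result.

```powershell
#Requires -Modules MSAL.PS
# Added example, not the poster's code. Assumes Get-MsalToken's -ForceRefresh
# switch so each attempt is a freshly issued token rather than a cached one.
function Get-AlignedTeamsTokens {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret,
        [int]$MaxGapSeconds = 180,   # limit quoted in the Connect-MicrosoftTeams error
        [int]$MaxAttempts = 20       # hard cap so a failure cannot loop forever
    )
    $common = @{ ClientId = $ClientId; ClientSecret = $ClientSecret; TenantId = $TenantId; ForceRefresh = $true }
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $graph = Get-MsalToken @common -Scopes 'https://graph.microsoft.com/.default'
        $teams = Get-MsalToken @common -Scopes '48ac35b8-9aa8-4d74-927d-1f4a14a0b239/.default'
        # ExpiresOn is a DateTimeOffset; the difference is a TimeSpan.
        $gap = [math]::Abs(($graph.ExpiresOn - $teams.ExpiresOn).TotalSeconds)
        # Log only the gap, never the token values.
        Write-Verbose ("Attempt {0}: expiry gap {1:N0} s" -f $attempt, $gap)
        if ($gap -lt $MaxGapSeconds) {
            # Same order as the thread: Graph token first, then Teams token.
            return @($graph.AccessToken, $teams.AccessToken)
        }
        Start-Sleep -Seconds 2       # pace requests to the token endpoint
    }
    throw "No token pair within $MaxGapSeconds s after $MaxAttempts attempts."
}

# Usage (placeholder values):
# $secret = Read-Host -AsSecureString 'Client secret'
# $tokens = Get-AlignedTeamsTokens -TenantId '<tenant>' -ClientId '<app-id>' -ClientSecret $secret -Verbose
# Connect-MicrosoftTeams -AccessTokens $tokens
```

Because the lifetime of each token is randomized by the issuer, the number of attempts needed varies from run to run, so the attempt cap and the pause between requests matter in unattended jobs.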
Nov 23 2021 06:04 AM
More news from Microsoft regarding the token expiry fiasco:
As per the latest update and after analyzing all the internal cases with our product group for the same issue, we can confirm that it is a bug and I also crossverified with the engineering team.
However, the ETA for implementing the change is January 2022 as we don’t have any preview releases for this year.
They also recommended using the -Credential argument instead of -AccessTokens, which is completely pointless for our asynchronous, server-based PowerShell tooling.
So I would recommend implementing some sort of hack, as we have, unless you can wait until next year (maybe).
Nov 26 2021 01:34 AM
Nov 30 2021 08:24 AM