MSAL 1.32.0 Issue #1140

Closed
RogerSelwyn opened this issue Mar 14, 2025 · 12 comments

@RogerSelwyn
Contributor

I mentioned this issue in the JWT thread, but this is separate. Currently python-o365 requires msal>=1.13.1. Version 1.32.0 of msal was released on Wednesday, and some of my users (including myself) have been re-building containers as part of natural release cycles and this has pulled the newer release.

It seems with the newer release, the access token (not sure about refresh) is not getting updated when it expires. Or at least there is no update being done to the stored file system tokens. Pinning msal to 1.13.1 seems to solve the issue.

I'm afraid debugging msal is beyond my reach at two layers down, especially since I have no real knowledge of how it works. Of course if there is anything I can do to help, you know I will.

I get this error in my logs if it is of use, of course the file system token still exists, but I can't tell about the cache.

2025-03-14 21:30:28.805 ERROR (MainThread) [custom_components.ms365_teams.integration.coordinator_integration] Unexpected error fetching MS365 Teams data
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/O365/connection.py", line 816, in _internal_request
    response.raise_for_status()  # raise 4XX and 5XX error codes.
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.13/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://graph.microsoft.com/v1.0/me/chats?%24top=20
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/O365/connection.py", line 900, in oauth_request
    return self._internal_request(self.session, url, method, **kwargs)
           ~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/O365/connection.py", line 833, in _internal_request
    raise TokenExpiredError('Oauth Token is expired')
O365.connection.TokenExpiredError: Oauth Token is expired
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/helpers/update_coordinator.py", line 380, in _async_refresh
    self.data = await self._async_update_data()
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/config/custom_components/ms365_teams/integration/coordinator_integration.py", line 120, in _async_update_data
    await self._async_teams_chat_update(key)
  File "/config/custom_components/ms365_teams/integration/coordinator_integration.py", line 147, in _async_teams_chat_update
    chats = await self.hass.async_add_executor_job(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        ft.partial(self._account.teams().get_my_chats, limit=20)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/local/lib/python3.13/concurrent/futures/thread.py", line 59, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.13/site-packages/O365/teams.py", line 877, in get_my_chats
    response = self.con.get(url, params=params)
  File "/usr/local/lib/python3.13/site-packages/O365/connection.py", line 920, in get
    return self.oauth_request(url, 'get', params=params, **kwargs)
           ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/O365/connection.py", line 904, in oauth_request
    if self.refresh_token():
       ~~~~~~~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.13/site-packages/O365/connection.py", line 710, in refresh_token
    raise RuntimeError('Access Token not found. You will need to re-authenticate.')
RuntimeError: Access Token not found. You will need to re-authenticate.
s6-rc: info: service legacy-services: stopping
@LightToDo

For me, pinning msal to 1.31.1 solves the issue.

@alejcas
Member

alejcas commented Mar 17, 2025

I will look into this tomorrow

@RogerSelwyn
Contributor Author

No rush for me, I have pinned it within my app requirements.

@alejcas
Member

alejcas commented Mar 18, 2025

I know what's happening.

In msal 1.32.0 they don't return expired access tokens when looking for them.

AzureAD/microsoft-authentication-library-for-python@60144d5

So even when you have an access_token, if it's expired you no longer get it and it ends up being deleted.
This is a problem since the only way to know if the refresh token is expired is getting the access token expires_on timestamp and adding 90 days to it.

Since I can no longer get the access token expire_on timestamp I can no longer tell if the refresh token is expired.

This requires quite a large change in the way the library works and we can't certainly tell if refresh tokens are expired anymore, so the user will need to find out by just trying...

@RogerSelwyn
Contributor Author

Do you just assume that if there is no token that you should just try to renew and if that fails then request authorisation? I think you will understand what is possible far better than me.

@alejcas
Member

alejcas commented Mar 18, 2025

> Do you just assume that if there is no token that you should just try to renew and if that fails then request authorisation? I think you will understand what is possible far better than me.

I'm changing the code so if a refresh token is present we will consider it's valid:
If the user uses it and it's valid -> all ok
If the user uses it and it's not valid anymore -> auth error
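
The two strategies discussed in this thread, side by side, as an added example that is not part of the thread and not python-o365 or msal code. The dict layout, `redeem` (a stand-in for the token-endpoint call), `AuthRequired` and all token values are constructed assumptions.

```python
NINETY_DAYS = 90 * 24 * 3600  # refresh-token lifetime assumed in the thread
NOW = 1_742_000_000           # constructed "current time" (epoch seconds)

class AuthRequired(Exception):
    """The user has to authenticate interactively again."""

def old_refresh_expired(cache, now):
    """Heuristic described in the thread: access token expires_on + 90 days."""
    access = next(iter(cache["AccessToken"].values()), None)
    if access is None:  # an expired access token is no longer available
        raise RuntimeError("Access Token not found. You will need to re-authenticate.")
    return int(access["expires_on"]) + NINETY_DAYS < now

def get_access_token(cache, redeem, now):
    """Approach of the fix: a stored refresh token is assumed valid and tried."""
    for entry in cache["AccessToken"].values():
        if int(entry["expires_on"]) > now:
            return entry["secret"]          # still valid, nothing to do
    refresh = next(iter(cache["RefreshToken"].values()), None)
    if refresh is None:
        raise AuthRequired("no refresh token stored")
    result = redeem(refresh["secret"])      # hypothetical token-endpoint call
    if "access_token" not in result:        # e.g. {"error": "invalid_grant"}
        raise AuthRequired(result.get("error", "refresh failed"))
    cache["AccessToken"] = {"at": {"secret": result["access_token"],
                                   "expires_on": str(now + result["expires_in"])}}
    if "refresh_token" in result:           # keep a rotated refresh token
        refresh["secret"] = result["refresh_token"]
    return result["access_token"]

def constructed_cache():
    """Constructed cache state: access token gone, refresh token present."""
    return {"AccessToken": {}, "RefreshToken": {"rt": {"secret": "rt-constructed"}}}

def fake_endpoint(accepted):
    """Constructed stand-in for the identity provider's token endpoint."""
    def redeem(secret):
        if secret in accepted:
            return {"access_token": "at-new", "expires_in": 3600}
        return {"error": "invalid_grant"}
    return redeem

if __name__ == "__main__":
    print(get_access_token(constructed_cache(), fake_endpoint({"rt-constructed"}), NOW))
```

With the second strategy the identity provider decides whether the refresh token is still good, so a rejected refresh surfaces as one explicit re-authentication error.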

@RogerSelwyn
Contributor Author

Ok, I think that is fine. Let me know if you want me to test anything. I should be able to support you until the end of next week, then I have a week out.

@RogerSelwyn
Contributor Author

I suspect this change will probably solve the duplicate access token issue

alejcas added a commit that referenced this issue Mar 18, 2025
This will avoid errors with this unexpected change.
Reported on #1140
@alejcas
Member

alejcas commented Mar 18, 2025

I think I got it right. Tomorrow I will test the refresh token method and report back.

@RogerSelwyn still hoping to look into the docs PR soon.

@RogerSelwyn
Contributor Author

> @RogerSelwyn still hoping to look into the docs PR soon.

I've still got something to do on Groups, I'll see if I can get that done today/tomorrow am. Then I think you should have everything unless you want any changes. If you want to talk about it at all, let me know. My email is my userid - hotmail.com

@alejcas
Member

alejcas commented Mar 20, 2025

Fixed and I have released version 2.1.1 on pypi

@RogerSelwyn
Contributor Author

I’ve tested this and it seems fine.
