2
votes

I'm using access and refresh tokens to do some Microsoft Graph queries. When the access token expires, I do the standard token refresh procedure using the refresh token. When I make a query using an expired token, I get the following error:

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken validation failed with reason code: 80049228.",
    "innerError": {
      "request-id": "f4853bd8-1cf1-44eb-b4a6-b3c695223762",
      "date": "2019-09-05T17:39:42"
    }
  }
}

I've wrapped a query in a try/catch, and when I get an error I'm comparing the message, as InvalidAuthenticationToken can be found in more cases than just expiration. Is there a better way to check for access token expiration? Is there a reason the error code number itself isn't exposed?

1
I should add that this is an OBO token I'm using on the server side. Put otherwise, the client has given their token and I've exchanged it for an access and refresh token, which is what I'm currently using. – Grey Haven

1 Answer

1
votes

The simplest approach is to use the MSAL SDK and let it handle the cache/refresh of tokens.

Alternatively, I would recommend simply trying to acquire a token, and upon failure (typically AADSTS700020) initiate a user action to re-acquire a token.

The reasoning is that tokens can become invalid due to circumstances beyond your control (certificate revocation, conditional access policy, multi-factor requirement). Simply checking the token expiration does not guarantee a successful result if you use the token.
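The flow the answer recommends (try the call, refresh once on `InvalidAuthenticationToken`, and hand back to the user when the refresh itself fails) as an added example in Python; this is not code from the question or the answer. The Graph error body is the one from the question; the token-endpoint failure is constructed, and treating the standard OAuth 2.0 `invalid_grant` error as "user action required" alongside the AADSTS700020 code the answer mentions is an assumption of this example.

```python
import json
from typing import Callable, Optional, Tuple

# Constructed sample responses (not captured traffic); token strings are placeholders.
GRAPH_EXPIRED_BODY = json.dumps({"error": {
    "code": "InvalidAuthenticationToken",
    "message": "CompactToken validation failed with reason code: 80049228."}})
GRAPH_OK_BODY = json.dumps({"displayName": "Example User"})
REFRESH_NEEDS_USER = {"error": "invalid_grant",          # assumed OAuth 2.0 shape
    "error_description": "AADSTS700020: (constructed) interaction required."}

def graph_error_code(status: int, body: str) -> Optional[str]:
    """Return Graph's error.code for a failed response, None on success or unparseable body."""
    if status < 400:
        return None
    try:
        return json.loads(body).get("error", {}).get("code")
    except (ValueError, AttributeError):
        return None

def needs_user_action(token_response: dict) -> bool:
    """True when the token endpoint says a silent refresh cannot succeed (re-prompt the user)."""
    desc = token_response.get("error_description", "")
    return token_response.get("error") in ("invalid_grant", "interaction_required") \
        or "AADSTS700020" in desc

def call_graph(call: Callable[[str], Tuple[int, str]], token: str,
               refresh: Callable[[], dict]) -> dict:
    """Call Graph with the current token; on InvalidAuthenticationToken refresh once and retry.
    Never loops: a second auth failure is surfaced to the caller, and no token is returned
    in the error path so the result is safe to log."""
    status, body = call(token)
    if graph_error_code(status, body) != "InvalidAuthenticationToken":
        return {"outcome": "ok" if status < 400 else "error", "status": status, "body": body}
    new = refresh()
    if "access_token" not in new:
        outcome = "reauth_required" if needs_user_action(new) else "error"
        return {"outcome": outcome, "reason": new.get("error", "unknown")}
    status, body = call(new["access_token"])
    if graph_error_code(status, body) == "InvalidAuthenticationToken":
        return {"outcome": "error", "status": status, "reason": "token rejected after refresh"}
    return {"outcome": "ok", "status": status, "body": body}
```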