feat(apps): expose skipCache option on token acquisition methods #494

Open
SidU wants to merge 1 commit into microsoft:main from SidU:feat/token-manager-skip-cache
@SidU (Contributor) commented Mar 29, 2026

Summary

  • Add optional skipCache parameter to getBotToken(), getGraphToken(), and getAppGraphToken() that threads through to MSAL's acquireTokenByClientCredential({ skipCache })
  • Covers both credential paths that use acquireTokenByClientCredential: client credentials and federated identity credentials
  • Fully backward-compatible — skipCache defaults to false

Motivation

MSAL caches tokens with a ~5 minute expiry buffer. A token can become stale between when it's fetched from cache and when the API call completes — particularly during long-running operations (file uploads, streaming sessions, proactive messaging). When this happens, the caller gets a 401 and wants to retry with a fresh token, but calling getBotToken() / getGraphToken() again returns the same cached token because MSAL still considers it valid.

This change lets callers pass skipCache: true on retry to force MSAL to acquire a fresh token from Azure AD.

Closes #493

Changes

| File | Change |
| --- | --- |
| token-manager.ts | Add skipCache? param to getBotToken, getGraphToken, getToken, getTokenWithClientCredentials, getTokenWithFederatedCredentials; pass through to acquireTokenByClientCredential({ scopes, skipCache }) |
| app.ts | Add skipCache? param to getBotToken, getAppGraphToken; pass through to TokenManager |
| token-manager.spec.ts | 4 new tests for skipCache behavior + 4 existing assertions updated for skipCache: false |

Test plan

  • All 207 existing tests pass
  • 4 new tests verify skipCache: true is forwarded to MSAL for both bot and graph tokens
  • 4 new tests verify skipCache: false (default) behavior is unchanged
  • tsc build passes clean

Add optional `skipCache` parameter to `getBotToken()`, `getGraphToken()`,
and `getAppGraphToken()` that threads through to MSAL's
`acquireTokenByClientCredential({ skipCache })`.

This allows callers to bypass the MSAL token cache after receiving a 401,
forcing a fresh token acquisition from Azure AD. Without this, retry-on-401
logic is ineffective because MSAL returns the same cached (stale) token.

Covers all three credential paths that use `acquireTokenByClientCredential`:
- Client credentials (clientId + clientSecret)
- Federated identity credentials (managed identity + client assertion)

Fully backward-compatible — `skipCache` defaults to `false`, so all
existing callers are unaffected.

Closes microsoft#493
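
The retry-on-401 pattern from the Motivation section, as an added example that is not code from this pull request or the SDK. `makeTokenSource` is a hypothetical stand-in for a cache-first token source whose `skipCache` flag mirrors the parameter the PR proposes; token strings and status codes are constructed. The retry is capped at one, since a second 401 means the fresh token itself is refused.

```typescript
// Added example with hypothetical names; only the skipCache idea comes from the PR.
type TokenFn = (skipCache?: boolean) => Promise<string>;
type ApiCall = (token: string) => Promise<{ status: number }>;

// Stand-in for a cache-first token source. `issued` counts round trips
// to the identity provider, which is what a retry loop must keep bounded.
function makeTokenSource(): { getToken: TokenFn; issued: () => number } {
  let counter = 0;
  let cached: string | undefined;
  const getToken: TokenFn = async (skipCache = false) => {
    if (!skipCache && cached !== undefined) return cached; // cache hit: same token again
    counter += 1;
    cached = `token-${counter}`; // constructed value, not a real JWT
    return cached;
  };
  return { getToken, issued: () => counter };
}

// Call the API; on a 401, retry exactly once with a token acquired past the cache.
// A second 401 goes back to the caller: it is an authorization problem, not
// staleness, and looping would only hammer the token endpoint.
async function callWithFreshTokenOn401(getToken: TokenFn, call: ApiCall) {
  const first = await call(await getToken());
  if (first.status !== 401) return { status: first.status, attempts: 1 };
  const second = await call(await getToken(true));
  return { status: second.status, attempts: 2 };
}

// Constructed scenario: the service rejects token-1 (stale) and accepts anything newer.
async function demo() {
  const rejectStale: ApiCall = async (t) => ({ status: t === "token-1" ? 401 : 200 });

  // Without skipCache, the "retry" re-reads the cache and fails the same way.
  const a = makeTokenSource();
  const naive = [await rejectStale(await a.getToken()), await rejectStale(await a.getToken())];

  // With skipCache on the retry, the second attempt carries token-2.
  const b = makeTokenSource();
  const fixed = await callWithFreshTokenOn401(b.getToken, rejectStale);

  // A service that always answers 401 still costs only two token acquisitions.
  const c = makeTokenSource();
  const denied = await callWithFreshTokenOn401(c.getToken, async () => ({ status: 401 }));

  return { naive: naive.map((r) => r.status), fixed, denied, issuedOnDenied: c.issued() };
}
```

Passing `skipCache: true` only on the retry keeps the cache effective for normal traffic; forcing it on every call would send each request to the token endpoint.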
@heyitsaamir (Collaborator)

This looks good to me.

  1. Can we use forceRefresh instead of skipCache?
  2. Instead of making it positional, make it an optional object. (options?: TokenOptions). This way this is extendible.

@rido-min (Member) left a comment

holding this PR while we get a good repro, and answers to this comment

Development

Successfully merging this pull request may close these issues.

TokenManager: expose skipCache option for token refresh after 401