I have a Node.js & Express web application where users sign in and acquire a token for Microsoft Graph API using MSAL. The authentication generally works, but sometimes the token acquisition fails randomly.
Setup:
- The app follows Microsoft's tutorial.
- Session storage is used to persist authentication state.
- The app is integrated with Opera Cloud, where users navigate from Opera Cloud to our page via SSO.
- Users are validated upon navigation and then redirected accordingly.
Issue: Sometimes, the token is successfully retrieved, and everything works fine. Other times, the token is missing or invalid. A debug route was added to check session values, showing that session data is being stored, but the token is occasionally missing.

Session Configuration:

    app.use(
      session({
        secret: 'XXXXXXXX',
        resave: false,
        saveUninitialized: false,
        cookie: {
          httpOnly: true,
          maxAge: 24 * 60 * 60 * 1000, // 1 Day
          sameSite: 'None',
          secure: process.env.NODE_ENV === 'production' && !process.env.LOCAL, // true in production
        },
      })
    );

Debugging Steps Tried:
- Verified that session values are stored correctly.
- Ensured token retrieval logic is being executed properly.
- Checked the Opera Cloud integration to confirm that SSO redirection works as expected.

I looked into potential session loss issues but haven't found a clear pattern.
Questions:
- What could cause the token to intermittently fail even though session storage appears to be working?
- Are there known issues with MSAL in Node.js that might lead to this behavior?
- Could there be any Opera Cloud-specific constraints affecting token persistence?
- Any recommended debugging steps or session storage alternatives?

Any insights would be greatly appreciated!
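
The posted cookie settings can be checked against the browser and express-session rules that decide whether a session cookie survives a cross-site SSO redirect. The following is an added example, not part of the original post; `resolveCookieOptions`, `auditSessionCookie`, the `deploy` fields and the scenarios are assumptions made for illustration.

```javascript
// Added example (not the poster's code): resolve the posted cookie options for
// an environment, then check them against browser and express-session rules.

// Same `secure` expression as the posted config; env is passed in for testing.
function resolveCookieOptions(env) {
  return {
    httpOnly: true,
    maxAge: 24 * 60 * 60 * 1000, // 1 day
    sameSite: 'None',
    secure: env.NODE_ENV === 'production' && !env.LOCAL,
  };
}

// Hypothetical helper. The `deploy` fields are assumptions about the hosting:
//   tlsAtProxy  - HTTPS ends at a load balancer, Node receives plain HTTP
//   trustProxy  - app.set('trust proxy', ...) has been configured
//   instances   - number of Node processes serving the app
//   sharedStore - a `store` option (e.g. Redis) was passed to session()
function auditSessionCookie(cookie, deploy) {
  const findings = [];
  if (String(cookie.sameSite).toLowerCase() === 'none' && !cookie.secure) {
    // Browsers enforcing the SameSite rules reject this Set-Cookie.
    findings.push('SAMESITE_NONE_WITHOUT_SECURE');
  }
  if (cookie.secure && deploy.tlsAtProxy && !deploy.trustProxy) {
    // express-session sees a non-HTTPS request and does not set the cookie.
    findings.push('SECURE_COOKIE_NOT_SET_BEHIND_PROXY');
  }
  if (!deploy.sharedStore && deploy.instances > 1) {
    // The default MemoryStore is per process; other instances lack the session.
    findings.push('MEMORYSTORE_NOT_SHARED');
  }
  return findings;
}

// Constructed scenarios, not taken from the poster's deployment.
const scenarios = {
  localDev: [{ NODE_ENV: 'development' },
    { tlsAtProxy: false, trustProxy: false, instances: 1, sharedStore: false }],
  prodBehindProxy: [{ NODE_ENV: 'production' },
    { tlsAtProxy: true, trustProxy: false, instances: 2, sharedStore: false }],
  prodHardened: [{ NODE_ENV: 'production' },
    { tlsAtProxy: true, trustProxy: true, instances: 2, sharedStore: true }],
};
for (const [name, [env, deploy]] of Object.entries(scenarios)) {
  console.log(name, auditSessionCookie(resolveCookieOptions(env), deploy));
}
```

An empty findings list only means none of these three conditions applies; it does not cover MSAL's own token cache or anything specific to Opera Cloud.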