Can you please sign in again? #1045

Closed
Jacob-Burckhardt opened this issue Dec 17, 2023 · 26 comments
Labels
bug Something isn't working

Comments

@Jacob-Burckhardt

Describe the bug
Every few days, it says "Can you please sign in again?" as shown in the screenshot. It also says:

Session ID: 4b975c13-8ae6-e640-343f-41a7b1439384
Error Code: interaction_required|AADSTS160021: Application requested a user session which does not exist.

Sometimes I don't notice the problem for hours during which I miss calls from my coworkers.

Some issues reported in the bug database say that Teams asked them to sign in after they closed and restarted Teams. But in my case, I did not close Teams. I left it running and then it eventually showed the request to sign in again.

To Reproduce

Log in to Teams For Linux and let it keep running for a few days.

Expected behavior
I expected to remain signed in as long as Teams remained running.

Screenshots
image

Desktop (please complete the following information):

  • OS: Debian GNU/Linux 12
  • Installation package: deb package from "Vendor: Ismael Martinez [email protected]"
  • Version 1.3.22
@IsmaelMartinez
Owner

I believe that would be due to your company policy (how long the session lasts). It is true that the app should handle this better but I am really not sure where to start.

@KKomara62

I am having the same issue. Started when my company enabled MFA. Here is the error I get every few hours:

Session ID: c80b10a8-4f9e-2e3d-4839-a332fca66453
Error Code: interaction_required|Seamless single sign on failed for the
user. This can happen if the user is unable to access on premises AD or
intranet zone is not configured correctly.

Here is something I read about this issue and a possible fix:


Hi,
I figured out what the problem is:
All users with this exception have 3rd party cookies disabled. There is a document about this problem:

https://docs.microsoft.com/de-de/azure/active-directory/develop/reference-third-party-cookies-spas

The error message is maybe misleading or my understanding is not right. To prevent this, is one solution to add the authorization side from MS to the intranet-zone so it is not third-party?


Does this make any sense with this app ?

I know you are using the MS Teams Web app wrapped in Electron. Is there a way to test this by "enabling 3rd party cookies" in Electron ?

Sorry if this is a stupid idea...
Thanks,
Kevin K.

@KKomara62

Did not hear from anyone on this issue ? Still get nag to re-authenticate many many times a day > 25. Driving me CRAZY !! Please help !

@IsmaelMartinez
Owner

You can try using the certificates if your company allows that. Using clientCertPath clientCertPassword from the config options https://github.com/IsmaelMartinez/teams-for-linux/tree/develop/app/config

@mikedld

mikedld commented Jan 17, 2024

Every once in a while (usually once in the middle of the day) Teams all of a sudden starts opening URLs in my web browser:

imagen

This may or may not be connected to the fact that my organization has a setup that leads to login session expiring every 4 hours (so I have a feeling that I'm meant to login for the second time in a day at that point); I'm saying it may not be related because when I exit Teams and start it back, it continues to function without asking me to login, and once I do something innocent, like open a conversation thread and scroll up and down, it starts opening URLs in my web browser again; then if I just idle for some more minutes and not touch anything, it finally shows the dialog inviting me to (re)login.

The URLs in that screenshot above are (the final ones, not sure if redirections are happening along the way):

  1. https://statics.teams.cdn.office.net/teams-modular-packages/hashed-assets/cortex-topics-bootstrapper-topics-sdk-493c2f1668dbfec5.js
  2. https://statics.teams.cdn.office.net/teams-modular-packages/hashed-assets/topics-sdk-aria-sdk-c4aba381a172c84e.js
  3. https://teams.microsoft.com/_#/conversations/... (this one loads the usual Teams interface as a web page in my browser)
  4. https://trouter2-sece-2-a.trouter.teams.microsoft.com/socket.io/1/?sr=...&issuer=prod-2&sp=connect&se=1706099823104&st=1705504914104&sig=...&v=v4&tc=...&timeout=40&auth=true&epid=...&ccid=...&dom=teams.microsoft.com&cor_id=...&con_num=1705505213703_1&t=1705505214355
  5. https://statics.teams.cdn.office.net/hashed/audio/ring-fb90357.mp3
  6. https://browser.pipe.aria.microsoft.com/Collector/3.0?qsp=true&content-type=application%2Fbond-compact-binary&client-id=NO_AUTH&sdk-version=AWT-Web-JS-1.8.6&x-apikey=8f7cccc3c534426e8894f45b76e666b9-b80f2549-ddb1-4588-8602-f54037a070e7-7552&client-time-epoch-millis=1705505221535&time-delta-to-apply-millis=use-collector-delta (this one gets blocked by uBlock Origin)
  7. https://teams.events.data.microsoft.com/OneCollector/1.0/?cors=true&content-type=application/x-json-stream&content-encoding=gzip

Tried updating couple times in the past, last try today with 1.4.4 (AppImage), same behavior.

@ckujau

ckujau commented Feb 1, 2024

The same happens here for a while now, and still with 1.4.6 installed:

Can you please sign in again? Sorry for any inconvenience.
Session ID: 3994ea00-0bf0-6e85-051a-2f29bbc524af
Error Code: interaction_required|AADSTS160021: Application requested a user session which does not exist.

image

And yes, while the error appears to be documented this doesn't really help:

AADSTS160021 AppSessionSelectionInvalidSessionNotExist -
Application requested a user session which does not exist. This issue can be resolved by creating new Azure account.

@jijojosephk
Collaborator

This happens when the session times out and the webapp launches some URL, probably to re-login. To avoid external URLs being opened in the same context, teams-for-linux launches it outside the app. That's what you see now. Different users see this at different intervals, depending on the settings by each individual's organisation. This needs a fix but I'm quite busy recently and not getting time. Someone can come forward and submit a PR. I'll also try during my free time.

@jijojosephk
Collaborator

@mikedld can you try 1.4.13 ?

@mikedld

mikedld commented Mar 5, 2024

@jijojosephk, seeing an unintrusive notification instead of links being opened in a browser, so seems that it's working. Manually opening other links (external, or internal to e.g. channels) still works as expected too. And I'm still asked to relogin a bit later, after a few such notifications, which is good. I suppose the notification is there for debugging purposes and isn't strictly necessary, but I don't mind either way — it's much better than before now. Thanks! ;)

Just in case, my issue was with those links being opened, not with me being asked to re-login which is expected in my case. Performing automatic re-login will supposedly require you to store the credentials somewhere and use them to satisfy the request in the background which the official client doesn't do (as it'll defeat the security feature that expects human interaction to happen), and which also may be an unnecessary complication for you, so I'm not that interested in it (although won't mind it either). Still, it's not what OP asked for.

@SuperTux88

The new 1.4.13 version fixed the randomly opened browser tabs, and it looks like nothing broke. And I don't have the "please sign in again" problem (and didn't have it before). Also, what is the plan with the blocked URLs to go forward? As the changelog says it's only a temporary solution, but it's already helping a lot how it is now.

@KKomara62

KKomara62 commented Mar 6, 2024 via email

@jijojosephk
Collaborator

Thanks @mikedld @SuperTux88 @KKomara62 for trying out the new build.

@SuperTux88, I mentioned temporary because the problem was super annoying and I personally wanted to ease the pain for people who face this while we figure out what could be the best possible solution. Like, should we allow the URLs instead of blocking? Like I mentioned in other comments, if we allow the requests, it's possible that you'd lose an ongoing meeting because the page might reload. We can try it by allowing whitelisted URLs. Which ones are to be allowed? The teams-for-linux-blocked.log file in the .config folder would tell you that now. In the next release we'd allow whitelisted URLs so the user can customize what is to be allowed. They can try and analyze how the app behaves. If it refreshes the page, don't allow it. But the notification will let you know some URLs are blocked and possibly the session is expired, but continue with the current meeting; when you get time, do a re-login.

@SuperTux88

It looks like none of the blocked URLs are supposed to be opened in an external browser, as they don't work there and only open pages showing error messages (because the browser doesn't have the session that is active in teams-for-linux). But at the moment it looks like it's also not breaking anything if these requests are just blocked? But maybe opening them in an (invisible) iframe or something where they have access to the teams session might be a solution, in case these requests are still important for something? 🤔

@nneul
Contributor

nneul commented Mar 7, 2024

I suspect it's a 1/2 or 1/3 lifetime token refresh or similar, where it's doing a refresh operation to keep it current, but if it's missed, it still continues to work until the full expiration. (Think renewing a dhcp lease.)

@jijojosephk
Collaborator

It looks like none of the blocked URLs are supposed to be opened in an external browser, as they don't work there and only open pages showing error messages (because the browser doesn't have the session that is active in teams-for-linux). But at the moment it looks like it's also not breaking anything if these requests are just blocked? But maybe opening them in an (invisible) iframe or something where they have access to the teams session might be a solution, in case these requests are still important for something? 🤔

Yes, in the next release we'll add the ability to allow certain URLs then we can study the behavior.

@IsmaelMartinez
Owner

IsmaelMartinez commented Mar 7, 2024 via email

@SuperTux88

Yes, I think these URLs would be needed to be opened in the background somehow, as opening them in an external browser doesn't do anything if it's for stuff like token refresh (as the browser doesn't have access to the session/tokens). So a config to allow certain URLs wouldn't help, if these allowed URLs then are still opened in an external browser.

@jijojosephk
Collaborator

Yes, I think these URLs would be needed to be opened in the background somehow, as opening them in an external browser doesn't do anything if it's for stuff like token refresh (as the browser doesn't have access to the session/tokens). So a config to allow certain URLs wouldn't help, if these allowed URLs then are still opened in an external browser.

It's to allow internally. No more external browser.

@yermulnik

yermulnik commented Mar 14, 2024

I'm suffering from the re-sign-in thing too (teams-for-linux 1.4.14). It just pops up amid the meeting in the middle of the day and you can do nothing about it and it won't let you sign in unless you quit with the clear storage option selected and restart the app 😢
image

@IsmaelMartinez
Owner

hi @yermulnik , this is probably your company policy asking to re-authenticate every few hours, but that is blocked, so your token expires.

In theory, enabling these URLs to go in the background might sort the re-authentication problem, but MS keeps changing and/or adding URLs every now and then, making this an annoying task.

If you can use a certificate (as described in one of the comments above) this should remove the problem (as it should not require re-authentication, as far as I am aware).

I am not sure when we will be able to make that "open those urls in the background" change, but we are more than happy for contributors to step in.

@yermulnik

@IsmaelMartinez Got it. Thanks for the details.

@yermulnik

In theory, enabling these URLs to go in the background might sort the re-authentication problem, but MS keeps changing and/or adding URLs every now and then, making this an annoying task.

FWIW and just for tracking:

[20/03/2024, 17:01:51]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[20/03/2024, 17:01:52]: Blocked 'https://teams.microsoft.com/go#error=interaction_required&error_description=AADSTS160021%3a+Application+requested+a+user+session+which+does+not+exist.+Trace+ID%3a+[CENSORED_UUID]+Correlation+ID%3a+[CENSORED_UUID]+Timestamp%3a+2024-03-20+15%3a01%3a52Z&state=eyJpZCI6ImM2ZmRlODJmLTE3YmMtNDFmMC1iNzdiLTk4MjRmMmM3YjJkOSIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19'
[20/03/2024, 17:01:55]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[20/03/2024, 17:01:57]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[20/03/2024, 17:02:05]: Blocked 'https://api.flightproxy.teams.microsoft.com/api/v2/ep/broker-usce-05-prod-aks.broker.skype.com/api/v1/subscribe/[CENSORED_UUID]/0?i=10-60-33-121'
[20/03/2024, 17:02:26]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[20/03/2024, 17:02:28]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/authorize?client_id=[CENSORED_UUID]&scope=https%3A%2F%2Fnoam.presence.teams.microsoft.com%2F%2F.default%20openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Fteams.microsoft.com%2Fgo&client-request-id=[CENSORED_UUID]&response_mode=fragment&response_type=code&x-client-SKU=msal.js.browser&x-client-VER=2.19.3&x-client-OS=&x-client-CPU=&client_info=1&code_challenge=[CENSORED_CODE_CHALLENGE]&code_challenge_method=S256&prompt=none&sid=[CENSORED_UUID]&X-AnchorMailbox=Oid%3A[CENSORED_UUID]%40[CENSORED_UUID]&nonce=[CENSORED_UUID]&state=eyJpZCI6IjliNTg0Y2UwLTk0YTktNDNkYy04YTYxLTA0YTlkMzI4OWM1ZCIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19&claims=%7B%22access_token%22%3A%7B%22xms_cc%22%3A%7B%22values%22%3A%5B%22CP1%22%5D%7D%7D%7D'
[20/03/2024, 17:02:30]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[20/03/2024, 17:02:32]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[20/03/2024, 17:02:35]: Blocked 'https://teams.microsoft.com/go#error=interaction_required&error_description=AADSTS160021%3a+Application+requested+a+user+session+which+does+not+exist.+Trace+ID%3a+[CENSORED_UUID]+Correlation+ID%3a+[CENSORED_UUID]+Timestamp%3a+2024-03-20+15%3a02%3a35Z&state=eyJpZCI6ImYzODg0NTk4LTVhNzgtNGM4Mi05OTRmLWU5YzViODdmMjQwYSIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19'
[20/03/2024, 17:31:50]: Blocked 'https://teams.microsoft.com/go#error=interaction_required&error_description=AADSTS160021%3a+Application+requested+a+user+session+which+does+not+exist.+Trace+ID%3a+[CENSORED_UUID]+Correlation+ID%3a+[CENSORED_UUID]+Timestamp%3a+2024-03-20+15%3a31%3a50Z&state=eyJpZCI6IjVkMGViMzkwLTllMjctNGVlMy04Njc5LWJjYzJjMDQ3NWQ3ZiIsIm1ldGEiOnsiaW50ZXJhY3Rpb25UeXBlIjoic2lsZW50In19'
[20/03/2024, 17:31:52]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[20/03/2024, 17:31:55]: Blocked 'https://loki.delve.office.com/api/v2/configuration?useNetCoreEndpoint=true&culture=en-gb'
[20/03/2024, 17:31:58]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[20/03/2024, 17:32:08]: Blocked 'https://api.flightproxy.teams.microsoft.com/api/v2/ep/broker-usce-05-prod-aks.broker.skype.com/api/v1/subscribe/[CENSORED_UUID]/0?i=10-60-33-121'
[27/03/2024, 16:34:05]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[27/03/2024, 16:34:09]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[27/03/2024, 16:34:09]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[27/03/2024, 16:34:13]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[28/03/2024, 18:49:18]: Blocked 'https://statics.teams.cdn.office.net/evergreen-assets/personal-expressions/v2/assets/emoticons/yes/default/30_anim_f.png?v=v70'
[28/03/2024, 18:49:19]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[28/03/2024, 18:49:22]: Blocked 'https://loki.delve.office.com/api/v2/configuration?useNetCoreEndpoint=true&culture=en-gb'
[28/03/2024, 18:59:48]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[28/03/2024, 18:59:52]: Blocked 'https://login.microsoftonline.com/[CENSORED_UUID]/oauth2/v2.0/token'
[28/03/2024, 19:01:18]: Blocked 'https://noam.presence.teams.microsoft.com/v1/pubsub/subscriptions/[CENSORED_UUID]'
[28/03/2024, 19:01:19]: Blocked 'https://teams.microsoft.com/api/mt/part/amer-03/beta/users/8:orgid:[CENSORED_UUID]/profilepicturev2?displayname=Fordahl,%20Paul&size=HR64x64'
[28/03/2024, 19:01:21]: Blocked 'https://teams.microsoft.com/api/mt/part/amer-03/v2.0/me/calendars/default/calendarView?StartDate=2024-03-24T22:00:00.000Z&EndDate=2024-03-29T22:00:00.000Z&shouldDecryptData=true'
[28/03/2024, 19:01:24]: Blocked 'https://substrate.office.com/KnowledgeGraph/api/v1.0/Capabilities?provider=Yggdrasil'
[28/03/2024, 19:04:17]: Blocked 'https://noam.presence.teams.microsoft.com/v1/pubsub/subscriptions/[CENSORED_UUID]'
[28/03/2024, 19:04:17]: Blocked 'https://api.flightproxy.teams.microsoft.com/api/v2/ep/broker-usea-04-prod-aks.broker.skype.com/api/v1/subscribe/[CENSORED_UUID]/0?i=10-60-20-146'
[28/03/2024, 19:04:19]: Blocked 'https://noam.presence.teams.microsoft.com/v1/pubsub/subscriptions/[CENSORED_UUID]'
[28/03/2024, 19:04:21]: Blocked 'https://substrate.office.com/KnowledgeGraph/api/v1.0/Capabilities?provider=Yggdrasil'
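
An added example, not part of the thread or of the teams-for-linux code base: a Node.js script that triages a teams-for-linux-blocked.log in the format posted above, separating blocked OAuth traffic (token requests, silent `prompt=none` authorize calls, `interaction_required` redirects) from everything else, so it is clear which entries relate to session renewal. The log lines are constructed with placeholder IDs, and the function names, category labels and assumed `state` layout belong to this example only.

```javascript
// Constructed sample in the teams-for-linux-blocked.log format posted in this thread.
// Tenant/client IDs and the state value are placeholders built here, not real data.
const sampleState = Buffer.from(
  JSON.stringify({ id: "constructed-id", meta: { interactionType: "silent" } })
).toString("base64");
const LOGIN = "https://login.microsoftonline.com/TENANT-PLACEHOLDER/oauth2/v2.0";
const SAMPLE_LOG = [
  `[20/03/2024, 17:01:51]: Blocked '${LOGIN}/token'`,
  "[20/03/2024, 17:01:52]: Blocked 'https://teams.microsoft.com/go#error=interaction_required" +
    "&error_description=AADSTS160021%3a+Application+requested+a+user+session+which+does+not+exist." +
    `&state=${sampleState}'`,
  `[20/03/2024, 17:02:28]: Blocked '${LOGIN}/authorize?client_id=CLIENT-PLACEHOLDER` +
    `&response_type=code&prompt=none&state=${sampleState}'`,
  "[20/03/2024, 17:31:55]: Blocked 'https://loki.delve.office.com/api/v2/configuration?culture=en-gb'",
  "a line that is not in the log format",
].join("\n");
const LINE_RE = /^\[(\d{2}\/\d{2}\/\d{4}, \d{2}:\d{2}:\d{2})\]: Blocked '(.+)'$/;

// Assumed state layout: base64-encoded JSON carrying meta.interactionType.
function decodeState(value) {
  try {
    // URLSearchParams turns '+' into ' ', so restore it before decoding.
    return JSON.parse(Buffer.from(value.replace(/ /g, "+"), "base64").toString("utf8"));
  } catch (err) {
    return null; // missing or malformed state
  }
}

function classify(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (err) { return { kind: "unparseable" }; }
  // With response_mode=fragment the OAuth error comes back after the '#'.
  const fragment = new URLSearchParams(url.hash.slice(1));
  if (fragment.get("error") === "interaction_required") {
    const code = (fragment.get("error_description") || "").match(/AADSTS\d+/);
    const state = decodeState(fragment.get("state"));
    return { kind: "interaction-required", aadsts: code ? code[0] : null,
             interactionType: state && state.meta ? state.meta.interactionType : null };
  }
  if (url.hostname === "login.microsoftonline.com") {
    if (url.pathname.endsWith("/oauth2/v2.0/token")) return { kind: "token-request" };
    if (url.pathname.endsWith("/oauth2/v2.0/authorize") &&
        url.searchParams.get("prompt") === "none") return { kind: "silent-authorize" };
  }
  return { kind: "other" };
}

function summarize(logText) {
  const counts = {};
  let firstInteractionRequired = null;
  for (const line of logText.split(/\r?\n/)) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue; // skip anything that is not a "Blocked" entry
    const { kind } = classify(m[2]);
    counts[kind] = (counts[kind] || 0) + 1;
    if (kind === "interaction-required" && !firstInteractionRequired) firstInteractionRequired = m[1];
  }
  return { counts, firstInteractionRequired };
}
console.log(summarize(SAMPLE_LOG));
```

To use it on a real log, pass the file contents to `summarize` instead of `SAMPLE_LOG`; `firstInteractionRequired` is the timestamp of the first entry showing that a silent renewal was refused.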

@storm9c1

storm9c1 commented May 30, 2024

Note that after switching to Teams 2.0, this is no longer an issue for me (or has been reduced to a minor annoyance). Instead of getting the white screen of death "Can you please sign in again" prompt (almost daily with 1.0), it seems like Teams 2.0 will simply display a non-invasive red bar at the top reading "We weren't able to connect. Sign in and we'll try again." Then clicking on the "Sign in" button to the right of the message seems to work fine, getting me back in without fuss. And then I'm good for a few days. So far I haven't been thrown off in the middle of a meeting. Whereas with 1.0, this would happen often and only a "Clear storage" would fix the problem.

In fact, I haven't needed to "Clear storage" once since moving to Teams 2.0 in March.

In the end, I feel 2.0 handles this more gracefully. Hopefully others can confirm. YMMV.

@yermulnik

In the end, I feel 2.0 handles this more gracefully. Hopefully others can confirm. YMMV.

Yep, I can confirm the same improvement.

@IsmaelMartinez
Owner

Not sure if using the inTune login might be useful for some of you? See https://github.com/IsmaelMartinez/teams-for-linux/pull/1280/files

@IsmaelMartinez
Owner

From my understanding, this is now sort of fixed. I am going to close this as it does look like the blocking of URLs does the job. I prefer to keep them blocked so we reduce tracking capabilities by MS (so you are a tiny bit safer). But do write back if this is still not working and I can re-open.
