Microsoft-authentication-library-for-dotnet: [Bug] AADSTS50020 error if signing out then into another tenant without restarting the app

Created on 2 Sep 2019 · 10 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Which Version of MSAL are you using ?
MSAL 4.3.1

Platform
all

What authentication flow has the issue?

  • Desktop / Mobile

    • [X] Interactive

Description

In UWP apps (possibly also in non-UWP), if you execute the following sequence, an AADSTS50020 is issued:

  1. AcquireTokenInteractive() [user logs in successfully to CompanyA.com]
  2. AcquireTokenSilent() [this is required for the bug to appear]
  3. Log out (see code below)
  4. AcquireTokenInteractive() [user tries to login into CompanyB.com]

The user should be able to log into CompanyB, however we get this error:

AADSTS50020: User account '[someemail]' from identity provider 'https://sts.windows.net/[some_guid]/' does not exist in tenant '[some name]' and cannot access the application '[some_guid]'(AppName) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Logout looks like this:

// Sign out: remove every account from the MSAL token cache (requires System.Linq).
var accounts = await _graphApp.GetAccountsAsync();
while (accounts.Any())
{
    await _graphApp.RemoveAsync(accounts.FirstOrDefault());
    accounts = await _graphApp.GetAccountsAsync();
}

Additional Information

  1. If you restart the app between steps 3 and 4, things work as expected (user can log into CompanyB).
  2. Adding .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs) to the app builder does not resolve the problem.

I have provided a sample app to demonstrate this problem. You must supply your own AppId.

Fixed bug

All 10 comments

I do not understand the repro steps; please clarify. You have a user, e.g. [email protected], that is a member of 2 tenants - companyA and companyB (home tenant companyA and guest tenant companyB).

How does the user login to "companyA" and to "companyB"?

Separate users in separate tenants.

For example, using the provided app, log in with your work (@microsoft.com) account. Then log out and try to log in using any private/home Microsoft Account or an account on any other tenant (such as a demo tenant).

Can repro.

Can repro on other platforms, not just UWP.

Workaround: re-create the public client application before each request, i.e.:

var pca = PublicClientApplicationBuilder.Create(AppId).Build();

This is a bug where we update the authority with the tenant ID in AcquireTokenSilent. The same authority (tenanted to companyA) is then re-used to issue a request for a token for a user in companyB.
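As an added illustration (not code from the issue, its sample app, or MSAL itself), here is the reported sequence with the workaround from this thread folded in: sign in silently then interactively, sign out by removing every cached account, and then discard the PublicClientApplication and build a fresh one so the authority that AcquireTokenSilent tenanted to companyA is not reused for the next interactive request. The client id, redirect URI, scopes, and the class and method names are placeholders.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical wrapper written for this example; it is not part of MSAL or the issue's sample app.
public sealed class TenantSwitchingSignIn
{
    // Placeholder: supply your own AppId, as the report says.
    private const string ClientId = "00000000-0000-0000-0000-000000000000";
    private static readonly string[] Scopes = { "User.Read" }; // placeholder scope

    private IPublicClientApplication _pca;

    public TenantSwitchingSignIn()
    {
        _pca = BuildClient();
    }

    // Multi-tenant authority so users from any organization can sign in.
    // The report notes that this setting alone does not avoid AADSTS50020 on MSAL 4.3.1.
    private static IPublicClientApplication BuildClient() =>
        PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
            .WithRedirectUri("http://localhost") // placeholder; UWP computes its own redirect URI
            .Build();

    // Steps 1-2 of the report: try silent first, fall back to interactive on a cache miss.
    public async Task<AuthenticationResult> SignInAsync()
    {
        var account = (await _pca.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // In the affected versions this silent call is what pins the authority to the user's tenant.
            return await _pca.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token (or no account at all): prompt the user.
            return await _pca.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    // Step 3 of the report: remove every cached account. On its own this leaves the
    // tenanted authority in place, which is why step 4 fails for a user from another tenant.
    public async Task SignOutAsync()
    {
        var accounts = await _pca.GetAccountsAsync();
        while (accounts.Any())
        {
            await _pca.RemoveAsync(accounts.First());
            accounts = await _pca.GetAccountsAsync();
        }

        // Workaround from this thread for MSAL < 4.4.0: discard the client so the
        // authority is rebuilt from the configured multi-tenant value.
        _pca = BuildClient();
    }
}
```

With this shape, step 4 of the report (signing in as a companyB user) goes through a client whose authority has not been narrowed to companyA. Once the fix shipped in 4.4.0 the rebuild in SignOutAsync is no longer needed, but it is harmless to keep.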

I can confirm that the workaround indeed works :)

FYI, I hit this same problem, looking forward to a release with the fix and will share results once I get to try it out. Glad this issue was filed as I had been spending time trying to debug -- I assumed it was my fault as I was in the process of migrating from the older MSAL with explicit caches to the new builder model with implicit cache.

@osolo and @adamedx: included in the 4.4.0 release.

Yes, I updated shortly after it was released and everything works now :). I was able to incorporate it into a release (was originally planning on just relnoting the bug). Thanks very much for the quick turnaround on diagnosis, fix, and release.

Thanks for the update @adamedx. Much appreciated!
