Microsoft-authentication-library-for-dotnet: Cannot migrate ADALV3 cache tokens to MSALV3 when multiple resourceIds are used

Created on 13 May 2020 · 9 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Which Version of MSAL are you using ?
MSAL 4.13.0
ADAL 5.2.7

Platform
Net 4.7

What authentication flow has the issue?

  • Desktop / Mobile

    • [ ] Interactive

    • [ ] Integrated Windows Auth

    • [ ] Username Password

    • [ ] Device code flow (browserless)

  • Web App

    • [x] Authorization code

    • [ ] OBO

  • Web API

    • [ ] OBO

Is this a new or existing app?
The app is in production, and I am working on upgrading from ADALV5 to MSALV4.

Repro
I have a confidential application which stores ADALV3 tokens in a custom SQL TokenCache storage. I try to upgrade to MSALV4.
But I'm having issues migrating the stored ADALV3 tokens to MSALV3.

The ADALV3 cache contains 2 tokens for the same audience but different resourceIds, one for https://graph.microsoft.com and one for https://outlook.office.com.

I have this code to migrate the token:

public void BeforeAccessNotification(TokenCacheNotificationArgs args)
{
    var state = GetFromSQL();
    try
    {
        // new version
        args.TokenCache.DeserializeMsalV3(state, true);
    }
    catch 
    {
        // old version, will be migrated to new version 
        args.TokenCache.DeserializeAdalV3(state);
    }
}

This works without errors but when I retrieve an access token with this:

var account = (await app.GetAccountsAsync()).FirstOrDefault();
if (account != null)
{
    var result = await app.AcquireTokenSilent(defaultScope, account)
        .ExecuteAsync();
}

Then I get this error:

MSAL.Desktop.4.13.0.0.MsalClientException:  ErrorCode: invalid_adal_cache
Microsoft.Identity.Client.MsalClientException: The ADAL cache is invalid as it contains multiple refresh token entries for one user. Mitigation: Delete the ADAL cache. If you do not maintain an ADAL cache, this may be a bug in MSAL.

Expected behavior
A possible migration path of stored ADALV3 tokens to MSALV3 tokens.

Actual behavior
Error after ADALV3 token is migrated to MSALV3 token:

MSAL.Desktop.4.13.0.0.MsalClientException:  ErrorCode: invalid_adal_cache
Microsoft.Identity.Client.MsalClientException: The ADAL cache is invalid as it contains multiple refresh token entries for one user. Mitigation: Delete the ADAL cache. If you do not maintain an ADAL cache, this may be a bug in MSAL.

Possible Solution
There is a groupby in MSAL on environment which is actually audience. Maybe it should also take resourceId into account? Or maybe just pick the first refresh token that is found instead of throwing exception?

Additional context/ Logs / Screenshots
-

Fixed ADAL to MSAL bug cache
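The migration pattern from the report, written out as an added example (not code from the issue or from MSAL) with the write-back half the snippet above omits: after an ADAL v3 blob has been imported, the cache is persisted in MSAL v3 format so the fallback path stops being exercised on every request. The `load`/`save` delegates stand in for the reporter's `GetFromSQL()` and a matching save; their shape, and the assumption that MSAL rejects a non-JSON blob with `MsalClientException`, are mine.

```csharp
using System;
using Microsoft.Identity.Client;
// Added example: the load/save delegates stand in for the issue's GetFromSQL() and a
// matching write-back; their shape is an assumption, not part of MSAL.
public sealed class MigratingTokenCache
{
    private readonly Func<byte[]> _load;
    private readonly Action<byte[]> _save;
    private bool _importedAdalBlob;
    public MigratingTokenCache(Func<byte[]> load, Action<byte[]> save)
    {
        _load = load;
        _save = save;
    }
    // Usage: new MigratingTokenCache(GetFromSQL, SaveToSQL).Attach(app.UserTokenCache);
    public void Attach(ITokenCache cache)
    {
        cache.SetBeforeAccess(BeforeAccess);
        cache.SetAfterAccess(AfterAccess);
    }
    private void BeforeAccess(TokenCacheNotificationArgs args)
    {
        byte[] state = _load();
        if (state == null || state.Length == 0)
            return; // nothing persisted yet; MSAL starts with an empty cache

        try
        {
            // Preferred path: the blob is already MSAL v3 JSON.
            args.TokenCache.DeserializeMsalV3(state, shouldClearExistingCache: true);
        }
        catch (MsalClientException)
        {
            // Fallback: the blob is the legacy ADAL v3 format. Assumes MSAL reports an
            // unparseable blob as MsalClientException; a narrow catch keeps other bugs visible.
            args.TokenCache.DeserializeAdalV3(state);
            _importedAdalBlob = true;
        }
    }
    private void AfterAccess(TokenCacheNotificationArgs args)
    {
        // Persist when MSAL changed the cache or right after an ADAL import, so the stored
        // blob becomes MSAL v3 and the ADAL fallback is not exercised on every request.
        if (args.HasStateChanged || _importedAdalBlob)
        {
            _save(args.TokenCache.SerializeMsalV3());
            _importedAdalBlob = false;
        }
    }
}
```

This only changes how the cache is loaded and stored; the duplicate-refresh-token error raised by `AcquireTokenSilent` in 4.13 is the MSAL-side bug the thread says was resolved in 4.15.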

All 9 comments

@HaroldH76 : did you have a look at this sample code: Token cache migration between ADAL.NET 3.x, ADAL.NET 4.x, and MSAL.NET ?

@jmprieur thx for the quick response!

The sample you provided works flawlessly :-) Also when I modify the ADALV3 console app to retrieve tokens for https://graph.microsoft.com and for https://outlook.office.com, I can still use the MSALV4 console app to retrieve the same tokens with no errors about duplicate refresh tokens.

But when I implement this in my application I still get the same error about duplicate refresh tokens.

So I have to investigate why. Do you have any suggestions what it could be?

@HaroldH76 Do you have a repro you can share w/us?

@jennyf19
Yes! I just managed to reproduce the issue in a new webapp. See attached zip. Some instructions:

  • all code is in the HomeController.cs
  • clientid, secret and tenantid are in HomeController.cs (and you should enter your own over there)
  • make sure the redirect url is registered in Azure app registration
  • make sure the cache folder exists or change it

To reproduce:

  • start the website
  • click on the first link to generate an ADAL cache with tokens for 2 different resources
  • click on the second link to read the ADAL cache with the MSAL code and it crashes with duplicate refresh tokens error

AdalMsalTestClean.zip

@HaroldH76 - is it safe to place a secret in the sample itself on GitHub? Are you using a test tenant with absolutely no access to protected resources? If not, please go to your app registration ASAP and revoke the secret. You can send me a new secret by email at bogavril at microsoft.com and I'll share it with Jean-Marc and Jenny.

@bgavrilMS
No, I have removed my clientid and secret from the zip before I uploaded it :-) You can use your own app registrations to test it.

@jennyf19 did you manage to reproduce the issue with my sample project?

Thank you for the effort in providing the test project. I can repro this and am looking at it.

Resolved in 4.15
