Microsoft-authentication-library-for-dotnet: [Bug] Account deleted from MSAL cache when a bad_token result is received

Created on 10 Dec 2020 · 5 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Logs and Network traces
Without logs or traces, it is unlikely that the team can investigate your issue. Capturing logs and network traces is described at https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/logging

Which Version of MSAL are you using ?
4.17.1

Platform
.net, .net core

What authentication flow has the issue?

  • Desktop / Mobile

    • [x] Interactive

    • [ ] Integrated Windows Auth

    • [ ] Username Password

    • [ ] Device code flow (browserless)

  • Web App

    • [ ] Authorization code

    • [ ] OBO

  • Daemon App

    • [ ] Service to Service calls

Other? - please describe;

Is this a new or existing app?
Visual studio
Repro
1) Have a user in multiple tenants where in one of the tenants the user is disabled.
2) Have an account with a short refresh token lifetime where an expired token message is sent from the server with a bad_token sub error

Expected behavior
Account should remain in the cache, but silent token acquisition attempts should throw an exception

Actual behavior
Account is deleted from the MSAL cache causing a cascading delete in VS.

Labels: Fixed, P2, bug, Desktop
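The expected behavior above describes a contract between MSAL.NET and its caller: a failed refresh must surface as an exception from the silent call, not as a vanished account. The following is an added example (not code from this issue or from the MSAL.NET repository) of how a desktop client such as the one in the report consumes that contract, falling back from AcquireTokenSilent to AcquireTokenInteractive with the same account, and checking that the account survived the failure. The client ID, redirect URI and scope are placeholders; the account selection (first cached account) is a simplification for the example.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not part of the MSAL.NET project. Client ID, redirect URI and
// scope are placeholders; replace them with the app registration's values.
public static class SilentThenInteractive
{
    private const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder
    private static readonly string[] Scopes = { "User.Read" };              // placeholder scope

    public static IPublicClientApplication Build()
    {
        // Multi-tenant authority, matching a user who exists in several tenants.
        return PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, AadAuthorityAudience.AzureAdMultipleOrgs)
            .WithRedirectUri("http://localhost")
            .Build();
    }

    public static async Task<AuthenticationResult> AcquireAsync(IPublicClientApplication app)
    {
        // A real client would pick the account by username/tenant; the example takes the first.
        var accounts = await app.GetAccountsAsync();
        var account = accounts.FirstOrDefault();

        try
        {
            // Uses a cached access token, or redeems the cached refresh token.
            // Under the expected behavior in this issue, a rejected refresh token
            // throws here and leaves the account in the cache.
            return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException ex)
        {
            // Check the contract: the account should still be cached so the caller
            // can re-prompt for the same user rather than dropping them entirely.
            var homeId = account?.HomeAccountId?.Identifier;
            var stillCached = homeId != null &&
                (await app.GetAccountsAsync()).Any(a => a.HomeAccountId?.Identifier == homeId);
            Console.WriteLine($"Silent acquisition failed ({ex.ErrorCode}); account still cached: {stillCached}");

            // Fall back to interactive, hinting with the existing account so the user
            // is not asked to choose an identity again.
            var interactive = app.AcquireTokenInteractive(Scopes);
            if (account != null)
            {
                interactive = interactive.WithAccount(account);
            }
            return await interactive.ExecuteAsync();
        }
    }
}
```

With the 4.11.0 behavior the issue describes, the `stillCached` check prints `false` after a "bad_token" response, which is what cascades into the account deletion in Visual Studio; with the revert that shipped in 4.25.0 the account remains and only the silent call fails.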


All 5 comments

@trwalke - we need to agree on how to handle "bad_token" suberror with the other MSAL teams, so marking this as blocked.

ok, thanks @bgavrilMS
I'll look at something else

We need to remove special handling of "bad_token" status until we can reach consensus on how to properly handle this.

Work to do:

  1. Create a branch 4.17.1.1 out of 4.17.1
  2. In that branch, revert a commit shipped in 4.11.0 (where MSAL.NET started removing both the refresh token and the associated account if the suberror is "bad_token" to avoid unnecessary calls to AzureAD). The PR was https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/pull/1720 related to issue https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/1505
  3. Prepare for a release of 4.17.1.1. @bgavrilMS @henrik-me : is it what we want to do?
  4. Apply the same fix to master

This is included in MSAL 4.25.0 release.
