Microsoft-authentication-library-for-js: Getting `A silent sign-in request was sent but no user is signed in` in multiple app sign-in environment

Created on 8 Jun 2020 · 17 Comments · Source: AzureAD/microsoft-authentication-library-for-js

Please follow the issue template below. Failure to do so will result in a delay in answering your question.

Library

Important: Please fill in your exact version number above, e.g. [email protected].

Framework

  • Angular 9+

Description

Scenario:

  • When a user X has access to two apps, let's say demo and prod.
  • The workflow of the app is to get the user account using this._authService.getAccount(); if the value is empty, we redirect with this._authService.loginRedirect(); otherwise we initiate the app with other processes.
  • The scenario is when the user logged in to prod and switched to demo (after some time, say 4 hours or so): this._authService.getAccount(); returns user information, but this._authService.acquireTokenSilent(request).catch((error: string) => {}); returns the AADSTS50058 "a silent sign-in request was sent but no user is signed in" error.
  • The app gets automatically redirected to a popup window sign-in, but we require it to do only loginRedirect().
  • This error cannot be replicated if the user has access to only one app.

Error Message

AADSTS50058: A silent sign-in request was sent but no user is signed in.

Security

  • [ ] Is this issue security related?

Regression

  • [ ] Did this behavior work before?
    Version:

MSAL Configuration

  • Followed the exact same procedure as mentioned in Angular 9 demo app

Reproduction steps


```typescript
if (!this._authService.getAccount()) {
  // No cached account: redirect to login
  this._authService.loginRedirect();
} else {
  this._authService.acquireTokenSilent(request).catch((error: string) => {
    // The error hits here, but I assume the getAccount method should not return user info, so that I can do loginRedirect
    console.log('Error: ' + error);
  });
}
```

Expected behavior

Browsers/Environment

  • [X] Chrome
  • [ ] Firefox
  • [ ] Edge
  • [ ] Safari
  • [ ] IE
  • [ ] Other (Please add browser name here)
Labels: bug, msal-angular


All 17 comments

Can you provide both of your msal configs for your two apps in this use case? Additionally, when you say "when the user is logged in and switches to demo", does that mean you log out of prod and log in to demo?

Do you not see this functionality if you only do it after having the initial app open for a few minutes, instead of a few hours?

@jasonnutter do you have any thoughts here regarding popup being automatically called after an acquireTokenSilent failure? I would assume there is a way to choose what happens afterwards, though I couldn't find it at a quick glance.

Hello @jmckennon.. Thanks for getting back.

The only difference between the 2 apps (Demo, Prod) is the different ClientID and URLs (the config I mentioned is for my local development environment):

```typescript
imports: [HttpClientModule, MsalModule],
providers: [
  MSAL_HTTP_INTERCEPTOR,
  {
    provide: MSAL_CONFIG,
    useFactory: getMSALConfigFactory,
    deps: [AppConfig],
  },
  {
    provide: MSAL_CONFIG_ANGULAR,
    useFactory: getMSALAngularConfigFactory,
    deps: [AppConfig],
  },
  MsalService,
],

// Returned by getMSALConfigFactory (local development values; clientId and the
// URLs are the only things that differ between Demo and Prod).
const msalConfig = {
  auth: {
    clientId: '',
    authority: 'https://login.microsoftonline.com/common/',
    validateAuthority: true,
    redirectUri: 'http://localhost:4200/admin',
    postLogoutRedirectUri: 'http://localhost:4200/admin',
    navigateToLoginRequestUrl: true,
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: false,
  },
  framework: {
    isAngular: true,
  },
  system: {
    logger: { level: 0, correlationId: '', piiLoggingEnabled: false },
  },
};

// Returned by getMSALAngularConfigFactory. With popUp: true, MsalGuard and the
// interceptor use loginPopup / acquireTokenPopup instead of the redirect variants.
const msalAngularConfig = {
  consentScopes: ['', 'user.read'],
  extraQueryParameters: {},
  popUp: true,
  protectedResourceMap: [
    ['http://localhost:4200', ['']],
    ['https://graph.microsoft.com/v1.0/me', ['user.read']],
  ],
  unprotectedResources: [
    'http://localhost:4200/admin/assets/i18n/.json',
    'http://localhost:4200/admin/assets/lib/.json',
  ],
};
```

To answer your question,

  1. I didn't log out of Prod to switch to Demo. The use case is: while I was using my Prod site in a tab, I opened a new tab for the Demo site.
  2. I am not seeing this issue when I log in to Demo and Prod within minutes. I am seeing this issue only after I have been logged in to Prod for more than 4 hours or so and then log in to my Demo site. (Apologies, I don't know the exact time, but I am sure it is in hours.)

Hope this helps.

For now, as a workaround, you should be able to fallback to loginRedirect (rather than popup, if that's your use case) if acquireTokenSilent fails. Please let me know if you're unable to do this in your code, as you stated it may be automatically using a popup.

I'll be moving this over as a possible bug, as I think we could have some wonky logic in getAccount() and how expirations work.

Thank you @jmckennon ..

Yes, I can manually catch the error and force loginRedirect. I will keep you posted if I find some specific details/cases. Thanks.

After deploying msal-angular 1.0.0 to production I saw a spike in "AADSTS50058: A silent sign-in request was sent but no user is signed in." errors.

AAD is configured to use two e-mail addresses for each user:

This is my current approach for catching the errors:

```typescript
// Fall back to a full-page redirect whenever MSAL broadcasts a login failure
this.subscription = this.broadcastService.subscribe('msal:loginFailure', (payload) => {
  this.msalService.loginRedirect();
});
```

@jenurius @blumk You could also try passing in sid with your request. It identifies a session based on SID rather than with AAD metadata, like those email addresses.
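The two suggestions above (fall back to loginRedirect when acquireTokenSilent fails, and pass sid so the silent request is bound to the AAD session rather than to e-mail metadata) combined into one routine, as an added example that is not code from the issue or from the MSAL project. It is written against the msal.js 1.x method shapes used in this thread (acquireTokenSilent returns a promise; acquireTokenRedirect navigates away and returns nothing) but takes the client and storage as parameters so it runs offline; the in-memory storage, fake client and the sid/preferred_username claims are constructed for the demo, and the assumption that the cached id token carries a sid claim does not always hold (see "sid: undefined" later in the thread).

```javascript
// Added example (not from the issue or MSAL): silent renewal with a redirect
// fallback and a loop guard, plus a sid/login_hint request builder.

// msal 1.x raises InteractionRequiredAuthError for these server error codes;
// AADSTS50058 arrives as one of them with the AADSTS text in the message.
const INTERACTION_CODES = new Set(['interaction_required', 'login_required', 'consent_required']);

function isInteractionRequired(err) {
  if (!err) return false;
  if (INTERACTION_CODES.has(err.errorCode)) return true;
  return /AADSTS50058/.test(String(err.errorMessage || err.message || ''));
}

// Bind the silent request to the AAD session (sid claim) rather than to account
// metadata; fall back to login_hint. Assumption: the cached id token carries
// these claims, which the thread shows is not always the case.
function buildSilentRequest(account, scopes) {
  const claims = (account && account.idTokenClaims) || {};
  const request = { scopes };
  if (claims.sid) request.sid = claims.sid;
  else if (claims.preferred_username) request.loginHint = claims.preferred_username;
  return request;
}

// One-shot flag: if the redirect comes back and silent renewal still fails
// (e.g. third-party cookies blocked), do not redirect again, or the app loops.
const REDIRECT_FLAG = 'app.tokenRedirectAttempted';

function getAccessToken(client, storage, scopes) {
  const account = client.getAccount();
  if (!account) {
    client.loginRedirect({ scopes });        // no cached account: interactive login
    return Promise.resolve(null);
  }
  const request = buildSilentRequest(account, scopes);
  return client.acquireTokenSilent(request)
    .then(response => {
      storage.removeItem(REDIRECT_FLAG);     // silent path is healthy again
      return response.accessToken;
    })
    .catch(err => {
      if (!isInteractionRequired(err)) throw err;   // network/config errors surface
      if (storage.getItem(REDIRECT_FLAG) === '1') {
        throw new Error('interaction still required after redirect; refusing to loop');
      }
      storage.setItem(REDIRECT_FLAG, '1');
      client.acquireTokenRedirect(request);  // full-page redirect, never a popup
      return null;                           // the page is navigating away
    });
}

// Constructed in-memory stand-ins for sessionStorage and the msal client.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: k => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: k => m.delete(k),
  };
}

function fakeClient(account, silentOutcome, calls) {
  return {
    getAccount: () => account,
    loginRedirect: req => calls.push(['loginRedirect', req]),
    acquireTokenRedirect: req => calls.push(['acquireTokenRedirect', req]),
    acquireTokenSilent: req => {
      calls.push(['acquireTokenSilent', req]);
      if (silentOutcome instanceof Error) return Promise.reject(silentOutcome);
      return Promise.resolve({ accessToken: silentOutcome });
    },
  };
}

// The error shape the thread reports, constructed for the demo.
function aadsts50058() {
  const e = new Error('AADSTS50058: A silent sign-in request was sent but no user is signed in.');
  e.errorCode = 'interaction_required';
  return e;
}
```

The loop guard matters more than it looks: after a redirect round trip the app starts again, getAccount() still returns the cached account, the silent call fails for the same reason, and without the flag the code redirects once more.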

I am also experiencing a similar issue. I'm trying to develop a POC in React with the msal.js library, and when the access token renewal happens I get the following error:
InteractionRequiredAuthError: AADSTS50058: A silent sign-in request was sent but no user is signed in. But getAccount() returns the signed-in user.

This happens to me in Chrome, because in Firefox .acquireTokenSilent({scopes}) does not throw any error.

I am using the following code to acquire a new access token:

```javascript
import { UserAgentApplication, InteractionRequiredAuthError } from 'msal';
import config from './config'; // app settings module (path assumed)

export const msalAuth = new UserAgentApplication({
  auth: {
    clientId: config.appId,
    redirectUri: config.redirectUri
  },
  cache: {
    cacheLocation: 'sessionStorage',
    storeAuthStateInCookie: true,
  },
})

// msal 1.x wraps login_required / interaction_required / consent_required in this class
function isInteractionRequired(err) {
  return err instanceof InteractionRequiredAuthError
}

function getAccessToken(scopes) {
  return msalAuth
    .acquireTokenSilent({scopes})
    .then(response => response.accessToken)
    .catch(err => {
      console.error(err) // InteractionRequiredAuthError: AADSTS50058: A silent sign-in request was sent but no user is signed in.

      // if there is no user signed in, why is this console.log printing the user to the console ??
      console.log('account: ', msalAuth.getAccount())

      if (isInteractionRequired(err)) {
        // acquireTokenRedirect navigates away and returns void; the renewed token
        // is delivered to the handleRedirectCallback handler after the round trip,
        // so there is no response to read here.
        msalAuth.acquireTokenRedirect({scopes})
        return new Promise(() => {}) // never settles: the page is leaving
      } else {
        return Promise.reject(err)
      }
    })
}
```

@marinvirdol can you provide the console log from the browser in this case? Including all of the msal logging. I've been unable to repro this.

Are you also on the most recent version, [email protected]?

Causing an issue for me too. Most recent version:

```
InteractionRequiredAuthError: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).
Trace ID: 9d2b3e42-c326-4d0b-a2ab-b6cb14735200
Correlation ID: 63d2910e-1b1a-4c39-9e9e-a86e475cda70
Timestamp: 2020-07-02 14:35:10Z
    at InteractionRequiredAuthError.AuthError [as constructor] (webpack-internal:///../../node_modules/msal/lib-es6/error/AuthError.js:26:28)
    at InteractionRequiredAuthError.ServerError [as constructor] (webpack-internal:///../../node_modules/msal/lib-es6/error/ServerError.js:27:28)
    at new InteractionRequiredAuthError (webpack-internal:///../../node_modules/msal/lib-es6/error/InteractionRequiredAuthError.js:29:28)
    at UserAgentApplication.saveTokenFromHash (webpack-internal:///../../node_modules/msal/lib-es6/UserAgentApplication.js:1415:25)
    at UserAgentApplication.processCallBack (webpack-internal:///../../node_modules/msal/lib-es6/UserAgentApplication.js:971:29)
    at UserAgentApplication.handleAuthenticationResponse (webpack-internal:///../../node_modules/msal/lib-es6/UserAgentApplication.js:1023:14)
    at UserAgentApplication.eval (webpack-internal:///../../node_modules/msal/lib-es6/UserAgentApplication.js:767:34)
    at step (webpack-internal:///../../node_modules/tslib/tslib.es6.js:123:23)
    at Object.eval [as next] (webpack-internal:///../../node_modules/tslib/tslib.es6.js:104:53)
    at fulfilled (webpack-internal:///../../node_modules/tslib/tslib.es6.js:94:58)
_callee$ @ client.js?7ed9:45
```

You say pass in the sid too but it returns undefined:

sid: undefined

@sidhuko could you open a new issue with your msal versions, configs, and usage? Thanks!

Closing this as the other issues are being tracked in new tickets, and it looks like the original problem has been solved. For anyone with more questions, please open a new issue. Thanks!

@jmckennon .. Might not be related to this, but after this issue has been closed, I am seeing a weird error in Chrome Incognito mode alone (all of a sudden) related to this (might be related to this fix).

InteractionRequiredAuthError: AADSTS50058: A silent sign-in request was sent but no user is signed in. The cookies used to represent the user's session were not sent in the request to Azure AD. This can happen if the user is using Internet Explorer or Edge, and the web app sending the silent sign-in request is in different IE security zone than the Azure AD endpoint (login.microsoftonline.com).

I am not seeing this in Chrome regular mode, Firefox (private window/normal window) or Edge.

The behavior I am seeing is that in local storage there are no cookies being set in Chrome Incognito mode, but cookies are being set in other browsers.

UPDATE: It seems to be a problem with the latest Chrome version. The latest version by default sets "Block third-party cookies in Incognito" to true. Need to switch to "Allow all cookies" to solve this issue.

Question: is there any chance for MSAL Angular to handle this scenario, because I am not seeing this in MSAL used in C#.

I have the exact same issue. Happens in Chrome 84.0.4147.105 Incognito only! Any resolution or workaround for this one?

@jenurius @sundeep22 Chrome Incognito recently updated to block third-party cookies. The silent flow in Msal.js version 1.x relies on third party cookies to work and thus is expected not to work in browsers where this is blocked. You need to either call an interactive method, enable third-party cookies or update to Msal-browser v2.0 which implements the auth code flow and does not rely on third-party cookies in most scenarios.
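The exchange the comment above describes, as an added example that is not code from the issue or from MSAL: msal.js 1.x renews silently by loading a prompt=none authorize request in a hidden iframe and reading the fragment AAD redirects back to the app's redirect URI. The block builds that request and classifies the two fragment shapes AAD returns, a token or the AADSTS50058 error that results when the iframe request carries no session cookie. The authority is the one from the issue's config; the client id, state, nonce and both sample fragments are constructed for the demo and are not real values.

```javascript
// Added example (not from the issue or MSAL): the iframe request behind
// acquireTokenSilent in msal.js 1.x and the fragment it gets back.

const AUTHORITY = 'https://login.microsoftonline.com/common/'; // authority from the issue config

// The iframe navigates to this URL. AAD can only answer without a prompt if the
// request carries its session cookie; because the iframe sits under the app's
// origin, that cookie is a third-party cookie and is dropped when the browser
// blocks those, so AAD answers with an error fragment instead of a token.
function buildSilentAuthorizeUrl({ clientId, redirectUri, scopes, state, nonce, sid, loginHint }) {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: 'token',
    response_mode: 'fragment',
    redirect_uri: redirectUri,
    scope: scopes.join(' '),
    prompt: 'none',
    state,
    nonce,
  });
  if (sid) params.set('sid', sid);                 // session hint, as suggested in the thread
  else if (loginHint) params.set('login_hint', loginHint);
  return `${AUTHORITY}oauth2/v2.0/authorize?${params.toString()}`;
}

// Parse the "#k=v&..." fragment of the iframe's redirect_uri location.
function parseFragment(hash) {
  const q = hash.startsWith('#') ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(q));
}

// Interpret the response. The state must equal the one sent with the request;
// a response with another state is discarded, not cached, so a fragment
// injected into the iframe cannot plant a token for a request never made.
function classifySilentResponse(hash, expectedState) {
  const f = parseFragment(hash);
  if (f.state !== expectedState) return { kind: 'state_mismatch' };
  if (f.access_token) {
    return { kind: 'token', accessToken: f.access_token, expiresIn: Number(f.expires_in) };
  }
  const m = (f.error_description || '').match(/AADSTS\d+/);
  const aadsts = m ? m[0] : null;
  if (f.error === 'interaction_required' || f.error === 'login_required') {
    // This is what msal 1.x surfaces as InteractionRequiredAuthError
    return { kind: 'interaction_required', error: f.error, aadsts };
  }
  return { kind: 'error', error: f.error || 'unknown', aadsts };
}

// Constructed sample fragments: the two shapes AAD returns to the iframe.
const SAMPLE_TOKEN_HASH =
  '#access_token=eyJ0eXAi.sample.token&token_type=Bearer&expires_in=3599' +
  '&scope=user.read&state=st-123&session_state=0f0e0d';
const SAMPLE_NO_COOKIE_HASH =
  '#error=interaction_required&error_description=' +
  encodeURIComponent('AADSTS50058: A silent sign-in request was sent but no user is signed in.') +
  '&state=st-123';
```

Nothing in the app's own storage changes between the two outcomes, which is why getAccount() keeps returning the cached account while the iframe renewal fails: the account comes from localStorage under the app's origin, the decision comes from a cookie on login.microsoftonline.com that the app never sees.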

@tnorling Thank you. I'll look at the msal-browser thing. It seems to fix the issue without browser hacks or having to modify code. This is going to replace my msal package in code, correct?

Correct, you'll find the migration guide here.
