Microsoft-authentication-library-for-js: Calling two backend APIs not possible with interceptor => "The cache contains multiple tokens satisfying the requirements"

im having the exact same problem rn.

previous version which worked:

"msal": "1.3.0",
"@azure/msal-angular": "^1.0.0-beta.5",

ClientAuthError: Cache error for scope openid,profile: The cache contains multiple tokens satisfying the requirements. Call AcquireToken again providing more requirements like authority.

fyi

I am having the same problem. I think it has something to do with this commit: https://github.com/AzureAD/microsoft-authentication-library-for-js/commit/23ddd4ab6632d932a8fd4dd276b39c7c8202ff6c#diff-a7db5bdfe2343db691caf7a7c5ad8671

In this commit a change was made in UserAgentApplication.cs (method getCachedAccessToken()) to filter the correct cached token. But this incorrectly adds both tokens.
This only happens when using MsalGuard in routing configuration. This is because in that case clientId is added as scope to acquireTokenSilent() which is stripped off and replaced by openid,profile. And those scopes are default and are again stripped off when matching the right accesss token.

Code where both access tokens are added:

            const searchScopes = ScopeSet.removeDefaultScopes(scopes);
            if (searchScopes.length === 0 && ScopeSet.containsScope(cachedScopes, scopes)) {
                filteredItems.push(cacheItem);
            } else if (ScopeSet.containsScope(cachedScopes, searchScopes)) {
                filteredItems.push(cacheItem);
            }

When searchScopes is empty, it will always be added to the list.

Hopefully @hectormmg and @jasonnutter can confirm this.

Previous version that worked for me:

"@azure/msal-angular": "^1.1.1",
"msal": "^1.4.0",

Yes, same for me! 1.4.0 works fine

@hectormmg Is this an issue you are currently working on? This could be a bug introduced between 1.4.0 and 1.4.1 from what I see above.

Hi everyone. There is a related bug in 1.4.1 which I have a fix for in #2376 pending some refactoring (it affects both access and ID token lookup). I need to investigate a bit further to confirm if it's the same issue, but either way this should be fixed in 1.4.2

Waiting for 1.4.2 also... :)

Same issue here.

Same

same problem

Same issue - does anyone have a way around it? Use 1.4.0?

Same issue - does anyone have a way around it? Use 1.4.0?

Yes, using 1.4.0 will do the job.

I have the same error with version "msal": "^1.4.1" and "msal": "^1.4.2"

Version "msal": "^1.4.0", work for me.

I also still have the same error with 1.4.2:

global-error-handler.ts:23 Error: Uncaught (in promise): ClientAuthError: Cache error for scope openid,profile: The cache contains multiple tokens satisfying the requirements. Call AcquireToken again providing more requirements like authority..
ClientAuthError: Cache error for scope openid,profile: The cache contains multiple tokens satisfying the requirements. Call AcquireToken again providing more requirements like authority..

I downgraded to MSAL 1.4.0 and even lower and am still getting it....

downgrading to 1.3.0 helped.

I downgraded to MSAL 1.4.0 and even lower and am still getting it....
Maybe something in Azure AD has changed?
We have our own organisational tenant.

When I went back to 1.4.0, mine started working again.

Hi everyone. It seems the problem you are all experiencing may be unrelated to the fix in 1.4.2. I'm having trouble reproducing this specific scenario, so I would really appreciate it if someone could post a screenshot or snapshot of what the keys in the cache look like when this error comes up. If anyone could reproduce this with one of our samples that would also be very helpful.

@web265p3 could you confirm whether or not 1.4.2 fixed this issue for you? I'd like to make sure we're all discussing the same issue here.

MSAL.txt

I have attached token cache and requested scopes.
Interesting: openid, profile & mail were not specified in my scopes. Maybe attached by MSAL?

I have also attached the token cache and scopes (with actual token values removed). I didn't think you needed the actual values.
msal.txt

I have implemented it in angular:

delete package-lock.json adn execute the following commands if you are using these npm:
npm i @azure/[email protected]
npm i [email protected]
npm i @microsoft/[email protected]
npm i

With the above versions it is working fine.
if the versions of these packages are above and beyond this causing the issue.

I have implemented it in angular:

delete package-lock.json adn execute the following commands if you are using these npm:
npm i @azure/[email protected]
npm i [email protected]
npm i @microsoft/[email protected]
npm i

With the above versions it is working fine.
if the versions of these packages are above and beyond this causing the issue.

can confirm downgrading to msal 1.3.0 it starts working again

Downgrading to [email protected] with @azure/[email protected] allows the usage calling of 2 APIs. I encountered this problem on the msal-angular. The msal-browser implementation for angular doesn't have this problem.

For our project, reverting to [email protected] was also enough (we kept @azure/[email protected]).

Hi, I'm getting the same error when calling our backend API and the MS Graph API we're using msal 1.4.3 and msal-angular 1.1.1. The app works initially and when calls are made to each API we get an access token for each added to local storage the keys vary only in scopes. The problem occurs when we navigate routes or refresh the page, this results in the following:

• MsalGuard.canActivate() is called and acquireTokenSilent() is called with the client id as the scope. https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/55d41e6cd550561d1aa983ea395e6d2abfbf03ef/lib/msal-angular/src/msal-guard.service.ts#L88-L90
• Then RequestUtils.validateRequest() calls ScopeSet.translateClientIdIfSingleScope() which replaces the client id scope with the openid and profile scopes. https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/55d41e6cd550561d1aa983ea395e6d2abfbf03ef/lib/msal-core/src/utils/RequestUtils.ts#L51
• Eventually UserAgentApplication.getCachedAccessToken() calls AuthCacheUtils.filterTokenCacheItemsByScope() and when filtering the cached tokens ScopeSet.removeDefaultScopes() is called to populate searchScopes this results in an empty array returned as only the default scopes are present. https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/f013c0410bf21825b9fec6704d897b3347848159/lib/msal-core/src/utils/AuthCacheUtils.ts#L17
• This results in an empty array being passed to ScopeSet.containsScope() and Array.every() being called on an empty array which will always return true. https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/f013c0410bf21825b9fec6704d897b3347848159/lib/msal-core/src/ScopeSet.ts#L38
• The return condition for the cached token filter() in AuthCacheUtils.filterTokenCacheItemsByScope() is therefore always true for all cached tokens due to the return statement doing an or comparison. https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/f013c0410bf21825b9fec6704d897b3347848159/lib/msal-core/src/utils/AuthCacheUtils.ts#L17-L22

@AquilaSands Thanks for the detailed explanation of what's going on here. I've linked a PR which should address this, if you or anyone else can build this branch locally and confirm whether or not it fixes this issue it would be much appreciated! We'll aim to include this in the next patch release

@tnorling I've tested the dev branch with this fix locally and it has solved the issue I was experiencing.

installed 1.4.4 and it works again!
Thanks for this swift reaction and bugfixing, folks!