microsoft-authentication-library-for-js: ClientAuthError: multiple_matching_tokens error when cache kept more than 2 users

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

1.5.0

Wrapper Library

Not Applicable

Wrapper Library Version

None

Description

When using a “singleton instance of confidentialClientApplication” we have found the “case that in cache there are two accounts, a third account tries to make an OBO for the first time and we get multiple_matching_tokens error.”

Originally posted by @CrazyBaran in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4158#issuecomment-944152234

With my team, we have found exactly the same issue… Maybe important to say that the cache has exactly 12 items when it happens.

@sameerag We are wondering if the potential solution is still alive, for it seems recently to be more or less without activity: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4081

And by the way, the only quick workaround we’ve found so far is to always clear the cache XD Have you by chance found another one @CrazyBaran ?

MSAL Configuration

import { Configuration, ConfidentialClientApplication } from '@azure/msal-node';

const config: Configuration = {
  auth: {
    clientId: 'our clientId',
    authority: 'https://login.microsoftonline.com/our tenantId',
    clientSecret: 'our clientSecret',
  },
};
// one instance shared for all incoming users (singleton)
this.cca = new ConfidentialClientApplication(config);

Relevant Code Snippets

import jwtDecode from 'jwt-decode';
import { AccountInfo, AuthenticationResult, ConfidentialClientApplication } from '@azure/msal-node';

interface UserPayload { oid: string }

class TokenService {
  constructor(private readonly cca: ConfidentialClientApplication) {}

  // token: incoming "Bearer <jwt>" header value; scopes: downstream API scopes
  async acquireForUser(token: string, scopes: string[]): Promise<AuthenticationResult | null> {
    // look up the caller's account in the shared cache by its object id (oid)
    const cachedAccount: AccountInfo | null = await this.cca
      .getTokenCache()
      .getAccountByLocalId((jwtDecode(token) as UserPayload).oid);
    if (cachedAccount?.localAccountId) {
      return await this.cca.acquireTokenSilent({
        account: cachedAccount,
        scopes: ['https://vault.azure.net/.default'],
        authority: 'https://login.microsoftonline.com/our tenantId',
      });
    }
    // first call for this user: no cached account, so do the OBO exchange
    return this.cca.acquireTokenOnBehalfOf({
      oboAssertion: token.split(' ').pop(),
      scopes,
      authority: 'https://login.microsoftonline.com/our tenantId',
    });
  }
}

Identity Provider

Azure AD / MSA

Source

External (Customer)

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 26 (8 by maintainers)

Most upvoted comments

#4691 is a work in progress, ETA 4/22

Thanks @sameerag - any new updates on targeted release?

I was working on that a few months ago. Found out that multiple_matching_tokens is thrown due to that part of the code: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/60e2cfc0e9daa3c24e994617b4ac42aef6880b74/lib/msal-common/src/client/OnBehalfOfClient.ts#L107

accessTokenFilter is the same for all accounts, there is nothing “account specific” during generation of that token. Our workaround was to completely disable the cache.

@tnorling @sameerag any updates here?

@sameerag thank you! As this is blocking a client project would it be possible for us to share an ETA on the fix?

We are adding an enhancement in OBO and will be pushing a PR soon that should potentially resolve this issue. Please watch this space for the updates, I am tracking this issue.

@hastudillo Thanks for the data. We think this is a bug in access token filtering, which should include account matching. I am marking this as a bug and will follow up with a PR.
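The two comments above (the one observing that accessTokenFilter carries nothing account-specific, and the maintainer's reply that the filter should include account matching) describe the same defect. The following is an added illustration, not MSAL's code: a toy cache of access-token entries modelled after the fields MSAL keys tokens on (homeAccountId, clientId, realm, target), a lookup that throws multiple_matching_tokens when more than one entry matches, and the same lookup run with and without an account constraint. The entity shape, the function names and the sample entries are assumptions constructed for this example.

```typescript
// Added example (not MSAL's own code). Models why an OBO cache lookup that
// ignores the account fails as soon as two users have tokens for the same
// client/realm/scopes, and what an account-aware filter changes.

interface AccessTokenEntity {
  homeAccountId: string; // user the token was issued for
  clientId: string;
  realm: string;         // tenant id
  target: string;        // space-separated scopes
  secret: string;        // placeholder token value (constructed, not a real token)
}

interface AccessTokenFilter {
  clientId: string;
  realm: string;
  target: string;
  homeAccountId?: string; // absent = "no account matching", the behaviour reported in the issue
}

class MultipleMatchingTokensError extends Error {
  constructor() {
    super('multiple_matching_tokens');
    this.name = 'ClientAuthError';
  }
}

// every requested scope must be present in the cached entry's target
function matchScopes(cached: string, requested: string): boolean {
  const have = new Set(cached.toLowerCase().split(' '));
  return requested.toLowerCase().split(' ').every((s) => have.has(s));
}

function filterTokens(cache: AccessTokenEntity[], f: AccessTokenFilter): AccessTokenEntity[] {
  return cache.filter(
    (t) =>
      t.clientId === f.clientId &&
      t.realm === f.realm &&
      matchScopes(t.target, f.target) &&
      (f.homeAccountId === undefined || t.homeAccountId === f.homeAccountId),
  );
}

// Same decision the library makes: one hit is a cache hit, none is a miss
// (go to the network), more than one is an error because the client cannot
// tell which user's token it would be handing back.
function readAccessToken(cache: AccessTokenEntity[], f: AccessTokenFilter): AccessTokenEntity | null {
  const matches = filterTokens(cache, f);
  if (matches.length > 1) throw new MultipleMatchingTokensError();
  return matches.length === 1 ? matches[0] : null;
}

// Constructed cache state: two users already exchanged a token for the same
// downstream scope through one shared ConfidentialClientApplication.
const sampleCache: AccessTokenEntity[] = [
  { homeAccountId: 'user-a.tenant', clientId: 'app', realm: 'tenant',
    target: 'https://vault.azure.net/.default', secret: 'at-user-a' },
  { homeAccountId: 'user-b.tenant', clientId: 'app', realm: 'tenant',
    target: 'https://vault.azure.net/.default', secret: 'at-user-b' },
];

const baseFilter: AccessTokenFilter = {
  clientId: 'app',
  realm: 'tenant',
  target: 'https://vault.azure.net/.default',
};

// Filter with nothing account-specific: returns the error name it raises.
function lookupWithoutAccount(cache: AccessTokenEntity[]): string {
  try {
    const hit = readAccessToken(cache, baseFilter);
    return hit ? hit.secret : 'cache miss';
  } catch (e) {
    return (e as Error).message;
  }
}

// Account-aware filter: the caller's own token, or null (miss) for a user
// that has not been through OBO yet.
function lookupForAccount(cache: AccessTokenEntity[], homeAccountId: string): string | null {
  const hit = readAccessToken(cache, { ...baseFilter, homeAccountId });
  return hit ? hit.secret : null;
}

console.log(lookupWithoutAccount(sampleCache));            // multiple_matching_tokens
console.log(lookupForAccount(sampleCache, 'user-a.tenant')); // at-user-a
console.log(lookupForAccount(sampleCache, 'user-c.tenant')); // null -> third user goes to the network
```

With the account-less filter the third user's request is the first lookup that sees two candidates, which matches the report that the error appears once two accounts are in the cache; with homeAccountId in the filter the third user simply gets a cache miss and proceeds to the on-behalf-of exchange, and each user can only ever be handed back a token that was issued for them.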