microsoft-authentication-library-for-js: ClientAuthError: multiple_matching_tokens error when cache kept more than 2 users
Core Library
MSAL Node (@azure/msal-node)
Core Library Version
1.5.0
Wrapper Library
Not Applicable
Wrapper Library Version
None
Description
When using a “singleton instance of confidentialClientApplication” we have found the “case that in cache there is two accounts, third account try to make first time a OBO and we get multiple_matching_tokens error.”
Originally posted by @CrazyBaran in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4158#issuecomment-944152234
With my team, we have found exactly the same issue… Maybe important to say that the cache has exactly 12 items when it happens.
@sameerag We are wondering if the potential solution is still alive, for it seems recently to be more or less without activity: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4081
And by the way, the only quick workaround we’ve found so far is to always clear the cache XD Have you by chance found another one @CrazyBaran ?
MSAL Configuration
import { Configuration, ConfidentialClientApplication } from '@azure/msal-node';

// Single confidential client shared by all requests (the "singleton" mentioned above)
const config: Configuration = {
  auth: {
    clientId: 'our clientId',
    authority: 'https://login.microsoftonline.com/our tenantId',
    clientSecret: 'our clientSecret',
  },
};
this.cca = new ConfidentialClientApplication(config);
Relevant Code Snippets
// Look for an account already cached for the caller, keyed by the object id (oid) in the incoming token
const cachedAccount: AccountInfo = await this.cca
  .getTokenCache()
  .getAccountByLocalId((jwtDecode(token) as UserPayload).oid);
if (cachedAccount?.localAccountId) {
  // Known user: serve from cache, refreshing if needed
  return await this.cca.acquireTokenSilent({
    account: cachedAccount,
    scopes: ['https://vault.azure.net/.default'],
    authority: 'https://login.microsoftonline.com/our tenantId',
  });
}
// Unknown user: first On-Behalf-Of exchange; 'token' is the Authorization header value ("Bearer ...")
// and 'scopes' comes from the enclosing scope. This is the call that throws multiple_matching_tokens.
return this.cca.acquireTokenOnBehalfOf({
  oboAssertion: token.split(' ').pop(),
  scopes,
  authority: 'https://login.microsoftonline.com/our tenantId',
});
Identity Provider
Azure AD / MSA
Source
External (Customer)
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 26 (8 by maintainers)
Commits related to this issue
- Bumps @azure/msal-node from 1.9.0 to 1.10.0 Addresses issue with caching multiple tokens for same user (AzureAD/microsoft-authentication-library-for-js#4486). — committed to Azure/BatchExplorer by gingi 2 years ago
- Bump version to 2.15.0 (#2535) * Revert "Update to call List Supported Virtual Machine and Cloud Service SKUs (#2400)" This reverts commit 7e9ce2e5dd4becf9892a09db78bf1e1f2b08e57c. * Update pat... — committed to Azure/BatchExplorer by cRui861 2 years ago
#4691 is a work in progress, ETA 4/22
Thanks @sameerag - any new updates on targeted release?
I was working on that a few months ago. Found out that multiple_matching_tokens is thrown due to that part of the code: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/60e2cfc0e9daa3c24e994617b4ac42aef6880b74/lib/msal-common/src/client/OnBehalfOfClient.ts#L107
accessTokenFilter is the same for all accounts, there is nothing “account specific” during generation of that token. Our workaround was to completely disable the cache.
@tnorling @sameerag any updates here?
@sameerag thank you! As this is blocking a client project would it be possible for us to share an ETA on the fix?
We are adding an enhancement in OBO and will be pushing a PR soon that should potentially resolve this issue. Please watch this space for the updates, I am tracking this issue.
@hastudillo Thanks for the data. We think this is a bug in access token filtering, which should include account matching. I am marking this as a bug and will follow up with a PR.
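To make the diagnosis in this thread concrete, here is an added example that is not MSAL's code: a small TypeScript model of the access-token cache lookup the On-Behalf-Of flow performs. The cache entries, field names (homeAccountId, realm, target), client and tenant ids and token values are all constructed for illustration. It shows that a filter built only from client id, tenant and scopes matches every user's token for the same downstream resource, so the lookup throws multiple_matching_tokens as soon as a second user's token is cached (and, with a single entry cached, hands one user's token to a different user), while adding the account to the filter gives each user exactly their own entry and a clean cache miss for a new user.

```typescript
// Added example, not MSAL's own implementation: a toy model of the OBO access-token
// cache filter. Names and sample values are constructed for illustration.

interface AccessTokenEntity {
  homeAccountId: string; // per-user key (assumed name, modelled on MSAL's cache schema)
  clientId: string;
  realm: string;         // tenant id
  target: string;        // space-separated scopes the token was issued for
  secret: string;        // the access token itself (placeholder values below)
}

interface TokenFilter {
  clientId: string;
  realm: string;
  target: string;
  homeAccountId?: string; // the account-specific part missing from the buggy filter
}

const MULTIPLE_MATCHING_TOKENS = 'multiple_matching_tokens';

function multipleMatchingTokensError(): Error & { errorCode: string } {
  return Object.assign(
    new Error('The cache contains multiple tokens satisfying the requirements.'),
    { errorCode: MULTIPLE_MATCHING_TOKENS },
  );
}

// A cached token satisfies a request when it covers every requested scope.
function scopesMatch(target: string, requested: string): boolean {
  const cached = new Set(target.toLowerCase().split(' '));
  return requested.toLowerCase().split(' ').every((s) => cached.has(s));
}

function matchingTokens(cache: AccessTokenEntity[], filter: TokenFilter): AccessTokenEntity[] {
  return cache.filter(
    (t) =>
      t.clientId === filter.clientId &&
      t.realm === filter.realm &&
      scopesMatch(t.target, filter.target) &&
      (filter.homeAccountId === undefined || t.homeAccountId === filter.homeAccountId),
  );
}

// Mirrors the rule that more than one candidate is an error rather than "pick the first".
function readAccessToken(cache: AccessTokenEntity[], filter: TokenFilter): AccessTokenEntity | null {
  const matches = matchingTokens(cache, filter);
  if (matches.length > 1) throw multipleMatchingTokensError();
  return matches.length === 1 ? matches[0] : null;
}

// Constructed sample cache: two users already completed OBO for the same downstream scope.
const SCOPE = 'https://vault.azure.net/.default';
const sampleCache: AccessTokenEntity[] = [
  { homeAccountId: 'user-a.tenant-1', clientId: 'client-1', realm: 'tenant-1', target: SCOPE, secret: 'AT-A' },
  { homeAccountId: 'user-b.tenant-1', clientId: 'client-1', realm: 'tenant-1', target: SCOPE, secret: 'AT-B' },
];

// Buggy lookup: nothing in the filter identifies the user the request is on behalf of.
function lookupWithoutAccount(cache: AccessTokenEntity[]): string {
  try {
    const hit = readAccessToken(cache, { clientId: 'client-1', realm: 'tenant-1', target: SCOPE });
    return hit ? hit.secret : 'cache-miss';
  } catch (e) {
    return (e as { errorCode?: string }).errorCode === MULTIPLE_MATCHING_TOKENS ? MULTIPLE_MATCHING_TOKENS : 'other-error';
  }
}

// Fixed lookup: the account is part of the filter, so each user only ever sees their own token.
function lookupWithAccount(cache: AccessTokenEntity[], homeAccountId: string): string {
  const hit = readAccessToken(cache, { clientId: 'client-1', realm: 'tenant-1', target: SCOPE, homeAccountId });
  return hit ? hit.secret : 'cache-miss';
}

console.log('two users cached, no account in filter :', lookupWithoutAccount(sampleCache));
console.log('one user cached, no account in filter  :', lookupWithoutAccount([sampleCache[0]]));
console.log('user-b with account in filter           :', lookupWithAccount(sampleCache, 'user-b.tenant-1'));
console.log('new user-c with account in filter       :', lookupWithAccount(sampleCache, 'user-c.tenant-1'));
```

The second console line is the part worth noticing from a security standpoint: with only one entry cached, the account-agnostic filter does not fail, it returns user A's token for a request made on behalf of user B, so the error reported in this issue is the visible symptom of a filter that was already serving the wrong user's token silently. Clearing or disabling the cache, the workaround mentioned above, removes both behaviours at the cost of an OBO round trip per request.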