Cache driver should update refresh token entries based on user id and authority

[Isaac-Lee-msft]

Bug occurred when trying to login to a container in a private cloud environment and azure-cli used a cached refresh token for a different cloud environment. Upon further inspection, it appeared that the refresh tokens were all being updated to the same token in the cache for different cloud environments. The fix is to also verify the authority with the id when updating the cached refresh token entries.

Bug reproduction steps: az cloud set --name privatecloud az login az cloud set --name publiccloud az login -- wait for access token to expire -- az acr login --debug --name <containerOnPrivate>

AADSTS9002313: Invalid request. Request is malformed or invalid.

Please edit this line and possibly others to include the authority: https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/a4366c5e81a20d60d8e018a6fe24d0971f0cd02d/adal/cache_driver.py#L217

[rayluo]

Thanks for bringing this to our attention.

• ADAL Python's cache mechanism was developed 4 years ago (before April 2016). It predates National Cloud feature (which was planned and implemented in some of our SDKs during 2017). And now ADAL Python will not receive any new feature, all feature development will be in MSAL Python going forward.

• We already implemented the new cache mechanism, but it is only available in ADAL Python's successor, the MSAL Python. Azure CLI team plans to integrate with MSAL Python.

• Meanwhile, the workaround would be to explicitly re-login to the chosen cloud, by: az cloud set --name the_cloud_i_want & az login

[rayluo]

CCing @jiasli for awareness on this topic. And we (ADAL Python team) would probably close this issue soon, since it is not actionable from our side here.

[rayluo]

Closing as this is not actionable from ADAL Python