AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Feature Request] Need a method to Clear App Token Cache for Confidential Client #4854

Open msJinLei opened 1 month ago

msJinLei commented 1 month ago

MSAL client type

Confidential

Problem statement

The customers sometimes want to actively clear the token cache for security concerns. We have received several asks from the customers. However, there is currently no way for us to clear the app token cache. MSAL.net does provide an interface to remove app tokens by account, but it doesn't provide an interface to list all the accounts from a confidential client.

        /// <summary>
        /// Get the <see cref="IAccount"/> by its identifier among the accounts available in the token cache and of the same
        /// environment (authority host) as <see cref="Authority"/>.
        /// </summary>
        /// <param name="identifier">Account identifier. The value of the identifier will probably have been stored value from the
        /// value of the <see cref="AccountId.Identifier"/> property of <see cref="AccountId"/>.
        /// You typically get the account ID from an <see cref="IAccount"/> by using the <see cref="IAccount.HomeAccountId"/> property.</param>
        Task<IAccount> GetAccountAsync(string identifier);

Proposed solution

Alternatives

Please give this item a high priority as it is a security ask. Thanks.

isra-fel commented 1 month ago

The two options to clear (app) token cache are both obsolete.

        private async Task ClearCacheAsync()
        {
            // Placeholder cache file / directory / client values so the sketch compiles.
            StorageCreationProperties storageProperties =
                new StorageCreationPropertiesBuilder("msal.cache", "<cache-dir-placeholder>").Build();
            (await MsalCacheHelper.CreateAsync(storageProperties)).Clear(); // obsolete

            IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
                .Create("<client-id-placeholder>")
                .WithClientSecret("<client-secret-placeholder>")
                .Build();
            foreach (var account in await app.GetAccountsAsync()) // also obsolete
            {
                await app.RemoveAsync(account);
            }
        }
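
An added example (not code from this thread, and not MSAL's own API for this) of the route that is not marked obsolete: drive the confidential client's app token cache through its serialization hooks, so that emptying the backing store empties the cache on the next access. It assumes that DeserializeMsalV3 with shouldClearExistingCache: true discards the in-memory entries before loading the supplied bytes, and uses placeholder client id, secret and tenant values.

```csharp
using System;
using Microsoft.Identity.Client;

// Added example, not from this thread: clear a confidential client's app token
// cache via the serialization hooks instead of GetAccountsAsync/RemoveAsync.
// Assumption: DeserializeMsalV3(bytes, shouldClearExistingCache: true) drops the
// in-memory entries before loading `bytes`, so an empty store means an empty cache.
public static class AppTokenCacheStore
{
    // Constructed in-memory backing store; a real app would encrypt and persist it.
    private static byte[] _store = Array.Empty<byte>();

    public static IConfidentialClientApplication Build()
    {
        var app = ConfidentialClientApplicationBuilder
            .Create("00000000-0000-0000-0000-000000000000")              // placeholder client id
            .WithClientSecret("<client-secret-placeholder>")
            .WithAuthority(AzureCloudInstance.AzurePublic, "<tenant-id-placeholder>")
            .Build();

        // Before every cache read or write MSAL reloads from the store, replacing
        // whatever it still holds in memory (that is what shouldClearExistingCache does).
        app.AppTokenCache.SetBeforeAccess(args =>
            args.TokenCache.DeserializeMsalV3(_store, shouldClearExistingCache: true));

        // After a write (new or refreshed app token) persist the new state.
        app.AppTokenCache.SetAfterAccess(args =>
        {
            if (args.HasStateChanged)
                _store = args.TokenCache.SerializeMsalV3();
        });
        return app;
    }

    // Clearing is just emptying the store: the next AcquireTokenForClient call starts
    // from an empty cache and has to go back to the identity provider. Entries still
    // held in process memory are discarded at that next access, not immediately.
    public static void Clear() => _store = Array.Empty<byte>();
}
```

The limitation this shows is the one the thread is about: there is no first-class call that empties the app token cache, only the hook path, which takes effect at the next cache access.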

bgavrilMS commented 1 month ago

A similar ask was done on MSAL Python - https://github.com/AzureAD/microsoft-authentication-library-for-python

Solution there is to add an API like "RemoveAppTokens".

Note: there are no "accounts" in app 2 app communication.

bgavrilMS commented 1 month ago

CC @localden and @jmprieur for the feature request from Az.PS team. Similar request was made on Az.CLI team.

@isra-fel - can you please say a few more words about the scenario? Why do customers want to remove app tokens?

rayluo commented 1 month ago

Indeed, a similar ask was done by remove_tokens_for_client() on MSAL Python PR 666.

Proposed solution

  • Provide an interface to clear app token cache and user token cache

Alternatives

  • or Provide an interface to just clear app token cache
  • or Provide an interface to list all the accounts created from confidential client.

Note that the remove_tokens_for_client() removes app tokens (a.k.a. "service-to-service token") only. But there is already a GetAccountsAsync() that can return a list of all user accounts.