Open msJinLei opened 1 month ago
The two options to clear the (app) token cache are both obsolete.

```csharp
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.Extensions.Msal;

// Both approaches below are marked obsolete; the storage properties and the
// confidential client are taken as parameters so the snippet compiles.
private async Task ClearCacheAsync(StorageCreationProperties storageProperties,
                                   IConfidentialClientApplication app)
{
    // Option 1: clear the persisted cache through the extensions helper.
    (await MsalCacheHelper.CreateAsync(storageProperties)).Clear(); // obsolete

    // Option 2: enumerate the accounts and remove them one by one.
    foreach (var account in await app.GetAccountsAsync()) // also obsolete
    {
        await app.RemoveAsync(account);
    }
}
```
A similar ask was made on MSAL Python - https://github.com/AzureAD/microsoft-authentication-library-for-python
The solution there is to add an API like "RemoveAppTokens".
Note: there are no "accounts" in app-to-app communication.
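Until MSAL.NET ships an API of that kind, the app token cache of a confidential client can be emptied today through the public token cache serialization callbacks. The following is an added example written for this page, not code from the issue author or the MSAL.NET project. The class ClearableAppTokenCache, its Clear() method, the in-process byte[] store and the Demo.RunAsync helper are assumptions made for illustration; the MSAL.NET calls it relies on (IConfidentialClientApplication.AppTokenCache.SetBeforeAccess/SetAfterAccess, ITokenCacheSerializer.DeserializeMsalV3 with shouldClearExistingCache, SerializeMsalV3, AcquireTokenForClient, AuthenticationResultMetadata.TokenSource) are MSAL.NET 4.x public API.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not MSAL.NET API: owns the serialized app token cache blob so
// it can be wiped without MsalCacheHelper.Clear() or GetAccountsAsync()/RemoveAsync().
public sealed class ClearableAppTokenCache
{
    private readonly object _lock = new object();
    private byte[] _blob; // MSAL v3 cache state; null means "empty"

    public void Attach(IConfidentialClientApplication app)
    {
        // Runs before every cache read or write. shouldClearExistingCache: true
        // discards whatever MSAL still holds in memory, so after Clear() the
        // null blob leaves MSAL with an empty app token cache.
        app.AppTokenCache.SetBeforeAccess(args =>
        {
            byte[] state;
            lock (_lock) { state = _blob; }
            args.TokenCache.DeserializeMsalV3(state, shouldClearExistingCache: true);
        });

        // Runs after every cache access; persist only when MSAL changed something.
        app.AppTokenCache.SetAfterAccess(args =>
        {
            if (!args.HasStateChanged) return;
            byte[] state = args.TokenCache.SerializeMsalV3();
            lock (_lock) { _blob = state; }
        });
    }

    // The "RemoveAppTokens" the issue asks for, done on our side of the cache
    // boundary. This is cache hygiene, not revocation: tokens already handed
    // out stay valid at the resource until they expire.
    public void Clear()
    {
        lock (_lock) { _blob = null; }
    }
}

public static class Demo
{
    // Hypothetical driver: acquires an app token twice, clears the cache, and
    // acquires once more. Returns the TokenSource of the last acquisition,
    // which is IdentityProvider only if Clear() really discarded the cached token.
    public static async Task<TokenSource> RunAsync(string tenantId, string clientId, string clientSecret)
    {
        var app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        var cache = new ClearableAppTokenCache();
        cache.Attach(app);

        string[] scopes = { "https://graph.microsoft.com/.default" };

        // Cache is empty: MSAL contacts the token endpoint and caches the result.
        AuthenticationResult first = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        Console.WriteLine($"first:       {first.AuthenticationResultMetadata.TokenSource}");

        // Same scopes, nothing cleared: MSAL serves the token from its cache.
        AuthenticationResult second = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        Console.WriteLine($"second:      {second.AuthenticationResultMetadata.TokenSource}");

        cache.Clear();

        // Blob is gone and BeforeAccess clears the in-memory copy, so MSAL
        // has to go back to the identity provider.
        AuthenticationResult afterClear = await app.AcquireTokenForClient(scopes).ExecuteAsync();
        Console.WriteLine($"after clear: {afterClear.AuthenticationResultMetadata.TokenSource}");
        return afterClear.AuthenticationResultMetadata.TokenSource;
    }
}
```

Two caveats a practitioner should keep in mind. First, if the same store is shared by several application instances (for example a distributed cache), Clear() empties the app token cache for all of them, which is usually what a "clear for security reasons" request intends but should be a conscious decision. Second, as the comment says, clearing a client-side cache does not invalidate tokens that were already issued; if the concern is a leaked token rather than a leaked cache, rotate the client credential as well.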
CC @localden and @jmprieur for the feature request from the Az.PS team. A similar request was made by the Az.CLI team.
@isra-fel - can you please say a few more words about the scenario? Why do customers want to remove app tokens?
Indeed, a similar ask was done by remove_tokens_for_client() on MSAL Python PR 666.
Proposed solution
- Provide an interface to clear app token cache and user token cache
Alternatives
- Provide an interface to just clear app token cache
- Provide an interface to list all the accounts created from confidential client.
Note that remove_tokens_for_client() removes app tokens (a.k.a. "service-to-service tokens") only. But there is already a GetAccountsAsync() that can return a list of all user accounts.
MSAL client type
Confidential
Problem statement
Customers sometimes want to actively clear the token cache for security reasons. We have received several asks from customers. However, there is currently no way for us to clear the app token cache. MSAL.NET does provide an interface to remove app tokens by account, but it does not provide an interface to list all the accounts from a confidential client.
Proposed solution
- Provide an interface to clear app token cache and user token cache
Alternatives
- Provide an interface to just clear app token cache
- Provide an interface to list all the accounts created from confidential client.
Please give this item a high priority as it is a security ask. Thanks