ConfidentialClient - web api (AcquireTokenOnBehalfOf)
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
It seems that when the OBO supplier attempts to acquire the token silently from the cache it doesn't pass the Tenant ID in the SilentParameters which means that the token cannot be found in the cache.
I'm sending OnBehalfOfParameters with the Tenant ID:
This is all I'm seeing in the logs:
2024-11-22T11:56:56.127Z DEBUG 24 --- [app] [onPool-worker-3] c.m.a.m.AcquireTokenByOnBehalfOfSupplier : SkipCache set to false. Attempting cache lookup
2024-11-22T11:56:56.128Z DEBUG 24 --- [app] [onPool-worker-3] c.m.a.m.AcquireTokenByOnBehalfOfSupplier : Cache lookup failed: Token not found in the cache
However, if I dig a little deeper I can see that the cache miss is because the cached token realm doesn't match the authority tenant here. If I follow this back I can see that the authority tenant can come from the request parameters here. However, it looks like this isn't happening because the OnBehalfOfSupplier doesn't add the tenant to the SilentParameters here.
Relevant code snippets
import com.microsoft.aad.msal4j.{OnBehalfOfParameters, UserAssertion}

// `client` is an already-built ConfidentialClientApplication; ??? marks values left out of the report
val userAssertion = new UserAssertion(???)
val scopes = Set(???)
val tenantId = ???
val parameters = OnBehalfOfParameters.builder(scopes, userAssertion).tenant(tenantId).build
// Call the confidential client with the parameters above; the request should succeed and write the OBO token to the cache
client.acquireToken(parameters)
// Call the confidential client again with the same parameters; the request does not find the previous token in the cache
client.acquireToken(parameters)
Expected behavior
The second request should be able to retrieve the token from the cache
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Library version used
1.17.2
Java version
17.0.11
Regression
No response
Solution and workarounds
No response
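The cache behaviour described in this report, as an added example that is not part of the original issue and is not MSAL4J code: a simplified, hypothetical model of a token cache that only returns an entry when its realm equals the tenant of the authority used for the lookup. All class, record and method names and all tenant, scope and token values are constructed for illustration, including the assumption that the application's default authority tenant is `common`.

```java
import java.util.*;

/** Simplified model of a realm-checked token cache (hypothetical, not the library's implementation). */
public class OboCacheRealmDemo {
    // Hypothetical cache entry: the token is stored with the tenant (realm) that issued it.
    record CachedToken(String realm, String assertionHash, Set<String> scopes, String accessToken) {}

    static final List<CachedToken> CACHE = new ArrayList<>();

    // Tenant used to build the authority: the per-request override if present, else the app default.
    static String effectiveTenant(String appDefaultTenant, String requestTenant) {
        return requestTenant != null ? requestTenant : appDefaultTenant;
    }

    // A hit requires realm, user-assertion hash and scopes to all match; the realm check is what
    // keeps a token issued by one tenant from being served to a request for another tenant.
    static Optional<CachedToken> lookup(String authorityTenant, String assertionHash, Set<String> scopes) {
        return CACHE.stream()
                .filter(t -> t.realm().equals(authorityTenant))
                .filter(t -> t.assertionHash().equals(assertionHash))
                .filter(t -> t.scopes().containsAll(scopes))
                .findFirst();
    }

    public static void main(String[] args) {
        String appDefaultTenant = "common";              // constructed: assumed app-level authority tenant
        String requestTenant = "example-tenant-id";      // constructed: tenant set on the OBO request
        String assertionHash = "hash-of-user-assertion"; // constructed
        Set<String> scopes = Set.of("api://downstream/.default"); // constructed

        // First call: the token is requested for the request tenant and cached under that realm.
        CACHE.add(new CachedToken(requestTenant, assertionHash, scopes, "constructed-token"));

        // Reported behaviour: the tenant override is not carried into the silent lookup,
        // so the lookup runs against the app default tenant and the realm check fails.
        boolean hitWithoutTenant =
                lookup(effectiveTenant(appDefaultTenant, null), assertionHash, scopes).isPresent();

        // Expected behaviour: the override is carried over and the realm matches.
        boolean hitWithTenant =
                lookup(effectiveTenant(appDefaultTenant, requestTenant), assertionHash, scopes).isPresent();

        System.out.println("lookup without request tenant -> hit=" + hitWithoutTenant);
        System.out.println("lookup with request tenant    -> hit=" + hitWithTenant);
    }
}
```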