AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS
http://aka.ms/aadv2
MIT License

Wrong accesstoken acquired when multiple users login #2880

Closed remns closed 3 years ago

remns commented 3 years ago

Library

msal@1.4.4

Framework

React 16

Description

I have 2 public client apps on the same B2C AD, both using msal.js. Scenario occurs while User 1 is logged in to Client A and User 2 subsequently logs in on Client B (same browser). When User1@ClientA next does an acquireTokenSilent call, the token that is returned is mismatched -> the idToken belongs to User1, but the accessToken has User 2's details (id, email, etc).

Error Message

MSAL Configuration

import { UserAgentApplication, InteractionRequiredAuthError } from "msal";

const msalConfig = {
    auth: {
        authority: `https://login.microsoftonline.com/microsoft.onmicrosoft.com`,
        clientId: config.default.AppSettings.msalClientId,
        navigateToLoginRequestUrl: false,
        redirectUri: window.location.origin,
        postLogoutRedirectUri: window.location.origin,
    },
    cache: {
        cacheLocation: 'localStorage',
        storeAuthStateInCookie: false,
    },
    system: {
        navigateFrameWait: 0,
        loadFrameTimeout: 10000,
    },
};
const msalInstance = new UserAgentApplication(msalConfig);

const silentRequest = {
    account: msalInstance.getAccount(),   // msal 1.x method is getAccount(); the original also lacked this comma
    scopes: ["User.Read"],
};

const redirectRequest = {
    loginHint: msalInstance.getAccount().userName,
    scopes: ["User.Read"],
};

const tokenResponse = await msalInstance.acquireTokenSilent(silentRequest).catch((error) => {
    if (error instanceof InteractionRequiredAuthError) {
        // In msal 1.x acquireTokenRedirect returns void (it navigates away), so there is no promise to .catch on
        try {
            msalInstance.acquireTokenRedirect(redirectRequest);
        } catch (redirectError) {
            handleError(redirectError);
        }
        return undefined;
    }
    throw error; // do not silently swallow other failures
});

Reproduction steps

As in description

Expected behavior

Expect that some exception is thrown/access is denied

Identity Provider

Browsers/Environment

Regression

Security

Source

jo-arroyo commented 3 years ago

This may be an issue for the B2C service team. @nickgmicrosoft

remns commented 3 years ago

If it helps, the console log from msal.js is below. Another observed behaviour is that the mismatched (User 2's) accesstoken is not being saved to the cache (at ClientA, where User1 initially logged in), so every subsequent call from ClientA to AcquireTokenSilent triggers a request to the b2clogin.com/xx/authorize endpoint, which delivers a new accesstoken (for User 2).

Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose AcquireTokenSilent has been called
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Telemetry Event started: babf310c-994e-4abd-94aa-aae072c4fb0e_8233a898-a703-41db-addd-c75059d76ee7-msal.api_event
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Account set from MSAL Cache
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Response type: token
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Finished building server authentication request
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Query parameters populated from existing SSO or account
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose GetCachedToken has been called
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Getting all cached tokens of type ID Token
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose No matching tokens of type id_token found
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose No tokens found
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Getting all cached tokens of type Access Token
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose No matching tokens of type access_token found
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose No matching token found when filtering by scope and authority
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose GetUniqueAuthority has been called
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Single authority used, setting authorityInstance
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose No valid token found in cache lookup
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Cached metadata found for authority
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Renewing access token
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose RenewToken has been called
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Set window.renewState and requestType
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose monitorWindowForIframe polling started
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose monitorIframeForHash found url in hash
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose HandleAuthenticationResponse has been called
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose GetResponseState has been called
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Hash contains state. Creating stateInfo object
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose State does not match cached state, setting requestType to type from window
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Matching state found for request
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Obtained state from response
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Info ProcessCallBack has been called. Processing callback from redirect response
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose SaveTokenFromHash has been called
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Info State status: true; Request type: RENEW_TOKEN
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Server returns success
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Info State is right
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Info Fragment has access token
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose No idToken on fragment, getting idToken from cache
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose PopulateAuthority has been called
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Got authority from cache
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Fragment has clientInfo
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Account object created from response
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose AccountKey set
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose AcquireTokenAccountKey generated
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Status set to complete, temporary cache cleared
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Acquiring token interactive in progress
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Response tokenType set to access_token
AuthenticationUtils.ts:50 Fri, 15 Jan 2021 03:00:22 GMT:1.4.4-Verbose Calling callback provided to processCallback

remns commented 3 years ago

Hi, are there any updates on this issue?

jo-arroyo commented 3 years ago

@remns Thanks for the information. We are still waiting for an update from the B2C team regarding the issue. We would recommend upgrading to the MSAL 2.x library, as there is multiple account support, as well as a wrapper library for React currently in preview.

github-actions[bot] commented 3 years ago

This issue has not seen activity in 14 days. It will be closed in 7 days if it remains stale.

0lukasz0 commented 3 years ago

I have the same issue, using two external providers (all 3 providers are Azure AD B2C instances). It may be related to dropping the login_hint parameter on redirecting to the external provider - just my guess.

github-actions[bot] commented 3 years ago

This issue has not seen activity in 14 days. It will be closed in 7 days if it remains stale.

tnorling commented 3 years ago

@0lukasz0 Yes, this is likely the root cause. Unfortunately, we don't own the service so we cannot make the required changes. I would recommend opening a ticket with the B2C service team so they can take a look. Instructions on how to reach them directly can be found here

remns commented 3 years ago

@jo-arroyo I've taken your suggestion to use msal2, however the behaviour still doesn't work. I have the login hint set to UserA, but UserB's idtoken & access token are still being returned by acquiretokensilent(). Attempting to call acquiretokenredirect() with loginhint=UserA does not help either.

Is there any way to ensure that I will only get UserA's token?
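One way to approach the question above, as an added example that is not code from any participant in this thread: check the result of acquireTokenSilent against the account that was requested and reject a cross-user token rather than use it. It assumes the msal 2.x AccountInfo fields homeAccountId and localAccountId and the oid/sub claims of a B2C/AAD access token; decodeJwtPayload and makeDemoToken are helpers written for this example.

```javascript
// Added example (not code from this thread): refuse to use an acquireTokenSilent
// result whose access token was minted for someone other than the requested
// account. Assumptions: the access token carries "oid" (or "sub"), and the
// msal 2.x AccountInfo passed in has "homeAccountId" and "localAccountId".
// Decoding here is only for claim matching, not signature validation.

function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const json = typeof Buffer !== "undefined"
    ? Buffer.from(b64, "base64").toString("utf8")
    : atob(b64); // browser fallback
  return JSON.parse(json);
}

// True only if the token's subject identifier is the requested account's.
function tokenMatchesAccount(accessToken, account) {
  const claims = decodeJwtPayload(accessToken);
  const subject = claims.oid || claims.sub;
  return Boolean(subject) && subject === account.localAccountId;
}

// Wraps acquireTokenSilent: throws on a cross-user result instead of
// handing the caller a token for the wrong user. Any object exposing
// acquireTokenSilent(request) can be passed in.
async function acquireTokenForAccount(msalInstance, request) {
  const result = await msalInstance.acquireTokenSilent(request);
  const returned = result.account;
  if (!returned || returned.homeAccountId !== request.account.homeAccountId) {
    throw new Error("acquireTokenSilent returned a different account than requested");
  }
  if (!tokenMatchesAccount(result.accessToken, request.account)) {
    throw new Error("access token subject does not match requested account");
  }
  return result;
}

// Constructed, unsigned token for local demonstration only; a real B2C
// token is signed and must be validated by the resource server.
function makeDemoToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}
```

A rejection from acquireTokenForAccount can be handled like an InteractionRequiredAuthError: fall back to an interactive request for the expected account instead of calling the API with the returned token.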

0lukasz0 commented 3 years ago

Hi, I changed from user flows to custom policies and managed to forward login_hint to external providers, but I still have the same erroneous behaviour. Moreover, I'm also sending the domain_hint parameter, and the access token I'm getting is not only associated with a different user but also comes from another identity provider than the one I asked for.

Right now I have the following workaround implemented for msalInstance.handleRedirectPromise:

// Inside the handler for msalInstance.handleRedirectPromise():
// currentLoginUserEmail is the user this app believes is signed in,
// tokenEmail is the email of the account the redirect just returned.
if (!!this.currentLoginUserEmail && this.currentLoginUserEmail !== tokenEmail) {
    if (window.confirm(`We have noticed you are trying to log in, but you are still logged-in as different user.\n\nDo you want to continue as ${this.currentLoginUserEmail}?`)) {
        // Force the account picker so the user can reselect the expected account
        return msalInstance.loginRedirect({
            ...GRAPH_REQUESTS.LOGIN,
            redirectUri: AppConsts.authorization.redirectUri,
            loginHint: this.currentLoginUserEmail,
            domainHint: domainHint,
            prompt: "select_account"
        }).catch(async error => {
            await this.handleAuthErrors(error);
        });
    }
}

prompt: "select_account" shows the user the account-selection page from Azure and lets them choose the correct account. Then I use const accountInfo = msalInstance.getAccountByUsername(userEmail); to pick the correct account.

I have a ticket open on the Azure issue tracker, but they are still investigating.

github-actions[bot] commented 3 years ago

This issue has not seen activity in 14 days. If your issue has not been resolved please leave a comment to keep this open. It will be closed in 7 days if it remains stale.

github-actions[bot] commented 3 years ago

This issue has been closed due to inactivity. If this has not been resolved please open a new issue. Thanks!