AzureAD / microsoft-authentication-library-for-python

Microsoft Authentication Library (MSAL) for Python makes it easy to authenticate to Microsoft Entra ID. General docs are available at https://learn.microsoft.com/entra/msal/python/ and stable APIs are documented at https://msal-python.readthedocs.io. Questions can be asked on Stack Overflow with the tags "msal" and "python": https://stackoverflow.com/questions/tagged/azure-ad-msal+python

Feature Request: Removing app tokens #640

Closed rayluo closed 4 months ago

rayluo commented 6 months ago

Problem description: Historically, there is no API in MSAL to remove tokens obtained from AcquireTokenForClient(). Therefore, there is no way for an app to "log out" a service principal.

Proposal: MSALs add a new API ~~ConfidentialClientApplication.RemoveAppTokens()~~ `ConfidentialClientApplication.remove_tokens_for_client()`.

bgavrilMS commented 6 months ago

CC @jmprieur @localden @pmaytak @gladjohn @trwalke - let's discuss about this next time we meet.

localden commented 5 months ago

@rayluo @bgavrilMS if the app tokens are purged and the user tokens are not, does it have any implications on the end-user experience?

We probably should spec this out.

rayluo commented 5 months ago

> @rayluo @bgavrilMS if the app tokens are purged and the user tokens are not, does it have any implications on the end-user experience?
>
> We probably should spec this out.

I believe app tokens and user tokens are independent of each other. This was also called out in the 3rd bullet point in this issue's description.

BTW, another GitHub issue came in yesterday which was actually on the same topic. I was proposing a different function name, `remove_tokens_for_client()`, there.

bgavrilMS commented 5 months ago

@localden - to remove user tokens, the pattern is

```csharp
// app is an IPublicClientApplication or IConfidentialClientApplication (MSAL.NET)
var accounts = await app.GetAccountsAsync();

foreach (var acc in accounts)
    await app.RemoveAsync(acc);
```

So the API is very much focused on the concept of "Account" which is a materialization of a user in a tenant. If you fetch app tokens, GetAccounts returns null.

To me it makes sense to not try to use the user token removal pattern for service principals, but would like to know your opinion.

localden commented 5 months ago

> @localden - to remove user tokens, the pattern is
>
> ```csharp
> // app is an IPublicClientApplication or IConfidentialClientApplication (MSAL.NET)
> var accounts = await app.GetAccountsAsync();
>
> foreach (var acc in accounts)
>     await app.RemoveAsync(acc);
> ```
>
> So the API is very much focused on the concept of "Account" which is a materialization of a user in a tenant. If you fetch app tokens, GetAccounts returns null.
>
> To me it makes sense to not try to use the user token removal pattern for service principals, but would like to know your opinion.

Makes sense to keep the user and app token patterns somewhat separate. If we treat "Account" as materialization of users and tenants, what is the same alternative for apps?

rayluo commented 5 months ago

> @localden - to remove user tokens, the pattern is
>
> ```csharp
> // app is an IPublicClientApplication or IConfidentialClientApplication (MSAL.NET)
> var accounts = await app.GetAccountsAsync();
>
> foreach (var acc in accounts)
>     await app.RemoveAsync(acc);
> ```
>
> So the API is very much focused on the concept of "Account" which is a materialization of a user in a tenant. If you fetch app tokens, GetAccounts returns null. To me it makes sense to not try to use the user token removal pattern for service principals, but would like to know your opinion.

> Makes sense to keep the user and app token patterns somewhat separate. If we treat "Account" as materialization of users and tenants, what is the same alternative for apps?

I think that "alternative" has long been implicitly established by its acquisition method's naming, AcquireTokenForClient(). So, they are "tokens for client", as opposed to "tokens for a user/account". That's also why I would suggest NOT bothering to invent a new concept/noun; we can just have a new API following the same naming pattern, `RemoveTokensForClient()`.
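To make the thread's point concrete, here is an added illustration (not MSAL's own implementation) of why the Account-based removal pattern cannot reach client-credential tokens, and what a `remove_tokens_for_client()`-style filter has to select on. It assumes the serialized MSAL token-cache layout shown, with constructed placeholder entries; the key names and values are samples, not real tokens.

```python
import json

# Constructed sample in the serialized MSAL token-cache layout (values are
# placeholders, not real tokens). Tokens from acquire_token_for_client()
# carry an empty home_account_id, so the Account-based removal pattern
# discussed in the thread never reaches them.
SAMPLE_CACHE = json.dumps({
    "AccessToken": {
        "app-token-key": {
            "credential_type": "AccessToken",
            "home_account_id": "",
            "client_id": "app-id",
            "target": "https://graph.microsoft.com/.default",
            "secret": "APP_TOKEN_PLACEHOLDER",
        },
        "user-token-key": {
            "credential_type": "AccessToken",
            "home_account_id": "uid.utid",
            "client_id": "app-id",
            "target": "User.Read",
            "secret": "USER_TOKEN_PLACEHOLDER",
        },
    },
    "Account": {
        "account-key": {
            "home_account_id": "uid.utid",
            "username": "alice@example.com",
        }
    },
})

def remove_tokens_for_client(cache_json: str, client_id: str) -> str:
    """Drop client-credential access tokens (those with no account) that
    belong to client_id; user tokens and Account entries stay untouched."""
    cache = json.loads(cache_json)
    cache["AccessToken"] = {
        key: tok for key, tok in cache.get("AccessToken", {}).items()
        if not (tok.get("client_id") == client_id and not tok.get("home_account_id"))
    }
    return json.dumps(cache)

def access_token_owners(cache_json: str) -> list:
    """home_account_id of each cached access token ('' marks an app token)."""
    return sorted(t["home_account_id"]
                  for t in json.loads(cache_json)["AccessToken"].values())

def list_accounts(cache_json: str) -> list:
    """Usernames of cached Account entries (app tokens never create one)."""
    return [a["username"] for a in json.loads(cache_json)["Account"].values()]
```

Running `remove_tokens_for_client(SAMPLE_CACHE, "app-id")` leaves only the user token and its Account entry, while a different client_id removes nothing.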