[Bug] AADSTS50020 error if signing out then into another tenant without restarting the app
Which version of MSAL are you using? MSAL 4.3.1
Platform: all
What authentication flow has the issue?
- Desktop / Mobile
- Interactive
Description
In UWP apps (possibly also in non-UWP), if you execute the following sequence, an AADSTS50020 is issued:
1. AcquireTokenInteractive() [user logs in successfully to CompanyA.com]
2. AcquireTokenSilent() [this is required for the bug to appear]
3. Log out (see code below)
4. AcquireTokenInteractive() [user tries to login into CompanyB.com]
The user should be able to log into CompanyB, however we get this error:
AADSTS50020: User account ‘[someemail]’ from identity provider ‘https://sts.windows.net/[some_guid]/’ does not exist in tenant ‘[some name]’ and cannot access the application ‘[some_guid]’(AppName) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Logout looks like this:
    // Remove every cached account until GetAccountsAsync() returns none.
    var accounts = await _graphApp.GetAccountsAsync();
    while (accounts.Any())
    {
        await _graphApp.RemoveAsync(accounts.FirstOrDefault());
        accounts = await _graphApp.GetAccountsAsync();
    }
Additional Information
- If you restart the app between steps 3 and 4, things work as expected (user can log into CompanyB).
- Adding .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs) to the app builder does not resolve the problem.
I have provided a sample app to demonstrate this problem. You must supply your own AppId.
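The four steps above, wired into one MSAL.NET routine that also records which tenant each sign-in actually landed in, as an added example (not the reporter's sample app or MSAL's own code). It assumes a placeholder AppId, a Microsoft Graph scope of User.Read (chosen because the report's client is named _graphApp), and WithDefaultRedirectUri() for a desktop host; a UWP app would register its own redirect URI instead. Catching MsalServiceException and checking for AADSTS50020 in the message is a diagnostic convenience, not a fix.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Reproduction harness for the sequence in the report:
// interactive -> silent -> sign out -> interactive with a second account.
public static class TenantSwitchRepro
{
    private const string ClientId = "<YOUR-APP-ID>";          // placeholder; supply your own AppId
    private static readonly string[] Scopes = { "User.Read" }; // assumed Graph scope

    public static IPublicClientApplication BuildApp() =>
        PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs) // setting the report says does not help
            .WithDefaultRedirectUri()                                 // assumed desktop redirect URI
            .Build();

    // Step 3 of the report: remove every cached account.
    public static async Task SignOutAllAsync(IPublicClientApplication app)
    {
        var accounts = await app.GetAccountsAsync();
        while (accounts.Any())
        {
            await app.RemoveAsync(accounts.First());
            accounts = await app.GetAccountsAsync();
        }
    }

    // Interactive sign-in that returns the tenant id of the account that authenticated,
    // so the caller can compare it with the tenant the user intended to sign into.
    public static async Task<string> SignInAndGetTenantAsync(IPublicClientApplication app)
    {
        try
        {
            var result = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
            return result.TenantId;
        }
        catch (MsalServiceException ex) when (ex.Message.Contains("AADSTS50020"))
        {
            // The symptom in the report: the second account was sent to the first account's tenant.
            Console.WriteLine($"Tenant mismatch (AADSTS50020): {ex.Message}");
            throw;
        }
    }

    public static async Task RunAsync()
    {
        var app = BuildApp();

        // Step 1: interactive sign-in with the CompanyA account.
        var first = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        Console.WriteLine($"Signed in to tenant {first.TenantId} as {first.Account.Username}");

        // Step 2: silent acquisition from the cache (required to trigger the bug per the report).
        var silent = await app.AcquireTokenSilent(Scopes, first.Account).ExecuteAsync();
        Console.WriteLine($"Silent token obtained, expires {silent.ExpiresOn:u}");

        // Step 3: sign out and confirm the cache is empty.
        await SignOutAllAsync(app);
        var remaining = (await app.GetAccountsAsync()).Count();
        Console.WriteLine($"Accounts remaining in cache: {remaining}");

        // Step 4: interactive sign-in with the CompanyB account; compare tenants.
        var secondTenant = await SignInAndGetTenantAsync(app);
        Console.WriteLine(secondTenant == first.TenantId
            ? "Second sign-in landed in the first tenant (unexpected if a different account was chosen)"
            : $"Second sign-in landed in tenant {secondTenant}");
    }
}
```

Run RunAsync() from your host's entry point; the printed tenant ids and the AADSTS50020 catch make it clear whether the second sign-in was routed to CompanyB or back to CompanyA, which is the observation this report hinges on.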
Issue Analytics
- Created 4 years ago
- Comments: 10 (5 by maintainers)
Top GitHub Comments
Yes, I updated shortly after it was released and everything works now 😃. I was able to incorporate it into a release (was originally planning on just relnoting the bug). Thanks very much for the quick turnaround on diagnosis, fix, and release.
FYI, I hit this same problem, looking forward to a release with the fix and will share results once I get to try it out. Glad this issue was filed as I had been spending time trying to debug – I assumed it was my fault as I was in the process of migrating from the older MSAL with explicit caches to the new builder model with implicit cache.