[Bug] "offline_access" "openid" scope causes token cache misses

See original GitHub issue

Which version of MSAL are you using? Microsoft Identity 4.7.1

Platform Xamarin.Forms on iOS and Android

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive
    • Integrated Windows Auth
    • Username Password
    • Device code flow (browserless)

Other? - AcquireTokenSilent

Is this a new or existing app? This is a new app.

Repro: Log in to AD B2C with email credentials. Create a loop that calls AcquireTokenSilent repeatedly. Notice that a new access token is returned every time, even though it is not close to expiring.

        // Silent acquisition with the configured scope set (which includes the OIDC
        // scopes "openid" and "offline_access" alongside the API scopes).
        public async Task<UserContext> AcquireAccessToken()
        {
            IEnumerable<IAccount> accounts = await PCA.GetAccountsAsync();

            // Expected to be served from the token cache while the cached access token is still valid.
            AuthenticationResult authResult = await PCA.AcquireTokenSilent(_configuration.Scopes, GetAccountByPolicy(accounts, _configuration.PolicySignUpIn))
               .WithB2CAuthority(_configuration.AuthoritySignInUp)
               .ExecuteAsync();

            var newContext = UpdateUserInfo(authResult);

            AccessToken = newContext.AccessToken;
            // Logging the token shows a different value on every iteration of the repro loop.
            Debug.WriteLine($"Access token is {newContext.AccessToken}");

            return newContext;
        }

Expected behavior: I expected that the access token would be pulled from cache and not refreshed.

Actual behavior: Access token is refreshed every time, even when it doesn’t need to be.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:7 (4 by maintainers)

Top GitHub Comments

1 reaction
henrik-me commented, Jan 6, 2020

As per internal discussion seems like we have to improve the cache lookup filtering out OIDC scopes? I don’t think we should ask people to do anything we should be able to filter correctly and do appropriate cache lookup.

1 reaction
bgavrilMS commented, Jan 6, 2020

Yeah, I think this is the problem. MSAL requests offline_access but ESTS when it responds does not add offline_access to the response (mind you, it does give you a refresh token). This causes a problem in the token cache.

@jmprieur @henrik-me, @shoatman - I think we can make a small fix for this in MSAL, i.e. if the developer asks for offline_access, do not use this scope to look in the cache. Alternatively, we can ban people from explicitly asking for offline_access, but that is more intrusive.
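The mechanism both comments describe, and the repro loop from the issue body, modelled in an added example that is not MSAL's code: the cache lookup keys on the scope set, the token endpoint returns a refresh token but does not echo "offline_access" in the response scopes, so a lookup using the raw requested scopes never finds the entry it just stored. The fix proposed above (drop the OIDC scopes before matching) is shown side by side with the naive lookup. The superset-match rule, the 5-minute expiry buffer, the fake endpoint, and all client, account, authority and scope values are assumptions constructed for the demo.

```python
"""Model of scope-based access-token cache matching (constructed example, not MSAL)."""
import time
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# OIDC scopes the library requests on the caller's behalf. The token endpoint
# grants a refresh token for "offline_access" but does not list it in the
# "scope" field of its response (the behaviour described in the comments).
OIDC_RESERVED_SCOPES: FrozenSet[str] = frozenset({"openid", "offline_access", "profile"})


@dataclass
class CachedAccessToken:
    client_id: str
    account_id: str
    authority: str
    scopes: FrozenSet[str]  # scopes as echoed by the token endpoint, not as requested
    token: str
    expires_on: float


class FakeTokenEndpoint:
    """Assumed endpoint: every redemption mints a new token and drops offline_access."""

    def __init__(self) -> None:
        self.calls = 0

    def redeem(self, requested: Iterable[str]) -> Tuple[FrozenSet[str], str, float]:
        self.calls += 1
        granted = frozenset(s for s in requested if s != "offline_access")
        return granted, f"AT-{self.calls}", time.time() + 3600


class TokenCache:
    """Assumed lookup rule: cached scopes must be a superset of the requested ones."""

    def __init__(self, filter_oidc_scopes: bool) -> None:
        self.filter_oidc_scopes = filter_oidc_scopes
        self.entries: List[CachedAccessToken] = []

    def _key(self, scopes: Iterable[str]) -> FrozenSet[str]:
        s = frozenset(scopes)
        return s - OIDC_RESERVED_SCOPES if self.filter_oidc_scopes else s

    def find(self, client_id: str, account_id: str, authority: str,
             requested: Iterable[str], now: float) -> Optional[CachedAccessToken]:
        wanted = self._key(requested)
        for e in self.entries:
            if (e.client_id, e.account_id, e.authority) != (client_id, account_id, authority):
                continue
            if e.expires_on - now < 300:  # assumed 5-minute expiry buffer
                continue
            if wanted <= self._key(e.scopes):
                return e
        return None

    def save(self, entry: CachedAccessToken) -> None:
        self.entries.append(entry)


def acquire_token_silent(cache: TokenCache, endpoint: FakeTokenEndpoint, client_id: str,
                         account_id: str, authority: str, scopes: List[str]) -> Tuple[str, bool]:
    """Return (token, served_from_cache); redeem and store on a miss."""
    now = time.time()
    hit = cache.find(client_id, account_id, authority, scopes, now)
    if hit is not None:
        return hit.token, True
    granted, token, expires_on = endpoint.redeem(scopes)
    cache.save(CachedAccessToken(client_id, account_id, authority, granted, token, expires_on))
    return token, False


def run_repro(filter_oidc_scopes: bool, iterations: int = 5) -> Tuple[int, List[bool]]:
    """Replay the issue's loop; return (endpoint round-trips, per-call cache-hit flags)."""
    endpoint = FakeTokenEndpoint()
    cache = TokenCache(filter_oidc_scopes)
    scopes = ["openid", "offline_access", "https://contoso.example/api/read"]  # constructed
    hits = [acquire_token_silent(cache, endpoint, "client-1", "user-1",
                                 "https://login.example/b2c_1_signupsignin", scopes)[1]
            for _ in range(iterations)]
    return endpoint.calls, hits


if __name__ == "__main__":
    print("raw scope match:     ", run_repro(filter_oidc_scopes=False))
    print("OIDC scopes filtered:", run_repro(filter_oidc_scopes=True))
```

With the raw match every iteration goes back to the endpoint because the stored entry lacks "offline_access"; with the reserved scopes stripped from both sides of the comparison the first call populates the cache and the rest are served from it. The same fix applies whichever OIDC scopes the developer passes explicitly, which is why filtering in the lookup is less intrusive than rejecting the scopes at the API surface.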

Read more comments on GitHub >

Top Results From Across the Web

  • AcquireTokenSilently with empty scope causes AT cache ...
    Run AcquireTokenByXXX to acquire token for an empty scope (scope= ""); Use same client app to acquire token silently with same parameters.
  • Scope "offline_access" isn't being returned in the token ...
    The offline_access scope is used to request for Refresh Token and is never returned as a scope because it cannot be a part...
  • c# - IDX21323 OpenIdConnectProtocolValidationContext. ...
    In my case the cause was clicking the browser's back button after login. This causes the cached NONCE to be used which then...
  • Managing tokens for Zero Trust
    MSAL automatically caches tokens but the tokens have lifetimes. Use tokens through the full length of their lifetimes and appropriately cache ...
  • Duende BFF unauthorized client error when calling Identity ...
    Found the issue. I was registering the named http client as AddClientAccessTokenHttpClient services.
