Cannot migrate ADALV3 cachetokens to MSALV3 when multiple resourceId's are used
Which version of MSAL are you using? MSAL 4.13.0, ADAL 5.2.7
Platform: .NET 4.7
What authentication flow has the issue?
- Desktop / Mobile
  - Interactive
  - Integrated Windows Auth
  - Username Password
  - Device code flow (browserless)
- Web App
  - Authorization code
  - OBO
- Web API
  - OBO
Is this a new or existing app? The app is in production, and I am working on upgrading from ADALV5 to MSALV4.
Repro: I have a confidential application which stores ADALV3 tokens in a custom SQL TokenCache storage. I try to upgrade to MSALV4, but I'm having issues migrating the stored ADALV3 tokens to MSALV3.
The ADALV3 cache contains 2 tokens for the same audience but different resourceIds, one for https://graph.microsoft.com and one for https://outlook.office.com.
I have this code to migrate the token:
```csharp
using Microsoft.Identity.Client;

// Registered via app.UserTokenCache.SetBeforeAccess(BeforeAccessNotification)
public void BeforeAccessNotification(TokenCacheNotificationArgs args)
{
    var state = GetFromSQL(); // byte[] blob persisted by the custom SQL token cache
    try
    {
        // new version
        args.TokenCache.DeserializeMsalV3(state, true);
    }
    catch
    {
        // old version, will be migrated to new version
        args.TokenCache.DeserializeAdalV3(state);
    }
}
```
This works without errors but when I retrieve an access token with this:
```csharp
var account = (await app.GetAccountsAsync()).FirstOrDefault();
if (account != null)
{
    var result = await app.AcquireTokenSilent(defaultScope, account)
        .ExecuteAsync();
}
```
Then I get this error:
MSAL.Desktop.4.13.0.0.MsalClientException: ErrorCode: invalid_adal_cache
Microsoft.Identity.Client.MsalClientException: The ADAL cache is invalid as it contains multiple refresh token entries for one user. Mitigation: Delete the ADAL cache. If you do not maintain an ADAL cache, this may be a bug in MSAL.
Expected behavior: A possible migration path of stored ADALV3 tokens to MSALV3 tokens.
Actual behavior: Error after the ADALV3 token is migrated to an MSALV3 token:
MSAL.Desktop.4.13.0.0.MsalClientException: ErrorCode: invalid_adal_cache
Microsoft.Identity.Client.MsalClientException: The ADAL cache is invalid as it contains multiple refresh token entries for one user. Mitigation: Delete the ADAL cache. If you do not maintain an ADAL cache, this may be a bug in MSAL.
Possible Solution: There is a GroupBy in MSAL on environment, which is actually audience. Maybe it should also take resourceId into account? Or maybe just pick the first refresh token that is found instead of throwing an exception?
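The following is an added example for readers of this issue, not code from the reporter or from MSAL.NET itself. It shows a migration-aware cache for an MSAL.NET confidential client that (a) records which serializer produced the stored blob instead of sniffing the format by catching exceptions, (b) writes the MSAL v3 blob back in the AfterAccess callback so a legacy ADAL v3 blob is replaced after the first successful acquisition, and (c) handles the `invalid_adal_cache` error from the logs above by applying the mitigation MSAL itself states, discarding the ADAL blob and letting the caller re-authenticate. The in-memory dictionary standing in for the SQL table, the `CacheRecord` type, the cache key and the placeholder client/tenant identifiers are assumptions of this example; whether a later MSAL release accepts ADAL caches with one refresh token per resourceId is not established by this page.

```csharp
// Added example (not from the issue or from MSAL.NET). Requires the
// Microsoft.Identity.Client NuGet package (MSAL 4.x). The dictionary store is a
// hypothetical stand-in for the reporter's SQL table and holds two fields per row.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public enum CacheFormat { AdalV3, MsalV3 }

// Stand-in for one SQL row: which serializer produced the blob, plus the blob.
public sealed class CacheRecord
{
    public CacheFormat Format;
    public byte[] Blob;
}

public sealed class MigratingTokenCache
{
    private readonly IDictionary<string, CacheRecord> _store; // hypothetical SQL stand-in
    private readonly string _key;                             // e.g. a per-user/tenant key

    public MigratingTokenCache(IDictionary<string, CacheRecord> store, string key)
    {
        _store = store;
        _key = key;
    }

    public void Attach(ITokenCache cache)
    {
        cache.SetBeforeAccess(BeforeAccess);
        cache.SetAfterAccess(AfterAccess);
    }

    private void BeforeAccess(TokenCacheNotificationArgs args)
    {
        if (!_store.TryGetValue(_key, out var record)) return;
        if (record.Format == CacheFormat.MsalV3)
        {
            args.TokenCache.DeserializeMsalV3(record.Blob, shouldClearExistingCache: true);
        }
        else
        {
            // Legacy blob written by ADAL: MSAL imports its entries once; the
            // AfterAccess write below then replaces it with an MSAL v3 blob.
            args.TokenCache.DeserializeAdalV3(record.Blob);
        }
    }

    private void AfterAccess(TokenCacheNotificationArgs args)
    {
        // Only persist when MSAL changed the in-memory cache (e.g. after an acquisition).
        if (!args.HasStateChanged) return;
        _store[_key] = new CacheRecord
        {
            Format = CacheFormat.MsalV3,
            Blob = args.TokenCache.SerializeMsalV3()
        };
    }

    // MSAL's stated mitigation for ErrorCode "invalid_adal_cache": delete the ADAL cache.
    public void Discard() => _store.Remove(_key);
}

public static class MigrationExample
{
    public static IConfidentialClientApplication Build(IDictionary<string, CacheRecord> store)
    {
        // Placeholder identifiers; replace with your own app registration.
        var app = ConfidentialClientApplicationBuilder.Create("<client-id>")
            .WithClientSecret("<client-secret>")
            .WithAuthority(AzureCloudInstance.AzurePublic, "<tenant-id>")
            .Build();
        new MigratingTokenCache(store, "cache-key").Attach(app.UserTokenCache);
        return app;
    }

    // Returns null when no cached account exists or the legacy cache was rejected;
    // the caller then runs a fresh interactive / OBO acquisition, after which
    // AfterAccess stores an MSAL v3 blob and the migration is complete.
    public static async Task<AuthenticationResult> AcquireSilentlyAsync(
        IConfidentialClientApplication app, MigratingTokenCache cache, string[] scopes)
    {
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        if (account == null) return null;
        try
        {
            return await app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalClientException ex) when (ex.ErrorCode == "invalid_adal_cache")
        {
            // ADAL blob holds more than one refresh token for this user (one per resourceId).
            cache.Discard();
            return null;
        }
    }
}
```

Storing the format beside the blob avoids the bare `catch` used in the issue, which would also mask unrelated deserialization failures; the `Discard()` path forces one re-authentication per affected user, which is the cost of the mitigation MSAL's error message prescribes.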
Created 3 years ago; 9 comments (4 by maintainers)
Top GitHub Comments
@bgavrilMS no, I have removed my clientid and secret from the zip before I uploaded it 😃 You can use your own app registrations to test it.
@HaroldH76 - is it safe to place a secret in the sample itself on GitHub? Are you using a test tenant with absolutely no access to protected resources? If not, please go to your app registration ASAP and revoke the secret. You can send me a new secret by email at bogavril at microsoft.com and I’ll share it with Jean-Marc and Jenny.