The ID for the cosmos cache entry is a random string instead of the account identifier when using AquireTokenOnBehalfOf [Bug]

Logs and Network traces Without logs or traces, it is unlikely that the team can investigate your issue. Capturing logs and network traces is described at https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/logging

Which Version of MSAL are you using ? Microsoft.Identity.Client 4.25.0

Platform .Net Framework 4.7.2

What authentication flow has the issue?

• Desktop / Mobile
  • Interactive
  • Integrated Windows Auth
  • Username Password
  • Device code flow (browserless)
• Web App
  • Authorization code
  • OBO
• Daemon App
  • Service to Service calls

Other? - please describe;

This is when adding msal to an existing app. Msal is not in production on the app currently.

Repro

var your = (code) => here;

Expected behavior AcquireTokenSilent successfully retrieves token from the cache.

Actual behavior When using AquireTokenByAuthorisationCode the id of the cosmos cache entry is the account identifier (objectId.tenantId). Then when I call AcquireTokenSilent the token is successfully retrieved from the cache.

However when using AquireTokenOnBehalfOf the id of the cosmos cache entry is (what looks like) a random string e.g. “JwCRE_PxyK4t2A76iuST6W_jewmNE-1epMH8yAXFPMg” or “DpUHeYQg5xT52Tdk62t_shU5m1Lm2BIVkbhQ6EtzucE”. The rest of the cache entry looks correct. Then when I call AcquireTokenSilent, the retrieval fails with “No Refresh Token found in the cache”, which makes sense since it is trying to use the account identifier to retrieve the token from the cache but that account identifier doesnt exist.

Possible Solution

Additional context/ Logs / Screenshots Add any other context about the problem here, such as logs and screebshots.