ClientAuthError: multiple_matching_tokens error when cache kept more than 2 users

Core Library

MSAL Node (@azure/msal-node)

Core Library Version

1.5.0

Wrapper Library

Not Applicable

Wrapper Library Version

None

Description

When using a “singleton instance of confidentialClientApplication” we have found the “case that in cache there is two accounts, third account try to make first time a OBO and we get multiple_matching_tokens error.”

Originally posted by @CrazyBaran in https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4158#issuecomment-944152234

With my team, we have found exactly the same issue… Maybe important to say that the cache has exactly 12 items when it happens.

@sameerag We are wondering if the potential solution is still alive, for it seems recently to be more or less without activity: https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/4081

And by the way, the only quick workaround we’ve found so far is to always clear the cache XD Have you by chance found another one @CrazyBaran ?

MSAL Configuration

const config: Configuration = {
  auth: {
    clientId: 'our clientId',
    authority: 'https://login.microsoftonline.com/our tenantId',
    clientSecret: 'our clientSecret',
  },
};
this.cca = new ConfidentialClientApplication(config);

Relevant Code Snippets

const cachedAccount: AccountInfo = await this.cca
      .getTokenCache()
      .getAccountByLocalId((jwtDecode(token) as UserPayload).oid);
    if (cachedAccount?.localAccountId) {
      return await this.cca.acquireTokenSilent({
        account: cachedAccount,
        scopes: ['https://vault.azure.net/.default'],
        authority: 'https://login.microsoftonline.com/our tenantId',
      });
    }
	return this.cca.acquireTokenOnBehalfOf({
      oboAssertion: token.split(' ').pop(),
      scopes,
      authority: 'https://login.microsoftonline.com/our tenantId',
    });

Identity Provider

Azure AD / MSA

Source

External (Customer)