ProfileEdit no logout
Core Library
MSAL.js v2 (@azure/msal-browser)
Core Library Version
2.20.0
Wrapper Library
MSAL Angular (@azure/msal-angular)
Wrapper Library Version
2.0.6
Description
I have tried implementing the Profile Edit flow from Azure AD B2C: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/samples/msal-angular-v2-samples/angular11-b2c-sample/src/app/app.component.ts.
I would like not to let my users log in and out, and instead do a UI refresh by setting the active account. Therefore I have changed the implementation when subscribing to msalSubject$ to:
this.msalBroadcastService.msalSubject$
  .pipe(
    filter((msg: EventMessage) => msg.eventType === EventType.LOGIN_SUCCESS || msg.eventType === EventType.ACQUIRE_TOKEN_SUCCESS),
    takeUntil(this._destroying$)
  )
  .subscribe((msg: EventMessage) => {
    const payload: Payload = <AuthenticationResult>msg.payload;
    if (payload.idTokenClaims.acr === b2cPolicies.names.editProfile) {
      const all = this.authService.instance.getAllAccounts();
      if (all.length === 0) {
        return null;
      }
      let latest = all[0];
      all.forEach((element) => {
        if (element.idTokenClaims["exp"] > latest.idTokenClaims["exp"]) {
          latest = element;
        }
      });
      this.authService.instance.setActiveAccount(latest);
    }
    return msg;
  });
After editing the profile I have two entries in local storage, one from my signin signup flow and one from my profile edit flow. I would expect the token MsalInterceptor uses for auth to use the token of the account I have set. However, as I read the code the MsalInterceptor calls getActiveAccount https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-angular/src/msal.interceptor.ts#L52 and getActiveAccount asks the BrowserCacheManager which uses the local storage https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/7dd8b323288fcbae97e8f7a34de8a9888cab4934/lib/msal-browser/src/cache/BrowserCacheManager.ts#L401. The active account key in local storage has a fixed value, something along the lines of msal.{clientId}.active-account https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/7dd8b323288fcbae97e8f7a34de8a9888cab4934/lib/msal-browser/src/cache/BrowserCacheManager.ts#L688. The value of this key is the localAccountId of the account I have both signed in with, and edited.
When I call my backend I can see that even though I have set my active account to be the new edited profile account, I’m still sending with the old account. Maybe the behavior of getActiveAccount doesn’t accommodate two accounts with the same localAccountId but from different authorities?
I couldn’t find documentation on this anywhere. Is it good practice to let the user log out after editing their profile?
Error Message
None of help.
Msal Logs
No response
MSAL Configuration
export function MSALInstanceFactory(): IPublicClientApplication {
  return new PublicClientApplication({
    auth: {
      clientId: '46e5ada6-cb9e-4bd8-8644-4b6971080ede',
      authority: b2cPolicies.authorities.signUpSignIn.authority,
      redirectUri: '/',
      postLogoutRedirectUri: '/',
      navigateToLoginRequestUrl: true,
      knownAuthorities: [b2cPolicies.authorityDomain],
    },
    cache: {
      cacheLocation: BrowserCacheLocation.LocalStorage,
    },
    system: {
      loggerOptions: {
        loggerCallback,
        logLevel: LogLevel.Verbose,
        piiLoggingEnabled: false,
      },
    },
  });
}
Relevant Code Snippets
Look in the description
Reproduction Steps
- Add a Profile Edit flow
- Sign in
- After finishing edit flow, pipe on msalSubject$ where we filter for msg.eventType === EventType.LOGIN_SUCCESS || msg.eventType === EventType.ACQUIRE_TOKEN_SUCCESS.
- When the acr is the name of your edit profile flow, set the active profile to be the latest of profiles.
- MsalInterceptor does not use the correct token, but the signin signup token
Expected Behavior
Use the token of the account I have set as active by calling setActiveAccount.
Identity Provider
Azure B2C Custom Policy
Browsers Affected (Select all that apply)
Firefox
Regression
No response
Source
External (Customer)
Issue Analytics
- State:
- Created 2 years ago
- Comments:20 (9 by maintainers)
Top GitHub Comments
@julian-code @ranzolinrafa @davidspiess @deryost @francesconi Thank you for your patience. This issue was addressed in PR #5004, and was released with @azure/msal-browser@2.28.0. Please upgrade to the newest version of msal-browser to access this fix. This issue will now be closed. Please open a new issue if you encounter further problems.

@ranzolinrafa Yes, this issue will stay open and updated with progress of the fix.
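The collision described in the issue, as a simplified model added here (not MSAL's code and not part of the original thread): when the active-account marker holds only localAccountId, the first cached entry with that id is returned, so the sign-in account shadows the profile-edit one. The second store shows one way to disambiguate by also matching on homeAccountId; it is an illustration, not a description of PR #5004. The class names, policy names and ids are constructed, and the policy-qualified homeAccountId format is an assumption.

```typescript
// Simplified model of an account cache; NOT MSAL's implementation.
interface Account {
  homeAccountId: string;  // assumed to include the B2C policy name
  localAccountId: string; // the user's object id, identical across policies
  policy: string;
}
interface ActiveAccountStore {
  setActiveAccount(a: Account): void;
  getActiveAccount(): Account | null;
}

// Constructed sample data: one user, two cache entries (sign-in, then profile edit).
const OID = "00000000-0000-0000-0000-000000000001";
const TENANT = "11111111-1111-1111-1111-111111111111";
const signInAccount: Account = { homeAccountId: `${OID}-b2c_1_susi.${TENANT}`, localAccountId: OID, policy: "b2c_1_susi" };
const editedAccount: Account = { homeAccountId: `${OID}-b2c_1_edit_profile.${TENANT}`, localAccountId: OID, policy: "b2c_1_edit_profile" };
const cachedAccounts: Account[] = [signInAccount, editedAccount];

// Behaviour described in the issue: only localAccountId is persisted as the marker.
class LocalIdOnlyStore implements ActiveAccountStore {
  private active: string | null = null;
  setActiveAccount(a: Account): void { this.active = a.localAccountId; }
  getActiveAccount(): Account | null {
    // First match wins, so the older sign-in entry shadows the edited one.
    return cachedAccounts.find(a => a.localAccountId === this.active) ?? null;
  }
}

// Disambiguated marker: persist homeAccountId as well and match on both fields.
class HomeAndLocalIdStore implements ActiveAccountStore {
  private active: { homeAccountId: string; localAccountId: string } | null = null;
  setActiveAccount(a: Account): void {
    this.active = { homeAccountId: a.homeAccountId, localAccountId: a.localAccountId };
  }
  getActiveAccount(): Account | null {
    const f = this.active;
    if (f === null) return null;
    return cachedAccounts.find(
      a => a.homeAccountId === f.homeAccountId && a.localAccountId === f.localAccountId) ?? null;
  }
}

// The caller selects the profile-edit account, then reads back the active one.
function activePolicyAfterEdit(store: ActiveAccountStore): string | null {
  store.setActiveAccount(editedAccount);
  return store.getActiveAccount()?.policy ?? null;
}

console.log(activePolicyAfterEdit(new LocalIdOnlyStore()));    // b2c_1_susi
console.log(activePolicyAfterEdit(new HomeAndLocalIdStore())); // b2c_1_edit_profile
```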