microsoft-authentication-library-for-android

No cached accounts found for the supplied homeAccountId and clientId

Open kuladeepu-pillaappalasurya-by opened this issue 3 years ago • 3 comments

Bug description: When acquiring a token silently in an Android app (development mode), we are getting the issue "No cached accounts found for the supplied homeAccountId and clientId", although with the same set of configurations we are able to acquire a token interactively.

Smartphone (please complete the following information):

  • Device: Emulator(Nexus 5X)
  • Android Version: [API Level - 29]
  • Browser [Chrome]
  • MSAL Version 2.2.3

trace

    2022-03-04 18:48:39.032 15558-15600/<app-bundleId> W/MsalOAuth2TokenCache:getAccount:  [2022-03-04 13:18:39 - thread_name : pool-1-thread-3, correlation_id : UNSET] No matching account found. Android 29
    2022-03-04 18:48:39.067 15558-15600/<app-bundleId> W/SilentTokenCommandParameters:  [2022-03-04 13:18:39 - thread_name : pool-4-thread-1, correlation_id : xxxx] The account set on silent operation parameters is NULL. Android 29
    2022-03-04 18:48:39.115 15558-15558/<app-bundleId> D/B2CModeFragment: Authentication failed: com.microsoft.identity.client.exception.MsalClientException: No cached accounts found for the supplied homeAccountId and clientId

Expected behavior: After acquiring a token interactively for the first time, the application should be able to refresh the token by acquiring a token silently.

Actual behavior: Acquiring a token silently throws the exception "No cached accounts found for the supplied homeAccountId and clientId".

Additional context

    mMultipleAccountApp.acquireTokenSilentAsync(getScopes(),
            selectedAccount,
            selectedAccount.getAuthority(),
            getAuthSilentCallback());

We are using the above code snippet to acquire the token silently.

    // Return the sought Account matching the supplied homeAccountId and realm, if applicable
    for (final AccountRecord account : allAccounts) {
        if (homeAccountId.equals(account.getHomeAccountId())
                && (null == realm || realm.equals(account.getRealm()))) {
            return account;
        }
    }

While debugging, we found that the above snippet of code from MsalOAuth2TokenCache.java tries to compare the realm with the account-level realm, which in our case belong to the B2C tenantId and the IdP tenantId, and these would always be different for us.

Hi @kuladeepu-pillaappalasurya-by

May I ask how you load the account object? I'm assuming you're using


    /**
     * Returns the AccountRecord matching the supplied criteria.
     *
     * @param environment   The environment to which the sought AccountRecord is associated.
     * @param clientId      The clientId to which the sought AccountRecord is associated.
     * @param homeAccountId The homeAccountId of the sought AccountRecord.
     * @param realm         The tenant id of the targeted account (if applicable).
     * @return The sought AccountRecord or null if it cannot be found.
     */
    public abstract AccountRecord getAccount(final String environment,
                                             final String clientId,
                                             final String homeAccountId,
                                             final String realm
    );

If so, what realm are you using, and what is the value you're seeing in the cache?

It would really be helpful if you can wire up MSAL logs (+ set log level to verbose and enable PII). Repro the issue and forward the logs to [email protected].

Thanks, Dome

rpdome, Mar 16 '22 19:03

Hi, thanks for the reply.

We are using the following SDK method to silently log in in B2C mode:

    void acquireTokenSilentAsync(@NonNull final AcquireTokenSilentParameters acquireTokenSilentParameters);

not the below-mentioned method for getting the account:

    public abstract AccountRecord getAccount(final String environment,
                                             final String clientId,
                                             final String homeAccountId,
                                             final String realm
    );

We already tried the sample application with our credentials; we are able to log in successfully but get the same error for silent login only.

We have sent the logs to [email protected].

Thanks

Do we have any updates on this? @wainaina @rpdome We have already shared the logs through email.

vishal-pachori-by, May 05 '22 06:05

Hey @negoe, @wainaina, @rpdome, any update on this issue? This has been pending for a long time and we are still waiting for a resolution.

anubhab-mishra-by, Mar 03 '23 09:03

When you acquire a token interactively for the first time, MSAL caches the account information locally on the device. When you subsequently try to acquire a token silently, MSAL looks for the cached account based on the home account ID and client ID provided in the parameters.

In your case, it seems that the cached account is not being found when you try to acquire the token silently. One possible reason for this could be that the cached account has expired or has been removed from the cache due to some other reason.

To resolve this issue, you can try the following steps:

  • Ensure that the home account ID and client ID provided in the parameters are correct and match the ones used during the interactive token acquisition.
  • Check if the cached account has expired or has been removed from the cache. You can do this by checking the expiration time of the cached token and comparing it with the current time. You can also try to clear the cache and acquire a new token interactively to refresh the cached account information.
  • Make sure that the realm information provided in the parameters matches the realm information associated with the cached account. If the realm information is different, MSAL may not be able to find the cached account and will throw the exception you are seeing.

negoe, Apr 14 '23 22:04
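
The realm comparison described in the original report and in the last reply, as an added Java example (not MSAL code and not written by anyone in this thread): it applies the quoted matching rule to an in-memory list and reports whether a miss comes from an unknown homeAccountId or from a realm mismatch. `AccountRecord` here is a hypothetical stand-in, `diagnose` is a hypothetical helper, all ids are constructed, and records require Java 16+.

```java
import java.util.ArrayList;
import java.util.List;

public class RealmMismatchDiagnosis {

    // Hypothetical stand-in for MSAL's AccountRecord; only the fields the quoted loop reads.
    record AccountRecord(String homeAccountId, String realm) {}

    // The matching rule from the quoted loop, applied to a single record.
    static boolean matches(AccountRecord a, String homeAccountId, String realm) {
        return homeAccountId.equals(a.homeAccountId())
                && (null == realm || realm.equals(a.realm()));
    }

    // Explains a lookup: hit, unknown homeAccountId, or homeAccountId cached under other realms.
    static String diagnose(List<AccountRecord> cache, String homeAccountId, String realm) {
        final List<String> realmsForId = new ArrayList<>();
        for (final AccountRecord a : cache) {
            if (matches(a, homeAccountId, realm)) {
                return "HIT realm=" + a.realm();
            }
            if (homeAccountId.equals(a.homeAccountId())) {
                realmsForId.add(a.realm());
            }
        }
        if (realmsForId.isEmpty()) {
            return "MISS homeAccountId not in cache";
        }
        return "MISS realm mismatch: requested=" + realm + " cached=" + realmsForId;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real identifiers.
        final String id = "user-0001.b2c-tenant-0001";
        final List<AccountRecord> cache = List.of(new AccountRecord(id, "b2c-tenant-0001"));

        System.out.println(diagnose(cache, id, "b2c-tenant-0001"));           // realm equals cached realm
        System.out.println(diagnose(cache, id, "idp-tenant-0002"));           // realm from another tenant
        System.out.println(diagnose(cache, id, null));                        // null realm skips the check
        System.out.println(diagnose(cache, "user-0002.b2c-tenant-0001", null)); // id never cached
    }
}
```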