
Cache not used for getting token if scopes are empty

Open ram-gupta opened this issue 1 year ago • 2 comments

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

2.30.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

1.4.9

Public or Confidential Client?

Public

Description

With the code snippet below:

import { useAccount, useMsal } from '@azure/msal-react';

const { instance, accounts } = useMsal();
const account = useAccount(accounts[0]);

// Empty scope set: this is the request that fails scope validation
// before the cache is consulted.
const loginRequest = {
  scopes: []
};

let response = await instance.acquireTokenSilent({
  ...loginRequest,
  account
});

If no scopes are specified while getting the token, the cache is not looked up even though tokens are cached. This is due to the scope validation error at ScopeSet.ts#L77.

If scopes are mandatory, then it's better to fail acquireTokenSilent than to behave in an unexpected way and cause avoidable API requests to Azure AD. If scopes are not mandatory, then the cache should be used.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • [ ] Sent
  • [ ] Pending

MSAL Configuration

export const msalConfig = {
  auth: {
    clientId: <>,
    authority: 'https://login.microsoftonline.com/<>',
    redirectUri: <>
  },
  cache: {
    cacheLocation: 'localStorage',
    storeAuthStateInCookie: false
  }
};

Relevant Code Snippets

import { useAccount, useMsal } from '@azure/msal-react';

const { instance, accounts } = useMsal();
const account = useAccount(accounts[0]);

// Empty scope set: this is the request that fails scope validation
// before the cache is consulted.
const loginRequest = {
  scopes: []
};

let response = await instance.acquireTokenSilent({
  ...loginRequest,
  account
});

Reproduction Steps

  1. Use acquireTokenSilent to get token with empty scopes.

Expected Behavior

Cache should be used even with empty scopes.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Edge

Regression

No response

Source

External (Customer)

ram-gupta avatar Mar 24 '24 10:03 ram-gupta

@ram-gupta Access tokens provide time-bound access to specific resources, aka scopes. It is by design that the tokens are cached based on scopes.

sameerag avatar Mar 25 '24 15:03 sameerag
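To make the behaviour discussed in the report and in the reply above concrete, here is an added example (not code from MSAL or from either participant): a simplified model of an access-token cache keyed by account and scope set, in which scopes are validated before any lookup and entries are matched on scopes. The class and function names, and the containment-based matching rule, are this model's own assumptions, not a description of MSAL internals.

```javascript
// Added example, not MSAL's own code: a simplified scope-keyed token cache.
// Scopes are validated before the cache is consulted and entries are matched
// on scopes, so a request with scopes: [] can never be served from cache.

// Trim, lower-case, de-duplicate and drop blank entries.
function normaliseScopes(scopes) {
  return [...new Set(scopes.map((s) => s.trim().toLowerCase()))].filter(Boolean);
}

// The check the reporter ran into: an empty or blank scope set is rejected
// up front, before any cache entry is examined.
function assertScopes(scopes) {
  if (!Array.isArray(scopes) || normaliseScopes(scopes).length === 0) {
    throw new Error("Scopes cannot be null or empty");
  }
}

class ScopedTokenCache {
  // `now` is injectable so expiry can be exercised deterministically.
  constructor(now = () => Date.now()) {
    this.entries = []; // { homeAccountId, scopes, accessToken, expiresOnMs }
    this.now = now;
  }

  store(homeAccountId, scopes, accessToken, expiresOnMs) {
    assertScopes(scopes);
    this.entries.push({ homeAccountId, scopes: normaliseScopes(scopes), accessToken, expiresOnMs });
  }

  // Returns an unexpired token for this account whose scope set covers every
  // requested scope (model assumption), or null when nothing matches and the
  // caller would have to go to the identity provider. Empty requests throw
  // before reaching the lookup; had they been allowed, every cached entry
  // would trivially "cover" the empty set and the answer would be meaningless.
  lookup(homeAccountId, scopes) {
    assertScopes(scopes);
    const wanted = normaliseScopes(scopes);
    const hit = this.entries.find(
      (e) => e.homeAccountId === homeAccountId &&
             e.expiresOnMs > this.now() &&
             wanted.every((s) => e.scopes.includes(s)),
    );
    return hit ? hit.accessToken : null;
  }
}
```

Running assertScopes on a request object before calling acquireTokenSilent gives the fail-fast behaviour the reporter asks for, instead of an avoidable round trip to the identity provider.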

@sameerag thanks for clarifying, that makes sense. So if no scopes are provided in the request, is it expected behaviour for tokens to be cached but not used from the cache? Is this behaviour documented? At least this behaviour wasn't obvious, and I spent a few hours digging through the msal-react code. If this is documented, then can you please share the link for reference?

ram-gupta avatar Mar 25 '24 15:03 ram-gupta