microsoft-identity-web

Non-distributed memory cache reuses old access token after logout/login

Open rollandjb opened this issue 1 year ago • 0 comments

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

1.25.0

Web app

Sign-in users and call web APIs

Web API

Protected web APIs (validating tokens)

Token cache serialization

In-memory caches

Description

Summary

When a memory cache is added via builder.AddInMemoryTokenCaches(), signing out of B2C and then signing in again uses the old cached access token. This does not happen when using builder.AddDistributedTokenCaches().

Reproduction steps

  1. Configure the web app to call a downstream API.

  2. Log in and call the downstream API.

     An access token is acquired from B2C.

  3. Log out, log in again, and call the downstream API.

     The access token is acquired from the cache.

Error message

None

Id Web logs

After step 2 above:

info: Microsoft.Identity.Web.TokenAcquisition[0]
        False MSAL 4.42.0.0 MSAL.NetCore .NET 6.0.7 Darwin 21.6.0 Darwin Kernel Version 21.6.0:  ...
        Fetched access token from host xxx.b2clogin.com.

After step 3 above:

info: Microsoft.Identity.Web.TokenAcquisition[0]
        False MSAL 4.42.0.0 MSAL.NetCore .NET 6.0.7 Darwin 21.6.0 Darwin Kernel Version 21.6.0:  ...
        Access token is not expired. Returning the found cache entry.

Relevant code snippets

services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(
        configuration.GetSection(B2CConstants.AzureADB2CSectionName),
        subscribeToOpenIdConnectMiddlewareDiagnosticsEvents: true)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddInMemoryTokenCaches();

Regression

none

Expected behavior

After logout and subsequent login, the access token should be requested from B2C.

Observations

The distributed in-memory cache works as expected.

Adding breakpoints in class MsalMemoryTokenCacheProvider reveals:

  • the methods to add tokens and read tokens are never called
  • RemoveKeyAsync is called, but _memoryCache is empty

It's as though a different instance of MsalMemoryTokenCacheProvider is used to store and retrieve tokens than the one that is called to remove tokens in the OnRedirectToIdentityProviderForSignOut event.

Adding breakpoints in class MsalDistributedTokenCacheAdapter reveals that all operations are performed as expected.

rollandjb, Aug 06 '22 08:08
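A defensive workaround for the behaviour described in this issue, added here as an example and not code from the issue or from the Microsoft.Identity.Web project: it wraps the OpenID Connect sign-out event and explicitly clears the signing-out user's entries through whichever IMsalTokenCacheProvider the container resolves, so a token from the previous session cannot be served after re-login even if the library's own removal hits a different provider instance. It assumes the extension is registered after AddMicrosoftIdentityWebApp (so it runs after the library's own configuration) and that ClaimsPrincipal.GetMsalAccountId() yields the MSAL home account id for the B2C user; the class and method names are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.TokenCacheProviders;

// Hypothetical helper (not part of the issue): clears the user's MSAL cache
// entry on sign-out in addition to whatever the library does itself.
public static class SignOutCacheHardening
{
    // Call after AddMicrosoftIdentityWebApp(...).AddInMemoryTokenCaches():
    //   services.ClearTokenCacheOnSignOut();
    public static IServiceCollection ClearTokenCacheOnSignOut(this IServiceCollection services)
    {
        services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.Events ??= new OpenIdConnectEvents();
            var inner = options.Events.OnRedirectToIdentityProviderForSignOut;

            options.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
            {
                // Keep the library's own sign-out handler in the chain.
                if (inner != null) await inner(ctx);

                var sp = ctx.HttpContext.RequestServices;
                var logger = sp.GetRequiredService<ILoggerFactory>().CreateLogger("SignOutCacheHardening");
                var cache = sp.GetRequiredService<IMsalTokenCacheProvider>();

                // MSAL keys user cache entries by home account id; the user is
                // still authenticated at this point, so derive it from the claims.
                string? homeAccountId = ctx.HttpContext.User.GetMsalAccountId();
                if (string.IsNullOrEmpty(homeAccountId))
                {
                    // Worth surfacing: a sign-out we could not map to a cache entry.
                    logger.LogWarning("Sign-out without a resolvable MSAL account id; cache not cleared.");
                    return;
                }

                await cache.ClearAsync(homeAccountId);
                logger.LogInformation("Cleared token cache for {HomeAccountId} via {Provider} on sign-out.",
                    homeAccountId, cache.GetType().Name);
            };
        });
        return services;
    }
}
```

The {Provider} field in the log line is the diagnostic you want for this issue: it shows which cache provider type the sign-out path actually resolved, which can be compared against the provider seen in the token acquisition logs above.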