microsoft-identity-web
Non-distributed memory cache reuses old access token after logout/login
Microsoft.Identity.Web Library: Microsoft.Identity.Web
Microsoft.Identity.Web version: 1.25.0
Web app: Sign-in users and call web APIs
Web API: Protected web APIs (validating tokens)
Token cache serialization: In-memory caches
Description
Summary
When a memory cache is added via `builder.AddInMemoryTokenCaches()`, signing out of B2C and then in again uses the old cached access token. This does not happen when using `builder.AddDistributedTokenCaches()`.
Reproduction steps
1. Configure the web app to call a downstream API.
2. Log in and call the downstream API. An access token is acquired from B2C.
3. Log out, log in again, and call the downstream API. The access token is acquired from the cache.
Error message
None
Id Web logs
After step 2 above:

```
info: Microsoft.Identity.Web.TokenAcquisition[0]
      False MSAL 4.42.0.0 MSAL.NetCore .NET 6.0.7 Darwin 21.6.0 Darwin Kernel Version 21.6.0: ...
      Fetched access token from host xxx.b2clogin.com.
```

After step 3 above:

```
info: Microsoft.Identity.Web.TokenAcquisition[0]
      False MSAL 4.42.0.0 MSAL.NetCore .NET 6.0.7 Darwin 21.6.0 Darwin Kernel Version 21.6.0: ...
      Access token is not expired. Returning the found cache entry.
```
Relevant code snippets
```csharp
// Fragment of ConfigureServices; needs
// `using Microsoft.AspNetCore.Authentication.OpenIdConnect;` and `using Microsoft.Identity.Web;`.
services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    // B2CConstants.AzureADB2CSectionName is the app's own constant naming the B2C configuration section.
    .AddMicrosoftIdentityWebApp(
        configuration.GetSection(B2CConstants.AzureADB2CSectionName),
        subscribeToOpenIdConnectMiddlewareDiagnosticsEvents: true
    )
    // Lets the web app acquire access tokens for the downstream API.
    .EnableTokenAcquisitionToCallDownstreamApi()
    // The cache under test; AddDistributedTokenCaches() does not show the problem.
    .AddInMemoryTokenCaches();
```
Regression
none
Expected behavior
After logout and subsequent login, the access token should be requested from B2C.
Observations
- The distributed in-memory cache works as expected.
- Adding breakpoints in class `MsalMemoryTokenCacheProvider` reveals:
  - the methods to add tokens and read tokens are never called
  - `RemoveKeyAsync` is called, but `_memoryCache` is empty
- It's as though a different instance of `MsalMemoryTokenCacheProvider` is used to store and retrieve tokens to the one that is called to remove tokens in the `OnRedirectToIdentityProviderForSignOut` event.
- Adding breakpoints in class `MsalDistributedTokenCacheAdapter` reveals that all operations are performed as expected.
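An added illustration, not the reporter's code and not Microsoft.Identity.Web's: a toy token cache, a fake identity provider and a web app in Python that run the login / logout / login sequence from the reproduction steps and count identity-provider round-trips. The `TokenCache`, `FakeIdentityProvider` and `WebApp` names are invented for the example, and the instance-mismatch wiring in the second scenario only models the hypothesis stated in the observations above (sign-out clearing a different cache instance than the one that stores tokens); it is not a confirmed root cause in the library.

```python
"""Illustrative model: a sign-out hook that clears a token cache only helps if it
runs against the same cache instance that stores the tokens. Standalone example,
not Microsoft.Identity.Web code."""
from typing import Callable, Dict, Optional, Tuple


class TokenCache:
    """Minimal in-memory access-token cache keyed by account identifier."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def read(self, account: str) -> Optional[str]:
        return self._entries.get(account)

    def write(self, account: str, token: str) -> None:
        self._entries[account] = token

    def remove(self, account: str) -> None:
        # A remove on a cache that never held the key succeeds silently.
        self._entries.pop(account, None)

    def __len__(self) -> int:
        return len(self._entries)


class FakeIdentityProvider:
    """Stands in for the B2C tenant: every request yields a fresh, numbered token
    and is counted, so a test can tell a network round-trip from a cache hit."""

    def __init__(self) -> None:
        self.requests = 0

    def issue_token(self, account: str) -> str:
        self.requests += 1
        return f"token-{account}-{self.requests}"


class WebApp:
    """Token acquisition and sign-out each resolve their cache through a factory,
    so the scenarios below can hand them the same instance or different ones."""

    def __init__(self, idp: FakeIdentityProvider,
                 acquire_cache: Callable[[], TokenCache],
                 signout_cache: Callable[[], TokenCache]) -> None:
        self.idp = idp
        self.acquire_cache = acquire_cache
        self.signout_cache = signout_cache

    def call_downstream_api(self, account: str) -> str:
        """Return the cached token if present, otherwise fetch one from the IdP."""
        cache = self.acquire_cache()
        token = cache.read(account)
        if token is None:
            token = self.idp.issue_token(account)
            cache.write(account, token)
        return token

    def sign_out(self, account: str) -> None:
        """Models clearing the user's tokens in the sign-out redirect event."""
        self.signout_cache().remove(account)


def run_scenario(shared_instance: bool) -> Tuple[str, str, int]:
    """Log in, call the API, log out, log in, call the API again.
    Returns (first token, second token, number of IdP round-trips)."""
    idp = FakeIdentityProvider()
    store = TokenCache()
    if shared_instance:
        app = WebApp(idp, lambda: store, lambda: store)
    else:
        # Store/read use the long-lived instance, but sign-out gets a fresh, empty
        # one (the hypothesised mismatch): the remove is a no-op and the stale
        # token is served again on the next login.
        app = WebApp(idp, lambda: store, lambda: TokenCache())
    first = app.call_downstream_api("alice")
    app.sign_out("alice")
    second = app.call_downstream_api("alice")
    return first, second, idp.requests


if __name__ == "__main__":
    print("shared cache instance:     ", run_scenario(True))
    print("separate sign-out instance:", run_scenario(False))
```

The round-trip count is the same evidence the two log excerpts give ("Fetched access token from host" versus "Returning the found cache entry"): after a sign-out, the next login should cost exactly one more IdP round-trip, and a token string that survives the sign-out unchanged is the symptom reported here.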