[Bug] Incorrect suggestedCache key for removeAsync(account) in confidential client apps #2643
Comments
closing as duplicate
Not sure if it is a duplicate. When a call to In any case, the fix is trivial, the key is account.HomeAccountId
@abhidnya13 and I synced off-line on this. It's not an exact duplicate but related.
Thx @jennyf19 - I'm a bit surprised that nobody using M.I.W. didn't complain about this, since
@bgavrilMS It does work. We get the account info from the httpContext for the currently signed-in user. @abhidnya13 and I were discussing the OBO use case, which doesn't remove an account because we don't have a cache key, but rather rely on eviction policies from the cache itself. How does oid_tid get into the httpContext? It's because we call the user info endpoint, which gives that info, which is needed for guest scenarios.
Ah, it works because you call https://github.com/AzureAD/microsoft-identity-web/blob/b106d9a9250522d0bf9ed0e78e0e3dbd376d8170/src/Microsoft.Identity.Web/TokenAcquisition.cs#L515 Got it.
`RemoveAsync(account)` in confidential client apps returns an empty cache key. The cache key, I think, should be `home_account_id`.
Reference:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/master/src/client/Microsoft.Identity.Client/Cache/SuggestedWebCacheKeyFactory.cs#L23-L26