[Bug] Incorrect suggestedCache key for removeAsync(account) in confidential client apps

[abhidnya13]

RemoveAsync(account) in confidential client apps returns an empty cache key.

The cache key, I think should be home_accout_id

Reference:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/master/src/client/Microsoft.Identity.Client/Cache/SuggestedWebCacheKeyFactory.cs#L23-L26

[jennyf19]

closing as duplicate

[bgavrilMS]

Not sure if it is a duplicate. When a call to RemoveAccount is made, MSAL does not generate any suggested_cacke_key so we're unable to load the cache at all. So this affects Web app scenarios, not just web api calls downstream web api.

In any case, the fix is trivial, the key is account.HomeAccountId

[jennyf19]

@abhidnya13 and I synced off-line on this. It's not an exact duplicate but related.

[bgavrilMS]

Thx @jennyf19 - I'm a bit surprised that nobody using M.I.W. didn't complain about this, since TokenAcquisition.RemoveAccountAsync is broken. I guess ppl don't call this too often since it doesn't affect cookie state?

https://github.com/AzureAD/microsoft-identity-web/blob/b106d9a9250522d0bf9ed0e78e0e3dbd376d8170/src/Microsoft.Identity.Web/TokenAcquisition.cs#L514

[jennyf19]

@bgavrilMS It does work. We get the account info from the httpContext for the currently signed-in user. @abhidnya13 and i were discussing the OBO use case, which doesn't remove an account because we don't have a cache key, but rather rely on eviction policies from the cache itself.

How does oid_tid get into the httpContext? It's because we call the user info endpoint, which gives that info, which is needed for guest scenarios.

[bgavrilMS]

Ah, it works because you call https://github.com/AzureAD/microsoft-identity-web/blob/b106d9a9250522d0bf9ed0e78e0e3dbd376d8170/src/Microsoft.Identity.Web/TokenAcquisition.cs#L515

Got it.