acquireToken uses caching, despite documentation stating this method skips cache lookup #2197
Comments
Hi @roman-behul, a few questions to understand your use case better:
Hi @shahzaibj, let me add more context before answering your questions: We are implementing an LOB native mobile app (FE app), which is available via the work profile - Intune Company Portal. Our issue is that the returned token does not contain the correct nonce, because it seems that the token is returned from some cache. The acquireToken method should obtain the token in an interactive way (not silent). This is also mentioned in the documentation. So our IdP is Entra ID. Our users are defined there. (No federation in this use case.)
Issue Report: Unexpected Behavior with `acquireToken` Method in MSAL SDK

Describe the bug
Our app is in development. We are using MSAL SDK version `com.microsoft.identity.client:msal:5.1.0` to retrieve tokens via the `createSingleAccountPublicClientApplication` and `acquireToken` methods. We utilize the `withAuthorizationQueryStringParameters` method to add a nonce to the requested token. Our goal is to add a different nonce with each `acquireToken` call to prevent replay attacks. However, when the device has the Company Portal installed, the nonce in the JWT token remains the same as the first call to `acquireToken`. This suggests that some caching is being applied, despite the documentation stating that the interactive flow will skip the cache lookup.

Smartphone (please complete the following information):
`com.microsoft.identity.client:msal:5.1.0`

Stacktrace
We have found these logs when running the app with no Company Portal app installed - case when everything works as expected. We see no logs/tags when running the app on a device with the Company Portal installed.

To Reproduce
Steps to reproduce the behavior:
`acquireToken` method with `withAuthorizationQueryStringParameters` to add a nonce.
`acquireToken` multiple times with different nonces.

Expected behavior
We expect to always receive the actual nonce that was added when calling `acquireToken`. Exposing some of the underlying Java SDK API that allows us to clear or disable the cache might also help.

Actual Behavior
The nonce in the JWT token remains the same as the first call to `acquireToken`, indicating that some caching is being applied.

Code Snippets:
Method for calling `acquireToken`:
Method for initializing `ISingleAccountPublicClientApplication`:

Screenshots

Additional context
`acquireToken`
`withAuthorizationQueryStringParameters`
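The per-call nonce described in this report protects against replay only if the caller compares the nonce in the returned token with the one it just sent and rejects the token on a mismatch, which is also how a stale cached token like the one reported here is detected. The following Android sketch of that check is an added example, not code from the issue author or from MSAL; it assumes the nonce surfaces as a `nonce` claim in the JWT payload, and the class and method names are hypothetical.

```java
import android.util.Base64;
import org.json.JSONException;
import org.json.JSONObject;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

/** Hypothetical helper (not part of MSAL): per-request nonce generation and fail-closed checking. */
public final class NonceCheck {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int B64URL = Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP;

    private NonceCheck() {}

    /** Returns a fresh 128-bit nonce, base64url-encoded, to send as the "nonce" query parameter. */
    public static String newNonce() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.encodeToString(raw, B64URL);
    }

    /**
     * Returns true only if the JWT payload carries exactly the nonce sent with this request.
     * The signature is NOT verified here; that stays with the party that validates the token.
     * Assumption: the nonce appears as a "nonce" claim in the payload.
     */
    public static boolean tokenCarriesNonce(String jwt, String expectedNonce) {
        if (jwt == null || expectedNonce == null) return false;
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;              // not a compact signed JWT
        try {
            byte[] payload = Base64.decode(parts[1], B64URL);
            JSONObject claims = new JSONObject(new String(payload, StandardCharsets.UTF_8));
            String actual = claims.optString("nonce", null);
            if (actual == null) return false;             // claim missing: treat as stale
            // Compare without an early exit on the first differing byte.
            return MessageDigest.isEqual(
                    actual.getBytes(StandardCharsets.UTF_8),
                    expectedNonce.getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException | JSONException e) {
            return false;                                 // malformed token: fail closed
        }
    }
}
```

Generate the value with `newNonce()` before each `acquireToken` call and treat a `false` result from `tokenCarriesNonce` as a stale token that must not be accepted.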