Comments (7)
@HenningRoigaard it was actually a bug when using guest accounts. The fix got merged already.
Thanks
from active-directory-aspnetcore-webapp-openidconnect-v2.
I am aware of the Guest user issue, and this is something else. Fix issue 130 does not fix this.
This issue can be reproduced with fix 130, both for guest and regular accounts. The issue remains that UserTokenCacheAfterAccessNotification is invoked after the cache is cleared, with a dirty (args.HasStateChanged) but empty cache. The code, as is, persists that empty cache, and as a result, we will accumulate account ids.
I would like to reopen this issue, but I do not have the option!?
@HenningRoigaard I used this sample, https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/2-WebApp-graph-user/2-2-TokenCache, to test and after logging out, I had an empty table on the DB.
So, could you please tell me how you got this empty cache persisted?
I have tested using 2-2, and you are correct: there is no entry in the database after logout. However, this is due to some lucky but most likely unintentional programming :)
The flow from the point of view of MSALPerUserSqlTokenCacheProvider when signing out is:
- Create instance of MSALPerUserSqlTokenCacheProvider
- Invoke UserTokenCacheBeforeAccessNotification, which invokes ReadCacheForSignedInUser, and thus initializes InMemoryCache with my credentials
- Invoke Clear, which deletes from database but leaves InMemoryCache initialized with my credentials
- Invoke UserTokenCacheAfterAccessNotification with empty cache (as described previously).
This is where the luck part comes in: Because the same instance is used for both Clear and the subsequent UserTokenCacheAfterAccessNotification (it's the same 'scope'), the InMemoryCache remains initialized, and we then try to persist the empty token as an update. As it does not exist, this results in a DbUpdateConcurrencyException, which we catch and ignore.
Clearing InMemoryCache as part of Clear will not solve the problem. It will simply result in us persisting an empty cache.
After investigating it further with the engineering team, we could reproduce what you pointed out, but this behavior is actually by design. So, when you clear the cache, MSAL doesn't exclude the entry but saves an empty JSON of the cache entry.
The bytes that you are seeing when inspecting the memory cache are this JSON:
"{\"AccessToken\":{},\"RefreshToken\":{},\"IdToken\":{},\"Account\":{},\"AppMetadata\":{\"appmetadata-login.windows.net-{GUID}\":{\"environment\":\"login.windows.net\",\"client_id\":\"{GUID}\"}}}"
So, the access token, refresh token and id token are being cleared properly and there is no "random garbage" being saved. It is just the empty JSON of the token entry class.
I hope it answers your question.
Thanks for pointing that out though.
@TiagoBrenck I can accept that MSAL callbacks with an empty cache by design.
However, I still believe it would be a good idea to do cleanup of empty caches, e.g., by not persisting them in the first place. From a storage perspective, it probably doesn't matter. However, I fear that accumulation might result in some GDPR compliance issue, and more generally, I would like to do it simply because of best practice housekeeping/cleanup.
If TokenAcquisition.RemoveAccount remains unchanged, it will be the responsibility of a custom cache provider to identify and avoid persisting empty caches if so desired.
- What is a good criterion for identifying an empty cache in UserTokenCacheAfterAccessNotification? The ITokenCache is not null, and it doesn't have an "IsEmpty" property or anything like it...
Alternatively, it could be handled centrally in TokenAcquisition.RemoveAccount, by changing the order of Clear and RemoveAsync, so that we can freely persist the empty token only to delete it in Clear.
- Would that have any unwanted side effects?
@TiagoBrenck, please open an issue on MSAL.NET so that the persistence callback helps this scenario. We would not want to pass null for public client applications, as Mark explained in the private thread. I like the IsEmpty property on the Token cache serialization argument.
cc: @MarkZuber
from active-directory-aspnetcore-webapp-openidconnect-v2.
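One way a custom cache provider could answer the "how do I recognize an empty cache" question raised above, until an IsEmpty property exists on the serialization argument, shown as an added illustration that is not code from the sample or from MSAL.NET. It assumes the provider obtains the blob via args.TokenCache.SerializeMsalV3() and the dirty flag via args.HasStateChanged in its AfterAccess callback; CacheAction and MsalCacheInspector are invented names, and the sample JSON is constructed from the empty-cache entry quoted in the thread.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Hypothetical helper (not part of MSAL.NET or the sample): decides what a custom
// token cache provider should do with the blob it receives after a cache access.
public enum CacheAction { Skip, Persist, Delete }

public static class MsalCacheInspector
{
    static readonly string[] TokenSections = { "AccessToken", "RefreshToken", "IdToken", "Account" };

    // True when the MSAL V3 cache JSON holds no tokens and no accounts, i.e. only the
    // AppMetadata that Clear/RemoveAsync leaves behind, as described in the thread.
    public static bool IsEmptyMsalCache(byte[] serialized)
    {
        if (serialized == null || serialized.Length == 0) return true;
        using JsonDocument doc = JsonDocument.Parse(serialized);
        JsonElement root = doc.RootElement;
        if (root.ValueKind != JsonValueKind.Object) return true;
        foreach (string section in TokenSections)
        {
            if (!root.TryGetProperty(section, out JsonElement value)) continue;
            if (value.ValueKind != JsonValueKind.Object) continue;
            var entries = value.EnumerateObject();
            if (entries.MoveNext()) return false; // at least one token or account entry
        }
        return true;
    }

    // hasStateChanged and serialized would come from args.HasStateChanged and
    // args.TokenCache.SerializeMsalV3() in the provider's AfterAccess callback.
    // Deleting instead of persisting keeps the store from accumulating per-user rows.
    public static CacheAction Decide(bool hasStateChanged, byte[] serialized)
    {
        if (!hasStateChanged) return CacheAction.Skip;
        return IsEmptyMsalCache(serialized) ? CacheAction.Delete : CacheAction.Persist;
    }

    public static void Main()
    {
        // Constructed from the empty-cache JSON quoted in the thread ({GUID} kept as a placeholder).
        string emptyJson = "{\"AccessToken\":{},\"RefreshToken\":{},\"IdToken\":{},\"Account\":{},"
            + "\"AppMetadata\":{\"appmetadata-login.windows.net-{GUID}\":{\"environment\":\"login.windows.net\",\"client_id\":\"{GUID}\"}}}";
        // Constructed cache with a single account entry (shape only, contents made up).
        string nonEmptyJson = "{\"AccessToken\":{},\"RefreshToken\":{},\"IdToken\":{},"
            + "\"Account\":{\"uid.utid-login.windows.net-tid\":{\"username\":\"user@example.com\"}},\"AppMetadata\":{}}";
        Console.WriteLine(Decide(true, Encoding.UTF8.GetBytes(emptyJson)));
        Console.WriteLine(Decide(true, Encoding.UTF8.GetBytes(nonEmptyJson)));
        Console.WriteLine(Decide(false, Encoding.UTF8.GetBytes(nonEmptyJson)));
    }
}
```

On the Delete branch the provider would remove the user's row instead of writing the empty blob, which also sidesteps the DbUpdateConcurrencyException path described earlier in the thread.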