switching between apps on same domain does not get reauthenticate. There by ID token is not fetched

[RajaHyd2024]

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.15.0

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

none

Public or Confidential Client?

Public

Description

We are using msal browser with session storage. We have multiple applications on same domain so different applications load based on route. If one of our applications is authenticated and we try to navigate to other application by simply updating route in same window, idTokenClaims becomes undefined however accounts are defined. Hence screen is stuck in the loop and never gets the token for new client.

If we can identify switching of apps and remove item from session storage with key ""msal.account.keys" everything works as expected. Looks like we should add validation on token instead of accounts for fetching new token as accounts does not rely on clientId. 

Error Message

No response

MSAL Logs

Working logs:

Failur logs:

Network Trace (Preferrably Fiddler)

• Sent
• Pending

MSAL Configuration

applicationTitle: appManifest.name,
					applicationIconName: "Home",
					baseUrl: `${window.location.origin}${appManifest.path}`,
					authConfig: {
						authentication: "aad2",
						tenantId: appSettings.TenantId,
						clientId: appSettings.MsalClientId,
						authorityURL: appSettings.MsalAuthorityUri,
						loginType: LoginType.Redirect,
						interactionType: InteractionType.Redirect,
						browserCacheLocation: "sessionStorage"
					}

Relevant Code Snippets

applicationTitle: appManifest.name,
					applicationIconName: "Home",
					baseUrl: `${window.location.origin}${appManifest.path}`,
					authConfig: {
						authentication: "aad2",
						tenantId: appSettings.TenantId,
						clientId: appSettings.MsalClientId,
						authorityURL: appSettings.MsalAuthorityUri,
						loginType: LoginType.Redirect,
						interactionType: InteractionType.Redirect,
						browserCacheLocation: "sessionStorage"
					}

Reproduction Steps

1. Navigate to application1
2. User successfully login and application loads as expected
3. Navigate to aplication2 hosted on same domain and using same code base.
4. Application does not load as idTokenClaims object in account is undefined and page crashes

Expected Behavior

Application2 should also load as expected

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Edge

Regression

No response

Source

Internal (Microsoft)

[tnorling]

This is working as designed. Accounts are not tied to a particular clientId and idTokenClaims are not required to be present on the account. The presence of an account object, or even claims for that matter, is not an indication that the user is currently authenticated for a given clientId. To make that determination you should be using one of the acquireToken APIs to actually get a token.

[RajaHyd2024]

So on what basis we should acquireToken ? Also I am referring to IDToken here if that matters.

[tnorling]

It does not matter - call acquireTokenSilent and if that fails fallback to acquireTokenRedirect or acquireTokenPopup

[RajaHyd2024]

Sorry for late response.
Can you help us understand on what basis we should call above methods. Currently we are relying and waiting on existence of accounts for checking if authentication is successfully done. What property or method we should rely on to identify if authentication is done for the respective client id.

[ravitejagGitHub]

@tnorling : Could you please let us know on what basis we can identify and call acquireTokenSilent when a new app (client ID) is loading within the same session?