Skip to content

[Proof of Concept] Call remove_account when new account is created #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: dev
Choose a base branch
from
Open

[Proof of Concept] Call remove_account when new account is created #1

wants to merge 3 commits into from

Conversation

jiasli
Copy link
Owner

@jiasli jiasli commented Apr 6, 2021
edited
Loading

Fix AzureAD#335
Require AzureAD#339

Call remove_account when new account is created.

Because old access tokens are purged from the token cache, acquire_token_silent will no longer return revoked access tokens.

In other words,

  • All initial logins (auth code, device code, username password) will trigger remove_account
  • Silent refreshing will not trigger remove_account because of skip_account_creation=True

@jiasli jiasli changed the title [POC] Call remove_account when new account is created [Proof of Concept] Call remove_account when new account is created Apr 6, 2021
@chlowell
Copy link

chlowell commented Apr 7, 2021

One concern I have with this approach is that it may unintentionally invalidate the cache in normal usage. Removing an account from the cache entails removing all its associated tokens. It appears MSAL caches an account whenever it receives client_info and an ID token, and that it always requests these. I worry this might then be possible:

  1. user requests a token for scope A
  2. MSAL caches access token and account
  3. user requests a token for scope B
  4. MSAL acquires new access and ID tokens, evicts all the user's cached tokens
  5. user requests a token for scope A
  6. MSAL acquires new access and ID tokens, evicts all the user's cached tokens
  7. user requests a token for scope B...

@jiasli
Copy link
Owner Author

jiasli commented Apr 7, 2021

My change will not evict all the user's cached tokens when doing cross-scope refreshing, because skip_account_creation=True is specified (AzureAD#339).

jiasli
jiasli commented Apr 8, 2021
View reviewed changes
msal/token_cache.py
Comment on lines 153 to 154
if client_info and not event.get("skip_account_creation"):
account = {
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The order of adding tokens to the cache matters. Always create the account first so that old account can be removed first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Revoked ATs are returned after re-login
2 participants
@jiasli @chlowell