[Bug] AADSTS50020 error if signing out then into another tenant without restarting the app #1365

Closed
osolo opened this issue Sep 2, 2019 · 10 comments


osolo commented Sep 2, 2019

Which Version of MSAL are you using ?
MSAL 4.3.1

Platform
all

What authentication flow has the issue?

  • Desktop / Mobile
    • Interactive

Description

In UWP apps (possibly also in non-UWP), if you execute the following sequence, an AADSTS50020 is issued:

  1. AcquireTokenInteractive() [user logs in successfully to CompanyA.com]
  2. AcquireTokenSilent() [this is required for the bug to appear]
  3. Log out (see code below)
  4. AcquireTokenInteractive() [user tries to login into CompanyB.com]

The user should be able to log into CompanyB, however we get this error:

AADSTS50020: User account '[someemail]' from identity provider 'https://sts.windows.net/[some_guid]/' does not exist in tenant '[some name]' and cannot access the application '[some_guid]'(AppName) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

Logout looks like this:

var accounts = await _graphApp.GetAccountsAsync();
while (accounts.Any())
{
	await _graphApp.RemoveAsync(accounts.FirstOrDefault());
	accounts = await _graphApp.GetAccountsAsync();
}

Additional Information

  1. If you restart the app between steps 3 and 4, things work as expected (user can log into CompanyB).
  2. Adding .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs) to the app builder does not resolve the problem.

I have provided a sample app to demonstrate this problem. You must supply your own AppId.

@bgavrilMS (Member)

I do not understand the repro steps, please clarify. You have a user e.g. john@companyA.com that is member of 2 tenants - companyA and companyB (home tenant companyA and guest tenant companyB).

How does the user login to "companyA" and to "companyB"?

@bgavrilMS bgavrilMS self-assigned this Sep 4, 2019

osolo commented Sep 4, 2019

Separate users in separate tenants.

For example, using the provided app, log in with your work (@microsoft.com) account. Then log out and try to log in using any private/home Microsoft Account or an account on any other tenant (such as a demo tenant).

@bgavrilMS (Member)

Can repro.

@bgavrilMS bgavrilMS added the bug label Sep 4, 2019
@bgavrilMS (Member)

Can repro on other platforms, not just UWP.

@bgavrilMS (Member)

Workaround: re-create the public client application before each request i.e.

var pca = PublicClientApplicationBuilder.Create(AppId).Build();

This is a bug where we update the authority with the tenant ID in AcquireTokenSilent. The same authority (tenanted to companyA) is then re-used to issue a request for a token for a user in companyB.
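The workaround above, written out as a small sign-in / sign-out helper. This is an added example, not code from the issue or from MSAL.NET: it rebuilds the PublicClientApplication before every interactive request so that the authority pinned to the first user's tenant by AcquireTokenSilent is never reused for a user from another tenant. AppId and the scopes are placeholders; the page says the underlying bug is fixed from MSAL 4.4.0, so the rebuild is only needed on 4.3.x.

```csharp
// Added example (not the issue's or MSAL.NET's own code): apply the
// "re-create the PCA before each request" workaround for MSAL.NET 4.3.1.
// AppId and Scopes are placeholders; supply your own.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public sealed class TenantSwitchingAuth
{
    private const string AppId = "00000000-0000-0000-0000-000000000000"; // placeholder
    private static readonly string[] Scopes = { "User.Read" };           // placeholder

    private IPublicClientApplication _pca = BuildApp();

    // A freshly built PCA carries no tenant-specific authority from a
    // previous user's silent call, which is the state the bug depends on.
    private static IPublicClientApplication BuildApp() =>
        PublicClientApplicationBuilder.Create(AppId).Build();

    // Repro steps 1-2: interactive sign-in followed by a silent renewal.
    // In 4.3.1 the silent call is what pins the authority to this user's tenant.
    public async Task<AuthenticationResult> SignInAsync()
    {
        _pca = BuildApp(); // workaround: new instance before each interactive request
        var result = await _pca.AcquireTokenInteractive(Scopes).ExecuteAsync();
        return await _pca.AcquireTokenSilent(Scopes, result.Account).ExecuteAsync();
    }

    // Repro step 3: remove every cached account (as in the reporter's logout),
    // then discard the instance so its tenanted authority cannot leak into
    // the next user's interactive request (step 4).
    public async Task SignOutAsync()
    {
        var accounts = await _pca.GetAccountsAsync();
        while (accounts.Any())
        {
            await _pca.RemoveAsync(accounts.First());
            accounts = await _pca.GetAccountsAsync();
        }
        _pca = BuildApp();
    }
}
```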


osolo commented Sep 4, 2019

I can confirm that the workaround indeed works :)


adamedx commented Sep 6, 2019

FYI, I hit this same problem, looking forward to a release with the fix and will share results once I get to try it out. Glad this issue was filed as I had been spending time trying to debug -- I assumed it was my fault as I was in the process of migrating from the older MSAL with explicit caches to the new builder model with implicit cache.

@henrik-me henrik-me added this to the 4.3.2 milestone Sep 6, 2019
bgavrilMS added a commit that referenced this issue Sep 9, 2019
@bgavrilMS bgavrilMS changed the title [Bug] AADSTS50020 error if signing out then into another tenant without restarting the app (UWP) [Bug] AADSTS50020 error if signing out then into another tenant without restarting the app Sep 9, 2019

henrik-me commented Sep 21, 2019

@osolo and @adamedx Included in the 4.4.0 release


adamedx commented Oct 6, 2019

Yes, I updated shortly after it was released and everything works now :). I was able to incorporate it into a release (was originally planning on just relnoting the bug). Thanks very much for the quick turnaround on diagnosis, fix, and release.


jmprieur commented Oct 6, 2019

Thanks for the update @adamedx. Much appreciated!
