Identity: Unable to log into multiple accounts using the Token Cache #28896

Open
1 of 6 tasks
Apollo3zehn opened this issue Mar 12, 2024 · 15 comments · May be fixed by #32134

@Apollo3zehn

  • Package Name: "@azure/identity"
  • Package Version: 4.0.1
  • Operating system: Ubuntu 23.10
  • nodejs
    • version: 18.17.1 (VS Code Extension)
  • browser:
    • name/version:
  • typescript
    • version:
  • Is the bug related to documentation in

Describe the bug
I am developing a VSCode extension and try to use Microsoft Graph to access Outlook resources of two different Microsoft accounts and cache the tokens using the @azure/identity-cache-persistence package (v1.0.0) and the InteractiveBrowserCredential.

With the token cache enabled, I can log into the first account (the browser opens) and give access to an OAuth application to some Outlook resources. I do this by manually calling authenticationRecord = credential.authenticate(...)

Since this is the first log in, no AuthenticationRecord can be provided to the InteractiveBrowserCredential.

Now I try to log into the second account (by setting InteractiveBrowserCredential.loginHint to another value) and again without providing any AuthenticationRecord because it is not available yet. What happens then is that the AuthenticationRecord of the first account is being returned without opening the browser and thus without giving me the chance to log into that second account.

My workaround for now is to disable the token cache when no authentication record is available (i.e. for the first log in) and enable it for all subsequent login attempts. But that leads to the inconvenience that I need to log in twice into every account instead of only once because only for the second log in, the token cache is enabled.

To Reproduce
Below is the code that does not work for me, i.e. the token cache is always enabled. Run it twice with different user accounts (set loginHint to a different account each run). Azure Identity will ask the user only once to log in.

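import * as os from "os";
import * as path from "path";
import { promises as fs } from "fs";
import { AuthenticationRecord, InteractiveBrowserCredential, useIdentityPlugin } from "@azure/identity";
import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
import { Client } from "@microsoft/microsoft-graph-client";
import { TokenCredentialAuthenticationProvider } from "@microsoft/microsoft-graph-client/authProviders/azureTokenCredentials";

// tokenCachePersistenceOptions only works once the persistence plugin is registered
useIdentityPlugin(cachePersistencePlugin);

const loginHint = `<the Microsoft account>`;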
const authenticationRecordFolderPath = path.join(os.homedir(), ".IdentityService");
const authenticationRecordFilePath = path.join(authenticationRecordFolderPath, `cortex_notes@${loginHint}.json`);

let authenticationRecord: AuthenticationRecord | undefined;

try {

    const jsonString = await fs.readFile(authenticationRecordFilePath, {
        encoding: 'utf8'
    });

    authenticationRecord = JSON.parse(jsonString);
} catch (err) {
    // ignore
}

const scopes = ['Mail.ReadWrite', 'Calendars.Read'];

const credential = new InteractiveBrowserCredential({
    tenantId: 'common',
    clientId: 'f470bc86-5748-46ef-8d92-450964420fb9',
    tokenCachePersistenceOptions: {
        enabled: true,
    },
    loginHint: loginHint,
    authenticationRecord: authenticationRecord
});

if (!authenticationRecord) {
    authenticationRecord = await credential.authenticate(scopes);

    try {

        await fs.mkdir(authenticationRecordFolderPath, {
            recursive: true
        });

        let jsonString = JSON.stringify(authenticationRecord);

        await fs.writeFile(authenticationRecordFilePath, jsonString);
    } catch (error) {
        // ignore
    }
}

const authProvider = new TokenCredentialAuthenticationProvider(credential, {
    scopes: scopes,
});
    
const graphClient = Client.initWithMiddleware({ authProvider: authProvider });

Expected behavior
I expect a possibility to enforce authentication, i.e. ignore the token cache, but at the same time update it when the authentication was successful so it is populated when the user needs to authenticate the next time.

More specifically, I would expect that the token cache is (optionally) bypassed when no AuthenticationRecord is available so that the user is forced to authenticate manually.

Screenshots

Additional context

@github-actions github-actions bot added Azure.Identity Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Mar 12, 2024

@KarishmaGhiya @maorleger


Thank you for your feedback. Tagging and routing to the team member best able to assist.

@KarishmaGhiya
Member

KarishmaGhiya commented Dec 10, 2024

Hello, I have figured out what the problem is. I'll be working on a fix for this soon. @Apollo3zehn

@KarishmaGhiya KarishmaGhiya linked a pull request Dec 10, 2024 that will close this issue
2 tasks
@Apollo3zehn
Author

Great, thank you!

@KarishmaGhiya
Member

KarishmaGhiya commented Dec 12, 2024

@Apollo3zehn Can you provide me with the logs of the above sample? You can do this by

import { setLogLevel } from "@azure/logger";
setLogLevel("verbose");

Also, in your sample, I don't see you trying to provide two different accounts. I see the authenticationRecord and loginHint pointing to the same credential login account.

@KarishmaGhiya KarishmaGhiya added needs-author-feedback Workflow: More information is needed from author to address the issue. and removed needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Dec 17, 2024

Hi @Apollo3zehn. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@KarishmaGhiya
Member

KarishmaGhiya commented Dec 18, 2024

@Apollo3zehn Also, I did try the sample above. For me it does prompt me with the dialog box when I try to create a credential with a different email address (loginHint). I would recommend you to compare your two authentication records, if they have different contents when created. If they have the same content it means - it's taking in the same account (tenant, client id and email) credentials for login. Compare the two authentication records created locally and let me know what your content really looks like.
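
The record comparison recommended above can be automated before a record is written to disk. This is an added example, not part of the thread or of the Azure SDK: the function names are hypothetical, the field names follow the `AuthenticationRecord` interface of `@azure/identity`, the accounts are constructed, and it assumes the login hint is the account's sign-in name.

```typescript
// Shape of the fields used from @azure/identity's AuthenticationRecord.
interface AuthRecord {
  authority: string;
  homeAccountId: string;
  clientId: string;
  tenantId: string;
  username: string;
}

interface StoredRecord {
  loginHint: string; // the hint the record file was saved under
  record: AuthRecord;
}

interface RecordCheck {
  ok: boolean;
  reason: string; // empty when ok
}

function normalizeAccount(name: string): string {
  return name.trim().toLowerCase();
}

// The record returned by authenticate() must belong to the requested account.
// (Assumption: loginHint is the sign-in name that ends up in record.username.)
function checkRecordMatchesHint(loginHint: string, record: AuthRecord | undefined): RecordCheck {
  if (!record) {
    return { ok: false, reason: "no authentication record returned" };
  }
  if (!record.homeAccountId) {
    return { ok: false, reason: "record has no homeAccountId" };
  }
  if (normalizeAccount(record.username) !== normalizeAccount(loginHint)) {
    return {
      ok: false,
      reason: `requested ${loginHint} but the record is for ${record.username}`,
    };
  }
  return { ok: true, reason: "" };
}

// Full gate to run before writing `<loginHint>.json`: the record must match the
// hint, and the same signed-in account must not already be stored under another hint.
function validateBeforePersist(
  loginHint: string,
  record: AuthRecord | undefined,
  stored: StoredRecord[]
): RecordCheck {
  const match = checkRecordMatchesHint(loginHint, record);
  if (!match.ok || !record) {
    return match;
  }
  const clash = stored.filter(
    (s) =>
      normalizeAccount(s.loginHint) !== normalizeAccount(loginHint) &&
      s.record.homeAccountId === record.homeAccountId
  )[0];
  if (clash) {
    return {
      ok: false,
      reason: `account ${record.homeAccountId} is already stored under ${clash.loginHint}`,
    };
  }
  return { ok: true, reason: "" };
}

// Audit of records already on disk: every group of login hints that share one
// homeAccountId, i.e. the "both records are equal" state reported in this issue.
function findSharedRecords(stored: StoredRecord[]): string[][] {
  const groups: { homeAccountId: string; hints: string[] }[] = [];
  stored.forEach((s) => {
    const existing = groups.filter((g) => g.homeAccountId === s.record.homeAccountId)[0];
    if (existing) {
      existing.hints.push(s.loginHint);
    } else {
      groups.push({ homeAccountId: s.record.homeAccountId, hints: [s.loginHint] });
    }
  });
  return groups.filter((g) => g.hints.length > 1).map((g) => g.hints);
}

// Constructed sample data (not taken from the issue).
const recordA: AuthRecord = {
  authority: "login.microsoftonline.com",
  homeAccountId: "aaaaaaaa-0000-0000-0000-000000000001.tttttttt-0000-0000-0000-000000000001",
  clientId: "cccccccc-0000-0000-0000-000000000001",
  tenantId: "tttttttt-0000-0000-0000-000000000001",
  username: "alice@example.com",
};

// Replays the reported sequence: first login succeeds, second login with a
// different hint gets the first account's record back from the cache.
function runConstructedScenario(): { first: RecordCheck; second: RecordCheck } {
  const first = validateBeforePersist("alice@example.com", recordA, []);
  const onDisk: StoredRecord[] = [{ loginHint: "alice@example.com", record: recordA }];
  const second = validateBeforePersist("bob@example.com", recordA, onDisk);
  return { first, second };
}

const scenario = runConstructedScenario();
```

When the gate fails, the caller should discard the record instead of saving it, so a later run does not read one account's mailbox while labelling it as another's.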

@Apollo3zehn
Author

I will test again today and report my findings!

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Dec 18, 2024
@Apollo3zehn
Author

Apollo3zehn commented Dec 18, 2024

Please find the logs below. I tried first to access [email protected] for which I got a login request which succeeded. Then I tried to access [email protected] for which I did not get asked again to login (no browser page opened). And the end result is that I am logged only into [email protected] where I can access my mails.

Here is the comparison of the authentication records. They are equal:

Image

false
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:info MsalClient => getToken() => Attempting to acquire token interactively
azure:identity:info InteractiveBrowserCredential => getToken() => Creating new PublicClientApplication with CAE disabled.
azure:identity:info InteractiveBrowserCredential => getToken() => No cached account found in local state, attempting to load it from MSAL cache.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:40:53 GMT] : [] : @azure/[email protected] : Info - getTokenCache called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:40:53 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Info - getAuthCodeUrl called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - initializeRequestScopes called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - buildOauthClientConfiguration called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - createAuthority called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get cloud discovery metadata  from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [] : @azure/[email protected] : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [] : @azure/[email protected] : Verbose - Found cloud discovery metadata from hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get endpoint metadata from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [] : @azure/[email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:40:53 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/common/oauth2/v2.0/token.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - Auth code client created
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:40:53 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - createAuthCodeUrlQueryString: No account, adding login_hint from request
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:21 GMT] : [] : @azure/[email protected] : Info - acquireTokenByCode called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - initializeRequestScopes called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - buildOauthClientConfiguration called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - createAuthority called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get cloud discovery metadata  from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [] : @azure/[email protected] : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [] : @azure/[email protected] : Verbose - Found cloud discovery metadata from hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get endpoint metadata from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [] : @azure/[email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:21 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/common/oauth2/v2.0/token.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:21 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - Auth code client created
azure:core-rest-pipeline retryPolicy:info Retry 0: Attempting to send request bb3a26b2-e48b-4907-8a54-f79144e4ddf3
azure:core-rest-pipeline:info Request: {
  "url": "https://login.microsoftonline.com/common/oauth2/v2.0/token?client-request-id=REDACTED",
  "headers": {
    "content-type": "application/x-www-form-urlencoded;charset=utf-8",
    "x-anchormailbox": "REDACTED",
    "accept-encoding": "gzip,deflate",
    "user-agent": "azsdk-js-identity/4.5.0 core-rest-pipeline/1.18.1 Node/20.18.0 OS/(x64-Linux-6.12.4-arch1-1)",
    "x-ms-client-request-id": "bb3a26b2-e48b-4907-8a54-f79144e4ddf3"
  },
  "method": "POST",
  "timeout": 0,
  "disableKeepAlive": false,
  "withCredentials": false,
  "abortSignal": {},
  "requestId": "bb3a26b2-e48b-4907-8a54-f79144e4ddf3",
  "allowInsecureConnection": false,
  "enableBrowserStreams": false
}
azure:core-rest-pipeline:info No cached TLS Agent exist, creating a new Agent
azure:core-rest-pipeline:info Response status code: 200
azure:core-rest-pipeline:info Headers: {
  "cache-control": "no-store, no-cache",
  "pragma": "no-cache",
  "content-type": "application/json; charset=utf-8",
  "expires": "-1",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "p3p": "CP=\"DSP CUR OTPi IND OTRi ONL FIN\"",
  "x-ms-request-id": "97d5aa6b-5fec-47da-9c82-07856b610803",
  "x-ms-ests-server": "2.1.19683.3 - NEULR1 ProdSlices",
  "x-ms-clitelem": "1,0,0,,",
  "x-ms-srs": "1.P",
  "content-security-policy-report-only": "object-src 'none'; base-uri 'self'; script-src 'self' 'nonce-DEvL3U_YDeUZAZQmCbLbgg' 'unsafe-inline' 'unsafe-eval' https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; img-src 'self' data: https://*.msauth.net https://*.msftauth.net https://*.msftauthimages.net https://*.msauthimages.net https://*.msidentity.com https://*.microsoftonline-p.com https://*.microsoftazuread-sso.com https://*.azureedge.net https://*.outlook.com https://*.office.com https://*.office365.com https://*.microsoft.com https://*.bing.com 'report-sample'; report-uri https://csp.microsoft.com/report/ESTS-UX-All",
  "x-xss-protection": "0",
  "set-cookie": "fpc=AkZTDNjysiJGg8ElvhMqQfQqIoFUAQAAABDW9N4OAAAA; expires=Fri, 17-Jan-2025 14:41:21 GMT; path=/; secure; HttpOnly; SameSite=None",
  "date": "Wed, 18 Dec 2024 14:41:21 GMT",
  "connection": "close",
  "content-length": "3459"
}
azure:core-rest-pipeline retryPolicy:info Retry 0: Received a response from request bb3a26b2-e48b-4907-8a54-f79144e4ddf3
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing 2 retry strategies.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy throttlingRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info Retry 0: Processing retry strategy exponentialRetryStrategy.
azure:core-rest-pipeline retryPolicy:info Retry 0: Skipped.
azure:core-rest-pipeline retryPolicy:info None of the retry strategies could work with the received response. Returning it.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - setCachedAccount called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - Persistence enabled, calling beforeCacheAccess
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [021744dd-203f-4115-bddd-4580f82d8ea0] : @azure/[email protected] : Verbose - Persistence enabled, calling afterCacheAccess
azure:identity:info InteractiveBrowserCredential => getToken() => SUCCESS. Scopes: Mail.ReadWrite, Calendars.Read.
azure:identity:info MsalClient => getToken() => Attempting to acquire token interactively
azure:identity:info InteractiveBrowserCredential => getToken() => Existing PublicClientApplication found in cache, returning it.
azure:identity:info InteractiveBrowserCredential => getToken() => Attempting to acquire token silently
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [] : @azure/[email protected] : Verbose - initializeRequestScopes called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [b92a19cd-eb10-430b-9a47-5881b376d43c] : @azure/[email protected] : Verbose - buildOauthClientConfiguration called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [b92a19cd-eb10-430b-9a47-5881b376d43c] : @azure/[email protected] : Verbose - createAuthority called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get cloud discovery metadata  from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [] : @azure/[email protected] : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [] : @azure/[email protected] : Verbose - Found cloud discovery metadata from hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get endpoint metadata from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [] : @azure/[email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:22 GMT] : [b92a19cd-eb10-430b-9a47-5881b376d43c] : @azure/[email protected] : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/common/oauth2/v2.0/token.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:22 GMT] : [b92a19cd-eb10-430b-9a47-5881b376d43c] : @azure/[email protected] : Verbose - Silent flow client created
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:22 GMT] : [] : @azure/[email protected] : Info - CacheManager:getAccessToken - Returning access token
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:22 GMT] : [] : @azure/[email protected] : Info - CacheManager:getIdToken - Returning ID token
azure:identity:info InteractiveBrowserCredential => getToken() => SUCCESS. Scopes: Mail.ReadWrite, Calendars.Read.
azure:core-client:warning The baseUri option for SDK Clients has been deprecated, please use endpoint instead.
azure:identity:info MsalClient => getToken() => Attempting to acquire token interactively
azure:identity:info InteractiveBrowserCredential => getToken() => Creating new PublicClientApplication with CAE disabled.
azure:identity:info InteractiveBrowserCredential => getToken() => No cached account found in local state, attempting to load it from MSAL cache.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Info - getTokenCache called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Info - CacheManager:getIdToken - Returning ID token
azure:identity:info InteractiveBrowserCredential => getToken() => Attempting to acquire token silently
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - initializeRequestScopes called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [30dd37d3-e23c-44c9-8939-b3a6e35fcd3c] : @azure/[email protected] : Verbose - buildOauthClientConfiguration called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [30dd37d3-e23c-44c9-8939-b3a6e35fcd3c] : @azure/[email protected] : Verbose - createAuthority called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get cloud discovery metadata  from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Found cloud discovery metadata from hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get endpoint metadata from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:35 GMT] : [30dd37d3-e23c-44c9-8939-b3a6e35fcd3c] : @azure/[email protected] : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/common/oauth2/v2.0/token.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [30dd37d3-e23c-44c9-8939-b3a6e35fcd3c] : @azure/[email protected] : Verbose - Silent flow client created
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Info - CacheManager:getAccessToken - Returning access token
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Info - CacheManager:getIdToken - Returning ID token
azure:identity:info InteractiveBrowserCredential => getToken() => SUCCESS. Scopes: Mail.ReadWrite, Calendars.Read.
azure:identity:info MsalClient => getToken() => Attempting to acquire token interactively
azure:identity:info InteractiveBrowserCredential => getToken() => Existing PublicClientApplication found in cache, returning it.
azure:identity:info InteractiveBrowserCredential => getToken() => Attempting to acquire token silently
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - initializeRequestScopes called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [3ff6ba92-a506-4e43-95c7-f5c5dd5ec13c] : @azure/[email protected] : Verbose - buildOauthClientConfiguration called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [3ff6ba92-a506-4e43-95c7-f5c5dd5ec13c] : @azure/[email protected] : Verbose - createAuthority called
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get cloud discovery metadata  from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Did not find cloud discovery metadata in the config... Attempting to get cloud discovery metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Found cloud discovery metadata from hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Attempting to get endpoint metadata from authority configuration
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Verbose - Did not find endpoint metadata in the config... Attempting to get endpoint metadata from the hardcoded values.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:35 GMT] : [3ff6ba92-a506-4e43-95c7-f5c5dd5ec13c] : @azure/[email protected] : Info - Building oauth client configuration with the following authority: https://login.microsoftonline.com/common/oauth2/v2.0/token.
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 verbose message: [Wed, 18 Dec 2024 14:41:35 GMT] : [3ff6ba92-a506-4e43-95c7-f5c5dd5ec13c] : @azure/[email protected] : Verbose - Silent flow client created
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Info - CacheManager:getAccessToken - Returning access token
azure:identity:info InteractiveBrowserCredential => MSAL Node V2 info message: [Wed, 18 Dec 2024 14:41:35 GMT] : [] : @azure/[email protected] : Info - CacheManager:getIdToken - Returning ID token
azure:identity:info InteractiveBrowserCredential => getToken() => SUCCESS. Scopes: Mail.ReadWrite, Calendars.Read.

@Apollo3zehn
Author

Apollo3zehn commented Dec 18, 2024

To me it looks like the login-hint is being ignored.

@KarishmaGhiya
Member

KarishmaGhiya commented Dec 20, 2024

> To me it looks like the login-hint is being ignored.

Yeah, first, you need the prompt with the specified login hint right? My PR will address that. That way it won't appear like silent auth is happening, when not needed.

Second, I wanted to check with you is - Are both the emails approved for logging into the app registration account (the tenant-id and client-id provided above in the sample)? If your second email doesn't have the permission to authenticate to that app registration, then the login may fail even with the fix. So make sure you have the appropriate set up or use the correct tenant and client id required for the second email account.

Also thank you for providing the logs.

@Apollo3zehn

@KarishmaGhiya KarishmaGhiya added needs-author-feedback Workflow: More information is needed from author to address the issue. and removed needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team labels Dec 20, 2024
@Apollo3zehn
Author

> Yeah, first, you need the prompt with the specified login hint right? My PR will address that. That way it won't appear like silent auth is happening, when not needed.

That is great, it would solve my problem!

> Second, I wanted to check with you is - Are both the emails approved for logging into the app registration account (the tenant-id and client-id provided above in the sample)? If your second email doesn't have the permission to authenticate to that app registration, then the login may fail even with the fix. So make sure you have the appropriate set up or use the correct tenant and client id required for the second email account.

Yes, both are approved. If I switch the order of the emails I use to log in, I can access mails of that other email address. It is always the second address which does not work, no matter what order they have.

@github-actions github-actions bot added needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team and removed needs-author-feedback Workflow: More information is needed from author to address the issue. labels Dec 20, 2024
@KarishmaGhiya
Member

KarishmaGhiya commented Jan 1, 2025

@Apollo3zehn
I am addressing the second issue that you mentioned in my current PR.

One more thing, while addressing the first issue, it will ALWAYS show the login dialog box as well. Is that the experience you are looking for? I vaguely remember that a few customers had complained over the amount of times they saw the login dialog in the past.

Once my PR is merged, I can provide you with an alpha build that you can test and verify and give feedback.

@Apollo3zehn
Author

Apollo3zehn commented Jan 1, 2025

Thanks for your work so far! What I want as a user of this library is: Show the login dialog once per Microsoft account I specify in the config file of my VS Code extension. This extension allows its users to access their emails (and more). The extension's purpose is a TODO management hub to help organise myself in the face of too much work. I have many different Microsoft email accounts and I need access to all of them in parallel from within the extension.

It is OK to re-show the login dialog once in a while, but it would be annoying if it shows up for each account every time I launch the VS Code extension mentioned above.

@KarishmaGhiya KarishmaGhiya moved this from Not Started to In Progress in Azure Identity SDK Improvements Jan 5, 2025