Decide to completely disable RT removal

AzureAD · Mar 3, 2021 · d5cd692 · d5cd692
1 parent 26f0689
commit d5cd692
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/msal/application.py b/msal/application.py
@@ -926,12 +926,9 @@ def _acquire_token_silent_by_finding_specific_refresh_token(
             logger.debug("Cache attempts an RT")
             response = client.obtain_token_by_refresh_token(
                 entry, rt_getter=lambda token_item: token_item["secret"],
-                on_removing_rt=(rt_remover or self.token_cache.remove_rt)
-                    if  # we can remove a RT when a single scope is an exact match
-                        len(scopes) == 1
-                        and set(entry.get("target", "").split()) <= set(scopes)
-                    else  # otherwise keep the RT as it might work for a subset of scopes
-                        lambda rt_item: None,  # No OP
+                on_removing_rt=lambda rt_item: None,  # Disable RT removal,
+                    # because an invalid_grant could be caused by new MFA policy,
+                    # the RT could still be useful for other MFA-less scope or tenant
                 on_obtaining_tokens=lambda event: self.token_cache.add(dict(
                     event,
                     environment=authority.instance,