I have a service that uses Azure access tokens that we retrieve using ADAL. We have several hundred customers, but for some reason there are two of them that sporadically generate this error when we try to retrieve an AuthenticationResult for them:

multiple_matching_tokens_detected: The cache contains multiple tokens satisfying the requirements. Call AcquireToken again providing more requirements (e.g. UserId).

I have no idea why only these two folks out of hundreds have this issue and really can't find much about it on the net. Our code to acquire a token looks like this (simplified):

AuthenticationContext authContext = new AuthenticationContext(authority, new MyCustomTokenCache());
ClientCredential credential = new ClientCredential(myClientId, myPassword);
authContext.AcquireTokenSilent(resourceUri, credential, UserIdentifier.AnyUser); 

Why does this error occur and what is the "suggested" solution to resolve it? I have been leaning towards trying to fix it by acquiring a token like so but really would like to know what the error really is all about:

authContext.AcquireTokenSilent(mr.ResourceUri, credential, new UserIdentifier("usersUPN@foo.com", UserIdentifierType.UniqueId));
Steve Peschka (edited by Maria Ines Parnisari)

3 Answers

If this is still relevant, I had a similar problem with the multiple_matching_tokens_detected error and I found this:

https://developercommunity.visualstudio.com/content/problem/17315/cant-add-new-account-with-vsts-online-failed-to-re.html

As Alex mentioned in the answer there (you need to do this on the client machine):

  1. Close all Visual Studio instances (in your case, close all client apps, I suppose).
  2. Delete %LOCALAPPDATA%\.IdentityService.
  3. Enjoy.

Worked for me like magic.

jurl

This error is usually accurate, as in, it is actually reporting that there are multiple tokens for the same authority/resource/clientId combination for different users. There are many possible reasons for which you might end up with such tokens, and in fact there are scenarios for which it is perfectly legitimate (say, one mail app that supports multiple mailboxes for multiple users at once). In your specific case I can think of two possible culprits. One is that MyCustomTokenCache might not enforce isolation between web sessions, ending up pooling tokens from different callers. Another possibility is that those two users might have had their UPN reassigned, and now you have multiple cache entries with both the old and new UPN. I would recommend inspecting the cache looking for such duplicates and, if they are there, cleaning up accordingly.

vibronet
  • Hmm, thanks Vittorio, that's interesting. For the way in which we are using it the culprits you describe would not be in play, but I understand you are saying there could be many possible reasons. Given that, is the last code snippet I pasted "the right" way to try and resolve the issue (replacing the AnyUser with a specific UPN)? Or are there other alternatives I should be exploring? – Steve Peschka Aug 14 '15 at 18:25
  • It is the right approach, but you must match the correct identifier type with UserIdentifierType. If you want to pass the UPN value you need to pass UserIdentifierType.OptionalDisplayableId (if you want this to be just a hint) or RequiredDisplayableId (if you want to mandate that the returned token must match the identifier you are providing). UniqueId is used with the corresponding opaque user identifier value you find in UserInfo when you get an AuthenticationResult. UniqueId is preferable because it is non-reassignable, but you do need to have it stored somewhere. – vibronet Aug 14 '15 at 19:02
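The two culprits named in this answer, and the identifier-type rule from the comments, as an added example (not code from the question, the answers, or ADAL itself). It assumes ADAL .NET v2 with the synchronous AcquireTokenSilent the question uses; the cache class, the caller key, the authority, the resource URI and the credential placeholders are all hypothetical. PerCallerTokenCache keeps one serialized cache per customer so tokens from different callers cannot pool together, Report lists every authority/resource/clientId group that holds more than one entry (the condition that triggers multiple_matching_tokens_detected under AnyUser), and AcquireForUser pins the lookup to one user with the identifier type that matches the value at hand.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example, not from the question or answers. Targets ADAL .NET v2 (the
// synchronous AcquireTokenSilent used in the question); names below are hypothetical.

// Culprit 1: a shared cache. This cache keeps one serialized blob per caller
// (customer, tenant or web session), so ADAL only ever sees that caller's tokens
// when it looks up authority/resource/clientId.
public class PerCallerTokenCache : TokenCache
{
    // Stand-in for a real per-caller store (database, distributed cache, ...).
    private static readonly ConcurrentDictionary<string, byte[]> Store =
        new ConcurrentDictionary<string, byte[]>();

    private readonly string callerKey;

    public PerCallerTokenCache(string callerKey)
    {
        this.callerKey = callerKey;
        this.BeforeAccess = LoadCallerEntries;
        this.AfterAccess = SaveCallerEntries;
    }

    private void LoadCallerEntries(TokenCacheNotificationArgs args)
    {
        byte[] blob;
        // Deserialize(null) empties the in-memory dictionary, so a caller with no
        // stored blob starts from a clean cache rather than inheriting another's.
        this.Deserialize(Store.TryGetValue(callerKey, out blob) ? blob : null);
    }

    private void SaveCallerEntries(TokenCacheNotificationArgs args)
    {
        if (this.HasStateChanged)
        {
            Store[callerKey] = this.Serialize();
            this.HasStateChanged = false;
        }
    }
}

public static class AmbiguousTokenFinder
{
    // Culprit 2: stale entries for the same user (e.g. old and new UPN). Groups the
    // cache by the key an AnyUser lookup uses and reports every group holding more
    // than one entry, which is precisely when multiple_matching_tokens_detected fires.
    public static List<string> Report(TokenCache cache)
    {
        return cache.ReadItems()
            .GroupBy(i => new { i.Authority, i.Resource, i.ClientId })
            .Where(g => g.Count() > 1)
            .Select(g => g.Key.Authority + " | " + g.Key.Resource + " | " + g.Key.ClientId + " -> "
                + string.Join(", ", g.Select(i => i.DisplayableId + " [" + i.UniqueId + "]")))
            .ToList();
    }

    // Pins the silent lookup to one user, matching the identifier type to the value
    // we have: the stable UniqueId when it was stored from an earlier
    // AuthenticationResult.UserInfo, otherwise a mandatory match on the UPN.
    public static AuthenticationResult AcquireForUser(AuthenticationContext ctx, string resource,
        ClientCredential credential, string upn, string storedUniqueId)
    {
        UserIdentifier who = string.IsNullOrEmpty(storedUniqueId)
            ? new UserIdentifier(upn, UserIdentifierType.RequiredDisplayableId)
            : new UserIdentifier(storedUniqueId, UserIdentifierType.UniqueId);
        return ctx.AcquireTokenSilent(resource, credential, who);
    }
}

public static class Program
{
    public static void Main()
    {
        // Hypothetical values; the cache is keyed by the customer making the call.
        var cache = new PerCallerTokenCache("customer-42");
        var ctx = new AuthenticationContext("https://login.microsoftonline.com/contoso.onmicrosoft.com", cache);
        var credential = new ClientCredential("<client-id>", "<client-secret>");

        foreach (string line in AmbiguousTokenFinder.Report(cache))
            Console.WriteLine("Ambiguous cache group: " + line);

        try
        {
            AuthenticationResult result = AmbiguousTokenFinder.AcquireForUser(
                ctx, "https://graph.windows.net", credential, "usersUPN@foo.com", storedUniqueId: null);
            // Persist result.UserInfo.UniqueId so later calls can use the non-reassignable id.
            Console.WriteLine("Token for " + result.UserInfo.DisplayableId + " / " + result.UserInfo.UniqueId);
        }
        catch (AdalException ex)
        {
            Console.WriteLine(ex.ErrorCode + ": " + ex.Message);
        }
    }
}
```

Report is worth running before deleting anything: if a group shows two DisplayableIds with the same UniqueId, that is the reassigned-UPN case and the stale entry can be removed with TokenCache.DeleteItem; if it shows different UniqueIds, tokens from different callers have been pooled and the cache scoping is the real fix.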
The solution for this is to catch the error message, and in case the error is multiple_matching_tokens_detected, run AuthenticationContext.TokenCache.Clear(); and ask the customer to repeat the login.

lesyk