
In my React app, I am using the login and edit profile user flows of Azure B2C using msal loginPopup by passing different authorities.

When I am signing in, a new ID token is generated with claims. After login, when I am editing my profile using msal loginPopup (editProfile authority), I am able to change the profile and successfully get a new ID token with updated claims in the browser. Now I have 2 ID tokens in the browser, one generated via login and the other via edit profile. Since the key of the ID token is a random value, is there any way I can remove the ID token generated via login?

1 Answer

As per your scenario and setup, the ID tokens generated during both attempts, at login and at edit profile, should ideally be cached, as you are using the ‘loginPopup’ method for credential validation.

The ‘loginPopup’ method opens a pop-up window with the Microsoft identity platform endpoint to prompt and validate the user's credentials. After a successful sign-in, msal.js initiates the authorization code flow. At this point, a PKCE-protected authorization code is sent to the CORS-protected token endpoint and is exchanged for tokens. An ID token, access token, and refresh token are received by your application and processed by msal.js, and the information contained in the tokens is cached. When you acquire an access token using the Microsoft Authentication Library, the token is cached. When the application needs a token, it should first call the ‘AcquireTokenSilent’ method to verify if an acceptable token is in the cache. Clearing the cache is achieved by removing the accounts from the cache. This does not remove the session cookie, which is in the browser, though. MSAL maintains a token cache (or two caches for confidential client applications) and caches a token after it's been acquired. In many cases, attempting to silently get a token will acquire another token with more scopes based on a token in the cache. It's also capable of refreshing a token when it's getting close to expiration (as the token cache also contains a refresh token). Please refer to the authorization code flow diagram below for a better understanding:

Authentication Protocol Diagram

Thus, you might need to check whether cache or cookie access is enabled in your browser or not, and if it's enabled, then you might need to clear the cache in your browser so that tokens are managed accordingly.

Please find the below documentation links for your reference:

https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-clear-token-cache
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-acquire-cache-tokens
https://learn.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-react
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

Thanking you,

Kartik Bhiwapurkar
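The answer above says that clearing the cache means removing accounts, and the question's difficulty is that the cache key of each ID token looks random. As an added example (not part of the question or the answer, and not msal-browser code), the Node.js sketch below shows how the two cached ID tokens from a B2C sign-in and an edit-profile run can be told apart by the claims inside the token, the policy name in `tfp` (or `acr` on older user flows) together with the user's `oid`, rather than by the cache key, so that the superseded sign-in token for that one user can be dropped without touching anything else. The cache key layout, the policy names, tenant and user ids are constructed assumptions that only mirror MSAL's naming; the tokens are unsigned test tokens, and only the payload is decoded because in a real app MSAL has already validated a token before it is cached.

```javascript
// Added example: reconcile two B2C ID tokens held in an MSAL-style cache.
// Nothing here talks to Azure; storage, keys, ids and tokens are constructed.

function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Build a constructed, unsigned JWT (alg "none") purely as sample input.
function makeIdToken(claims) {
  return `${base64url({ alg: "none", typ: "JWT" })}.${base64url(claims)}.`;
}

// Decode the payload only. This is claim inspection of an already-cached
// token, not validation; signature and issuer checks are MSAL's job.
function decodeClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Hypothetical B2C user flow names.
const SIGNIN_POLICY = "B2C_1_signupsignin";
const EDIT_PROFILE_POLICY = "B2C_1_editprofile";
const SAMPLE_OID = "11111111-2222-3333-4444-555555555555"; // constructed

// Constructed cache resembling msal-browser's web storage: one JSON entry
// per credential, keyed "<homeAccountId>-<environment>-idtoken-<clientId>-<realm>-".
// The homeAccountId format "<oid>-<policy>.<tenant>" is an assumption.
function buildSampleCache() {
  const storage = new Map();
  const environment = "contoso.b2clogin.com"; // constructed
  const tenant = "contoso.onmicrosoft.com";   // constructed
  const issued = [
    { policy: SIGNIN_POLICY, name: "Alice", city: "Paris" },   // first login
    { policy: EDIT_PROFILE_POLICY, name: "Alice", city: "Berlin" }, // after edit
  ];
  for (const t of issued) {
    const homeAccountId = `${SAMPLE_OID}-${t.policy.toLowerCase()}.${tenant}`;
    const key = `${homeAccountId}-${environment}-idtoken-sample-client-id-${tenant}-`;
    storage.set(key, JSON.stringify({
      homeAccountId,
      credentialType: "IdToken",
      secret: makeIdToken({ oid: SAMPLE_OID, tfp: t.policy, name: t.name,
                            city: t.city, exp: 1700000000 }),
    }));
  }
  return storage;
}

// B2C puts the user flow name in "tfp"; older flows used "acr" instead.
function policyOf(claims) {
  return String(claims.tfp ?? claims.acr ?? "").toLowerCase();
}

// Once an edit-profile ID token exists for a user, remove that same user's
// sign-in ID token. Matching on oid + policy claims keeps the operation
// scoped to one user and independent of the opaque cache key.
// Returns the claims the app should now treat as current, or null if there
// was nothing to reconcile.
function dropSupersededIdToken(storage, oid, signInPolicy, editPolicy) {
  const byPolicy = new Map();
  for (const key of storage.keys()) {
    if (!key.includes("-idtoken-")) continue;       // leave access/refresh tokens alone
    const entry = JSON.parse(storage.get(key));
    const claims = decodeClaims(entry.secret);
    if (claims.oid !== oid) continue;                // never touch another user's entries
    byPolicy.set(policyOf(claims), { key, claims });
  }
  const edited = byPolicy.get(editPolicy.toLowerCase());
  const signIn = byPolicy.get(signInPolicy.toLowerCase());
  if (!edited || !signIn) return null;
  storage.delete(signIn.key);
  return edited.claims;
}

// Stand-alone run: two ID tokens in, one (the edit-profile one) left.
const cache = buildSampleCache();
const current = dropSupersededIdToken(cache, SAMPLE_OID, SIGNIN_POLICY, EDIT_PROFILE_POLICY);
console.log("remaining ID-token entries:", cache.size, "current city:", current && current.city);
```

In a real msal-browser app the same selection logic would run over `getAllAccounts()` (each B2C policy yields its own account object whose `idTokenClaims` carry `tfp`/`acr` and `oid`), and the account chosen this way would be passed to `setActiveAccount`; the point the example isolates is that the decision should rest on the claims, not on the storage key.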