[Identity] update fix multiple accounts login logic in IBC (#32134)

Author: KarishmaGhiya

common/config/rush/pnpm-lock.yaml

@@ -0,0 +1,71 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+/**
+ * @summary Authenticates using persistent token caching with Interactive Browser Credential
+ */
+import {
+  InteractiveBrowserCredential,
+  useIdentityPlugin,
+  AuthenticationRecord,
+} from "@azure/identity";
+import { cachePersistencePlugin } from "@azure/identity-cache-persistence";
+import path from "path";
+import fs from "fs";
+import dotenv from "dotenv";
+
+useIdentityPlugin(cachePersistencePlugin);
+
+dotenv.config();
+// The app registration client ID in the Microsoft Entra tenant
+const clientId = "APP-REGISTRATION-CLIENT-ID";
+// The tenant ID in Microsoft Entra ID
+const tenantId = "TENANT-ID";
+// The email address of the user
+const loginHint = `EMAIL-ADDRESS`;
+// The file path to save the authentication record
+const authenticationRecordFilePath = path.resolve(__dirname, "authenticationRecord.json");
+
+async function main() {
+  try {
+    const fileContents = await fs.promises.readFile(authenticationRecordFilePath, "utf8");
+    const authenticationRecord = JSON.parse(fileContents);
+    await doAuthenticate(authenticationRecord);
+  } catch (e) {
+    console.error(e);
+    await doAuthenticate();
+  }
+}
+
+async function doAuthenticate(authenticationRecord?: AuthenticationRecord): Promise<void> {
+  const scopes = ["Mail.ReadWrite", "Calendars.Read"];
+  const credential = new InteractiveBrowserCredential({
+    tenantId,
+    clientId,
+    tokenCachePersistenceOptions: {
+      enabled: true,
+    },
+    loginHint: loginHint,
+    authenticationRecord: authenticationRecord,
+  });
+
+  if (!authenticationRecord) {
+    console.log("No authentication record found");
+    authenticationRecord = await credential.authenticate(scopes);
+    try {
+      const jsonString = JSON.stringify(authenticationRecord);
+      await fs.promises.writeFile(authenticationRecordFilePath, jsonString);
+      console.log("The file has been saved!");
+    } catch (error) {
+      console.log(error);
+    }
+  } else {
+    console.log("Authenticating with authentication record");
+    await credential.getToken(scopes);
+    console.log("login successful");
+  }
+}
+
+main().catch((err) => {
+  console.error("The sample encountered an error:", err);
+});

sdk/identity/identity-cache-persistence/samples-dev/persistentCachingInteractiveBrowserCredential.ts

@@ -11,6 +11,9 @@
 - Fixed the logic to return authority without the scheme and tenant ID [#31540](https://github.com/Azure/azure-sdk-for-js/pull/31540)
 - Fixed an issue where an incorrect tenant ID was presented in multi-tenant authentication errors [#32505](https://github.com/Azure/azure-sdk-for-js/pull/32505)
 - `ManagedIdentityCredential` now throws an error when attempting to pass a user-assigned Managed Identity in a ServiceFabric environment instead of silently ignoring it. [#32841](https://github.com/Azure/azure-sdk-for-js/pull/32841)
+- Fixed the bug in silent authentication behavior to happen only in scenarios where an account is present either in the persistent cache (if tokenCachePersistence is enabled and authentication record is provided) or the in-memory cache, instead of silently picking up the first account found in token cache. [#32134](https://github.com/Azure/azure-sdk-for-js/pull/32134)
+- Fixed the bug in interactive authentication request to account for the correct user login prompt based on the login hint provided, in case there are multiple accounts present. [#32134](https://github.com/Azure/azure-sdk-for-js/pull/32134)
+- Incorporated the [fix by @azure/msal-node (v 3.2.1)](https://github.com/AzureAD/microsoft-authentication-library-for-js/pull/7469) for silent authentication to do token lookup in persistent cache.
 
 ### Other Changes
 

sdk/identity/identity/CHANGELOG.md

@@ -86,8 +86,8 @@
     "@azure/core-tracing": "^1.0.0",
     "@azure/core-util": "^1.11.0",
     "@azure/logger": "^1.0.0",
-    "@azure/msal-node": "^2.15.0",
-    "@azure/msal-browser": "^4.0.2",
+    "@azure/msal-node": "^3.2.1",
+    "@azure/msal-browser": "^4.2.0",
     "events": "^3.0.0",
     "jws": "^4.0.0",
     "open": "^10.1.0",

sdk/identity/identity/package.json

@@ -29,9 +29,9 @@
   },
   "homepage": "https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity",
   "dependencies": {
+    "@azure/core-rest-pipeline": "^1.19.0",
     "@azure/identity": "^4.2.1",
-    "dotenv": "latest",
-    "@azure/keyvault-keys": "^4.2.0",
-    "@azure/core-rest-pipeline": "^1.1.0"
+    "@azure/keyvault-keys": "latest",
+    "dotenv": "latest"
   }
 }

sdk/identity/identity/samples/v4/javascript/package.json

@@ -33,10 +33,10 @@
   },
   "homepage": "https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity",
   "dependencies": {
+    "@azure/core-rest-pipeline": "^1.1.0",
     "@azure/identity": "^4.2.1",
-    "dotenv": "latest",
     "@azure/keyvault-keys": "^4.2.0",
-    "@azure/core-rest-pipeline": "^1.1.0"
+    "dotenv": "latest"
   },
   "devDependencies": {
     "@types/node": "^18.0.0",

sdk/identity/identity/samples/v4/typescript/package.json

@@ -418,27 +418,8 @@ export function createMsalClient(
     options: GetTokenOptions = {},
   ): Promise<msal.AuthenticationResult> {
     if (state.cachedAccount === null) {
-      state.logger.getToken.info(
-        "No cached account found in local state, attempting to load it from MSAL cache.",
-      );
-      const cache = app.getTokenCache();
-      const accounts = await cache.getAllAccounts();
-
-      if (accounts === undefined || accounts.length === 0) {
-        throw new AuthenticationRequiredError({ scopes });
-      }
-
-      if (accounts.length > 1) {
-        state.logger
-          .info(`More than one account was found authenticated for this Client ID and Tenant ID.
-However, no "authenticationRecord" has been provided for this credential,
-therefore we're unable to pick between these accounts.
-A new login attempt will be requested, to ensure the correct account is picked.
-To work with multiple accounts for the same Client ID and Tenant ID, please provide an "authenticationRecord" when initializing a credential to prevent this from happening.`);
-        throw new AuthenticationRequiredError({ scopes });
-      }
-
-      state.cachedAccount = accounts[0];
+      state.logger.getToken.info("No cached account found in local state.");
+      throw new AuthenticationRequiredError({ scopes });
     }
 
     // Keep track and reuse the claims we received across challenges
@@ -466,7 +447,11 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
       silentRequest.resourceRequestUri = options.proofOfPossessionOptions.resourceRequestUrl;
     }
     state.logger.getToken.info("Attempting to acquire token silently");
-    return app.acquireTokenSilent(silentRequest);
+    try {
+      return await app.acquireTokenSilent(silentRequest);
+    } catch (err: any) {
+      throw handleMsalError(scopes, err, options);
+    }
   }
 
   /**
@@ -835,6 +820,7 @@ To work with multiple accounts for the same Client ID and Tenant ID, please prov
         loginHint: options?.loginHint,
         errorTemplate: options?.browserCustomizationOptions?.errorMessage,
         successTemplate: options?.browserCustomizationOptions?.successMessage,
+        prompt: options?.loginHint ? "login" : "select_account",
       };
     }