Microsoft.Identity.Web Library: Microsoft.Identity.Web.TokenCache
Microsoft.Identity.Web version: 2.13.1
Web app: Sign-in users
Web API: Protected web APIs call downstream web APIs
Token cache serialization: Distributed caches
Description
This issue affects a singleton token acquisition / MSAL instance with token cache serialization enabled and cache synchronization enabled.
In MSAL, when a new token is saved into the internal cache collection, the cache serialization event handler for read is called first. This should clear the internal cache collection and load the data relevant to the request's cache key. If the read doesn't find any data in the serialized cache, the internal cache should just be cleared. The new tokens are then added to the internal collection and the whole collection is serialized into the external cache via the write event handler.
The issue is that if the read handler doesn't find any data in the external cache, MsalAbstractTokenCacheProvider.OnBeforeAccessAsync doesn't call Msal.Deserialize, so any data from previous requests in the internal cache is not cleared.
The change in the Id.Web.TokenCache was made here.
Reproduction steps
- Create a web app/API.
- Enable singleton token acquisition.
- Enable token cache serialization using Id.Web.TokenCache.
- Enable CacheSynchronization.
- Do some operation that will end up writing to the serialized cache.
- Do some other operation that will write to the cache (make sure the cache key is different, so for ex. different user).
To repro I modified this test runner to hit this web API with multiple users in parallel.
Error message
No response
Id Web logs
No response
Relevant code snippets
Regression: 2.0.2-preview
Expected behavior
The serialized cache entries should only have relevant tokens. MsalAbstractTokenCacheProvider.OnBeforeAccessAsync should always call Msal.Deserialize even if the read operation returned nothing.
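As an added illustration of the read/add/write sequence described in the Description and the Expected behavior above (this is not Microsoft.Identity.Web's or MSAL's code, and the class and function names are hypothetical), a small Python model: `simulate(False)` mimics a read hook that skips Deserialize on a cache miss, so user A's token leaks into user B's serialized entry, and `simulate(True)` mimics the expected always-deserialize behaviour.

```python
import json


class InternalTokenCache:
    """Stands in for MSAL's in-memory collection shared by a singleton client."""
    def __init__(self):
        self.entries = {}  # constructed: token key -> token value

    def deserialize(self, blob, clear_existing=True):
        # Clearing happens even when the blob is empty (the expected behaviour).
        if clear_existing:
            self.entries.clear()
        if blob:
            self.entries.update(json.loads(blob))

    def serialize(self):
        return json.dumps(self.entries, sort_keys=True)


class TokenCacheProvider:
    """Hypothetical stand-in for the provider's read (before) and write (after) hooks."""
    def __init__(self, always_deserialize):
        self.external = {}  # constructed: cache key -> serialized blob
        self.always_deserialize = always_deserialize

    def before_access(self, cache, key):
        blob = self.external.get(key)
        if blob is None and not self.always_deserialize:
            # Buggy variant: a miss skips deserialization, so entries left over
            # from an earlier request (another user) survive in the collection.
            return
        cache.deserialize(blob, clear_existing=True)

    def after_access(self, cache, key):
        self.external[key] = cache.serialize()  # whole collection under this key


def acquire_token(provider, cache, cache_key, token_name, token_value):
    """One acquisition round trip: read hook, add the token, write hook."""
    provider.before_access(cache, cache_key)
    cache.entries[token_name] = token_value
    provider.after_access(cache, cache_key)
    return json.loads(provider.external[cache_key])


def simulate(always_deserialize):
    """Two users through one singleton cache; returns what user B's entry holds."""
    provider = TokenCacheProvider(always_deserialize)
    cache = InternalTokenCache()
    acquire_token(provider, cache, "user-A", "AT:userA", "tokenA")
    return acquire_token(provider, cache, "user-B", "AT:userB", "tokenB")
```

With the buggy variant the entry stored under user B's key also carries user A's token; with the fixed variant it holds only user B's.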