AzureAD / microsoft-authentication-library-for-js

Microsoft Authentication Library (MSAL) for JS

Home Page: http://aka.ms/aadv2

Does MSAL.js support multiple accounts using acquireTokenSilent?

IainAdamsLabs opened this issue · comments

Library

  • msal@1.x.x or @azure/msal@1.x.x
  • @azure/msal-browser@2.x.x
  • @azure/msal-angular@0.x.x
  • @azure/msal-angular@1.x.x
  • @azure/msal-angularjs@1.x.x

Description

I want my application to support multiple MS accounts at once.

In my application the user logs in outside of MSAL; however, the session is still valid on the Authentication server.

I am following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-js-sso#sso-without-msaljs-login to retrieve an Access Token using acquireTokenSilent.

    const config = {
        scopes: [
            "User.ReadBasic.All"
        ],
        loginHint: this.user.email
    };
    return this.msalClient.acquireTokenSilent(config)
        .then((resp) => {
            return resp.accessToken;
        })
        .catch((error: AuthError) => {
            if (error.errorCode === "consent_required" || error.errorCode === "interaction_required" || error.errorCode === "login_required") {
                return this.msalClient.acquireTokenPopup(config)
                    .then((resp) => resp.accessToken);
            } else {
                throw error;
            }
        });

The first user login is fine and the access token is retrieved. However, the second call to acquireTokenSilent (which uses a different loginHint) returns the access token from the first account.

I am not sure whether you support multiple accounts. If so, I believe this is a bug - I would expect the access token returned to respect the login_hint param as well as the scope.

Thanks
Iain

Unfortunately we don't have multiple account support at this time, but we are working on adding this feature soon.

You can switch accounts by calling loginRedirect or loginPopup with your login_hint, but MSAL currently only keeps track of the most recently acquired account.

Thank you so much for getting back to me @pkanher617. Looking forward to it being supported!
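A defensive check for the behaviour reported in this issue, as an added example that is not part of the original thread or the MSAL project's code: it refuses a cached token whose account differs from the requested `loginHint`, then switches accounts with `loginPopup` as the reply suggests. It assumes the msal 1.x response shape (`response.account.userName`) and that the login hint equals that user name; `responseMatchesHint`, `acquireTokenForUser` and `makeFakeClient` are hypothetical names, and the error-code handling from the snippet above is left out.

```javascript
// Added example, not MSAL code. Assumes the msal 1.x AuthResponse shape,
// where response.account.userName identifies the signed-in account.

// True only when the token response belongs to the account that was requested.
function responseMatchesHint(response, loginHint) {
  const userName = response && response.account && response.account.userName;
  return typeof userName === "string" &&
    userName.toLowerCase() === String(loginHint).toLowerCase();
}

// Acquire a token for loginHint and never hand back another account's token.
async function acquireTokenForUser(client, scopes, loginHint) {
  const request = { scopes, loginHint };
  let resp = await client.acquireTokenSilent(request);
  if (responseMatchesHint(resp, loginHint)) return resp.accessToken;

  // The tracked account differs: switch accounts interactively, then retry.
  await client.loginPopup(request);
  resp = await client.acquireTokenSilent(request);
  if (!responseMatchesHint(resp, loginHint)) {
    throw new Error("account_mismatch: token issued for a different account");
  }
  return resp.accessToken;
}

// Constructed stand-in that mimics the behaviour reported in this issue:
// it tracks a single account and ignores loginHint on silent calls.
function makeFakeClient(initialUser) {
  let current = initialUser;
  return {
    popupCalls: 0,
    async acquireTokenSilent() {
      return { accessToken: "token-for-" + current, account: { userName: current } };
    },
    async loginPopup(request) {
      this.popupCalls += 1;
      current = request.loginHint;
      return { account: { userName: current } };
    },
  };
}
```

Without the comparison, the caller would attach the first account's access token to requests made on behalf of the second user.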