
Potential loss of sign-out #258

@rayluo

Description


Describe the bug
Loss of sign-out could happen.

To Reproduce
We did not see this in the wild, but these are steps that could possibly hit the issue.

Steps to reproduce the behavior:

  1. app A and app B share the same token cache (i.e. they belong to the same family of apps)
  2. app B calls acquire_token_silent() and is in the middle of waiting for network I/O to complete
  3. end user John Doe signs out in app A via remove_account() (and intends to lend the device to user Jane Doe)
  4. app B finishes its network I/O and adds the same account back into the cache, thus still keeping John Doe's account for both app A and app B.

Expected behavior
App B should honor the sign out operation from app A.

What you see instead
We did not see this bug in the wild, but these are steps that could possibly hit the issue.

The MSAL Python version you are using
All.

Additional context
A solution: enforce that the "save token" operation is always an "UPDATE" operation in the context of a "silent call", and not an "ADD" operation.
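The race in the reproduction steps, and the "UPDATE, not ADD" fix proposed above, replayed deterministically in a toy in-memory cache. This is an added illustration, not code from the MSAL Python project: `SharedTokenCache`, its methods, the account-record fields, the `redeem_refresh_token` hook and the internal shape of `acquire_token_silent` are all assumptions made for the example, and the account data is constructed. The point it shows is that with ADD semantics the silent call re-creates the account that app A removed, while with UPDATE semantics the late write is dropped because the entry no longer exists.

```python
# Added illustration for issue #258; hypothetical model, not MSAL's real TokenCache.
import threading


class SharedTokenCache:
    """Minimal cache shared by app A and app B (same app family), keyed by home_account_id."""

    def __init__(self):
        self._lock = threading.Lock()
        self._accounts = {}  # home_account_id -> account record

    def find_account(self, home_account_id):
        with self._lock:
            return self._accounts.get(home_account_id)

    def remove_account(self, home_account_id):
        """Sign-out: drop the account, as app A does in step 3."""
        with self._lock:
            self._accounts.pop(home_account_id, None)

    def add_account(self, account):
        """ADD semantics: write unconditionally, re-creating an account that was removed."""
        with self._lock:
            self._accounts[account["home_account_id"]] = account
            return True

    def update_account(self, account):
        """UPDATE semantics: only overwrite an entry that still exists.

        Returns False (and saves nothing) if the account was signed out
        while the caller was waiting on the network.
        """
        with self._lock:
            key = account["home_account_id"]
            if key not in self._accounts:
                return False
            self._accounts[key] = account
            return True


def acquire_token_silent(cache, account, redeem_refresh_token, save):
    """Skeleton of a silent call: look up, do network I/O, save the result.

    `redeem_refresh_token` stands in for the network round trip (step 2);
    `save` is the cache write policy under test (ADD vs UPDATE).
    """
    key = account["home_account_id"]
    if cache.find_account(key) is None:
        return None  # nothing to refresh silently
    tokens = redeem_refresh_token(account)           # app A may sign out during this call
    saved = save({**account, "access_token": tokens})
    return tokens if saved else None


def run_scenario(save_mode):
    """Replay steps 1-4 of the issue; return True if John's account is still
    in the cache afterwards (i.e. the sign-out was lost)."""
    cache = SharedTokenCache()
    john = {"home_account_id": "john-uid.john-utid",  # constructed sample account
            "username": "john.doe@example.com"}
    cache.add_account(john)  # precondition: John signed in earlier via app A

    def redeem_refresh_token(acct):
        # While app B waits on I/O, app A calls remove_account() (step 3).
        cache.remove_account(acct["home_account_id"])
        return "constructed-new-access-token"

    save = cache.add_account if save_mode == "ADD" else cache.update_account
    acquire_token_silent(cache, john, redeem_refresh_token, save)  # step 4
    return cache.find_account(john["home_account_id"]) is not None


if __name__ == "__main__":
    print("ADD    keeps John signed in after sign-out:", run_scenario("ADD"))
    print("UPDATE keeps John signed in after sign-out:", run_scenario("UPDATE"))
```

The sign-out is triggered from inside the network hook so the interleaving is reproducible without real threads; with real concurrency the same window exists between the cache lookup and the cache write, which is why the existence check in `update_account` has to happen under the same lock as the write.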

Status: Done