The acquire_token_silent method sometimes does not return the idtoken and id_token_claims

[arthur00]

I have an application where I can cache (using SerializableTokenCache) the user's tokens. When I load the token cache back in, I do acquire_token_silent to refresh the access token.

The issue is I've seen two different behaviors from this line:
newtoken = self.app.acquire_token_silent(["https://database.windows.net//.default"],
account=self.account)

1. I get idtoken and id_token_claims from the acquire_token_silent method (Good)
2. I get only access_token, token_type, and expires_in, as in the image below: (Bad)

This second case makes my life harder because I need a way to access the IdToken (and to decode it so I can get the user given name). I could technically dig on the token_cache object to get the IdToken then find the decoding function deep inside the msal library to get the user given name, but I'm guessing this is not intended behavior.

I'm not sure why I get these two different behaviors yet - must be something to do with refreshing the tokens, but I can't reproduce case 1 at will (I'm not getting any id_tokens now).

Let me know if I'm missing something here.

[arthur00]

Not sure if it helps, but when I dug through I noticed that in the method _acquire_token_silent_from_cache_and_possibly_refresh_it, when the self.token_cache.find returns matches, I do not get an id_token, since it returns an exact list:
return { # Mimic a real response "access_token": entry["secret"], "token_type": entry.get("token_type", "Bearer"), "expires_in": int(expires_in), # OAuth2 specs defines it as int }

But if this token_cache search fails, than _acquire_token_silent_by_finding_rt_belongs_to_me_or_my_family is called, which decorates the scope to retrieve the id_token data:

return self._acquire_token_silent_by_finding_rt_belongs_to_me_or_my_family(
authority, decorate_scope(scopes, self.client_id), account,
**kwargs)

[arthur00]

I did a workaround for now (where account comes from ConfidentialClientApplication.get_accounts)

from msal.oauth2cli.oidc import decode_id_token
tcache = SerializableTokenCache()
tcache.deserialize(cache)
idtoken = tcache.find(tcache.CredentialType.ID_TOKEN, query={
                        "home_account_id": account['home_account_id'],
                    })[0]['secret']
idclaim = decode_id_token(idtoken)

[rayluo]

Hi @arthur00, thanks for bringing this to our attention.

Your observation is indeed the case. A more precise description is:

1. acquire_token_silent() will return a cached access token and such access token only, during the its lifespan (typically 1 hour).
2. And then, the first call AFTER its expiry, will actually hit the wire and return a new access token, which happens to come with an id token, for free.

In ADAL/MSAL Python, historically we did not return an id token from acquire_token_silent() in scenario 1, partially because we assumed that when you call acquire_token_silent(..., account, ...), you are supposed to already know the identity of the current account. That said, it doesn't harm to also pull an id token from cache to return in acquire_token_silent(). We will mark this as an enhancement, and will plan for it.

Meanwhile, Arthur, you are already a member of this exclusive club. And your triaging and workaround above are already promising. Feel free to come up with a PR for it, if you happen to be in the right mood. :-)

UPDATE 2020-4-25: On-hold. Need more thoughts on this.

[bgavrilMS]

MSALs are supposed to return the ID Token on AcquireTokenSilent.