Description
Microsoft.Identity.Web Library
Microsoft.Identity.Web
Microsoft.Identity.Web version
3.8.1
Web app
Sign-in users and call web APIs
Web API
Protected web APIs call downstream web APIs
Token cache serialization
In-memory caches
Description
Inability to keep a long-running OBO session when using an auto-generated session key.
Depending on the implementation on the partner side, this can also lead to performance issues by initiating a new long-running session each time.
Additional details here: https://identitydivision.visualstudio.com/Engineering/_workitems/edit/3219367/
Reproduction steps
1. Configure TokenAcquisition and IAuthorizationHeaderProvider (DefaultAuthorizationHeaderProvider) for calling the downstream API.
2. Create AuthorizationHeaderProviderOptions where AcquireTokenOptions.LongRunningWebApiSessionKey is set to "AllocateForMe".
3. Call DefaultAuthorizationHeaderProvider.CreateAuthorizationHeaderForUserAsync, sending in the options created in step 2 and also sending in the ClaimsPrincipal. (This call will initiate a new LR session.)
4. Call DefaultAuthorizationHeaderProvider.CreateAuthorizationHeaderForUserAsync, sending in options with the same session key as before, but do not pass the ClaimsPrincipal in the call. (This call will try to acquire a token from the already initiated LR process.)
5. This LR session was already initiated in step 3, so the call in step 4 should succeed; however, it will throw MsalClientException with error code MsalError.OboCacheKeyNotInCacheError.
Error message
No response
Id Web logs
No response
Relevant code snippets
Regression
No response
Expected behavior
IdWeb should return the token cached by the initial CreateAuthorizationHeaderForUserAsync, but it throws an error instead.
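The reproduction steps above as a C# sketch. This is an added example, not code from the issue author or from the Microsoft.Identity.Web project. Assumptions: the class and method names and the scope string are hypothetical placeholders, `provider` is the IAuthorizationHeaderProvider resolved from dependency injection in step 1, and the library writes the generated session key back into the same options object so that reusing it in step 4 sends "the same session key as before".

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Identity.Abstractions;
using Microsoft.Identity.Client;

public static class LongRunningOboRepro
{
    // Hypothetical placeholder scope for the downstream API.
    private static readonly string[] Scopes =
        { "api://<downstream-api-client-id>/.default" };

    // Returns true when the behavior reported in step 5 is observed,
    // false when the second call succeeds (the expected behavior).
    public static async Task<bool> SecondCallFailsAsync(
        IAuthorizationHeaderProvider provider, // step 1: resolved from DI
        ClaimsPrincipal user)                  // user of the incoming request
    {
        // Step 2: ask the library to generate the session key.
        var options = new AuthorizationHeaderProviderOptions
        {
            AcquireTokenOptions = new AcquireTokenOptions
            {
                LongRunningWebApiSessionKey = "AllocateForMe"
            }
        };

        // Step 3: first call, with the ClaimsPrincipal. This initiates
        // the long-running OBO session.
        await provider.CreateAuthorizationHeaderForUserAsync(
            Scopes, options, user);

        try
        {
            // Step 4: same options (assumed to now carry the generated
            // session key), but no ClaimsPrincipal.
            await provider.CreateAuthorizationHeaderForUserAsync(
                Scopes, options, claimsPrincipal: null);
            return false;
        }
        catch (MsalClientException ex)
            when (ex.ErrorCode == MsalError.OboCacheKeyNotInCacheError)
        {
            // Step 5: the session key was not found in the OBO cache.
            return true;
        }
    }
}
```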