
How does Authorization Code flow remember the user after cached state is cleared? #2797

Closed
1 of 2 tasks
jdolearydl opened this issue Dec 21, 2020 · 4 comments
Assignees
Labels: msal-browser (Related to msal-browser package); question (Customer is asking for a clarification, use case or information.)

Comments

@jdolearydl

Library

  • @azure/msal-browser@2.8.0

Description

Given an app using OAuth 2.0 Authorization Code Flow via msal-browser, I log in by providing my credentials. Then I fully clear my browser's state, cache, local/session storage, and refresh the page so that the single page application doesn't know I'm logged in, but I'm still logged in with the Microsoft backend.

When I initiate another login, it is able to do so silently, without re-asking me for my credentials.

Apparently, via a request to https://login.microsoftonline.com/redacted/oauth2/v2.0/token, the Microsoft backend can authenticate me as the same user even though I cleared the JS memory and all cache/session/local storage.

How does this request get a valid code / code_verifier to send to the Authorization Server in order to get an Access Token back for a user without re-entering credentials?


More details:

The following does require me to re-enter my credentials (as I would expect it to):

  • a private/incognito tab
  • closing the browser and reopening it
  • using a different browser on the same computer

The following does not require me to re-enter my credentials and can log on silently:

  • authenticating in a new tab with cleared local state
  • authenticating in a new window of the same browser with cleared local state
  • refreshing the tab and clearing local state

I would expect the 3 "not" scenarios to require credentials, but they do not. How can I be authenticated without the browser keeping any local state?

Source

  • Internal (Microsoft)
  • Customer request

(Note: Also posted on Stack Overflow)

@jdolearydl jdolearydl added the question Customer is asking for a clarification, use case or information. label Dec 21, 2020
@tnorling
Collaborator

@jdolearydl When you first authenticate the AAD service drops a session cookie in your browser. When you clear local/session storage for your app you are removing the tokens from your app context but are not closing the session with AAD. When you try to re-authenticate with the same browser, AAD reads the session cookie it dropped earlier and re-establishes the existing session.

If you would like to sign out and require re-authentication, you should call the logout API instead of clearing storage.

@tnorling tnorling self-assigned this Dec 21, 2020
@tnorling tnorling added the msal-browser Related to msal-browser package label Dec 21, 2020
@jdolearydl
Author

Hi @tnorling, thank you for the response. I'm aware of needing to call the logout API to truly log out. I am simply curious about what's going on behind the scenes. How does the session cookie remain in my browser even after I clear my browser's cookies?

@tnorling
Collaborator

@jdolearydl Can you clarify, did you clear all browser cookies or just those for your app? The cookie in question here is owned by AAD, not by your app.

@jdolearydl
Author

@tnorling Ah, that was the point of confusion: I was only clearing the cookies for my app. Once I clear all cookies, it asks for my credentials as I would expect. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 29, 2020