AzureAD · tnorling · May 5, 2020 · Apr 28, 2020 · Apr 28, 2020 · Apr 29, 2020
diff --git a/lib/msal-common/src/auth/ScopeSet.ts b/lib/msal-common/src/auth/ScopeSet.ts
@@ -153,7 +153,15 @@ export class ScopeSet {
         if (!otherScopes) {
             throw ClientAuthError.createEmptyInputScopeSetError(otherScopes);
         }
-        return this.unionScopeSets(otherScopes).size < (this.scopes.size + otherScopes.getScopeCount());
+
+        const unionScopes = this.unionScopeSets(otherScopes);
+
+        // Do not allow offline_access to be the only intersecting scope
+        const sizeOtherScopes = otherScopes.containsScope(Constants.OFFLINE_ACCESS_SCOPE)? otherScopes.getScopeCount() - 1 : otherScopes.getScopeCount();
+        const sizeThisScopes = this.containsScope(Constants.OFFLINE_ACCESS_SCOPE)? this.getScopeCount() - 1: this.getScopeCount();
+        const sizeUnionScopes = unionScopes.has(Constants.OFFLINE_ACCESS_SCOPE)? unionScopes.size - 1: unionScopes.size;
+
+        return sizeUnionScopes < (sizeThisScopes + sizeOtherScopes);
     }
 
     /**

@@ -167,32 +167,31 @@ export class ResponseHandler {
         // If no items in cache with these parameters, set new item.
         if (accessTokenCacheItems.length < 1) {
             this.logger.info("No tokens found, creating new item.");
-            const newTokenKey = new AccessTokenKey(
-                authority, 
-                this.clientId, 
-                serverTokenResponse.scope, 
-                resource, 
-                clientInfo && clientInfo.uid, 
-                clientInfo && clientInfo.utid, 
-                this.cryptoObj
-            );
-            this.cacheStorage.setItem(JSON.stringify(newTokenKey), JSON.stringify(newAccessTokenValue));
         } else {
             // Check if scopes are intersecting. If they are, combine scopes and replace cache item.
             accessTokenCacheItems.forEach(accessTokenCacheItem => {
                 const cachedScopes = ScopeSet.fromString(accessTokenCacheItem.key.scopes, this.clientId, true);
                 if(cachedScopes.intersectingScopeSets(responseScopes)) {
                     this.cacheStorage.removeItem(JSON.stringify(accessTokenCacheItem.key));
-                    cachedScopes.appendScopes(responseScopeArray);
-                    accessTokenCacheItem.key.scopes = cachedScopes.printScopes();
+                    responseScopes.appendScopes(cachedScopes.asArray());
                     if (StringUtils.isEmpty(newAccessTokenValue.idToken)) {
                         newAccessTokenValue.idToken = accessTokenCacheItem.value.idToken;
                     }
-                    this.cacheStorage.setItem(JSON.stringify(accessTokenCacheItem.key), JSON.stringify(newAccessTokenValue));
                 }
             });
         }
 
+        const newTokenKey = new AccessTokenKey(
+            authority, 
+            this.clientId, 
+            responseScopes.printScopes(), 
+            resource, 
+            clientInfo && clientInfo.uid, 
+            clientInfo && clientInfo.utid, 
+            this.cryptoObj
+        );
+        this.cacheStorage.setItem(JSON.stringify(newTokenKey), JSON.stringify(newAccessTokenValue));
+
         // Save tokens in response and return
         return {
             ...originalTokenResponse,

diff --git a/lib/msal-common/test/auth/ScopeSet.spec.ts b/lib/msal-common/test/auth/ScopeSet.spec.ts
@@ -3,6 +3,7 @@ import { ScopeSet } from "../../src/auth/ScopeSet";
 import { TEST_CONFIG } from "../utils/StringConstants";
 import { ClientConfigurationError, ClientConfigurationErrorMessage, Constants, ClientAuthError, ClientAuthErrorMessage } from "../../src";
 import sinon from "sinon";
+import { IdToken } from "../../src/auth/IdToken";
 
 describe("ScopeSet.ts", () => {
 
@@ -316,6 +317,15 @@ describe("ScopeSet.ts", () => {
             expect(newScopeSet.intersectingScopeSets(requiredScopeSet)).to.be.false;
         });
 
+        it("intersectingScopeSets() returns false if ScopeSets have no scopes in common other than offline_access", () => {
+            const testScope2 = "testScope2";
+            const newScopeSet = new ScopeSet([testScope2], TEST_CONFIG.MSAL_CLIENT_ID, true);
+
+            expect(newScopeSet.asArray()).to.contain("offline_access");
+            expect(requiredScopeSet.asArray()).to.contain("offline_access");
+            expect(newScopeSet.intersectingScopeSets(requiredScopeSet)).to.be.false;
+        });
+
         it("getScopeCount() correctly returns the size of the ScopeSet", () => {
             expect(requiredScopeSet.getScopeCount()).to.be.eq(2);
             expect(nonRequiredScopeSet.getScopeCount()).to.be.eq(4);