AadHttpClient or MSGraphClient does not work with multiple live accounts

[edijsf]

Category

• Question
• Typo
• Bug
• Additional article idea

Expected or Desired Behavior

When multiple accounts found user interaction for choosing correct account should be provided

Observed Behavior

When multiple live account logged in or when current service account does not match any live account you get error.

Steps to Reproduce

When you are logged in SharePoint where SFPX web part exists that connects to Azure services wither using AadHttpClient or MSGraphClient client and check it works fine. Then open in new browser tab Azure portal do sign-out and log in with different account and switch to SharePoint tab and refresh.
Or when multiple live accounts found you will get similar issue.

Following errors are not processed.
Error in case of multiple live accounts found:
AADSTS70002: Error validating credentials. AADSTS16000: Request is ambiguous: multiple user identities are available for the current request
Error in case of account mismatch
AADSTS50058: A silent sign-in request was sent but none of the currently signed in user(s) match the requested login hint

Proposed solution

Solution @microsoft/sp-http

// AdalAuthContext.js
67: AdalAuthContext.prototype._fetchAccessTokenSilent = function (resourceEndpoint) {`
.
.
73: if (_this._authContext._getItem(_this._authContext.CONSTANTS.STORAGE.ERROR) === 'interaction_required') {

Only one error is processed "interaction_required", but should process also when above mentioned errors are found.

[araver]

They can also avoid the login prompt by adding the "extraQueryParamter" to config of the "AuthenticationContext" constructor that hints at the current user.

var authContext = new AuthenticationContext({
    clientId: clientId,
    tenant: aadTenantId,
    redirectUri: window.location.origin + '/_forms/spfxsinglesignon.aspx',
    extraQueryParameter: 'login_hint=user@contoso.com'
});

[pkmelee337]

Just ran into the same problem. Logged in with 2 microsoft account.

[araver]

This is how i did it using ADAL

async getToken(headers: Headers) {
        var tp = await this.context.aadTokenProviderFactory.getTokenProvider();
        var config = tp["_defaultConfiguration"];
        var user = this.context.pageContext.user.loginName;
        var aadInstanceUrl = config.aadInstanceUrl[length - 1] === "/" ? config.aadInstanceUrl : config.aadInstanceUrl + "/";
        var ctx = new AuthenticationContext({
            tenant: config.aadTenantId,
            clientId: config.servicePrincipalId,
            instance: aadInstanceUrl,
            redirectUri: config.redirectUri,
            extraQueryParameter: "login_hint=" + encodeURIComponent(user),
            loadFrameTimeout: 60000
        });

        var cu = ctx.getCachedUser();
        console.log("USER", cu, user, ctx);
        if (cu && cu.userName.toLowerCase() !== user.toLowerCase()) {
            ctx.clearCache();
        }
        var token = await this.acquireToken(ctx, this.resource);
        if(headers.has("Authorization")){
            headers.set("Authorization", "Bearer " + token)
        }else{
            headers.append("Authorization", "Bearer " + token);
        }
    }

    private acquireToken(ctx: AuthenticationContext, resource: string){
        return new Promise<string>((resolve, reject) => {
            ctx.acquireToken(resource, (message, token) =>{
                if(!token){
                    reject(message)
                }else{
                    resolve(token);
                }
            });

        });
    }

[VesaJuvonen]

As this is not really an end-user scenario as they typically have one account, how often you'd really run into this issue unless you are a consultant with multiple accounts... and in this case incognito and profiles would help. Are we missing something on this? Sure - it could be a better implementation, but is this really a common scenario?

[araver]

My only concern is for a client that might have a shared workstation and the users don't clear the browser cache.

[pkmelee337]

Well, we did have some end users running in this problem allready. Most of them having some kind of admin and a normal account. After some time they did understand what caused it and that a normal user won't bump into this problem, but it's quite hard to explain.

[kasgit]

It works for all browsers except IE 11 for us. We are using SPFx 1.6. Below is the error message we are getting. @VesaJuvonen, Problem is we have multiple O365 tenants in our company and users who still use IE11 will face this issue. It works in IE11 inprivate. But we can't ask all the users to use InPrivate mode.

I have noticed that it is not sending login_hint with authorize request.

AADSTS70002: Error validating credentials. AADSTS16000: Request is ambiguous: multiple user identities are available for the current request.

[lucmoco]

We experienced the same problem with a regular user: in addition to our company tenant, he had added credentials for a school where he's attending some courses. And he experienced an error while using our web part, which is using the aadHttpClient to connect to a back-end API.

[michel-weber]

@VesaJuvonen It seems to be a problem for some of our end-users ... although it seems to be an edge case and will not affect a majority of our users it still is a blocking issue for some of them. As far as I know we do not have a work-around at the moment (I work in the same team as @lucmoco).

Any update on this? I believe we are seeing a similar issue on our end. Is there any way to force login_hint within SPFx without resorting to ADAL?

[baywet]

@VesaJuvonen end users are having the problem as well. Imagine they used their private account (either Hotmail or Gmail) to log on a consumer service/B2C partner tenant (like I don't know the school board of their district typically) and they are logged in with their corporate account on the corp tenant at the same time.