fix: auto-clear MSAL cache on wrong-tenant token (WAM, issue #430)#444
Merged
Conversation
github-actions
Bot
added
bug
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes a Windows WAM/MSAL failure mode where the CLI can silently acquire a Microsoft Graph token for the wrong Entra tenant when multiple cached work accounts exist, by validating the JWT tid claim and attempting an automatic cache-clear + single retry to self-heal (#430).
Changes:
- Added shared
JwtHelper.TryDecodeClaimand refactored existing JWT-claim decoding call sites to use it. - Implemented wrong-tenant (
tid) detection with cache clearing and retry in bothAuthenticationServiceandMicrosoftGraphTokenProvider. - Added/updated unit tests plus a changelog entry describing the new behavior.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/MicrosoftGraphTokenProviderTests.cs | Adds tests for wrong-tenant self-heal behavior in the Graph token provider. |
| src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AuthenticationServiceTests.cs | Adds tests for wrong-tenant self-heal behavior in AuthenticationService. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/MsalBrowserCredential.cs | Uses a shared constant for the MSAL cache filename. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Internal/MicrosoftGraphTokenProvider.cs | Adds tid validation + cache clear + retry to mitigate wrong-tenant WAM account selection. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/Helpers/JwtHelper.cs | Introduces centralized Base64Url JWT claim decoding helper. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/GraphApiService.cs | Refactors token-claim decoding to use JwtHelper. |
| src/Microsoft.Agents.A365.DevTools.Cli/Services/AuthenticationService.cs | Adds tid validation + cache clear + retry; adjusts cached tenant handling. |
| src/Microsoft.Agents.A365.DevTools.Cli/Constants/AuthenticationConstants.cs | Introduces MsalCacheFileName constant. |
| CHANGELOG.md | Documents the fix under “Fixed” for the upcoming release. |
- Gate tid mismatch check on Guid.TryParse in both AuthenticationService and MicrosoftGraphTokenProvider; domain-form tenantIds (e.g. contoso.onmicrosoft.com) would previously always mismatch the JWT tid GUID, causing unnecessary cache clears - Fix TokenInfo.TenantId to store domain-form tenantId as-is rather than overwriting it with the decoded JWT tid GUID, preserving round-trip cache consistency - Throw InvalidOperationException (not just warn) in MicrosoftGraphTokenProvider when the retry also returns the wrong tenant, preventing a known-bad token from being cached and used - Add MSAL cache backup/restore in AuthenticationServiceTests and MicrosoftGraphTokenProviderTests so tests do not destroy the developer's real credential cache on machines where a real cache exists
gwharris7
approved these changes
Jun 5, 2026
ajmfehr
approved these changes
Jun 5, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue: On Windows, WAM silently selects a cached work account from a different tenant when multiple accounts are present. The CLI acquires a token for the wrong tenant and uses it for Graph and Agent 365 API calls, returning 403s that look like missing Entra roles.
Fix: After token acquisition, the CLI decodes the
tidclaim and compares it to the configured tenant. On mismatch: logs a warning, deletes both token caches (auth-token.json+msal-token-cache), and retries once. If the retry also returns the wrong tenant, throws with an actionable error. No new commands — fully transparent to the user.Closes #430