ClientCredential and OBO acquireToken requests with claims will now skip the cache

change/@azure-msal-common-c7f27295-64bd-44e2-b07f-d4bf9c4b7d6a.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "ClientCredential and OBO acquireToken requests with claims will now skip the cache",
+  "packageName": "@azure/msal-common",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-node-2c770c1f-88f0-42d9-b87e-591e60e975b6.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "ClientCredential and OBO acquireToken requests with claims will now skip the cache",
+  "packageName": "@azure/msal-node",
+  "email": "[email protected]",
+  "dependentChangeType": "patch"
+}

lib/msal-common/src/config/ClientConfiguration.ts

@@ -23,6 +23,10 @@ import {
     ClientAuthErrorCodes,
     createClientAuthError,
 } from "../error/ClientAuthError";
+import {
+    ClientConfigurationErrorCodes,
+    createClientConfigurationError,
+} from "../error/ClientConfigurationError";
 
 /**
  * Use the configuration object to configure MSAL Modules and initialize the base interfaces for MSAL.
@@ -233,6 +237,12 @@ export function buildClientConfiguration({
     persistencePlugin: persistencePlugin,
     serializableCache: serializableCache,
 }: ClientConfiguration): CommonClientConfiguration {
+    if (userCacheOptions?.claimsBasedCachingEnabled) {
+        throw createClientConfigurationError(
+            ClientConfigurationErrorCodes.claimsBasedCachingEnabled
+        );
+    }
+
     const loggerOptions = {
         ...DEFAULT_LOGGER_IMPLEMENTATION,
         ...userLoggerOption,

lib/msal-common/src/error/ClientConfigurationError.ts

@@ -51,6 +51,8 @@ export const ClientConfigurationErrorMessages = {
         "Cannot set allowNativeBroker parameter to true when not in AAD protocol mode.",
     [ClientConfigurationErrorCodes.authorityMismatch]:
         "Authority mismatch error. Authority provided in login request or PublicClientApplication config does not match the environment of the provided account. Please use a matching account or make an interactive request to login to this authority.",
+    [ClientConfigurationErrorCodes.claimsBasedCachingEnabled]:
+        "Claims based caching is not supported in MSALJS.",
 };
 
 /**

lib/msal-common/src/error/ClientConfigurationErrorCodes.ts

@@ -26,3 +26,4 @@ export const invalidAuthenticationHeader = "invalid_authentication_header";
 export const cannotSetOIDCOptions = "cannot_set_OIDCOptions";
 export const cannotAllowNativeBroker = "cannot_allow_native_broker";
 export const authorityMismatch = "authority_mismatch";
+export const claimsBasedCachingEnabled = "claims_based_caching_enabled";

lib/msal-common/test/client/SilentFlowClient.spec.ts

@@ -366,71 +366,6 @@ describe("SilentFlowClient unit tests", () => {
             );
         });
 
-        it("acquireCachedToken does not throw when given valid claims with claimsBasedCachingEnabled", async () => {
-            const testScopes = [
-                Constants.OPENID_SCOPE,
-                Constants.PROFILE_SCOPE,
-                ...TEST_CONFIG.DEFAULT_GRAPH_SCOPE,
-            ];
-            testAccessTokenEntity.target = testScopes.join(" ");
-            sinon
-                .stub(
-                    Authority.prototype,
-                    <any>"getEndpointMetadataFromNetwork"
-                )
-                .resolves(DEFAULT_OPENID_CONFIG_RESPONSE.body);
-            sinon
-                .stub(CacheManager.prototype, "readAccountFromCache")
-                .returns(testAccountEntity);
-            sinon
-                .stub(CacheManager.prototype, "getIdToken")
-                .returns(testIdToken);
-            sinon
-                .stub(CacheManager.prototype, "getAccessToken")
-                .returns(testAccessTokenEntity);
-            sinon
-                .stub(CacheManager.prototype, "getRefreshToken")
-                .returns(testRefreshTokenEntity);
-            const config =
-                await ClientTestUtils.createTestClientConfiguration();
-            const client = new SilentFlowClient(
-                {
-                    ...config,
-                    cacheOptions: {
-                        ...config.cacheOptions,
-                        claimsBasedCachingEnabled: true,
-                    },
-                },
-                stubPerformanceClient
-            );
-            sinon.stub(TimeUtils, <any>"isTokenExpired").returns(false);
-
-            const silentFlowRequest: CommonSilentFlowRequest = {
-                scopes: TEST_CONFIG.DEFAULT_GRAPH_SCOPE,
-                account: testAccount,
-                authority: TEST_CONFIG.validAuthority,
-                correlationId: TEST_CONFIG.CORRELATION_ID,
-                forceRefresh: false,
-                claims: `{ "access_token": { "xms_cc":{"values":["cp1"] } }}`,
-            };
-
-            const response = await client.acquireCachedToken(silentFlowRequest);
-            const authResult: AuthenticationResult = response[0];
-            expect(authResult.authority).toEqual(
-                `${TEST_URIS.DEFAULT_INSTANCE}${TEST_CONFIG.TENANT}/`
-            );
-            expect(authResult.uniqueId).toEqual(ID_TOKEN_CLAIMS.oid);
-            expect(authResult.tenantId).toEqual(ID_TOKEN_CLAIMS.tid);
-            expect(authResult.scopes).toEqual(testScopes);
-            expect(authResult.account).toEqual(testAccount);
-            expect(authResult.idToken).toEqual(testIdToken.secret);
-            expect(authResult.idTokenClaims).toEqual(ID_TOKEN_CLAIMS);
-            expect(authResult.accessToken).toEqual(
-                testAccessTokenEntity.secret
-            );
-            expect(authResult.state).toBe("");
-        });
-
         it("acquireCachedToken returns correct token when max age is provided and has not transpired yet", async () => {
             const testScopes = [
                 Constants.OPENID_SCOPE,

lib/msal-common/test/config/ClientConfiguration.spec.ts

@@ -14,7 +14,12 @@ import {
 import { MockStorageClass, mockCrypto } from "../client/ClientTestUtils";
 import { MockCache } from "../cache/entities/cacheConstants";
 import { Constants } from "../../src/utils/Constants";
-import { ClientAuthErrorCodes, createClientAuthError } from "../../src";
+import {
+    ClientAuthErrorCodes,
+    ClientConfigurationErrorCodes,
+    createClientAuthError,
+    createClientConfigurationError,
+} from "../../src";
 
 describe("ClientConfiguration.ts Class Unit Tests", () => {
     it("buildConfiguration assigns default functions", async () => {
@@ -31,21 +36,21 @@ describe("ClientConfiguration.ts Class Unit Tests", () => {
         expect(emptyConfig.cryptoInterface.base64Decode).not.toBeNull();
         expect(() =>
             emptyConfig.cryptoInterface.base64Decode("test input")
-        ).toThrowError(
+        ).toThrow(
             createClientAuthError(ClientAuthErrorCodes.methodNotImplemented)
         );
         expect(() =>
             emptyConfig.cryptoInterface.base64Decode("test input")
-        ).toThrowError(AuthError);
+        ).toThrow(AuthError);
         expect(emptyConfig.cryptoInterface.base64Encode).not.toBeNull();
         expect(() =>
             emptyConfig.cryptoInterface.base64Encode("test input")
-        ).toThrowError(
+        ).toThrow(
             createClientAuthError(ClientAuthErrorCodes.methodNotImplemented)
         );
         expect(() =>
             emptyConfig.cryptoInterface.base64Encode("test input")
-        ).toThrowError(AuthError);
+        ).toThrow(AuthError);
         // Storage interface checks
         expect(emptyConfig.storageInterface).not.toBeNull();
         expect(emptyConfig.storageInterface.clear).not.toBeNull();
@@ -57,37 +62,35 @@ describe("ClientConfiguration.ts Class Unit Tests", () => {
         expect(emptyConfig.storageInterface.getAccount).not.toBeNull();
         expect(() =>
             emptyConfig.storageInterface.getAccount("testKey")
-        ).toThrowError(
+        ).toThrow(
             createClientAuthError(ClientAuthErrorCodes.methodNotImplemented)
         );
         expect(() =>
             emptyConfig.storageInterface.getAccount("testKey")
-        ).toThrowError(AuthError);
+        ).toThrow(AuthError);
         expect(emptyConfig.storageInterface.getKeys).not.toBeNull();
-        expect(() => emptyConfig.storageInterface.getKeys()).toThrowError(
+        expect(() => emptyConfig.storageInterface.getKeys()).toThrow(
             createClientAuthError(ClientAuthErrorCodes.methodNotImplemented)
         );
-        expect(() => emptyConfig.storageInterface.getKeys()).toThrowError(
-            AuthError
-        );
+        expect(() => emptyConfig.storageInterface.getKeys()).toThrow(AuthError);
         expect(emptyConfig.storageInterface.removeItem).not.toBeNull();
         expect(() =>
             emptyConfig.storageInterface.removeItem("testKey")
-        ).toThrowError(
+        ).toThrow(
             createClientAuthError(ClientAuthErrorCodes.methodNotImplemented)
         );
         expect(() =>
             emptyConfig.storageInterface.removeItem("testKey")
-        ).toThrowError(AuthError);
+        ).toThrow(AuthError);
         expect(emptyConfig.storageInterface.setAccount).not.toBeNull();
         expect(() =>
             emptyConfig.storageInterface.setAccount(MockCache.acc)
-        ).toThrowError(
+        ).toThrow(
             createClientAuthError(ClientAuthErrorCodes.methodNotImplemented)
         );
         expect(() =>
             emptyConfig.storageInterface.setAccount(MockCache.acc)
-        ).toThrowError(AuthError);
+        ).toThrow(AuthError);
         // Network interface checks
         expect(emptyConfig.networkInterface).not.toBeNull();
         expect(emptyConfig.networkInterface.sendGetRequestAsync).not.toBeNull();
@@ -191,9 +194,6 @@ describe("ClientConfiguration.ts Class Unit Tests", () => {
                 ): void => {},
                 piiLoggingEnabled: true,
             },
-            cacheOptions: {
-                claimsBasedCachingEnabled: true,
-            },
             libraryInfo: {
                 sku: TEST_CONFIG.TEST_SKU,
                 version: TEST_CONFIG.TEST_VERSION,
@@ -265,7 +265,7 @@ describe("ClientConfiguration.ts Class Unit Tests", () => {
         expect(newConfig.loggerOptions.piiLoggingEnabled).toBe(true);
         // Cache options tests
         expect(newConfig.cacheOptions).not.toBeNull();
-        expect(newConfig.cacheOptions.claimsBasedCachingEnabled).toBe(true);
+        expect(newConfig.cacheOptions.claimsBasedCachingEnabled).toBe(false);
         // Client info tests
         expect(newConfig.libraryInfo.sku).toBe(TEST_CONFIG.TEST_SKU);
         expect(newConfig.libraryInfo.version).toBe(TEST_CONFIG.TEST_VERSION);
@@ -279,4 +279,20 @@ describe("ClientConfiguration.ts Class Unit Tests", () => {
             TEST_CONFIG.TEST_APP_VER
         );
     });
+
+    test("throws an error when claimsBasedCaching is enabled", async () => {
+        expect(() => {
+            buildClientConfiguration({
+                //@ts-ignore
+                authOptions: {
+                    clientId: TEST_CONFIG.MSAL_CLIENT_ID,
+                },
+                cacheOptions: { claimsBasedCachingEnabled: true },
+            });
+        }).toThrow(
+            createClientConfigurationError(
+                ClientConfigurationErrorCodes.claimsBasedCachingEnabled
+            )
+        );
+    });
 });

lib/msal-node/src/client/ClientCredentialClient.ts

@@ -59,7 +59,7 @@ export class ClientCredentialClient extends BaseClient {
     public async acquireToken(
         request: CommonClientCredentialRequest
     ): Promise<AuthenticationResult | null> {
-        if (request.skipCache) {
+        if (request.skipCache || request.claims) {
             return this.executeTokenRequest(request, this.authority);
         }
 

lib/msal-node/src/client/OnBehalfOfClient.ts

@@ -58,7 +58,7 @@ export class OnBehalfOfClient extends BaseClient {
             request.oboAssertion
         );
 
-        if (request.skipCache) {
+        if (request.skipCache || request.claims) {
             return this.executeTokenRequest(
                 request,
                 this.authority,

lib/msal-node/src/config/Configuration.ts

@@ -14,6 +14,8 @@ import {
     AzureCloudOptions,
     ApplicationTelemetry,
     INativeBrokerPlugin,
+    createClientConfigurationError,
+    ClientConfigurationErrorCodes,
 } from "@azure/msal-common";
 import { HttpClient } from "../network/HttpClient.js";
 import http from "http";
@@ -203,6 +205,12 @@ export function buildAppConfiguration({
     system,
     telemetry,
 }: Configuration): NodeConfiguration {
+    if (cache?.claimsBasedCachingEnabled) {
+        throw createClientConfigurationError(
+            ClientConfigurationErrorCodes.claimsBasedCachingEnabled
+        );
+    }
+
     const systemOptions: Required<NodeSystemOptions> = {
         ...DEFAULT_SYSTEM_OPTIONS,
         networkClient: new HttpClient(