MSAL sign out does not appear to clear cache

Yousef Shahien [KP-Mobility] 36 Reputation points
2021-02-08T08:33:27.71+00:00

We have an Android application integrated with Azure authentication using MSAL, and it's configured to be single tenant. After signing out, I would expect the app to clear its cache and require users to provide credentials when signing in again. But what actually happens is that users can sign out and sign in again with the same user or a previously logged-in user without having to authenticate again (no credentials required on second logins).

Is there a way to clear cached users, or to totally sign out the user?


3 answers

  1. Emad Al Abed 6 Reputation points
    2021-02-08T13:04:10.453+00:00

    I have the same issue on my project, and will be waiting for an answer as well; hopefully someone from Microsoft answers this.
    Regards


  2. VipulSparsh-MSFT 16,316 Reputation points Microsoft Employee
    2021-02-09T05:02:07.69+00:00

    @Yousef Shahien [KP-Mobility] Have you tried calling the Signout API in MSAL?
    This will remove all tokens from the cache for this application for the provided account. Additionally, this API will remove the account from the system browser or the embedded webView by navigating to the OIDC end session endpoint if requested in the parameters. As a result of the signout operation, the application will not be able to get tokens for the given account without the user entering credentials.

    If you also want to do a browser sign out, you can have a look here.

    Read the code here on Github

    -----------------------------------------------------------------------------------------------------------------

    If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


  3. VipulSparsh-MSFT 16,316 Reputation points Microsoft Employee
    2021-02-10T12:44:57.22+00:00

    @Yousef Shahien [KP-Mobility]

    MSAL libraries can't control the browser cache. You do have some level of control over the interactive experience when using prompts - for example to force the user to re-enter their password, you can do:

    AcquireTokenInteractive(scopes).WithPrompt(Prompt.ForceLogin);

    On Android, the use of Chrome Custom Tabs means that we don't have any control over cookies as they are shared with the external Chrome app and thus not accessible. The user would have to manually open the website in Chrome and then log out from any identity providers. Theoretically we could automatically open the logout URL, if one exists, but clearly that would be extremely bad UX.

    Right now the issue has been handled for a few frameworks by using the embedded webview in MSAL.
    Check further here.

    Workaround suggested:

    A better way to deal with this requirement, however, would be via Conditional Access. You ask the tenant admin to require users to enter their passwords at least once every x hours / days.

    Details at https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

    From the developer perspective, when you call AcquireTokenSilent, MSAL will throw an MsalUiRequiredException and the user will have to re-enter their password.
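The two suggestions from the answers above (the MSAL signOut call and the forced-login prompt), as an added Android example that is not code from this thread or from the MSAL project; it assumes a hypothetical `Activity`, an already-created `ISingleAccountPublicClientApplication`, and a scope list `SCOPES`.

```java
// Added example: clear MSAL's token cache for the signed-in account, then force
// credentials on the next interactive sign-in. Assumed/hypothetical names: SCOPES, activity.
import android.app.Activity;
import com.microsoft.identity.client.AcquireTokenParameters;
import com.microsoft.identity.client.AuthenticationCallback;
import com.microsoft.identity.client.IAuthenticationResult;
import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
import com.microsoft.identity.client.Prompt;
import com.microsoft.identity.client.exception.MsalException;
import java.util.Arrays;
import java.util.List;

public class MsalSignOutHelper {
    // Assumed scope for the example; use the scopes your app actually requests.
    private static final List<String> SCOPES = Arrays.asList("User.Read");

    // signOut removes the account's tokens from the MSAL cache. It does not clear the
    // session cookie held by Chrome Custom Tabs, which is why the next interactive
    // sign-in below uses Prompt.LOGIN to require credentials anyway.
    public static void signOut(ISingleAccountPublicClientApplication app) {
        app.signOut(new ISingleAccountPublicClientApplication.SignOutCallback() {
            @Override
            public void onSignOut() {
                // Cache cleared for this account; return the UI to the login screen here.
            }

            @Override
            public void onError(MsalException exception) {
                // Treat the user as still signed in and surface the error.
            }
        });
    }

    // Interactive sign-in that ignores any browser session and asks for credentials.
    // Prompt.LOGIN is the Android counterpart of Prompt.ForceLogin in the .NET snippet above.
    public static void signInWithCredentials(ISingleAccountPublicClientApplication app,
                                             Activity activity) {
        AcquireTokenParameters params = new AcquireTokenParameters.Builder()
                .startAuthorizationFromActivity(activity)
                .withScopes(SCOPES)
                .withPrompt(Prompt.LOGIN)
                .withCallback(new AuthenticationCallback() {
                    @Override public void onSuccess(IAuthenticationResult result) { /* tokens acquired */ }
                    @Override public void onError(MsalException exception) { /* handle failure */ }
                    @Override public void onCancel() { /* user dismissed the prompt */ }
                })
                .build();
        app.acquireToken(params);
    }
}
```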

