Please create an issue in GitHub. Add as much detail as possible (OS, browser and version, source code, etc.).
Azure B2C - MSAL.js Session Behavior with Multiple tabs
We're using MSAL.js 1.3.2 for interacting with Azure AD B2C for a Vue.js SPA. The MSAL.js config is set to use session storage for storing its cache. As per the documentation (https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-js-sso#sso-between-browser-tabs), the session is not allowed to be shared between different tabs when using session storage. But when a new tab is opened, the existing session is being used to sign in the user automatically. We've used the 'prompt = login' parameter to suppress this behavior. While this helps us to ensure that the user has to sign in manually when a new tab is opened, we're now noticing an issue with token renewal.
Here's the scenario -
- Log in with Account 1 in Tab 1.
- Open a new tab (Tab 2) and log in with Account 2.
- Now, in Tab 1, make a token renewal request using acquireTokenSilent() with the client id as the scope. This returns a new token with Account 2's Object ID as the Subject (which means it is renewing the token for Account 2 instead of Account 1).
How do we suppress/control this behavior?
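
A defensive check for the scenario above, as an added example that is not part of the original post and not MSAL.js code: each tab records the `sub` claim of the token it signed in with and refuses any silently renewed token whose `sub` differs. It assumes the raw token string is taken from the `acquireTokenSilent()` response and that `storage` is the tab's own `sessionStorage`; the function names, storage key and sample tokens are hypothetical or constructed.

```javascript
// Added example; SUBJECT_KEY, bindTab and checkRenewal are hypothetical names.
const SUBJECT_KEY = "tab.boundSubject";

// Decode a compact JWT payload for comparison only. The signature is NOT
// verified, so this is a consistency check, not token validation.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const raw = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const b64 = raw + "=".repeat((4 - (raw.length % 4)) % 4);
  const bin = typeof atob === "function"
    ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Call once after interactive sign-in: remember which subject owns this tab.
function bindTab(storage, rawToken) {
  const { sub } = decodeJwtPayload(rawToken);
  if (!sub) throw new Error("token has no sub claim");
  storage.setItem(SUBJECT_KEY, sub);
  return sub;
}

// Call on every silently renewed token before it is cached or sent to an API.
function checkRenewal(storage, rawToken) {
  const expected = storage.getItem(SUBJECT_KEY);
  const actual = decodeJwtPayload(rawToken).sub;
  if (!expected) return { ok: false, reason: "tab-not-bound", actual };
  if (actual !== expected) return { ok: false, reason: "subject-mismatch", expected, actual };
  return { ok: true, actual };
}

// --- Constructed sample data (unsigned tokens, Node-only helpers) ---
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc(claims)}.constructed`;
}
function memoryStorage() { // stands in for one tab's sessionStorage
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => void m.set(k, String(v)) };
}
function demo() {
  const tab1 = memoryStorage();
  const account1 = makeSampleToken({ sub: "00000000-0000-4000-8000-000000000001" });
  const account2 = makeSampleToken({ sub: "00000000-0000-4000-8000-000000000002" });
  bindTab(tab1, account1); // Tab 1: interactive sign-in as Account 1
  return [checkRenewal(tab1, account1), checkRenewal(tab1, account2)];
}
```

On a `subject-mismatch` result the tab can discard the token and require an interactive sign-in instead of continuing with another account's identity.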
1 answer
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
2020-07-23T13:44:41.28+00:00