MsalInterceptor uses wrong account after logging out #7525

Open
2 tasks
antonio-grudicek opened this issue Jan 23, 2025 · 0 comments
Labels
  • bug-unconfirmed: A reported bug that needs to be investigated and confirmed
  • msal-angular: Related to @azure/msal-angular package
  • msal-browser: Related to msal-browser package
  • Needs: Attention 👋: Awaiting response from the MSAL.js team
  • public-client: Issues regarding PublicClientApplications
  • question: Customer is asking for a clarification, use case or information.

Comments


antonio-grudicek commented Jan 23, 2025

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

3.28.1

Wrapper Library

MSAL Angular (@azure/msal-angular)

Wrapper Library Version

3.1.0

Public or Confidential Client?

Public

Description

Hello!

I'm using Angular 18 and @azure/msal-angular 3.1.0 in my project. I'm using MS Entra ID authentication and should support multiple accounts at the same time (signing in with a different account, switching between multiple accounts, logging out of a specific account, etc.).

I have the following problem:
I'm logged in with 2 accounts.
I log out of my first account.
First, I'm redirected to my application, and if a REST request fails (which should be the case after logging out), I should be redirected to the login page.
But MsalInterceptor starts using the token from my second account in the Authorization header (instead of not using a token at all).
As a result, the redirect to the login form is not working, because my REST requests pass (with the token from another account) and I'm not redirected from my application to the login form.

I think this code is problematic, especially the statement `account = this.authService.instance.getAllAccounts()[0];`:

```ts
    // Excerpt from the MsalInterceptor request handling, as quoted in the issue.
    // Sets account as active account or first account
    let account: AccountInfo;
    if (!!this.authService.instance.getActiveAccount()) {
      this.authService
        .getLogger()
        .verbose("Interceptor - active account selected");
      account = this.authService.instance.getActiveAccount();
    } else {
      // Fallback: with no active account, the first cached account is used.
      this.authService
        .getLogger()
        .verbose("Interceptor - no active account, fallback to first account");
      account = this.authService.instance.getAllAccounts()[0];
    }

    const authRequest =
      typeof this.msalInterceptorConfig.authRequest === "function"
        ? this.msalInterceptorConfig.authRequest(this.authService, req, {
            account: account,
          })
        : { ...this.msalInterceptorConfig.authRequest, account };

    this.authService
      .getLogger()
      .info(`Interceptor - ${scopes.length} scopes found for endpoint`);
    this.authService
      .getLogger()
      .infoPii(`Interceptor - [${scopes}] scopes found for ${req.url}`);

    return this.acquireToken(authRequest, scopes, account).pipe(
      switchMap((result: AuthenticationResult) => {
        this.authService
          .getLogger()
          .verbose("Interceptor - setting authorization headers");
        const headers = req.headers.set(
          "Authorization",
          `Bearer ${result.accessToken}`
        );

        const requestClone = req.clone({ headers });
        return next.handle(requestClone);
      })
    );
```

In my opinion, interceptor shouldn't set account at all. If there is no active account, interceptor shouldn't set Authorization header.

Error Message

No response

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

```ts
{
  auth: {
    clientId: environment.authConfig.clientId,
    authority: `https://login.microsoftonline.com/${environment.authConfig.tenantId}`,
    redirectUri: locationOrigin,
    navigateToLoginRequestUrl: true,
  },
  cache: {
    cacheLocation: 'sessionStorage',
    storeAuthStateInCookie: isIE,
  }
}
```

Relevant Code Snippets

```ts
onLogoutClick() {
  if (this.activeAccount) {
    this.msalService.logoutRedirect({account: this.activeAccount});
  }
}
```

Reproduction Steps

  1. I'm logged in with 2 accounts
  2. I log out of my first account
  3. First, I'm redirected to my application; the REST request passes with the token from my second account, and I'm not redirected to the login page

Expected Behavior

  1. I'm logged in with 2 accounts
  2. I log out of my first account
  3. First, I'm redirected to my application; the REST request fails (because I'm logged out), and I'm redirected to the login page

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge, Safari, Other

Regression

No response
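To make the two account-selection rules comparable, here is an added TypeScript example (not the reporter's code and not the MSAL project's) that models the account cache in memory and replays the reproduction steps; `FakeClientApplication`, its `logout` behaviour, `replayLogoutScenario` and the constructed account ids are assumptions of this example.

```typescript
// Added example, not MSAL's own code: a minimal in-memory stand-in for the
// PublicClientApplication account cache so the interceptor's account choice
// can be exercised without Angular or @azure/msal-browser.
interface AccountInfo { homeAccountId: string; username: string; }

class FakeClientApplication {
  constructor(private accounts: AccountInfo[], private active: AccountInfo | null) {}
  getAllAccounts(): AccountInfo[] { return [...this.accounts]; }
  getActiveAccount(): AccountInfo | null { return this.active; }
  // Models the cache after logoutRedirect({ account }) returns to the app:
  // the account is gone and, if it was the active one, no active account
  // remains (assumption for this example).
  logout(account: AccountInfo): void {
    this.accounts = this.accounts.filter(a => a.homeAccountId !== account.homeAccountId);
    if (this.active?.homeAccountId === account.homeAccountId) this.active = null;
  }
}

// Selection quoted in the issue: active account, else the first cached one.
export function selectAccountWithFallback(app: FakeClientApplication): AccountInfo | null {
  return app.getActiveAccount() ?? app.getAllAccounts()[0] ?? null;
}

// Selection the issue proposes: only an explicitly active account is used.
export function selectActiveAccountOnly(app: FakeClientApplication): AccountInfo | null {
  return app.getActiveAccount();
}

// Attach Authorization only when an account was selected; with no account the
// request goes out unauthenticated, the backend answers 401, and the app can
// redirect to the login page as the reporter expects.
export function authorizationHeader(
  account: AccountInfo | null,
  tokenFor: (a: AccountInfo) => string,
): Record<string, string> {
  return account ? { Authorization: `Bearer ${tokenFor(account)}` } : {};
}

// Replays the reproduction steps: two cached accounts, the active one logs
// out, then one request is intercepted. Returns the header that would be sent.
export function replayLogoutScenario(
  select: (app: FakeClientApplication) => AccountInfo | null,
): string | undefined {
  const first: AccountInfo = { homeAccountId: "acct-1", username: "first@example.test" };
  const second: AccountInfo = { homeAccountId: "acct-2", username: "second@example.test" };
  const app = new FakeClientApplication([first, second], first);
  app.logout(first);
  const headers = authorizationHeader(select(app), a => `token-for-${a.homeAccountId}`);
  return headers["Authorization"];
}
```

With the fallback rule the request after logout still carries the second account's bearer token; with the active-account-only rule it carries none.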

@antonio-grudicek antonio-grudicek added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Jan 23, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jan 23, 2025
@github-actions github-actions bot added msal-angular Related to @azure/msal-angular package msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications labels Jan 23, 2025