loadExternalTokens no longer works with acquireTokenSilent #7527

Open
2 tasks
domshyra opened this issue Jan 23, 2025 · 1 comment
Labels
bug-unconfirmed A reported bug that needs to be investigated and confirmed msal-browser Related to msal-browser package msal-react Related to @azure/msal-react Needs: Attention 👋 Awaiting response from the MSAL.js team public-client Issues regarding PublicClientApplications question Customer is asking for a clarification, use case or information.

domshyra commented Jan 23, 2025

Core Library

MSAL.js (@azure/msal-browser)

Core Library Version

4.0.1

Wrapper Library

MSAL React (@azure/msal-react)

Wrapper Library Version

3.0.1

Public or Confidential Client?

Public

Description

Hello,

When using loadExternalTokens, the assumption is that the acquireTokenSilent request will not prompt with a redirect. However, this seems to not be the case and a redirect login is always showing up.

At one point this worked 100% correctly, but now it seems that no matter what I try it will no longer set the account, even though all the tokens are there in the sessionStorage.

I have created a repo to go over this more in depth and have it be a sandbox for others to try or tell me what is wrong in the code. The readme should be more in-depth and have all the repro steps.

Here is the repo

The use case is that we have a Selenium runner that does a fetch for the tokens at our MS endpoint, https://login.microsoftonline.com/tenatId-here/oauth2/v2.0/token, which then gets transformed into session storage values for our useAuthentication hook to receive, such as 'seleniumIdTokenKey'. These values are then read and fed into a call to our pca like so: `await pca.getTokenCache().loadExternalTokens(silentRequest, serverResponse, loadTokenOptions);` At which point a user should be logged in once they reach a page that has a `<MsalAuthenticationTemplate interactionType={InteractionType.Redirect}>` wrapped around the rendered child component.
The sample code comes from this document here

Note: This token from https://login.microsoftonline.com/tenatId-here/oauth2/v2.0/token comes back correctly, and when using the "access_token" property off it, it is able to hit our APIs and auth correctly. We know it's not the token and have also tried it with multiple app registrations as well as a brand new one.

In the sample repo this redirect always prompts a login prompt and doesn't appear to read from our sessionStorage items anymore.

This seemed to work until about mid Oct of 2024 on msal 2.2.
This also seems to work without loadExternalTokens on msal 1, but we don't wanna downgrade.

Other issues that seem related are as follows:
One in SO
one in github

Error Message

The only error message sometimes provided was a https://autologon.microsoftazuread-sso.com/our-tenantId-here/winauth/ssoprobe?client-request-id=01946bbe-a6ee-729b-af2e-31545463d6d7&_=1736974445488 - Failed to load resource: the server responded with a status of 401 (Unauthorized)

MSAL Logs

No response

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

```typescript
import { BrowserCacheLocation, LogLevel } from "@azure/msal-browser";

// clientId, tenantId and redirectUri are defined elsewhere in the app.
export const msalConfig = {
	auth: {
		clientId: clientId,
		authority: `https://login.microsoftonline.com/${tenantId}`, // This is a URL (e.g. https://login.microsoftonline.com/{your tenant ID})
		redirectUri: redirectUri,
	},
	cache: {
		cacheLocation: BrowserCacheLocation.SessionStorage, // This configures where your cache will be stored
		storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge
	},
	system: {
		logLevel: LogLevel.Verbose,
		loggerCallback: (level: LogLevel, message: string, _containsPii: boolean) => {
			switch (level) {
				case LogLevel.Error:
					console.error(message);
					return;
				case LogLevel.Info:
					console.info(message);
					return;
				case LogLevel.Verbose:
					console.debug(message);
					return;
				case LogLevel.Warning:
					console.warn(message);
					return;
			}
		},
		piiLoggingEnabled: false,
		allowPlatformBroker: false,
	},
};
```

Relevant Code Snippets

```typescript
// useAuthentication hook
const pca = new PublicClientApplication(msalConfig);
try {
	await pca.initialize();
	const authenticationResult = await pca.getTokenCache().loadExternalTokens(silentRequest, serverResponse, loadTokenOptions);

	console.log(JSON.stringify(authenticationResult));
	window.sessionStorage.removeItem("seleniumIdTokenKey");
	window.sessionStorage.removeItem("seleniumAccountKey");
	window.sessionStorage.removeItem("seleniumAccessTokenKey");
	window.sessionStorage.removeItem("seleniumRefreshTokenKey");
	console.log("Tokens set for Selenium");
} catch (error: any) {
	console.error(error);
}
```

Reproduction Steps

Clone the repo, follow the Prerequisites steps.

Grab a result from https://login.microsoftonline.com/your-tenant-id-here/oauth2/v2.0/token, and paste that into the textarea of the application. Once pasted hit "set sessionStorage & slient redirect" button on the application homepage.

Expected Behavior

The login prompt should not appear, as loadExternalTokens should be satisfied. Once a result from the MS endpoint is pasted into the textarea and the "set sessionStorage & slient redirect" button is pressed, the app would redirect to an authed page, just like if a user signed in regularly.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

Chrome, Firefox, Edge

Regression

@azure/msal-browser: 3

@domshyra domshyra added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Jan 23, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Jan 23, 2025
@github-actions github-actions bot added msal-browser Related to msal-browser package msal-react Related to @azure/msal-react public-client Issues regarding PublicClientApplications labels Jan 23, 2025
@MicahWSRB

I came across this same issue and was hoping the Stack Overflow question would gain traction. I was able to recreate the issue you described when pulling down your example repo.

Besides the 401 you provided, I am not able to generate any other kind of error. It would be great to get some support on this.
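
As an added example (not part of the issue thread or of the MSAL.js project): a pre-flight check a test harness could run on the token endpoint response before passing it to `loadExternalTokens`, confirming that the id, access and refresh tokens the flow in the issue stores are present and that the id token's `aud`, `tid` and `exp` claims line up with the `clientId` and tenant used in `msalConfig`. `checkExternalTokenResponse`, `makeSampleIdToken` and every sample value are hypothetical, and claims are decoded without signature verification.

```javascript
// Added example. Helper names and all sample values are hypothetical/constructed.
// Decodes claims WITHOUT verifying the signature: a test-harness diagnostic,
// not a token validator.
function decodeSegment(segment) {
  const value = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  if (value === null || typeof value !== "object") throw new Error("not an object");
  return value;
}

// Returns a list of problems found in a token endpoint response; empty if none.
function checkExternalTokenResponse(response, expected, nowSeconds) {
  const problems = [];
  // Fields the flow in the issue stores (id, access and refresh tokens) plus
  // the standard OAuth 2.0 lifetime and scope fields.
  for (const field of ["access_token", "id_token", "refresh_token", "expires_in", "scope"]) {
    if (response[field] === undefined || response[field] === "") {
      problems.push(`missing ${field}`);
    }
  }
  if (!response.id_token) return problems;

  const parts = String(response.id_token).split(".");
  if (parts.length !== 3) return problems.concat("id_token is not a three-part JWT");

  let claims;
  try {
    claims = decodeSegment(parts[1]);
  } catch {
    return problems.concat("id_token payload is not a base64url-encoded JSON object");
  }
  if (claims.aud !== expected.clientId) problems.push("id_token aud does not match clientId");
  if (claims.tid !== expected.tenantId) problems.push("id_token tid does not match tenantId");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) problems.push("id_token is expired");
  if (!claims.oid && !claims.sub) problems.push("id_token has no oid or sub claim");
  return problems;
}

// Builds an unsigned, constructed id_token so the example runs offline.
function makeSampleIdToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.constructed`;
}

const expected = { clientId: "constructed-client-id", tenantId: "constructed-tenant-id" };
const sample = {
  access_token: "constructed", refresh_token: "constructed", expires_in: 3600, scope: "openid profile",
  id_token: makeSampleIdToken({ aud: "some-other-app", tid: expected.tenantId, exp: 1700003600, oid: "constructed-oid" }),
};
console.log(checkExternalTokenResponse(sample, expected, 1700000000));
```
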
