Add support for Multi-tenant accounts and cross-tenant token caching (#6536)

This PR:
- Adds `tenantProfiles` map to `AccountInfo` and `tenantProfiles` array
(serialization) to `AccountEntity`
- Adds `realm` filtering to `getIdToken` and `getAccessToken` so cached
tokens are only matched if they were issued by the tenant in the
request's authority
- Updates cached account setting logic to cache `AccountEntity` objects
with the available data of the home tenant profile in client_info
(localAccountId = uid, realm = utid).
- Adds logic to update the `AccountInfo` objects that `getAccount` APIs
return to reflect the tenant-specific data (tenant profile) in the ID
token claims from the ID token that matches the account filter passed in
- Adds logic to `getAllAccounts` to expand and return all tenant
profiles that match the filter into full `AccountInfo` objects to
maintain backward compatibility
- Sets access token and ID token realm values to the best available
value from ID token claims with precedence tid > tfp > acr to cover AAD
and B2C cases

---------

Co-authored-by: Sameera Gajjarapu <sameera.gajjarapu@microsoft.com>
Co-authored-by: Thomas Norling <thomas.norling@microsoft.com>

Author: 3 people

change/@azure-msal-browser-79eee614-ede9-45f3-b008-5fa2b8a7ecf3.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Add support for Multi-tenant accounts and cross-tenant token caching #6466",
+  "packageName": "@azure/msal-browser",
+  "email": "hemoral@microsoft.com",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-common-8efe538a-488d-46f1-b1ea-f1bdea1ad4ae.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Add support for Multi-tenant accounts and cross-tenant token caching #6466",
+  "packageName": "@azure/msal-common",
+  "email": "hemoral@microsoft.com",
+  "dependentChangeType": "patch"
+}

change/@azure-msal-node-fd8922d0-15cd-4b36-b209-0810fd9a67d6.json

@@ -0,0 +1,7 @@
+{
+  "type": "minor",
+  "comment": "Add support for Multi-tenant accounts and cross-tenant token caching #6466",
+  "packageName": "@azure/msal-node",
+  "email": "hemoral@microsoft.com",
+  "dependentChangeType": "patch"
+}

lib/msal-browser/docs/accounts.md

@@ -1,6 +1,6 @@
 # Accounts in MSAL Browser
 
-> This is the platform-specific Accounts documentation for `@azure/msal-browser`. For the general documentation of the `AccountInfo` object structure, please visit the `@azure/msal-common` [Accounts document](../../msal-common/docs/Accounts.md).
+> This is the platform-specific Accounts documentation for `@azure/msal-browser`. For the general documentation of the `AccountInfo` object structure, please visit the `@azure/msal-common` [Accounts document](../../msal-common/docs/Accounts.md). For documentation relating to multi-tenant accounts, please visit the [Multi-tenant Accounts document](../../msal-common/docs/multi-tenant-accounts.md).
 
 ## Usage
 

lib/msal-browser/package.json

@@ -86,6 +86,7 @@
     "@types/sinon": "^7.5.0",
     "dotenv": "^8.2.0",
     "eslint-config-msal": "^0.0.0",
+    "msal-test-utils": "^0.0.1",
     "fake-indexeddb": "^3.1.3",
     "jest": "^29.5.0",
     "jest-environment-jsdom": "^29.5.0",

lib/msal-browser/src/cache/BrowserCacheManager.ts

@@ -394,15 +394,31 @@ export class BrowserCacheManager extends CacheManager {
      * fetch the account entity from the platform cache
      * @param accountKey
      */
-    getAccount(accountKey: string): AccountEntity | null {
+    getAccount(accountKey: string, logger?: Logger): AccountEntity | null {
         this.logger.trace("BrowserCacheManager.getAccount called");
-        const account = this.getItem(accountKey);
-        if (!account) {
+        const accountEntity = this.getCachedAccountEntity(accountKey);
+
+        return this.updateOutdatedCachedAccount(
+            accountKey,
+            accountEntity,
+            logger
+        );
+    }
+
+    /**
+     * Reads account from cache, deserializes it into an account entity and returns it.
+     * If account is not found from the key, returns null and removes key from map.
+     * @param accountKey
+     * @returns
+     */
+    getCachedAccountEntity(accountKey: string): AccountEntity | null {
+        const serializedAccount = this.getItem(accountKey);
+        if (!serializedAccount) {
             this.removeAccountKeyFromMap(accountKey);
             return null;
         }
 
-        const parsedAccount = this.validateAndParseJson(account);
+        const parsedAccount = this.validateAndParseJson(serializedAccount);
         if (!parsedAccount || !AccountEntity.isAccountEntity(parsedAccount)) {
             this.removeAccountKeyFromMap(accountKey);
             return null;
@@ -505,6 +521,15 @@ export class BrowserCacheManager extends CacheManager {
         this.removeAccountKeyFromMap(key);
     }
 
+    /**
+     * Remove account entity from the platform cache if it's outdated
+     * @param accountKey
+     */
+    removeOutdatedAccount(accountKey: string): void {
+        this.removeItem(accountKey);
+        this.removeAccountKeyFromMap(accountKey);
+    }
+
     /**
      * Removes given idToken from the cache and from the key map
      * @param key
@@ -1034,6 +1059,7 @@ export class BrowserCacheManager extends CacheManager {
             return this.getAccountInfoFilteredBy({
                 homeAccountId: activeAccountValueObj.homeAccountId,
                 localAccountId: activeAccountValueObj.localAccountId,
+                tenantId: activeAccountValueObj.tenantId,
             });
         }
         this.logger.trace(
@@ -1058,6 +1084,7 @@ export class BrowserCacheManager extends CacheManager {
             const activeAccountValue: ActiveAccountFilters = {
                 homeAccountId: account.homeAccountId,
                 localAccountId: account.localAccountId,
+                tenantId: account.tenantId,
             };
             this.browserStorage.setItem(
                 activeAccountKey,

lib/msal-browser/src/cache/TokenCache.ts

@@ -19,6 +19,7 @@ import {
     CacheRecord,
     TokenClaims,
     CacheHelpers,
+    buildAccountToCache,
 } from "@azure/msal-common";
 import { BrowserConfiguration } from "../config/Configuration";
 import { SilentRequest } from "../request/SilentRequest";
@@ -240,40 +241,43 @@ export class TokenCache implements ITokenCache {
         clientInfo?: string,
         requestHomeAccountId?: string
     ): AccountEntity {
-        let homeAccountId;
-        if (requestHomeAccountId) {
-            homeAccountId = requestHomeAccountId;
-        } else if (authority.authorityType !== undefined && clientInfo) {
-            homeAccountId = AccountEntity.generateHomeAccountId(
-                clientInfo,
-                authority.authorityType,
-                this.logger,
-                this.cryptoObj,
-                idTokenClaims
-            );
-        }
+        if (this.isBrowserEnvironment) {
+            this.logger.verbose("TokenCache - loading account");
+            let homeAccountId;
+            if (requestHomeAccountId) {
+                homeAccountId = requestHomeAccountId;
+            } else if (authority.authorityType !== undefined && clientInfo) {
+                homeAccountId = AccountEntity.generateHomeAccountId(
+                    clientInfo,
+                    authority.authorityType,
+                    this.logger,
+                    this.cryptoObj,
+                    idTokenClaims
+                );
+            }
 
-        if (!homeAccountId) {
-            throw createBrowserAuthError(
-                BrowserAuthErrorCodes.unableToLoadToken
-            );
-        }
+            if (!homeAccountId) {
+                throw createBrowserAuthError(
+                    BrowserAuthErrorCodes.unableToLoadToken
+                );
+            }
+            const claimsTenantId = idTokenClaims.tid;
 
-        const accountEntity = AccountEntity.createAccount(
-            {
+            const cachedAccount = buildAccountToCache(
+                this.storage,
+                authority,
                 homeAccountId,
-                idTokenClaims: idTokenClaims,
+                idTokenClaims,
+                base64Decode,
                 clientInfo,
-                environment: authority.hostnameAndPort,
-            },
-            authority
-        );
-
-        if (this.isBrowserEnvironment) {
-            this.logger.verbose("TokenCache - loading account");
+                claimsTenantId,
+                undefined,
+                undefined,
+                this.logger
+            );
 
-            this.storage.setAccount(accountEntity);
-            return accountEntity;
+            this.storage.setAccount(cachedAccount);
+            return cachedAccount;
         } else {
             throw createBrowserAuthError(
                 BrowserAuthErrorCodes.unableToLoadToken

lib/msal-browser/src/controllers/StandardController.ts

@@ -1549,7 +1549,7 @@ export class StandardController implements IController {
     ): string {
         const account =
             request.account ||
-            this.browserStorage.getAccountInfoFilteredBy({
+            this.getAccount({
                 loginHint: request.loginHint,
                 sid: request.sid,
             }) ||

lib/msal-browser/src/index.ts

@@ -146,6 +146,7 @@ export {
     PerformanceEvents,
     // Telemetry
     InProgressPerformanceEvent,
+    TenantProfile,
 } from "@azure/msal-common";
 
 export { version } from "./packageMetadata";

lib/msal-browser/src/interaction_client/NativeInteractionClient.ts

@@ -33,7 +33,9 @@ import {
     invokeAsync,
     createAuthError,
     AuthErrorCodes,
+    updateAccountTenantProfileData,
     CacheHelpers,
+    buildAccountToCache,
 } from "@azure/msal-common";
 import { BaseInteractionClient } from "./BaseInteractionClient";
 import { BrowserConfiguration } from "../config/Configuration";
@@ -420,28 +422,32 @@ export class NativeInteractionClient extends BaseInteractionClient {
             response,
             idTokenClaims
         );
-        const accountEntity = AccountEntity.createAccount(
-            {
-                homeAccountId: homeAccountIdentifier,
-                idTokenClaims: idTokenClaims,
-                clientInfo: response.client_info,
-                nativeAccountId: response.account.id,
-            },
-            authority
+
+        const baseAccount = buildAccountToCache(
+            this.browserStorage,
+            authority,
+            homeAccountIdentifier,
+            idTokenClaims,
+            base64Decode,
+            response.client_info,
+            idTokenClaims.tid,
+            undefined,
+            response.account.id,
+            this.logger
         );
 
         // generate authenticationResult
         const result = await this.generateAuthenticationResult(
             response,
             request,
             idTokenClaims,
-            accountEntity,
+            baseAccount,
             authority.canonicalAuthority,
             reqTimestamp
         );
 
         // cache accounts and tokens in the appropriate storage
-        this.cacheAccount(accountEntity);
+        this.cacheAccount(baseAccount);
         this.cacheNativeTokens(
             response,
             request,
@@ -580,14 +586,11 @@ export class NativeInteractionClient extends BaseInteractionClient {
             idTokenClaims.tid ||
             Constants.EMPTY_STRING;
 
-        const fullAccountEntity: AccountEntity = idTokenClaims
-            ? Object.assign(new AccountEntity(), {
-                  ...accountEntity,
-                  idTokenClaims: idTokenClaims,
-              })
-            : accountEntity;
-
-        const accountInfo = fullAccountEntity.getAccountInfo();
+        const accountInfo: AccountInfo | null = updateAccountTenantProfileData(
+            accountEntity.getAccountInfo(),
+            undefined, // tenantProfile optional
+            idTokenClaims
+        );
 
         // generate PoP token as needed
         const responseAccessToken = await this.generatePopAccessToken(