multiple_matching_tokens_detected with ADAL

Question

I have a service that uses Azure access tokens that we retrieve using ADAL. We have several hundred customers, but for some reason there are two of them that sporadically generate this error when we try to retrieve an AuthenticationResult for them:

multiple_matching_tokens_detected: The cache contains multiple tokens satisfying the requirements. Call AcquireToken again providing more requirements (e.g. UserId).

I have no idea why only these two folks out of hundreds have this issue and really can't find much about it on the net. Our code to acquire a token looks like this (simplified):

AuthenticationContext authContext = new AuthenticationContext(authority, new MyCustomTokenCache());
ClientCredential credential = new ClientCredential(myClientId, myPassword);
authContext.AcquireTokenSilent(resourceUri, credential, UserIdentifier.AnyUser); 

Why does this error occur and what is the "suggested" solution to resolve it? I have been leaning towards trying to fix it by acquiring a token like so but really would like to know what the error really is all about:

authContext.AcquireTokenSilent(mr.ResourceUri, credential, new UserIdentifier("[email protected]", UserIdentifierType.UniqueId));

Answer 1

If this is still relevant, I had similar problem with multiple_matching_tokens_detected error and I found this:

https://developercommunity.visualstudio.com/content/problem/17315/cant-add-new-account-with-vsts-online-failed-to-re.html

As Alex at the answer there mentioned (You need to do this on the client machine) :

1. Close all Visual Studio instances (In your case - close all client apps I suppose).
2. Delete %LOCALAPPDATA%\.IdentityService.
3. Enjoy.

Worked for me like magic

Answer 2

This error is usually accurate, as in - it is actually reporting that there are multiple tokens for the same authority/resource/clientid combination for different users. There are many possible reasons for which you might end up with such tokens, and in fact there are scenarios for which it is perfectly legitimate (say one mail app that supports multiple mailboxes for multiple users at once). In your specific case I can think of two possible culprits. One is that MyCustomTokenCache might not enforce isolation between web sessions, ending up pooling tokens from different callers. Another possibility is that those two users might have had their UPN reassigned, and now you have multiple cache entries with both the old and new UPN. I would recommend inspecting the cache looking for such duplicates and, if they are there, clean up accordingly.