ADAL Mac returns 300 AD_ERROR_CACHE_MULTIPLE_USERS errors

We are using the ADAL Mac library for authentication. When using this library, we get error 300 (AD_ERROR_CACHE_MULTIPLE_USERS) with the description: The token cache store for this resource contains more than one user. Please set the 'userId' parameter to the one that will be used.

When does this happen? How should this scenario be handled?

+3




1 answer


Background

ADAL has a token cache for all access / refresh tokens on the device. The cache is keyed on things like the user, the requested resource, etc.

The application can get into a state in which there are several tokens in the cache for the same request. While these tokens may represent some other information, the information provided in the token lookup request was somehow ambiguous. Simple example:

Cache

hash(userA,B,C) -> token pair 1
hash(userB,B,C) -> token pair 2
hash(userA,F,G) -> token pair 3

      

Search (AcquireTokenSilent)



So now we make an AcquireTokenSilent request (cache lookup). This request does not require every cache key. For example,

AcquireTokenSilent(B, C)

      

There is an ambiguity in this request: it can be matched against token pair 1 or 2.

Handling this error

Thus, there are currently two workarounds:

  • Please provide more information in the same request.

    You can issue a new AcquireTokenSilent request that contains additional information that allows ADAL to finalize the cache entry. In this case, ADAL needs a userId, which means that your application will need to store or find this value and pass it in the request. In our example:

    AcquireTokenSilent(userA, B, C)
    
          

  • Ignore the cache and start from scratch.

    If you cannot get the userId and cannot recover, your application can perform an interactive authentication request and ask the end user for their credentials. If you have a valid token, this is an unfavorable experience as your users will have to log in more than necessary. This will be a standard AcquireToken request. From our example (no user to request):

    AcquireToken(B, C) 
    
          

+1
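
The lookup ambiguity and both workarounds from the answer above, as an added example that is not part of the original answer and is not ADAL's code. It is a small Python model of the cache; the names TokenCache, get_token, prompt and remembered_user are hypothetical, and the sample entries are constructed to mirror the answer's three cache rows.

```python
class MultipleUsersError(Exception):
    """Stands in for ADAL error 300 (AD_ERROR_CACHE_MULTIPLE_USERS)."""

class TokenCache:
    def __init__(self):
        self._items = {}  # (user_id, resource, client_id) -> token pair

    def store(self, user_id, resource, client_id, tokens):
        self._items[(user_id, resource, client_id)] = tokens

    def lookup(self, resource, client_id, user_id=None):
        """Silent lookup: (user_id, tokens), or None on a cache miss."""
        hits = [(u, t) for (u, r, c), t in self._items.items()
                if (r, c) == (resource, client_id) and user_id in (None, u)]
        if len(hits) > 1:
            # Fail closed: never guess which user's token to return.
            raise MultipleUsersError(f"{len(hits)} users cached for this request")
        return hits[0] if hits else None

def get_token(cache, resource, client_id, prompt, remembered_user=None):
    """Returns (user_id, tokens, how). `prompt` is the interactive sign-in."""
    how = "silent"
    try:
        hit = cache.lookup(resource, client_id)
    except MultipleUsersError:
        # Workaround 1: repeat the request with the userId the app remembered.
        hit = (cache.lookup(resource, client_id, remembered_user)
               if remembered_user is not None else None)
        how = "silent+userId"
    if hit is None:
        # Workaround 2 (also the plain cache-miss path): ask the user.
        user_id, tokens = prompt(resource, client_id)
        cache.store(user_id, resource, client_id, tokens)
        return user_id, tokens, "interactive"
    return hit[0], hit[1], how

def build_example_cache():
    """Constructed sample data mirroring the three entries in the answer."""
    cache = TokenCache()
    cache.store("userA", "B", "C", "token pair 1")
    cache.store("userB", "B", "C", "token pair 2")
    cache.store("userA", "F", "G", "token pair 3")
    return cache

if __name__ == "__main__":
    cache = build_example_cache()
    fake_prompt = lambda resource, client_id: ("userB", "fresh token pair")
    print(get_token(cache, "F", "G", fake_prompt))
    print(get_token(cache, "B", "C", fake_prompt, remembered_user="userA"))
    print(get_token(cache, "B", "C", fake_prompt))
```

Persisting the userId at first sign-in is what keeps the silent path usable once a second account lands in the cache.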

