Take home account from request, if not available elsewhere.#5657
Open
yowl wants to merge 3 commits into
Open
Conversation
bgavrilMS
approved these changes
Jan 19, 2026
bgavrilMS
reviewed
Jan 19, 2026
bgavrilMS
approved these changes
Jan 19, 2026
bgavrilMS
force-pushed
the
ping-identity-home-account-refresh
branch
from
8dbdc68 to
eac383b
Compare
gladjohn
approved these changes
Jan 28, 2026
4gust
approved these changes
Feb 5, 2026
bgavrilMS
force-pushed
the
ping-identity-home-account-refresh
branch
from
277e75e to
e8991f3
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses a token refresh caching failure for generic OIDC providers (e.g., PingIdentity) that omit client_info and may omit id_token on refresh responses, by sourcing the home account id from the original request when needed.
Changes:
- Extend home account id derivation to fall back to
requestParams.Account.HomeAccountId.Identifierwhenclient_infoandid_tokenare not available. - Add a unit test covering a refresh-style token response with missing
client_info/id_tokento ensure tokens can still be cached and updated.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/client/Microsoft.Identity.Client/TokenResponseHelper.cs | Adds a fallback source for homeAccountId when refresh responses omit client_info/id_token. |
| tests/Microsoft.Identity.Test.Unit/CacheTests/TokenCacheTests.cs | Adds a unit test reproducing the PingIdentity refresh response shape (missing client_info/id_token). |
Comments suppressed due to low confidence (1)
src/client/Microsoft.Identity.Client/TokenResponseHelper.cs:54
GetHomeAccountIdstill returnsnullwhenclient_info,id_token, andrequestParams.Accountare missing.TokenCache.SaveTokenResponseAsyncuses this value to build cache partition keys (e.g.,InMemoryPartitionedUserTokenCacheAccessor.SaveAccessToken), which will throwArgumentNullExceptionlater. Consider failing fast here (e.g., throw aMsalClientExceptionwith a clear message) instead of only logging and returning null.
string homeAccountId = clientInfo?.ToAccountIdentifier() ?? idToken?.Subject ?? requestParams.Account?.HomeAccountId?.Identifier; // ADFS does not have client info, so we use subject
if (homeAccountId == null)
{
requestParams.RequestContext.Logger.Info("Cannot determine home account ID - or id token or no client info and no subject ");
Comment on lines
+1088
to
+1091
| [TestMethod] | ||
| [TestCategory(TestCategories.TokenCacheTests)] | ||
| public async Task SaveAccessAndRefreshTokenWithNoClientInfoAsync() | ||
| { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #5618
Changes proposed in this request
When refreshing a token, PingIdentity does not return the home account. This change takes the home account from the request if existing places do not supply it.
Testing
Added a test for the
TokenCachefor the PingIdentity scenario I face.Performance impact
None done, minor impact of and extra
??when there is no ID/client_info returned.Documentation
This is a PR to fix an issue with the experimental feature of using an OIDC that is not Azure, namely PingIdentity. When getting a refresh token, the client_info is not returned, and nor is a new identity token. I believe that according to the spec these are optional so seems a valid scenario. In this case to get the right cache key the home account is taken from the request. If that is not present we will be back to a NRE again, but at least for PingIdentity we seem to be able to refresh tokens.
First PR here, so hopefully this is at least food for thought, if it is not the right approach.
Thanks for looking.