AzureAD · sansrivastav · Nov 25, 2024 · Nov 12, 2024 · Nov 22, 2024 · Nov 22, 2024
@@ -1,6 +1,7 @@
 vNext
 ----------
 - [PATCH] Translate MFA token error to UIRequiredException instead of ServiceException (#2538)
+- [MINOR] For MSAL CPP flows, match exact claims when deleting AT with intersecting scopes (#2548)
 
 Version 18.2.2
 ----------

@@ -148,7 +148,7 @@ public synchronized void saveCredentials(@NonNull final Credential... credential
             }
         }
 
-        saveCredentialsInternal(credentials);
+        saveCredentialsInternal(true, credentials);
     }
 
     /**

@@ -1635,13 +1635,17 @@ private void saveAccounts(final AccountRecord... accounts) {
     }
 
     void saveCredentialsInternal(final Credential... credentials) {
+        saveCredentialsInternal(false, credentials);
+    }
+
+    void saveCredentialsInternal(boolean mustMatchExactClaims, final Credential... credentials) {
         for (final Credential credential : credentials) {
             if (credential == null) {
                 continue;
             }
 
             if (credential instanceof AccessTokenRecord) {
-                deleteAccessTokensWithIntersectingScopes((AccessTokenRecord) credential);
+                deleteAccessTokensWithIntersectingScopes((AccessTokenRecord) credential, mustMatchExactClaims);
             }
 
             mAccountCredentialCache.saveCredential(credential);
@@ -1707,7 +1711,7 @@ void validateCacheArtifacts(
     }
 
     private void deleteAccessTokensWithIntersectingScopes(
-            final AccessTokenRecord referenceToken) {
+            final AccessTokenRecord referenceToken, boolean mustMatchExactClaims) {
         final String methodName = "deleteAccessTokensWithIntersectingScopes";
 
         final List<Credential> accessTokens = mAccountCredentialCache.getCredentialsFilteredBy(
@@ -1721,6 +1725,7 @@ private void deleteAccessTokensWithIntersectingScopes(
                 null, // Wildcard (*)
                 referenceToken.getAccessTokenType(),
                 referenceToken.getRequestedClaims(),
+                mustMatchExactClaims,
                 mAccountCredentialCache.getCredentials()
         );
-Original file line number
+Diff line change
@@ Expand Up @@
                 }
             }
-            saveCredentialsInternal(credentials);
+            saveCredentialsInternal(true, credentials);
         }
         /**
@@ Expand Down @@