Fix cache not used for getting token if scopes are empty (#7995)

Copilot · tnorling · Copilot · web-flow · commit 81f41cb452dd · 2025-08-15T14:48:04.000-07:00
The issue occurs when `acquireTokenSilent` is called with empty scopes (`scopes: []`). Instead of using cached tokens, the library throws a `ClientConfigurationError` during cache lookup and makes unnecessary API requests to Azure AD. ## Root Cause The problem is in `ScopeSet.createSearchScopes()` which is called from `CacheManager.getAccessToken()` during cache lookup. When empty scopes are passed, the `ScopeSet` constructor throws an error because it doesn't allow empty scope arrays, preventing cache lookup from completing. ## Solution Modified `ScopeSet.createSearchScopes()` to handle empty, null, or undefined scopes by providing default OIDC scopes (`openid`, `profile`, `offline_access`) before calling the constructor. This approach: - Follows the same pattern as `RequestParameterBuilder.addScopes()` which already handles empty scopes - Allows cache lookup to proceed with reasonable default scopes when no specific scopes are requested - Maintains all existing behavior for non-empty scopes - Eliminates unnecessary network requests when tokens are already cached ## Example ```javascript const { instance, accounts } = useMsal(); const account = useAccount(accounts[0]); // This now works and uses cache instead of making API calls const response = await instance.acquireTokenSilent({ scopes: [], // Empty scopes now supported account }); ``` The fix enables `acquireTokenSilent` to properly utilize cached tokens when called with empty scopes, improving performance and user experience. Fixes #6969.  --- 💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click [here](https://survey.alchemer.com/s3/8343779/Copilot-Coding-agent) to start the survey. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: tnorling <5307810+tnorling@users.noreply.github.com> Co-authored-by: Thomas Norling <thomas.norling@microsoft.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
diff --git a/change/@azure-msal-common-4d63cc3c-64b6-4116-bd14-1fd83f61ccf8.json b/change/@azure-msal-common-4d63cc3c-64b6-4116-bd14-1fd83f61ccf8.json
@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "Fix cache not used for getting token if scopes are empty (PR #7121)",
+  "packageName": "@azure/msal-common",
+  "email": "198982749+Copilot@users.noreply.github.com",
+  "dependentChangeType": "patch"
+}
diff --git a/lib/msal-common/src/request/ScopeSet.ts b/lib/msal-common/src/request/ScopeSet.ts
@@ -12,7 +12,11 @@ import {
     ClientAuthErrorCodes,
     createClientAuthError,
 } from "../error/ClientAuthError.js";
-import { Constants, OIDC_SCOPES } from "../utils/Constants.js";
+import {
+    Constants,
+    OIDC_SCOPES,
+    OIDC_DEFAULT_SCOPES,
+} from "../utils/Constants.js";
 
 /**
  * The ScopeSet class creates a set of scopes. Scopes are case-insensitive, unique values, so the Set object in JS makes
@@ -61,7 +65,13 @@ export class ScopeSet {
      * @returns
      */
     static createSearchScopes(inputScopeString: Array<string>): ScopeSet {
-        const scopeSet = new ScopeSet(inputScopeString);
+        // Handle empty scopes by using default OIDC scopes for cache lookup
+        const scopesToUse =
+            inputScopeString && inputScopeString.length > 0
+                ? inputScopeString
+                : [...OIDC_DEFAULT_SCOPES];
+
+        const scopeSet = new ScopeSet(scopesToUse);
         if (!scopeSet.containsOnlyOIDCScopes()) {
             scopeSet.removeOIDCScopes();
         } else {
diff --git a/lib/msal-common/test/request/ScopeSet.spec.ts b/lib/msal-common/test/request/ScopeSet.spec.ts
@@ -420,6 +420,60 @@ describe("ScopeSet.ts", () => {
         });
     });
 
+    describe("createSearchScopes static method", () => {
+        it("handles empty scopes array by using default OIDC scopes", () => {
+            const result = ScopeSet.createSearchScopes([]);
+            // After processing, it should have OIDC scopes except offline_access (which gets removed by the removeScope logic)
+            const resultScopes = result.asArray();
+            expect(resultScopes).toContain(Constants.OPENID_SCOPE);
+            expect(resultScopes).toContain(Constants.PROFILE_SCOPE);
+            // offline_access should be removed per the logic in createSearchScopes
+            expect(resultScopes).not.toContain(Constants.OFFLINE_ACCESS_SCOPE);
+        });
+
+        it("handles null or undefined scopes array by using default OIDC scopes", () => {
+            // Test null input
+            // @ts-ignore - intentionally testing null input
+            const resultNull = ScopeSet.createSearchScopes(null);
+            const nullScopes = resultNull.asArray();
+            expect(nullScopes).toContain(Constants.OPENID_SCOPE);
+            expect(nullScopes).toContain(Constants.PROFILE_SCOPE);
+
+            // Test undefined input
+            // @ts-ignore - intentionally testing undefined input
+            const resultUndefined = ScopeSet.createSearchScopes(undefined);
+            const undefinedScopes = resultUndefined.asArray();
+            expect(undefinedScopes).toContain(Constants.OPENID_SCOPE);
+            expect(undefinedScopes).toContain(Constants.PROFILE_SCOPE);
+        });
+
+        it("creates ScopeSet with provided scopes and processes them correctly", () => {
+            const scopes = ["testscope1", "testscope2"];
+            const result = ScopeSet.createSearchScopes(scopes);
+            const resultScopes = result.asArray();
+            expect(resultScopes).toContain("testscope1");
+            expect(resultScopes).toContain("testscope2");
+            // When non-OIDC scopes are present, OIDC scopes should be removed
+            expect(resultScopes).not.toContain(Constants.OPENID_SCOPE);
+            expect(resultScopes).not.toContain(Constants.PROFILE_SCOPE);
+            expect(resultScopes).not.toContain(Constants.OFFLINE_ACCESS_SCOPE);
+        });
+
+        it("handles scopes with only OIDC scopes by removing offline_access", () => {
+            const oidcScopes = [
+                Constants.OPENID_SCOPE,
+                Constants.PROFILE_SCOPE,
+                Constants.OFFLINE_ACCESS_SCOPE,
+            ];
+            const result = ScopeSet.createSearchScopes(oidcScopes);
+            const resultScopes = result.asArray();
+            expect(resultScopes).toContain(Constants.OPENID_SCOPE);
+            expect(resultScopes).toContain(Constants.PROFILE_SCOPE);
+            // offline_access should be removed when only OIDC scopes are present
+            expect(resultScopes).not.toContain(Constants.OFFLINE_ACCESS_SCOPE);
+        });
+    });
+
     describe("Getters and Setters", () => {
         let requiredScopeSet: ScopeSet;
         let nonRequiredScopeSet: ScopeSet;
