I am using the latest version of msal node. This is my code:

    protected getConfidentialClientApplication(tenantId: string): ConfidentialClientApplication {
        if (this.confidentialClientApplication) {
            return this.confidentialClientApplication;
        }

        this.confidentialClientApplication = new ConfidentialClientApplication({
            auth: {
                clientId: this.tokenConfiguration.clientId,
                clientCertificate: {
                    thumbprint: this.tokenConfiguration.thumbprint,
                    privateKey: this.tokenConfiguration.privateKey,
                    x5c: this.tokenConfiguration.publicKey
                },
                authority: this.tokenConfiguration.authority + tenantId,
                knownAuthorities: [this.tokenConfiguration.authority + tenantId]
            },
        });

        return this.confidentialClientApplication;
    }

    protected getTokenRequest(correlationId: string): ClientCredentialRequest {
        return {
            scopes: this.getScopes(),
            correlationId: correlationId,
            azureRegion: "TryAutoDetect"
        };
    }

and I am calling this method:

    this.getConfidentialClientApplication(tenantId).acquireTokenByClientCredential(tokenRequest)

When I look at the response of the request, the token exists but the account is empty. Also, msalTokenCache.getAllAccounts() is always an empty list. How can I resolve this?

RoG

1 Answer

As per the MSAL authentication flows documentation on client credentials:

For client credentials flow, where you are obtaining tokens without user interaction, it's important to understand that there are typically no user accounts involved.

The client credentials flow is intended for server-to-server communication and doesn't deal with user accounts or user interactions.

When you use the client credentials flow to obtain a token, there won't be any cached accounts to retrieve using msalTokenCache.getAllAccounts().

Here's an example of how you can do this:

    const { ConfidentialClientApplication } = require("@azure/msal-node");

    const tenantId = "********-****-****-****-***********";
    const tokenConfiguration = {
        clientId: "********-****-****-****-***********",
        clientSecret: "**********************************", // Add your client secret here
        authority: "https://login.microsoftonline.com/",
    };

    const confidentialClientApplication = new ConfidentialClientApplication({
        auth: {
            clientId: tokenConfiguration.clientId,
            clientSecret: tokenConfiguration.clientSecret,
            authority: tokenConfiguration.authority + tenantId,
            knownAuthorities: [tokenConfiguration.authority + tenantId]
        }
    });

    const tokenRequest = {
        scopes: [`${tokenConfiguration.clientId}/.default`], // Replace with the scope you need
        azureRegion: "TryAutoDetect"
    };

    (async () => {
        try {
            const response = await confidentialClientApplication.acquireTokenByClientCredential(tokenRequest);
            console.log("Token response:", response);

            // Client credentials tokens are app-only, so no account is cached.
            const cachedAccounts = await confidentialClientApplication.getTokenCache().getAllAccounts();
            console.log("Cached accounts:", cachedAccounts);
        } catch (error) {
            console.error("Token acquisition error:", error);
        }
    })();

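The following is an added example, not part of the original question or answer. It shows why the account is empty by decoding the claims of a token issued for your own API (the `<clientId>/.default` scope used above) and classifying the caller as app-only or delegated. The helper names, the sample claim values and the unsigned tokens are constructed for illustration; the claim names (`roles`, `scp`, `idtyp`, `oid`, `sub`) are the ones the Microsoft identity platform uses in access tokens.

```javascript
// Added example: claim inspection only. This does NOT validate the signature;
// a resource API must validate the token before trusting any claim.

// Decode the payload (second segment) of a compact JWT.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Classify the caller from Microsoft identity platform access token claims:
// app-only tokens carry `roles` (and optionally idtyp === "app") and have
// oid === sub; delegated tokens carry `scp` and identify a user.
function describeCaller(jwt) {
  const c = decodeJwtPayload(jwt);
  let kind = "unknown";
  if (c.idtyp === "app") kind = "app-only";
  else if (typeof c.scp === "string" && c.scp.trim() !== "") kind = "delegated";
  else if (c.oid && c.oid === c.sub) kind = "app-only";
  const permissions =
    kind === "delegated" ? c.scp.trim().split(/\s+/) : (Array.isArray(c.roles) ? c.roles : []);
  // Only a delegated token names a user; an app-only token has none to cache.
  const user = kind === "delegated" ? (c.preferred_username || c.oid || null) : null;
  return { kind, permissions, user };
}

// Constructed samples (hypothetical values, placeholder signature segment).
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ typ: "JWT", alg: "RS256" })}.${enc(claims)}.constructed-placeholder`;
}
const APP_ONLY_SAMPLE = makeSample({
  aud: "api://constructed-api",
  oid: "00000000-0000-0000-0000-000000000001",
  sub: "00000000-0000-0000-0000-000000000001",
  roles: ["Reports.Read.All"],
});
const DELEGATED_SAMPLE = makeSample({
  aud: "api://constructed-api",
  oid: "00000000-0000-0000-0000-000000000002",
  sub: "constructed-pairwise-subject",
  scp: "Reports.Read Reports.Write",
  preferred_username: "user@example.com",
});

console.log(describeCaller(APP_ONLY_SAMPLE));
console.log(describeCaller(DELEGATED_SAMPLE));
```

On the receiving API, authorization for client credentials callers is decided from `roles` after signature, issuer and audience validation, since there is no user identity to check.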