[Bug] Exception when cache deserialization fails

[pmaytak]

Which version of Microsoft Identity Web are you using?
1.23.0

Actual behavior
Related to MSAL issue 3162.
When distributed cache serialization and encryption is enabled, in certain cases (like when encryption keys are changed), MSAL will fail to deserialize an already serialized cache entry and throw an exception.

Repro

1. Use WebAppCallsMicrosoftGraph.
2. Add distributed token caches, data protection (with data protection discriminator), and encryption.

...
.AddDistributedTokenCaches();
services.AddDataProtection(o =>
{
    o.ApplicationDiscriminator = "DataProtectionApplicationDiscriminator12";
});

services.Configure<MsalDistributedTokenCacheAdapterOptions>(options =>
{
    options.Encrypt = true;
});

3. Set up some distributed cache like SQL or Redis.
4. Login once, so that encrypted token is in the L2 cache. (Don't sign out, it will delete the cached token.)
5. Change the data protection discriminator to something else.
6. Login with the same account again.
7. Data protection will fail decrypting the cache entry, and pass the encrypted entry to MSAL which will fail at deserialization.

Expected behavior

• Throw a more descriptive error with a correct configuration on a user-end.
• Documentation added: https://aka.ms/ms-id-web/token-cache-troubleshooting

Other possible solution:

• When deserialization error happens, cache is cleared, code execution continues.
  • Not good solution because if at least one machine in a distributed environment is misconfigured, the cache would be cleared for all machines constantly.

[jennyf19]

released in 1.23.1