
External ID in External Tenant - acquireTokenSilentAsync - No cached accounts found for the supplied homeAccountId and clientId #2172

Open
mrentmeister-tt opened this issue Sep 5, 2024 · 0 comments

Describe the bug
I think I am facing a similar issue to #1598. My app is not live in production, but will be going live in a month.

I am using External ID with an External Tenant. After logging into my application interactively to ensure an account gets added to the account cache on the device, I am unable to use the account to acquire a token silently. I've debugged into the getAccounts method and have found some interesting things.

When getting a list of accounts via IMultipleAccountPublicClientApplication.getAccounts, the cache returns an AccountCredentialBase instance with the following important fields:

mHomeAccountId = "b7ce9aa4-xxxx-xxxx-xxxx-xxxxxxxxxxxx.e3a33c9e-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
mRealm = "e92e0026-xxxx-xxxx-xxxx-xxxxxxxxxxxx" // This is my azure tenantId, different from the homeAccountId

After the cache returns the account, the AccountAdapter.createIAccountsForGuestsNotSignedIntoHomeTenant method takes the AccountCredentialBase record and creates a new MultiTenantAccount, and executes the following code:

220.     emptyRoot.setId(StringUtil.getTenantInfo(entry.getKey()).getKey());
221.     emptyRoot.setTenantId(StringUtil.getTenantInfo(entry.getKey()).getValue());

Line 221 is problematic for me, because in my case I need the tenantId to be set to the mRealm. The reason why it's problematic is because when I call AcquireTokenSilentParameters parameters = new AcquireTokenSilentParameters.Builder().forAccount(account), the acquireTokenSilentAsync method calls PublicClientApplication.selectAccountRecordForTokenRequest, and passes multiTenantAccount.getTenantId() as the realm.

return AccountAdapter.getAccountInternal(
        pcaConfig.getClientId(),
        pcaConfig.getOAuth2TokenCache(),
        multiTenantAccount.getHomeAccountId(), // b7ce9aa4-xxxx-xxxx-xxxx-xxxxxxxxxxxx.e3a33c9e-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        multiTenantAccount.getTenantId() // e3a33c9e-xxxx-xxxx-xxxx-xxxxxxxxxxxx
);

This is what's leading to the "No cached accounts" error: it won't find the account in MsalOAuth2TokenCache.getAccount when it runs while(null != realm && !realm.equals(account.getRealm()));, because realm = e3a33c9e... and account.getRealm() = e92e0026...

Smartphone (please complete the following information):

  • Device: Pixel 8
  • Android Version: API 35
  • MSAL Version: com.microsoft.identity.client:msal:5.5.0

To Reproduce
See above

Expected behavior
AccountAdapter.createIAccountsForGuestsNotSignedIntoHomeTenant needs to set the tenantId to the realm instead of the second portion of the homeAccountId

Actual Behavior
acquireTokenSilentAsync throws the following error with the following code: com.microsoft.identity.common.java.exception.ClientException: No cached accounts found for the supplied homeAccountId and clientId

AcquireTokenSilentParameters parameters = new AcquireTokenSilentParameters.Builder()
      .forAccount(account)
      .fromAuthority(authorityUri)
      .withScopes(scopes)
      .withCallback(new SilentAuthenticationCallback() {
        @Override
        public void onSuccess(IAuthenticationResult authenticationResult) {
          ...
        }

        @Override
        public void onError(MsalException exception) {
          if (exception instanceof MsalUiRequiredException || exception instanceof MsalClientException) {
            // login interactively instead
          } else {
            ...
          }
        }
      })
      .build();

application.acquireTokenSilentAsync(parameters);
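The lookup described in this report, as a standalone model added here (not MSAL code and not the reporter's code): a home account id of the form `<objectId>.<homeTenantId>`, a cache record whose realm is the external tenant, and a realm-matching lookup. Class and function names, the sample ids and the two derivation functions are assumptions chosen to mirror the issue; the model shows the lookup missing when tenantId is taken from the home account id and succeeding when it is taken from the realm.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple


@dataclass(frozen=True)
class AccountRecord:
    """Model of the cached account record (AccountCredentialBase in the issue)."""
    home_account_id: str   # "<objectId>.<homeTenantId>"
    realm: str             # tenant the record was issued in (mRealm in the issue)
    client_id: str


def get_tenant_info(home_account_id: str) -> Tuple[str, str]:
    """Model of StringUtil.getTenantInfo: split "<oid>.<tid>" into (oid, tid)."""
    oid, sep, tid = home_account_id.partition(".")
    if not sep or not oid or not tid:
        raise ValueError("home account id must look like '<objectId>.<tenantId>'")
    return oid, tid


def tenant_id_from_home_account_id(record: AccountRecord) -> str:
    """Derivation the issue points at (line 221): second part of the home account id."""
    return get_tenant_info(record.home_account_id)[1]


def tenant_id_from_realm(record: AccountRecord) -> str:
    """Derivation the reporter asks for: use the record's realm."""
    return record.realm


def find_account(cache: Iterable[AccountRecord], client_id: str,
                 home_account_id: str, realm: Optional[str]) -> Optional[AccountRecord]:
    """Model of the cache walk: client id, home account id and (if given) realm must match."""
    for rec in cache:
        if rec.client_id != client_id or rec.home_account_id != home_account_id:
            continue
        if realm is not None and realm != rec.realm:
            continue  # realm mismatch: this is the "No cached accounts" path
        return rec
    return None


def silent_lookup(cache: Iterable[AccountRecord], record: AccountRecord,
                  derive_tenant: Callable[[AccountRecord], str]) -> Optional[AccountRecord]:
    """acquireTokenSilent path: the tenantId derived from the account is passed as realm."""
    return find_account(cache, record.client_id, record.home_account_id, derive_tenant(record))


# Constructed placeholder ids with the same shape as the ones in the report.
HOME_TENANT = "e3a33c9e-0000-0000-0000-000000000001"
EXTERNAL_TENANT = "e92e0026-0000-0000-0000-000000000002"
GUEST = AccountRecord("b7ce9aa4-0000-0000-0000-000000000003." + HOME_TENANT, EXTERNAL_TENANT, "client-app")
CACHE = [GUEST]
```

For an account whose realm equals its home tenant both derivations give the same lookup, which is why the mismatch only shows up for accounts in a different tenant.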