We modified the MSAL Java servlet authentication example into an apache tomcat valve/servlet for SSO at the container level. It works well with all chrome browsers, and most Edge browsers. However, if the MS Edge browser account is logged with a user who has multiple devices, we get a "state mismatch" error in the servlet/valve.
Unlike other browsers, Microsoft Edge adds the fields X-Ms-Refreshtokencredential and X-Ms-Devicecredential to the HTTP request header when accessing "login.microsoftonline.com/authorize". This causes the authentication to fail.
This behavior can be reproduced in Chrome by installing the "Windows Authentication" Extension: https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji?hl=en
Is there anything that can be done within the MSAL java servlet example (e.g. AuthHelper.java or parameter set in ConfidentialClientApplication) to either suppress the sending of these two headers, or handle the flow?
Chrome browsers are able to SSO successfully. However MS Edge browsers will not work if the Edge browser account is logged in with a profile that has multiple devices. If the Edge account is logged out, the same browser then is able to SSO to the MSAL java servlet application.