Merge pull request #712 from AzureAD/nebharg/MSI

Managed Identity Support

Author: Avery-Dunn

changelog.txt

@@ -13,13 +13,23 @@ Version 1.14.1
 - Improve timeout behavior for futures (#756)
 - Reduce verbosity of certain info logs (#756)
 
+Version 1.14.4-beta
+=============
+- Beta support for MSI in Azure Arc (#730)
+- Beta support for MSI in Service Fabric (#729)
+- Fix Cloud Shell parsing issue (#750)
+
 Version 1.14.0
 =============
 - GA release of MSAL Java Brokers package
 - Add support for acquiring bearer and proof-of-possession tokens using WAM as the broker (#590)
 - Default throttling time for password grant requests lowered to 5 seconds (#721)
 - Fix internal docs generation issue (#705)
 
+Version 1.14.2-beta
+=============
+- Add support for Managed Identity (#712)
+
 Version 1.14.1-beta
 =============
 - Add proof-of-possession token support

msal4j-sdk/README.md

@@ -29,6 +29,7 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
     <version>1.14.3</version>
+</dependency>
 ```
 ### Gradle
 

msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/AcquireTokenSilentIT.java

@@ -69,6 +69,8 @@ void acquireTokenSilent_LabAuthority_TokenNotRefreshed(String environment) throw
         // Check that access and id tokens are coming from cache
         assertEquals(result.accessToken(), acquireSilentResult.accessToken());
         assertEquals(result.idToken(), acquireSilentResult.idToken());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
+        assertEquals(TokenSource.CACHE, acquireSilentResult.metadata().tokenSource());
     }
 
     @ParameterizedTest
@@ -92,6 +94,8 @@ void acquireTokenSilent_ForceRefresh(String environment) throws Exception {
 
         // Check that new refresh and id tokens are being returned
         assertTokensAreNotEqual(result, resultAfterRefresh);
+        assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, resultAfterRefresh.metadata().tokenSource());
     }
 
     @ParameterizedTest
@@ -253,6 +257,8 @@ void acquireTokenSilent_WithRefreshOn(String environment) throws Exception {
         //Current time is after refreshOn, so token should be refreshed
         assertNotNull(resultSilentWithRefreshOn);
         assertTokensAreNotEqual(resultSilent, resultSilentWithRefreshOn);
+        assertEquals(TokenSource.CACHE, resultSilent.metadata().tokenSource());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, resultSilentWithRefreshOn.metadata().tokenSource());
     }
 
     @ParameterizedTest

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscoveryProvider.java

@@ -18,14 +18,14 @@
 
 class AadInstanceDiscoveryProvider {
 
-    private final static String DEFAULT_TRUSTED_HOST = "login.microsoftonline.com";
-    private final static String AUTHORIZE_ENDPOINT_TEMPLATE = "https://{host}/{tenant}/oauth2/v2.0/authorize";
-    private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = "https://{host}:{port}/common/discovery/instance";
-    private final static String INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE = "?api-version=1.1&authorization_endpoint={authorizeEndpoint}";
-    private final static String HOST_TEMPLATE_WITH_REGION = "{region}.login.microsoft.com";
-    private final static String SOVEREIGN_HOST_TEMPLATE_WITH_REGION = "{region}.{host}";
-    private final static String REGION_NAME = "REGION_NAME";
-    private final static int PORT_NOT_SET = -1;
+    private static final String DEFAULT_TRUSTED_HOST = "login.microsoftonline.com";
+    private static final String AUTHORIZE_ENDPOINT_TEMPLATE = "https://{host}/{tenant}/oauth2/v2.0/authorize";
+    private static final String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = "https://{host}:{port}/common/discovery/instance";
+    private static final String INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE = "?api-version=1.1&authorization_endpoint={authorizeEndpoint}";
+    private static final String HOST_TEMPLATE_WITH_REGION = "{region}.login.microsoft.com";
+    private static final String SOVEREIGN_HOST_TEMPLATE_WITH_REGION = "{region}.{host}";
+    private static final String REGION_NAME = "REGION_NAME";
+    private static final int PORT_NOT_SET = -1;
 
     // For information of the current api-version refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service#versioning
     private static final String DEFAULT_API_VERSION = "2020-06-01";
@@ -62,11 +62,10 @@ static InstanceDiscoveryMetadataEntry getMetadataEntry(URL authorityUrl,
                                                            boolean validateAuthority,
                                                            MsalRequest msalRequest,
                                                            ServiceBundle serviceBundle) {
-
         String host = authorityUrl.getHost();
 
-        //If instanceDiscovery flag set to false, cache a basic instance metadata entry to skip future lookups
-        if (!msalRequest.application().instanceDiscovery()) {
+        //If instanceDiscovery flag set to false OR this is a managed identity scenario, cache a basic instance metadata entry to skip this and future lookups
+        if (msalRequest.application() instanceof ManagedIdentityApplication || !((AbstractClientApplicationBase) msalRequest.application()).instanceDiscovery()) {
             if (cache.get(host) == null) {
                 log.debug("Instance discovery set to false, caching a default entry.");
                 cacheInstanceDiscoveryMetadata(host);
@@ -75,8 +74,8 @@ static InstanceDiscoveryMetadataEntry getMetadataEntry(URL authorityUrl,
         }
 
         //If a region was set by an app developer or previously found through autodetection, adjust the authority host to use it
-        if (shouldUseRegionalEndpoint(msalRequest) && msalRequest.application().azureRegion() != null) {
-            host = getRegionalizedHost(authorityUrl.getHost(), msalRequest.application().azureRegion());
+        if (shouldUseRegionalEndpoint(msalRequest) && ((AbstractClientApplicationBase) msalRequest.application()).azureRegion() != null) {
+            host = getRegionalizedHost(authorityUrl.getHost(), ((AbstractClientApplicationBase) msalRequest.application()).azureRegion());
         }
 
         //If there is no cached instance metadata, do instance discovery cache the result
@@ -91,18 +90,18 @@ static InstanceDiscoveryMetadataEntry getMetadataEntry(URL authorityUrl,
 
                 //If region autodetection is enabled and a specific region was not already set, set the application's
                 // region to the discovered region so that future requests can skip the IMDS endpoint call
-                if (msalRequest.application().azureRegion() == null
-                        && msalRequest.application().autoDetectRegion()
+                if (((AbstractClientApplicationBase) msalRequest.application()).azureRegion() == null
+                        && ((AbstractClientApplicationBase) msalRequest.application()).autoDetectRegion()
                         && detectedRegion != null) {
                     log.debug(String.format("Region autodetection found %s, this region will be used for future calls.", detectedRegion));
 
-                    msalRequest.application().azureRegion = detectedRegion;
-                    host = getRegionalizedHost(authorityUrl.getHost(), msalRequest.application().azureRegion());
+                    ((AbstractClientApplicationBase) msalRequest.application()).azureRegion = detectedRegion;
+                    host = getRegionalizedHost(authorityUrl.getHost(), ((AbstractClientApplicationBase) msalRequest.application()).azureRegion());
                 }
 
                 cacheRegionInstanceMetadata(authorityUrl.getHost(), host);
                 serviceBundle.getServerSideTelemetry().getCurrentRequest().regionOutcome(
-                        determineRegionOutcome(detectedRegion, msalRequest.application().azureRegion(), msalRequest.application().autoDetectRegion()));
+                        determineRegionOutcome(detectedRegion, ((AbstractClientApplicationBase) msalRequest.application()).azureRegion(), ((AbstractClientApplicationBase) msalRequest.application()).autoDetectRegion()));
             }
 
             doInstanceDiscoveryAndCache(authorityUrl, validateAuthority, msalRequest, serviceBundle);
@@ -160,7 +159,8 @@ static void cacheInstanceDiscoveryMetadata(String host) {
 
 
     private static boolean shouldUseRegionalEndpoint(MsalRequest msalRequest){
-        if (msalRequest.application().azureRegion() != null || msalRequest.application().autoDetectRegion()){
+        if (((AbstractClientApplicationBase) msalRequest.application()).azureRegion() != null
+                || ((AbstractClientApplicationBase) msalRequest.application()).autoDetectRegion()){
             //This class type check is a quick and dirty fix to accommodate changes to the internal workings of the region API
             //
             //ESTS-R only supports a small, but growing, number of scenarios, and the original design failed silently whenever
@@ -296,7 +296,7 @@ private static IHttpResponse executeRequest(String requestUrl, Map<String, Strin
                 requestUrl,
                 headers);
 
-        return HttpHelper.executeHttpRequest(
+        return serviceBundle.getHttpHelper().executeHttpRequest(
                 httpRequest,
                 msalRequest.requestContext(),
                 serviceBundle);