Merge pull request #927 from AzureAD/avdunn/nimbus-http

Remove usage of com.nimbusds.oauth2's HTTP classes

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java

@@ -3,8 +3,6 @@
 
 package com.microsoft.aad.msal4j;
 
-import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
-
 import javax.net.ssl.SSLSocketFactory;
 import java.net.MalformedURLException;
 import java.net.Proxy;
@@ -29,7 +27,6 @@ public abstract class AbstractClientApplicationBase extends AbstractApplicationB
     private String applicationName;
     private String applicationVersion;
     private AadInstanceDiscoveryResponse aadAadInstanceDiscoveryResponse;
-    protected abstract ClientAuthentication clientAuthentication();
     private String clientCapabilities;
     private boolean autoDetectRegion;
     protected String azureRegion;

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientAuthenticationPost.java

@@ -3,12 +3,8 @@
 
 package com.microsoft.aad.msal4j;
 
-import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.auth.*;
-import com.nimbusds.oauth2.sdk.id.ClientID;
 import org.slf4j.LoggerFactory;
 
-import java.util.*;
 import java.util.concurrent.CompletableFuture;
 import java.util.function.Function;
 
@@ -23,10 +19,9 @@
  */
 public class ConfidentialClientApplication extends AbstractClientApplicationBase implements IConfidentialClientApplication {
 
-    private ClientAuthentication clientAuthentication;
-
-    private boolean clientCertAuthentication = false;
     private ClientCertificate clientCertificate;
+    String assertion;
+    String secret;
 
     /** AppTokenProvider creates a Credential from a function that provides access tokens. The function
      must be concurrency safe. This is intended only to allow the Azure SDK to cache MSI tokens. It isn't
@@ -87,65 +82,31 @@ private void initClientAuthentication(IClientCredential clientCredential) {
         validateNotNull("clientCredential", clientCredential);
 
         if (clientCredential instanceof ClientSecret) {
-            clientAuthentication = new ClientSecretPost(
-                    new ClientID(clientId()),
-                    new Secret(((ClientSecret) clientCredential).clientSecret()));
+            this.secret = ((ClientSecret) clientCredential).clientSecret();
         } else if (clientCredential instanceof ClientCertificate) {
-            this.clientCertAuthentication = true;
             this.clientCertificate = (ClientCertificate) clientCredential;
-            clientAuthentication = buildValidClientCertificateAuthority();
+            this.assertion = getAssertionString(clientCredential);
         } else if (clientCredential instanceof ClientAssertion) {
-            clientAuthentication = createClientAuthFromClientAssertion((ClientAssertion) clientCredential);
+            this.assertion = getAssertionString(clientCredential);
         } else {
             throw new IllegalArgumentException("Unsupported client credential");
         }
     }
 
-    @Override
-    protected ClientAuthentication clientAuthentication() {
-        if (clientCertAuthentication) {
-            final Date currentDateTime = new Date(System.currentTimeMillis());
-            final Date expirationTime = ((PrivateKeyJWT) clientAuthentication).getJWTAuthenticationClaimsSet().getExpirationTime();
-            if (expirationTime.before(currentDateTime)) {
-                clientAuthentication = buildValidClientCertificateAuthority();
-            }
-        }
-        return clientAuthentication;
-    }
+    String getAssertionString(IClientCredential clientCredential) {
+        if (clientCredential instanceof ClientCertificate) {
+            boolean useSha1 = Authority.detectAuthorityType(this.authenticationAuthority.canonicalAuthorityUrl()) == AuthorityType.ADFS;
 
-    private ClientAuthentication buildValidClientCertificateAuthority() {
-        //The library originally used SHA-1 for thumbprints as other algorithms were not supported server-side.
-        //When this was written support for SHA-256 had been added, however ADFS scenarios still only allowed SHA-1.
-        boolean useSha1 = Authority.detectAuthorityType(this.authenticationAuthority.canonicalAuthorityUrl()) == AuthorityType.ADFS;
-
-        ClientAssertion clientAssertion = JwtHelper.buildJwt(
-                clientId(),
-                clientCertificate,
-                this.authenticationAuthority.selfSignedJwtAudience(),
-                sendX5c,
-                useSha1);
-        return createClientAuthFromClientAssertion(clientAssertion);
-    }
-
-    protected ClientAuthentication createClientAuthFromClientAssertion(
-            final ClientAssertion clientAssertion) {
-        final Map<String, List<String>> map = new HashMap<>();
-        try {
-
-            map.put("client_assertion_type", Collections.singletonList(ClientAssertion.assertionType));
-            map.put("client_assertion", Collections.singletonList(clientAssertion.assertion()));
-            return PrivateKeyJWT.parse(map);
-        } catch (final ParseException e) {
-            //This library is not supposed to validate Issuer and subject values.
-            //The next lines of code ensures that exception is not thrown.
-            if (e.getMessage().contains("Issuer and subject in client JWT assertion must designate the same client identifier")) {
-                return new CustomJWTAuthentication(
-                        ClientAuthenticationMethod.PRIVATE_KEY_JWT,
-                        clientAssertion,
-                        new ClientID(clientId())
-                );
-            }
-            throw new MsalClientException(e);
+            return JwtHelper.buildJwt(
+                    clientId(),
+                    clientCertificate,
+                    this.authenticationAuthority.selfSignedJwtAudience(),
+                    sendX5c,
+                    useSha1).assertion();
+        } else if (clientCredential instanceof ClientAssertion) {
+            return ((ClientAssertion) clientCredential).assertion();
+        } else {
+            throw new IllegalArgumentException("Unsupported client credential");
         }
     }
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -3,6 +3,10 @@
 
 package com.microsoft.aad.msal4j;
 
+import com.azure.json.JsonProviders;
+import com.azure.json.JsonReader;
+
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
@@ -46,14 +50,22 @@ public void addHeaders(Map<String, List<String>> responseHeaders) {
         }
     }
 
-    private void addHeader(final String name, final String... values) {
+    void addHeader(final String name, final String... values) {
         if (values != null && values.length > 0) {
             headers.put(name, Arrays.asList(values));
         } else {
             headers.remove(name);
         }
     }
 
+    List<String> getHeader(String key) {
+        return headers.get(key);
+    }
+
+    Map<String, String> getBodyAsMap() {
+        return JsonHelper.convertJsonToMap(this.body);
+    }
+
     public int statusCode() {
         return this.statusCode;
     }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/HttpResponse.java

@@ -17,6 +17,7 @@
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.Map;
 import java.util.Set;
 
 class JsonHelper {
@@ -51,6 +52,16 @@ static <T extends JsonSerializable<T>> T convertJsonStringToJsonSerializableObje
         }
     }
 
+    //Converts a JSON string to a Map<String, String>
+    static Map<String, String> convertJsonToMap(String jsonString) {
+        try (JsonReader reader = JsonProviders.createReader(jsonString)) {
+            reader.nextToken();
+            return reader.readMap(JsonReader::getString);
+        } catch (IOException e) {
+            throw new MsalClientException("Could not parse JSON from HttpResponse body: " + e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
+        }
+    }
+
     /**
      * Throws exception if given String does not follow JSON syntax
      */

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/JsonHelper.java

@@ -3,8 +3,6 @@
 
 package com.microsoft.aad.msal4j;
 
-import com.nimbusds.oauth2.sdk.http.HTTPResponse;
-
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
@@ -14,37 +12,6 @@ class MsalServiceExceptionFactory {
     private MsalServiceExceptionFactory() {
     }
 
-    static MsalServiceException fromHttpResponse(HTTPResponse httpResponse) {
-
-        String responseContent = httpResponse.getContent();
-        if (responseContent == null || StringHelper.isBlank(responseContent)) {
-            return new MsalServiceException(
-                    String.format(
-                            "Unknown Service Exception. Service returned status code %s",
-                            httpResponse.getStatusCode()),
-                    AuthenticationErrorCode.UNKNOWN);
-        }
-
-        ErrorResponse errorResponse = JsonHelper.convertJsonToObject(
-                responseContent,
-                ErrorResponse.class);
-
-        errorResponse.statusCode(httpResponse.getStatusCode());
-        errorResponse.statusMessage(httpResponse.getStatusMessage());
-
-        if (errorResponse.error() != null &&
-                errorResponse.error().equalsIgnoreCase(AuthenticationErrorCode.INVALID_GRANT)) {
-
-            if (isInteractionRequired(errorResponse.subError)) {
-                return new MsalInteractionRequiredException(errorResponse, httpResponse.getHeaderMap());
-            }
-        }
-
-        return new MsalServiceException(
-                errorResponse,
-                httpResponse.getHeaderMap());
-    }
-
     static MsalServiceException fromHttpResponse(IHttpResponse response) {
         String responseBody = response.body();
         if (StringHelper.isBlank(responseBody)) {
@@ -59,6 +26,12 @@ static MsalServiceException fromHttpResponse(IHttpResponse response) {
                 responseBody,
                 ErrorResponse.class);
 
+        if (errorResponse.error() != null &&
+                errorResponse.error().equalsIgnoreCase(AuthenticationErrorCode.INVALID_GRANT) && isInteractionRequired(errorResponse.subError)) {
+            return new MsalInteractionRequiredException(errorResponse, response.headers());
+        }
+
+
         if (!StringHelper.isBlank(errorResponse.error()) && !StringHelper.isBlank(errorResponse.errorDescription)) {
 
             errorResponse.statusCode(response.statusCode());