Merge branch 'dev' of https://github.com/AzureAD/microsoft-authentication-library-for-java into nebharg/AddAPIsTR

Author: neha-bhargava

Diff for: README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.19.1
+Current version - 1.20.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/main/msal4j-sdk/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.19.1</version>
+    <version>1.20.0</version>
 </dependency>
 ```
 ### Gradle
 
 ```gradle
-implementation group: 'com.microsoft.azure', name: 'com.microsoft.aad.msal4j', version: '1.19.1'
+implementation group: 'com.microsoft.azure', name: 'com.microsoft.aad.msal4j', version: '1.20.0'
 ```
 
 ## Usage

Diff for: changelog.txt

@@ -1,3 +1,11 @@
+Version 1.20.0
+=============
+- Replace some usage of jackson-databind with azure-json (#918)
+- Remove Lombok code generation from most classes (#919, #925)
+- Remove some usage of nimbusds-oauth2-oidc-sdk (#927, #928)
+- Fix refresh metadata not being set in MI flows (#931)
+- Add distinct exception type for JSON parsing errors (#933)
+
 Version 1.19.1
 =============
 - Update dependencies to avoid CVE-2023-1370 (#914)

Diff for: msal4j-sdk/README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.19.1
+Current version - 1.20.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.19.1</version>
+    <version>1.20.0</version>
 </dependency>
 ```
 ### Gradle
 
 ```gradle
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.19.1'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.20.0'
 ```
 
 ## Usage

Diff for: msal4j-sdk/bnd.bnd

@@ -1,2 +1,2 @@
-Export-Package: com.microsoft.aad.msal4j;version="1.19.1"
+Export-Package: com.microsoft.aad.msal4j;version="1.20.0"
 Automatic-Module-Name: com.microsoft.aad.msal4j

Diff for: msal4j-sdk/pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.19.1</version>
+	<version>1.20.0</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>

Diff for: msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/DeviceCodeIT.java

@@ -76,7 +76,8 @@ void DeviceCodeFlowADFSv2019Test() throws Exception {
         IntegrationTestHelper.assertAccessAndIdTokensNotNull(result);
     }
 
-    @Test()
+    //TODO: This test is failing intermittently in the pipeline runs for the same commit, but always passes locally. Disabling until we can investigate more.
+    //@Test()
     void DeviceCodeFlowMSATest() throws Exception {
 
         User user = labUserProvider.getMSAUser();

Diff for: msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractManagedIdentitySource.java

@@ -93,7 +93,12 @@ public ManagedIdentityResponse handleResponse(
 
     protected ManagedIdentityResponse getSuccessfulResponse(IHttpResponse response) {
 
-        ManagedIdentityResponse managedIdentityResponse = JsonHelper.convertJsonStringToJsonSerializableObject(response.body(), ManagedIdentityResponse::fromJson);
+        ManagedIdentityResponse managedIdentityResponse;
+        try {
+            managedIdentityResponse = JsonHelper.convertJsonStringToJsonSerializableObject(response.body(), ManagedIdentityResponse::fromJson);
+        } catch (MsalJsonParsingException e) {
+            throw new MsalJsonParsingException(String.format(MsalErrorMessage.MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE, response.statusCode(), e.getMessage()), MsalError.MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE, managedIdentitySourceType);
+        }
 
         if (managedIdentityResponse == null || managedIdentityResponse.getAccessToken() == null
                 || managedIdentityResponse.getAccessToken().isEmpty() || managedIdentityResponse.getExpiresOn() == null
@@ -105,8 +110,13 @@ protected ManagedIdentityResponse getSuccessfulResponse(IHttpResponse response)
     }
 
     protected String getMessageFromErrorResponse(IHttpResponse response) {
-        ManagedIdentityErrorResponse managedIdentityErrorResponse =
-                JsonHelper.convertJsonToObject(response.body(), ManagedIdentityErrorResponse.class);
+
+        ManagedIdentityErrorResponse managedIdentityErrorResponse;
+        try {
+            managedIdentityErrorResponse = JsonHelper.convertJsonToObject(response.body(), ManagedIdentityErrorResponse.class);
+        } catch (MsalJsonParsingException e) {
+            throw new MsalJsonParsingException(String.format(MsalErrorMessage.MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE, response.statusCode(), e.getMessage()), MsalError.MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE, managedIdentitySourceType);
+        }
 
         if (managedIdentityErrorResponse == null) {
             return MANAGED_IDENTITY_NO_RESPONSE_RECEIVED;

Diff for: msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java

@@ -13,7 +13,7 @@ class AcquireTokenByManagedIdentitySupplier extends AuthenticationResultSupplier
 
     private static final Logger LOG = LoggerFactory.getLogger(AcquireTokenByManagedIdentitySupplier.class);
 
-    private static final int TWO_HOURS = 2*3600;
+    private static final int TWO_HOURS = 2 * 3600;
 
     private ManagedIdentityParameters managedIdentityParameters;
 
@@ -37,49 +37,66 @@ AuthenticationResult execute() throws Exception {
                 clientApplication.serviceBundle()
         );
 
-        if (!managedIdentityParameters.forceRefresh) {
-            LOG.debug("ForceRefresh set to false. Attempting cache lookup");
-
-            try {
-                Set<String> scopes = new HashSet<>();
-                scopes.add(this.managedIdentityParameters.resource);
-                SilentParameters parameters = SilentParameters
-                        .builder(scopes)
-                        .tenant(managedIdentityParameters.tenant())
-                        .build();
-
-                RequestContext context = new RequestContext(
-                        this.clientApplication,
-                        PublicApi.ACQUIRE_TOKEN_SILENTLY,
-                        parameters);
-
-                SilentRequest silentRequest = new SilentRequest(
-                        parameters,
-                        this.clientApplication,
-                        context,
-                        null);
-
-                AcquireTokenSilentSupplier supplier = new AcquireTokenSilentSupplier(
-                        this.clientApplication,
-                        silentRequest);
-
-                return supplier.execute();
-            } catch (MsalClientException ex) {
-                if (ex.errorCode().equals(AuthenticationErrorCode.CACHE_MISS)) {
-                    LOG.debug(String.format("Cache lookup failed: %s", ex.getMessage()));
-                    return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor);
-                } else {
-                    LOG.error(String.format("Error occurred while cache lookup: %s", ex.getMessage()));
-                    throw ex;
-                }
-            }
+        CacheRefreshReason cacheRefreshReason = CacheRefreshReason.NOT_APPLICABLE;
+
+        if (managedIdentityParameters.forceRefresh) {
+            LOG.debug("ForceRefresh set to true. Skipping cache lookup and attempting to acquire new token");
+            return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, CacheRefreshReason.FORCE_REFRESH);
         }
 
-        LOG.info("Skipped looking for an Access Token in the cache because forceRefresh or Claims were set. ");
-        return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor);
+
+        LOG.debug("ForceRefresh set to false. Attempting cache lookup");
+        try {
+            Set<String> scopes = new HashSet<>();
+            scopes.add(this.managedIdentityParameters.resource);
+            SilentParameters parameters = SilentParameters
+                    .builder(scopes)
+                    .tenant(managedIdentityParameters.tenant())
+                    .build();
+
+            RequestContext context = new RequestContext(
+                    this.clientApplication,
+                    PublicApi.ACQUIRE_TOKEN_SILENTLY,
+                    parameters);
+
+            SilentRequest silentRequest = new SilentRequest(
+                    parameters,
+                    this.clientApplication,
+                    context,
+                    null);
+
+            AcquireTokenSilentSupplier supplier = new AcquireTokenSilentSupplier(
+                    this.clientApplication,
+                    silentRequest);
+
+            AuthenticationResult result = supplier.execute();
+            cacheRefreshReason = SilentRequestHelper.getCacheRefreshReasonIfApplicable(
+                    parameters,
+                    result,
+                    LOG);
+
+            // If the token does not need a refresh, return the cached token
+            // Else refresh the token if it is either expired, proactively refreshable, or if the claims are passed.
+            if (cacheRefreshReason == CacheRefreshReason.NOT_APPLICABLE) {
+                LOG.debug("Returning token from cache");
+                result.metadata().tokenSource(TokenSource.CACHE);
+                return result;
+            } else {
+                LOG.debug(String.format("Refreshing access token. Cache refresh reason: %s", cacheRefreshReason));
+                return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+            }
+        } catch (MsalClientException ex) {
+            if (ex.errorCode().equals(AuthenticationErrorCode.CACHE_MISS)) {
+                LOG.debug(String.format("Cache lookup failed: %s", ex.getMessage()));
+                return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+            } else {
+                LOG.error(String.format("Error occurred while cache lookup: %s", ex.getMessage()));
+                throw ex;
+            }
+        }
     }
 
-    private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecutor tokenRequestExecutor) {
+    private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecutor tokenRequestExecutor, CacheRefreshReason cacheRefreshReason) throws Exception {
 
         ManagedIdentityClient managedIdentityClient = new ManagedIdentityClient(msalRequest, tokenRequestExecutor.getServiceBundle());
 
@@ -91,13 +108,17 @@ private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecu
 
         AuthenticationResult authenticationResult = createFromManagedIdentityResponse(managedIdentityResponse);
         clientApplication.tokenCache.saveTokens(tokenRequestExecutor, authenticationResult, clientApplication.authenticationAuthority.host);
-        return authenticationResult;
+        AuthenticationResult result = authenticationResult;
+        result.metadata().tokenSource(TokenSource.IDENTITY_PROVIDER);
+        result.metadata().cacheRefreshReason(cacheRefreshReason);
+        return result;
     }
 
     private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityResponse managedIdentityResponse) {
         long expiresOn = Long.parseLong(managedIdentityResponse.expiresOn);
         long refreshOn = calculateRefreshOn(expiresOn);
         AuthenticationResultMetadata metadata = AuthenticationResultMetadata.builder()
+                .tokenSource(TokenSource.IDENTITY_PROVIDER)
                 .refreshOn(refreshOn)
                 .build();
 
@@ -111,7 +132,7 @@ private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityRe
                 .build();
     }
 
-    private long calculateRefreshOn(long expiresOn){
+    private long calculateRefreshOn(long expiresOn) {
         long timestampSeconds = System.currentTimeMillis() / 1000;
         long expiresIn = expiresOn - timestampSeconds;
 

Diff for: msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenSilentSupplier.java

@@ -73,6 +73,7 @@ AuthenticationResult execute() throws Exception {
                 }
             }
         }
+
         if (res == null || StringHelper.isBlank(res.accessToken())) {
             throw new MsalClientException(AuthenticationErrorMessage.NO_TOKEN_IN_CACHE, AuthenticationErrorCode.CACHE_MISS);
         }

Diff for: msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/JsonHelper.java

@@ -35,19 +35,17 @@ private JsonHelper() {
     static <T> T convertJsonToObject(final String json, final Class<T> tClass) {
         try {
             return mapper.readValue(json, tClass);
-        } catch (IOException e) {
-            throw new MsalClientException(e);
+        } catch (Exception e) {
+            throw new MsalJsonParsingException(e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
         }
     }
 
     //This method is used to convert a JSON string to an object which implements the JsonSerializable interface from com.azure.json
     static <T extends JsonSerializable<T>> T convertJsonStringToJsonSerializableObject(String jsonResponse, ReadValueCallback<JsonReader, T> readFunction) {
         try (JsonReader jsonReader = JsonProviders.createReader(jsonResponse)) {
             return readFunction.read(jsonReader);
-        } catch (IOException e) {
-            throw new MsalClientException(e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
         } catch (Exception e) {
-            throw new MsalClientException("Error parsing JSON response: " + e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
+            throw new MsalJsonParsingException(e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
         }
     }
 

Diff for: msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/MsalError.java

@@ -34,4 +34,6 @@ public class MsalError {
     public static final String MANAGED_IDENTITY_UNREACHABLE_NETWORK = "managed_identity_unreachable_network";
 
     public static final String MANAGED_IDENTITY_FILE_READ_ERROR = "managed_identity_file_read_error";
+
+    public static final String MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE = "managed_identity_response_parse_failure";
 }

Diff for: msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/MsalErrorMessage.java

@@ -26,4 +26,6 @@ class MsalErrorMessage {
     public static final String IDENTITY_UNAVAILABLE_ERROR = "[Managed Identity] Authentication unavailable. The requested identity has not been assigned to this resource.";
 
     public static final String GATEWAY_ERROR = "[Managed Identity] Authentication unavailable. The request failed due to a gateway error.";
+
+    public static final String MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE = "[Managed Identity] MSI returned %s, but the response could not be parsed: %s";
 }

Diff for: msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/MsalJsonParsingException.java

@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+/**
+ * This exception class informs developers that a response contained invalid JSON or otherwise could not be parsed
+ */
+public class MsalJsonParsingException extends MsalServiceException {
+
+    /**
+     * Initializes a new instance of the exception class with a specified error message
+     *
+     * @param message the error message that explains the reason for the exception
+     * @param error a simplified error code from {@link AuthenticationErrorCode} and used for references in documentation
+     */
+    MsalJsonParsingException(final String message, final String error) {
+        super(message, error);
+    }
+
+    /**
+     * Initializes a new instance of the exception class, with extra properties for a Managed Identity error
+     *
+     * @param message the error message that explains the reason for the exception
+     * @param error a simplified error code
+     * @param managedIdentitySource the Managed Identity service
+     */
+    MsalJsonParsingException(
+            final String message, final String error,
+            ManagedIdentitySourceType managedIdentitySource) {
+        super(message, error, managedIdentitySource);
+    }
+
+}

Diff for: msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/SilentRequestHelper.java

@@ -0,0 +1,49 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import java.util.Date;
+import org.slf4j.Logger;
+
+class SilentRequestHelper {
+
+    private static final int ACCESS_TOKEN_EXPIRE_BUFFER_IN_SEC = 5 * 60;
+
+    private SilentRequestHelper() {
+        // Utility class
+    }
+
+    static CacheRefreshReason getCacheRefreshReasonIfApplicable(SilentParameters parameters, AuthenticationResult cachedResult, Logger log) {
+        // If the request contains claims then the token should be refreshed, to ensure that the returned token has the correct claims
+        // Note: these are the types of claims found in (for example) a claims challenge, and do not include client capabilities
+        if (parameters.claims() != null) {
+            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.CLAIMS));
+            return CacheRefreshReason.CLAIMS;
+        }
+
+        long currTimeStampSec = new Date().getTime() / 1000;
+
+        // If the access token is expired or within 5 minutes of becoming expired, refresh it
+        if (!StringHelper.isBlank(cachedResult.accessToken()) && cachedResult.expiresOn() < (currTimeStampSec + ACCESS_TOKEN_EXPIRE_BUFFER_IN_SEC)) {
+            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.EXPIRED));
+            return CacheRefreshReason.EXPIRED;
+        }
+
+        // Certain long-lived tokens will have a 'refresh on' time that indicates a refresh should be attempted long before the token would expire
+        if (!StringHelper.isBlank(cachedResult.accessToken()) &&
+                cachedResult.refreshOn() != null && cachedResult.refreshOn() > 0 &&
+                cachedResult.refreshOn() < currTimeStampSec && cachedResult.expiresOn() >= (currTimeStampSec + ACCESS_TOKEN_EXPIRE_BUFFER_IN_SEC)){
+            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.PROACTIVE_REFRESH));
+            return CacheRefreshReason.PROACTIVE_REFRESH;
+        }
+
+        // If there is a refresh token but no access token, we should use the refresh token to get the access token
+        if (StringHelper.isBlank(cachedResult.accessToken()) && !StringHelper.isBlank(cachedResult.refreshToken())) {
+            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.NO_CACHED_ACCESS_TOKEN));
+            return CacheRefreshReason.NO_CACHED_ACCESS_TOKEN;
+        }
+
+        return CacheRefreshReason.NOT_APPLICABLE;
+    }
+}