[Bug] HttpClient is not fault tolerant for network issues

[JozefDropco]

Library version used

1.15.0

Java version

21

Scenario

ConfidentialClient - web api (AcquireTokenOnBehalfOf)

Is this a new or an existing app?

The app is in production, I haven't upgraded MSAL, but started seeing this issue

Issue description and reproduction steps

At the moment DefaultHttpClient is not fault tolerant for network issues/glitches. It just handles the situation where HTTP 500 or above is thrown. This is causing troubles for all users not knowing they can "write" their own IHttpClient. This fact is forcing anyone to reinvent the wheel again and again. It would be beneficial if the basic implementation would be more robust to withstand these issues
e.g. Proxy failed with 503 but MSAL4J just failed instead of a retry mechanism to kick in from HttpHelper class
com.microsoft.aad.msal4j.MsalClientException: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 503 Service Unavailable" at com.microsoft.aad.msal4j.HttpHelper.executeHttpRequest(HttpHelper.java:56) at com.microsoft.aad.msal4j.OAuthHttpRequest.send(OAuthHttpRequest.java:48) at com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:39) at com.microsoft.aad.msal4j.AbstractClientApplicationBase.acquireTokenCommon(AbstractClientApplicationBase.java:256) at com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:63) at com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier.acquireTokenByClientCredential(AcquireTokenByClientCredentialSupplier.java:86) at com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier.execute(AcquireTokenByClientCredentialSupplier.java:49) at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:69) at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:18) at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(Unknown Source) at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.exec(Unknown Source) at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source) at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source) at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source) at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source) at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source) Caused by: java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 503 Service Unavailable" at java.base/sun.net.www.protocol.http.HttpURLConnection.doTunneling(Unknown Source) at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Unknown Source) at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source) at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source) at com.microsoft.aad.msal4j.DefaultHttpClient.executeHttpPost(DefaultHttpClient.java:59)

We were experiancing IOException, SocketTimeoutException and ConnectException. None of them are handled correctly as they are thrown in DefaultHttpClient but before readResponseFromConnection is executed.

I will share PR request shortly

Relevant code snippets

Expected behavior

Retry the request 3 times nevertheless if its 503 or some network glitch.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

Create a fault-tolerant resource handler which will retry whole request/response chain in case of expected failures.

Workarounds for now is to write IHttpClient yourself and reinvent the same wheel for all customers which are using MSAL4J and needs more robust error handling