From de57369dd6d1210fbe9ec38caaf2b694c623112c Mon Sep 17 00:00:00 2001 From: iamgusain <75644120+iamgusain@users.noreply.github.com> Date: Tue, 12 Nov 2024 15:05:21 -0500 Subject: [PATCH 1/5] Merge amgusain/release/18.2.0 to release/18.2.0 (#2534) --- changelog.txt | 3 ++- common/build.gradle | 2 +- common4j/versioning/version.properties | 2 +- versioning/version.properties | 2 +- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/changelog.txt b/changelog.txt index 28ce22b03a..370a8e9c88 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,5 +1,6 @@ -vNext +Version 18.2.0 ---------- +(common4j 15.2.0) - [PATCH] Add native auth instructions to error description when reset password required is returned (#2532) - [MINOR] Add support for suppressing broker account picker (#2529) - [MINOR] Camera permission request behavior changes for QR + PIN Auth (#2524) diff --git a/common/build.gradle b/common/build.gradle index 572266b677..df607c5f7e 100644 --- a/common/build.gradle +++ b/common/build.gradle @@ -31,7 +31,7 @@ codeCoverageReport { // In dev, we want to keep the dependencies(common4j, broker4j, common) to 1.0.+ to be able to be consumed by daily dev pipeline. // In release/*, we change these to specific versions being consumed. -def common4jVersion = "1.0.+" +def common4jVersion = "15.2.0" if (project.hasProperty("distCommon4jVersion") && project.distCommon4jVersion != '') { common4jVersion = project.distCommon4jVersion } diff --git a/common4j/versioning/version.properties b/common4j/versioning/version.properties index 89b22b45a6..6c84e479d6 100644 --- a/common4j/versioning/version.properties +++ b/common4j/versioning/version.properties @@ -1,4 +1,4 @@ #Wed May 12 20:08:39 UTC 2021 -versionName=15.1.0 +versionName=15.2.0 versionCode=1 latestPatchVersion=227 diff --git a/versioning/version.properties b/versioning/version.properties index bb2c3d48b6..9e4f9c010e 100644 --- a/versioning/version.properties +++ b/versioning/version.properties 
@@ -1,4 +1,4 @@ #Tue Apr 06 22:55:08 UTC 2021 -versionName=18.1.0 +versionName=18.2.0 versionCode=1 latestPatchVersion=234 From ec44661fb67fa0186e7823ff7d401e96205a7bb1 Mon Sep 17 00:00:00 2001 From: Sandesh Kumar Srivastava Date: Fri, 22 Nov 2024 10:49:49 -0800 Subject: [PATCH 2/5] For MSALCPP flows, match exact calims when deleting AT with intersecting scopes --- .../common/java/cache/MsalCppOAuth2TokenCache.java | 2 +- .../common/java/cache/MsalOAuth2TokenCache.java | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalCppOAuth2TokenCache.java b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalCppOAuth2TokenCache.java index d6f4faf5e6..aedeead4bb 100644 --- a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalCppOAuth2TokenCache.java +++ b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalCppOAuth2TokenCache.java @@ -148,7 +148,7 @@ public synchronized void saveCredentials(@NonNull final Credential... credential } } - saveCredentialsInternal(credentials); + saveCredentialsInternal(true, credentials); } /** diff --git a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java index 2aac30b932..7a312a7c34 100644 --- a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java +++ b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java 
@@ -1635,13 +1635,17 @@ private void saveAccounts(final AccountRecord... accounts) { } void saveCredentialsInternal(final Credential... credentials) { + saveCredentialsInternal(false, credentials); + } + + void saveCredentialsInternal(boolean mustMatchExactClaims, final Credential... credentials) { for (final Credential credential : credentials) { if (credential == null) { continue; } if (credential instanceof AccessTokenRecord) { - deleteAccessTokensWithIntersectingScopes((AccessTokenRecord) credential); + deleteAccessTokensWithIntersectingScopes((AccessTokenRecord) credential, mustMatchExactClaims); } mAccountCredentialCache.saveCredential(credential); @@ -1707,7 +1711,7 @@ void validateCacheArtifacts( } private void deleteAccessTokensWithIntersectingScopes( - final AccessTokenRecord referenceToken) { + final AccessTokenRecord referenceToken, boolean mustMatchExactClaims) { final String methodName = "deleteAccessTokensWithIntersectingScopes"; final List accessTokens = mAccountCredentialCache.getCredentialsFilteredBy( @@ -1721,6 +1725,7 @@ private void deleteAccessTokensWithIntersectingScopes( null, // Wildcard (*) referenceToken.getAccessTokenType(), referenceToken.getRequestedClaims(), + mustMatchExactClaims, mAccountCredentialCache.getCredentials() ); @@ -1735,7 +1740,7 @@ private void deleteAccessTokensWithIntersectingScopes( TAG + ":" + methodName, "Removing credential: " + accessToken ); - mAccountCredentialCache.removeCredential(accessToken); + //mAccountCredentialCache.removeCredential(accessToken); } } } From 1f81b28b4f614ddb40d43e2b0df81fdc859014b9 Mon Sep 17 00:00:00 2001 From: Sandesh Kumar Srivastava Date: Fri, 22 Nov 2024 11:00:12 -0800 Subject: [PATCH 3/5] Remove unwanted changes --- common/build.gradle | 2 +- .../identity/common/java/cache/MsalOAuth2TokenCache.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/common/build.gradle b/common/build.gradle index df607c5f7e..572266b677 100644 --- a/common/build.gradle 
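Review bot: The new `saveCredentialsInternal(boolean mustMatchExactClaims, final Credential... credentials)` overload has no Javadoc, so nothing at the declaration says what the flag changes about access-token eviction. A short doc comment would do, e.g. `/** Saves the credentials; when mustMatchExactClaims is true, only cached access tokens whose requested claims equal the new token's are evicted for intersecting scopes. */`. That wording should be confirmed against `getCredentialsFilteredBy`, which is not part of this diff. The flag is also the only non-`final` parameter in these signatures; `final boolean mustMatchExactClaims` here and in `deleteAccessTokensWithIntersectingScopes` (hunk at -1707) would match the surrounding style.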
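Review bot: With `mustMatchExactClaims` set, access tokens for the same account and intersecting scopes but different requested claims now stay in the cache side by side, so the read path has to be equally strict. The lookup code is outside this diff; it is worth confirming that a request carrying a claims value can never be served a token cached without it, or with a different one, since claims requests typically carry step-up or policy requirements. The positional boolean is also hard to read next to the `null, // Wildcard (*)` argument; a trailing comment such as `mustMatchExactClaims, // true: evict only ATs whose requested claims equal the reference token's` would help. The method body starts and ends outside this hunk.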
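Review bot: Commenting out `mAccountCredentialCache.removeCredential(accessToken)` in the hunk at -1735 leaves the "Removing credential" log line in place while nothing is removed, so in this commit superseded access tokens with intersecting scopes are never evicted. PATCH 3/5 of the series restores the call; squashing the two commits would keep the disabled eviction out of history and out of any bisect or cherry-pick.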
+++ b/common/build.gradle @@ -31,7 +31,7 @@ codeCoverageReport { // In dev, we want to keep the dependencies(common4j, broker4j, common) to 1.0.+ to be able to be consumed by daily dev pipeline. // In release/*, we change these to specific versions being consumed. -def common4jVersion = "15.2.0" +def common4jVersion = "1.0.+" if (project.hasProperty("distCommon4jVersion") && project.distCommon4jVersion != '') { common4jVersion = project.distCommon4jVersion } diff --git a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java index 7a312a7c34..d8fd522e6c 100644 --- a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java +++ b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java @@ -1740,7 +1740,7 @@ private void deleteAccessTokensWithIntersectingScopes( TAG + ":" + methodName, "Removing credential: " + accessToken ); - //mAccountCredentialCache.removeCredential(accessToken); + mAccountCredentialCache.removeCredential(accessToken); } } } From 794177308ec25628738880fe1622cb35998301e0 Mon Sep 17 00:00:00 2001 From: Sandesh Kumar Srivastava Date: Fri, 22 Nov 2024 12:14:02 -0800 Subject: [PATCH 4/5] Changelog entry --- changelog.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/changelog.txt b/changelog.txt index abf9475ffe..c1cffd7209 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,6 +1,7 @@ vNext ---------- - [PATCH] Translate MFA token error to UIRequiredException instead of ServiceException (#2538) +- [MINOR] For MSAL CPP flows, match exact claims when deleting AT with intersecting scopes (#2548) Version 18.2.2 ---------- From c651abf30790dadb04808d35b9bc13fd3d657e62 Mon Sep 17 00:00:00 2001 
From: Sandesh Kumar Srivastava Date: Fri, 22 Nov 2024 16:48:06 -0800 Subject: [PATCH 5/5] Add parameter to saveCredential + Add test --- .../common/MsalCppOAuth2TokenCacheTest.java | 36 +++++++++++++++++++ .../java/cache/MsalCppOAuth2TokenCache.java | 11 +++++- 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/common/src/test/java/com/microsoft/identity/common/MsalCppOAuth2TokenCacheTest.java b/common/src/test/java/com/microsoft/identity/common/MsalCppOAuth2TokenCacheTest.java index 27612d7d0d..6f98b20843 100644 --- a/common/src/test/java/com/microsoft/identity/common/MsalCppOAuth2TokenCacheTest.java +++ b/common/src/test/java/com/microsoft/identity/common/MsalCppOAuth2TokenCacheTest.java @@ -534,4 +534,40 @@ public void saveATSansTargetThrowsException() throws ClientException { mTestBundle.mGeneratedRefreshToken ); } + + @Test + public void saveCredentialsWithSameTargetAndDifferentClaims() throws ClientException { + mTestBundle.mGeneratedAccessToken.setRequestedClaims("TestClaims"); + mCppCache.saveCredentials( + false, + mTestBundle.mGeneratedAccessToken + ); + + mTestBundle.mGeneratedAccessToken.setRequestedClaims(null); + mCppCache.saveCredentials( + false, + mTestBundle.mGeneratedAccessToken + ); + + List credentials = mCppCache.getCredentials(); + Assert.assertEquals(credentials.size(), 1); + + //Clear credentials and now match exact claims + mCppCache.clearCache(); + + mTestBundle.mGeneratedAccessToken.setRequestedClaims("TestClaims"); + mCppCache.saveCredentials( + true, + mTestBundle.mGeneratedAccessToken + ); + + mTestBundle.mGeneratedAccessToken.setRequestedClaims(null); + mCppCache.saveCredentials( + true, + mTestBundle.mGeneratedAccessToken + ); + + credentials = mCppCache.getCredentials(); + Assert.assertEquals(credentials.size(), 2); + } } 
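Review bot: `Assert.assertEquals(credentials.size(), 1)` and `Assert.assertEquals(credentials.size(), 2)` pass the actual value where JUnit expects the expected one, so a failure would report the numbers the wrong way round; `Assert.assertEquals(1, credentials.size());` and `Assert.assertEquals(2, credentials.size());` fix that. The test also checks only the count: asserting that the surviving record in the first half has null requested claims would pin which token is evicted, not just how many remain. Both saves reuse and mutate the same `mTestBundle.mGeneratedAccessToken` instance, which is fine only if the cache stores a copy; building a second record would remove that assumption. A case with two different non-null claims values is not covered.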
diff --git a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalCppOAuth2TokenCache.java b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalCppOAuth2TokenCache.java index aedeead4bb..635e09737d 100644 --- a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalCppOAuth2TokenCache.java +++ b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalCppOAuth2TokenCache.java @@ -128,6 +128,15 @@ public IAccountCredentialCache getAccountCredentialCache() { * @throws ClientException If the supplied Account or Credential are null or schema invalid. */ public synchronized void saveCredentials(@NonNull final Credential... credentials) throws ClientException { + saveCredentials(false, credentials); + } + + /** + * @param credentials list of Credential which can include AccessTokenRecord, IdTokenRecord and RefreshTokenRecord. + * @param mustMatchExactClaims If true, match exact claims when deleting AT with intersecting scopes. + * @throws ClientException If the supplied Account or Credential are null or schema invalid. + */ + public synchronized void saveCredentials(boolean mustMatchExactClaims, @NonNull final Credential... credentials) throws ClientException { if (credentials.length == 0) { throw new ClientException("Credential array passed in is null or empty"); } @@ -148,7 +157,7 @@ public synchronized void saveCredentials(@NonNull final Credential... credential } } - saveCredentialsInternal(true, credentials); + saveCredentialsInternal(mustMatchExactClaims, credentials); } /**
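Review bot: The Javadoc on the new public `saveCredentials(boolean mustMatchExactClaims, Credential...)` overload has no summary sentence and lists `@param credentials` before `@param mustMatchExactClaims`, the reverse of the signature. Since the flag decides whether a previously cached access token survives a save, the comment should say so, for example `Saves the supplied credentials; if {@code mustMatchExactClaims} is true, a cached access token with intersecting scopes is evicted only when its requested claims equal those of the token being saved.` Declaring the parameter `final boolean` would match `@NonNull final Credential... credentials`. The method body continues past this hunk; the hunk at -148 only forwards the flag.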