Add Concurrency Test for Multi-Tenant AcquireTokenForClient Scenario (#5192)

gladjohn · GladwinJohnson · web-flow · commit 631ef39bff05 · 2025-03-20T09:35:40.000-07:00
* Add Concurrency Test for Multi-Tenant AcquireTokenForClient Scenario

* fix per pr comments

---------

Co-authored-by: Gladwin Johnson &lt;gljohns@microsoft.com&gt;
diff --git a/tests/Microsoft.Identity.Test.Unit/Helpers/ParallelRequestMockHandler.cs b/tests/Microsoft.Identity.Test.Unit/Helpers/ParallelRequestMockHandler.cs
@@ -26,6 +26,8 @@ namespace Microsoft.Identity.Test.Unit.Helpers
     internal class ParallelRequestMockHandler : IHttpManager
     {
         public long LastRequestDurationInMs => 50;
+        private int _requestCount = 0;
+        public int RequestsMade => _requestCount;
 
         public async Task<HttpResponse> SendRequestAsync(
             Uri endpoint,
@@ -39,6 +41,8 @@ public async Task<HttpResponse> SendRequestAsync(
             CancellationToken cancellationToken,
             int retryCount = 0)
         {
+            Interlocked.Increment(ref _requestCount);
+
             // simulate delay and also add complexity due to thread context switch
             await Task.Delay(ParallelRequestsTests.NetworkAccessPenaltyMs).ConfigureAwait(false);
 
@@ -53,10 +57,13 @@ public async Task<HttpResponse> SendRequestAsync(
             }
 
             if (HttpMethod.Post == method &&
-                UriWithoutQuery(endpoint).AbsoluteUri.Equals("https://login.microsoftonline.com/my-utid/oauth2/v2.0/token"))
+                UriWithoutQuery(endpoint).AbsoluteUri.EndsWith("oauth2/v2.0/token"))
             {
                 var bodyString = await (body as FormUrlEncodedContent).ReadAsStringAsync().ConfigureAwait(false);
-                var bodyDict = bodyString.Replace("?", "").Split('&').ToDictionary(x => x.Split('=')[0], x => x.Split('=')[1]);
+                var bodyDict = bodyString
+                    .Replace("?", "")
+                    .Split('&')
+                    .ToDictionary(x => x.Split('=')[0], x => x.Split('=')[1]);
 
                 if (bodyDict["grant_type"] == "refresh_token")
                 {
@@ -71,7 +78,12 @@ public async Task<HttpResponse> SendRequestAsync(
 
                 if (bodyDict["grant_type"] == "client_credentials")
                 {
-                    HttpResponseMessage response = MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage();
+                    var segments = endpoint.AbsolutePath.Split('/');
+                    string tid = segments.Length > 1 ? segments[1] : "unknown_tid";
+
+                    HttpResponseMessage response =
+                        MockHelpers.CreateSuccessfulClientCredentialTokenResponseMessage($"token_{tid}");
+
                     string payload = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
 
                     return new HttpResponse()
diff --git a/tests/Microsoft.Identity.Test.Unit/ParallelRequestsTests.cs b/tests/Microsoft.Identity.Test.Unit/ParallelRequestsTests.cs
@@ -85,6 +85,141 @@ public async Task ExtraQP()
             Assert.AreEqual(NumberOfRequests, results.Length);
         }
 
+        [TestMethod]
+        public async Task AcquireTokenForClient_ConcurrentTenantRequests_Test()
+        {
+            // Arrange
+            const int NumberOfRequests = 1000;
+
+            // Custom HTTP manager that counts the number of requests
+            ParallelRequestMockHandler httpManager = new();
+
+            var cca = ConfidentialClientApplicationBuilder
+                .Create(TestConstants.ClientId)
+                .WithAuthority("https://login.microsoftonline.com/common")
+                .WithClientSecret(TestConstants.ClientSecret)
+                .WithHttpManager(httpManager)
+                .Build();
+
+            var tasks = new List<Task<AuthenticationResult>>();
+
+            for (int i = 0; i < NumberOfRequests; i++)
+            {
+                int tempI = i; // Capture the current value of i
+                tasks.Add(Task.Run(async () =>
+                {
+                    string tid = $"tidtid_{tempI}";
+                    AuthenticationResult res = await cca.AcquireTokenForClient(TestConstants.s_scope)
+                        .WithTenantId(tid)
+                        .ExecuteAsync()
+                        .ConfigureAwait(false);
+
+                    Assert.IsFalse(
+                        string.IsNullOrEmpty(res.AuthenticationResultMetadata.TokenEndpoint),
+                        "TokenEndpoint is null/empty!"
+                    );
+                    Assert.IsTrue(
+                        res.AuthenticationResultMetadata.TokenEndpoint.Contains(tid),
+                        "TokenEndpoint should contain the tenant ID."
+                    );
+                    Assert.AreEqual($"token_{tid}", res.AccessToken, "Access token did not match the expected value.");
+
+                    return res;
+                }));
+            }
+
+            // Wait for all tasks to complete
+            AuthenticationResult[] results = await Task.WhenAll(tasks).ConfigureAwait(false);
+
+            // Assert the total tasks
+            Assert.AreEqual(NumberOfRequests, results.Length, "Number of AuthenticationResult objects does not match the number of requests.");
+        }
+
+        [TestMethod]
+        public async Task AcquireTokenForClient_PerTenantCaching_Test()
+        {
+            const int NumberOfRequests = 5000;
+
+            var httpManager = new ParallelRequestMockHandler();
+            IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder
+                .Create(TestConstants.ClientId)
+                .WithAuthority("https://login.microsoftonline.com/common")
+                .WithClientSecret(TestConstants.ClientSecret)
+                .WithHttpManager(httpManager)
+                .Build();
+
+            // First pass: tokens should come from the network
+            var tasksFirstPass = new List<Task<AuthenticationResult>>();
+            for (int i = 0; i < NumberOfRequests; i++)
+            {
+                int tempI = i; // Capture the current value of i
+                string tid = $"tidtid_{tempI}";
+                tasksFirstPass.Add(Task.Run(async () =>
+                {
+                    AuthenticationResult result = await cca
+                        .AcquireTokenForClient(TestConstants.s_scope)
+                        .WithTenantId(tid)
+                        .ExecuteAsync()
+                        .ConfigureAwait(false);
+
+                    Assert.IsNotNull(result, $"First-pass result is null for TID '{tid}'.");
+                    Assert.IsFalse(
+                        string.IsNullOrEmpty(result.AccessToken),
+                        $"First-pass access token is null/empty for TID '{tid}'.");
+                    Assert.AreEqual(
+                        $"token_{tid}",
+                        result.AccessToken,
+                        $"First-pass AccessToken mismatch for TID '{tid}'.");
+                    Assert.IsTrue(
+                        result.AuthenticationResultMetadata.TokenEndpoint.Contains(tid),
+                        $"First-pass TokenEndpoint '{result.AuthenticationResultMetadata.TokenEndpoint}' does not contain TID '{tid}'.");
+
+                    return result;
+                }));
+            }
+
+            AuthenticationResult[] firstPassResults = await Task.WhenAll(tasksFirstPass).ConfigureAwait(false);
+            int firstPassRequestsMade = httpManager.RequestsMade;
+
+            // Second pass: tokens should come from the cache
+            var tasksSecondPass = new List<Task<AuthenticationResult>>();
+            for (int i = 0; i < NumberOfRequests; i++)
+            {
+                int tempI = i; // Capture the current value of i
+                string tid = $"tidtid_{tempI}";
+                tasksSecondPass.Add(Task.Run(async () =>
+                {
+                    AuthenticationResult result = await cca
+                        .AcquireTokenForClient(TestConstants.s_scope)
+                        .WithTenantId(tid)
+                        .ExecuteAsync()
+                        .ConfigureAwait(false);
+
+                    Assert.IsNotNull(result, $"Second-pass result is null for TID '{tid}'.");
+                    Assert.IsFalse(
+                        string.IsNullOrEmpty(result.AccessToken),
+                        $"Second-pass access token is null/empty for TID '{tid}'.");
+                    Assert.AreEqual(
+                        $"token_{tid}",
+                        result.AccessToken,
+                        $"Second-pass AccessToken mismatch for TID '{tid}'.");
+
+                    return result;
+                }));
+            }
+
+            AuthenticationResult[] secondPassResults = await Task.WhenAll(tasksSecondPass).ConfigureAwait(false);
+            int totalRequestsMade = httpManager.RequestsMade;
+            int secondPassRequestsMade = totalRequestsMade - firstPassRequestsMade;
+
+            // Verifying no new network calls on the second pass if caching is working properly
+            Assert.AreEqual(
+                0,
+                secondPassRequestsMade,
+                $"Expected zero new requests in second pass, but found {secondPassRequestsMade}."
+            );
+        }
+
         [TestMethod]
         public async Task AcquireTokenSilent_ValidATs_ParallelRequests_Async()
         {
