Update MSIv1 Token Revocation's token_sha256_to_refresh param to use sha256's HEX representation (#5229)

* hex

* test method fix

* pr comments

* pr comments

---------

Co-authored-by: Gladwin Johnson <[email protected]>

Author: gladjohn

src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs

@@ -256,7 +256,7 @@ private bool ShouldUseCachedToken(MsalAccessTokenCacheItem cacheItem)
         /// <returns></returns>
         private bool IsMatchingTokenHash(string tokenSecret, string accessTokenHashToRefresh)
         {
-            string cachedTokenHash = _cryptoManager.CreateSha256Hash(tokenSecret);
+            string cachedTokenHash = _cryptoManager.CreateSha256HashHex(tokenSecret);
             return string.Equals(cachedTokenHash, accessTokenHashToRefresh, StringComparison.Ordinal);
         }
 

src/client/Microsoft.Identity.Client/PlatformsCommon/Interfaces/ICryptographyManager.cs

@@ -11,6 +11,7 @@ internal interface ICryptographyManager
         string CreateBase64UrlEncodedSha256Hash(string input);
         string GenerateCodeVerifier();
         string CreateSha256Hash(string input);
+        string CreateSha256HashHex(string input);
         byte[] CreateSha256HashBytes(string input);
         byte[] SignWithCertificate(string message, X509Certificate2 certificate, RSASignaturePadding signaturePadding);
     }

src/client/Microsoft.Identity.Client/PlatformsCommon/Shared/CommonCryptographyManager.cs

@@ -56,6 +56,19 @@ public byte[] CreateSha256HashBytes(string input)
             }
         }
 
+        public string CreateSha256HashHex(string input)
+        {
+            if (string.IsNullOrEmpty(input))
+            {
+                return null;
+            }
+
+            byte[] hashBytes = CreateSha256HashBytes(input);
+
+            // Convert to hex using BitConverter, removing dashes and forcing lowercase
+            return BitConverter.ToString(hashBytes).Replace("-", "").ToLowerInvariant();
+        }
+
         /// <remarks>AAD only supports RSA certs for client credentials </remarks>
         public virtual byte[] SignWithCertificate(string message, X509Certificate2 certificate, RSASignaturePadding signaturePadding)
         {

tests/Microsoft.Identity.Test.Unit/PublicApiTests/ConfidentialClientApplicationTests.cs

@@ -2164,7 +2164,8 @@ public void ConfidentialClient_WithInvalidAuthority_ThrowsArgumentException()
         [TestMethod]
         public async Task WithAccessTokenSha256ToRefresh_MatchingHash_GetsTokenFromIdp_Async()
         {
-            const string accessToken = "access-token";
+            const string accessToken = "test_token";
+            const string accessTokenHash = "cc0af97287543b65da2c7e1476426021826cab166f1e063ed012b855ff819656";
 
             // Arrange
             using (var httpManager = new MockHttpManager())
@@ -2190,14 +2191,12 @@ public async Task WithAccessTokenSha256ToRefresh_MatchingHash_GetsTokenFromIdp_A
                 Assert.AreEqual(TokenSource.Cache, secondResult.AuthenticationResultMetadata.TokenSource);
 
                 // 3) Now specify the same token's hash as "bad" => expect a new token from IdP
-                string tokenHash = ComputeSHA256(accessToken);
-
                 // Add another network response to simulate fetching a new token
                 httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(token: "new-access-token");
 
                 // Act: Use matching hash => triggers new token request
                 AuthenticationResult result = await app.AcquireTokenForClient(TestConstants.s_scope)
-                    .WithAccessTokenSha256ToRefresh(tokenHash)
+                    .WithAccessTokenSha256ToRefresh(accessTokenHash)
                     .ExecuteAsync()
                     .ConfigureAwait(false);
 
@@ -2231,7 +2230,7 @@ public async Task WithAccessTokenSha256ToRefresh_MismatchedHash_UsesCache_Async(
 
                 // 2) Mismatched hash => we expect to keep using the cached token
                 // Act
-                var mismatchHash = ComputeSHA256("some-other-token");
+                var mismatchHash = ComputeSHA256Hex("some-other-token");
                 AuthenticationResult result = await app.AcquireTokenForClient(TestConstants.s_scope)
                     .WithAccessTokenSha256ToRefresh(mismatchHash)
                     .ExecuteAsync()
@@ -2289,7 +2288,7 @@ public async Task AcquireTokenForClient_WithClaims_And_MatchingHash_SkipsCache_A
                 Assert.AreEqual(oldToken, firstResult.AccessToken);
 
                 // 2) We do matching hash => a new token is returned
-                string tokenHash = ComputeSHA256(oldToken);
+                string tokenHash = ComputeSHA256Hex(oldToken);
 
                 // Add second network response for the new token
                 httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(token: freshToken);
@@ -2334,7 +2333,7 @@ public async Task AcquireTokenForClient_WithClaims_And_MismatchedHash_UsesCache_
                 Assert.AreEqual(TokenSource.IdentityProvider, initialResult.AuthenticationResultMetadata.TokenSource);
 
                 // 2) We'll do a mismatched hash => expect to keep using the cached token
-                string mismatchedHash = ComputeSHA256("some-other-token");
+                string mismatchedHash = ComputeSHA256Hex("some-other-token");
 
                 // Act
                 var result = await app.AcquireTokenForClient(TestConstants.s_scope)
@@ -2350,18 +2349,10 @@ public async Task AcquireTokenForClient_WithClaims_And_MismatchedHash_UsesCache_
             }
         }
 
-        private static string ComputeSHA256(string token)
+        private static string ComputeSHA256Hex(string token)
         {
-#if NET6_0_OR_GREATER
-            byte[] hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(token));
-            return Convert.ToBase64String(hashBytes);
-#else
-            using (var sha256 = SHA256.Create())
-            {
-                byte[] hashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(token));
-                return Convert.ToBase64String(hashBytes);
-            }
-#endif
+            var cryptoMgr = new CommonCryptographyManager();
+            return cryptoMgr.CreateSha256HashHex(token);
         }
     }
 }