Enable device code flow for ADFS 2019

Author: Avery-Dunn

src/integrationtest/java/com.microsoft.aad.msal4j/DeviceCodeIT.java

@@ -35,7 +35,7 @@ public void setUp(){
     }
 
     @Test(dataProvider = "environments", dataProviderClass = EnvironmentsProvider.class)
-    public void DeviceCodeFlowTest(String environment) throws Exception {
+    public void DeviceCodeFlowADTest(String environment) throws Exception {
         cfg = new Config(environment);
 
         User user = labUserProvider.getDefaultUser(cfg.azureEnvironment);
@@ -59,22 +59,57 @@ public void DeviceCodeFlowTest(String environment) throws Exception {
         Assert.assertTrue(!Strings.isNullOrEmpty(result.accessToken()));
     }
 
+    @Test(dataProvider = "environments", dataProviderClass = EnvironmentsProvider.class)
+    public void DeviceCodeFlowADFSv2019Test(String environment) throws Exception {
+        cfg = new Config(environment);
+
+        User user = labUserProvider.getOnPremAdfsUser(FederationProvider.ADFS_2019);
+
+        PublicClientApplication pca = PublicClientApplication.builder(
+                TestConstants.ADFS_APP_ID).
+                authority(TestConstants.ADFS_AUTHORITY).validateAuthority(false).
+                build();
+
+        Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
+            runAutomatedDeviceCodeFlow(deviceCode, user);
+        };
+
+        IAuthenticationResult result = pca.acquireToken(DeviceCodeFlowParameters
+                .builder(Collections.singleton(TestConstants.ADFS_SCOPE),
+                        deviceCodeConsumer)
+                .build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
+    }
+
     private void runAutomatedDeviceCodeFlow(DeviceCode deviceCode, User user){
         boolean isRunningLocally = true;//!Strings.isNullOrEmpty(
                 //System.getenv(TestConstants.LOCAL_FLAG_ENV_VAR));
 
+        boolean isADFS2019 = user.getFederationProvider().equals("adfsv2019");
+
         LOG.info("Device code running locally: " + isRunningLocally);
         try{
             String deviceCodeFormId;
             String continueButtonId;
             if(isRunningLocally){
-                deviceCodeFormId = "otc";
-                continueButtonId = "idSIButton9";
+                if (isADFS2019) {
+                    deviceCodeFormId = "userCodeInput";
+                    continueButtonId = "confirmationButton";
+                } else {
+                    deviceCodeFormId = "otc";
+                    continueButtonId = "idSIButton9";
+                }
             } else {
                 deviceCodeFormId = "code";
                 continueButtonId = "continueBtn";
             }
             LOG.info("Loggin in ... Entering device code");
+            if (isADFS2019) {
+                seleniumDriver.manage().deleteAllCookies();
+            }
             seleniumDriver.navigate().to(deviceCode.verificationUri());
             seleniumDriver.findElement(new By.ById(deviceCodeFormId)).sendKeys(deviceCode.userCode());
 
@@ -84,7 +119,11 @@ private void runAutomatedDeviceCodeFlow(DeviceCode deviceCode, User user){
                    new By.ById(continueButtonId));
             continueBtn.click();
 
-            SeleniumExtensions.performADLogin(seleniumDriver, user);
+            if (isADFS2019) {
+                SeleniumExtensions.performADFS2019Login(seleniumDriver, user);
+            } else {
+                SeleniumExtensions.performADLogin(seleniumDriver, user);
+            }
         } catch(Exception e){
             if(!isRunningLocally){
                 SeleniumExtensions.takeScreenShot(seleniumDriver);

src/main/java/com/microsoft/aad/msal4j/ADFSAuthority.java

@@ -9,14 +9,23 @@ class ADFSAuthority extends Authority{
 
     final static String AUTHORIZATION_ENDPOINT = "oauth2/authorize";
     final static String TOKEN_ENDPOINT = "oauth2/token";
+    final static String DEVICE_CODE_ENDPOINT = "oauth2/devicecode";
 
     private final static String ADFS_AUTHORITY_FORMAT = "https://%s/%s/";
+    private final static String DEVICE_CODE_ENDPOINT_FORMAT = ADFS_AUTHORITY_FORMAT + DEVICE_CODE_ENDPOINT;
+
+    String deviceCodeEndpoint;
 
     ADFSAuthority(final URL authorityUrl) {
         super(authorityUrl, AuthorityType.ADFS);
         this.authority = String.format(ADFS_AUTHORITY_FORMAT, host, tenant);
         this.authorizationEndpoint = authority + AUTHORIZATION_ENDPOINT;
         this.tokenEndpoint = authority + TOKEN_ENDPOINT;
         this.selfSignedJwtAudience = this.tokenEndpoint;
+        this.deviceCodeEndpoint = String.format(DEVICE_CODE_ENDPOINT_FORMAT, host, tenant);
+    }
+
+    String deviceCodeEndpoint() {
+        return deviceCodeEndpoint;
     }
 }

src/main/java/com/microsoft/aad/msal4j/AcquireTokenByDeviceCodeFlowSupplier.java

@@ -22,12 +22,12 @@ AuthenticationResult execute() throws Exception {
         Authority requestAuthority = clientApplication.authenticationAuthority;
         requestAuthority = getAuthorityWithPrefNetworkHost(requestAuthority.authority());
 
-        DeviceCode deviceCode = getDeviceCode((AADAuthority) requestAuthority);
+        DeviceCode deviceCode = getDeviceCode(requestAuthority);
 
         return acquireTokenWithDeviceCode(deviceCode, requestAuthority);
     }
 
-    private DeviceCode getDeviceCode(AADAuthority requestAuthority) throws Exception{
+    private DeviceCode getDeviceCode(Authority requestAuthority) throws Exception{
 
         DeviceCode deviceCode = deviceCodeFlowRequest.acquireDeviceCode(
                 requestAuthority.deviceCodeEndpoint(),

src/main/java/com/microsoft/aad/msal4j/Authority.java

@@ -36,6 +36,17 @@ abstract class Authority {
     String authorizationEndpoint;
     String tokenEndpoint;
 
+    final static String DEVICE_CODE_ENDPOINT = "oauth2/devicecode";
+
+    private final static String ADFS_AUTHORITY_FORMAT = "https://%s/%s/";
+    private final static String DEVICE_CODE_ENDPOINT_FORMAT = ADFS_AUTHORITY_FORMAT + DEVICE_CODE_ENDPOINT;
+
+    String deviceCodeEndpoint;
+
+    String deviceCodeEndpoint() {
+        return deviceCodeEndpoint;
+    }
+
     URL tokenEndpointUrl() throws MalformedURLException {
         return new URL(tokenEndpoint);
     }
@@ -49,6 +60,7 @@ URL tokenEndpointUrl() throws MalformedURLException {
     private void setCommonAuthorityProperties() {
         this.tenant = getTenant(canonicalAuthorityUrl, authorityType);
         this.host = canonicalAuthorityUrl.getAuthority().toLowerCase();
+        this.deviceCodeEndpoint = String.format(DEVICE_CODE_ENDPOINT_FORMAT, host, tenant);
     }
 
     static Authority createAuthority(URL authorityUrl) {

src/main/java/com/microsoft/aad/msal4j/DeviceCodeFlowRequest.java

@@ -41,10 +41,17 @@ DeviceCode acquireDeviceCode(String url,
                                  Map<String, String> clientDataHeaders,
                                  ServiceBundle serviceBundle) throws Exception {
 
-        String urlWithQueryParams = createQueryParamsAndAppendToURL(url, clientId);
         Map<String, String> headers = appendToHeaders(clientDataHeaders);
 
-        HttpRequest httpRequest = new HttpRequest(HttpMethod.GET, urlWithQueryParams, headers);
+        String scopesParam = AbstractMsalAuthorizationGrant.COMMON_SCOPES_PARAM +
+                AbstractMsalAuthorizationGrant.SCOPES_DELIMITER + scopesStr;
+
+        Map<String, List<String>> queryParameters = new HashMap<>();
+        queryParameters.put("client_id", Collections.singletonList(clientId));
+        queryParameters.put("scope", Collections.singletonList(scopesParam));
+
+        HttpRequest httpRequest = new HttpRequest(HttpMethod.POST, url, headers, URLUtils.serializeParameters(queryParameters));
+
         final IHttpResponse response = HttpHelper.executeHttpRequest(
                 httpRequest,
                 this.requestContext(),

src/main/java/com/microsoft/aad/msal4j/PublicClientApplication.java

@@ -55,11 +55,6 @@ public CompletableFuture<IAuthenticationResult> acquireToken(IntegratedWindowsAu
     @Override
     public CompletableFuture<IAuthenticationResult> acquireToken(DeviceCodeFlowParameters parameters) {
 
-        if (!AuthorityType.AAD.equals(authenticationAuthority.authorityType())) {
-            throw new IllegalArgumentException(
-                    "Invalid authority type. Device Flow is only supported by AAD authority");
-        }
-
         validateNotNull("parameters", parameters);
 
         AtomicReference<CompletableFuture<IAuthenticationResult>> futureReference =

src/test/java/com/microsoft/aad/msal4j/DeviceCodeFlowTest.java

@@ -134,54 +134,21 @@ public void deviceCodeFlowTest() throws Exception {
         Assert.assertEquals(url.getPath(),
                 "/" + AAD_TENANT_NAME + "/" + AADAuthority.DEVICE_CODE_ENDPOINT);
 
-        Map<String, String> expectedQueryParams = new HashMap<>();
-        expectedQueryParams.put("client_id", AAD_CLIENT_ID);
-        expectedQueryParams.put("scope", URLEncoder.encode(AbstractMsalAuthorizationGrant.COMMON_SCOPES_PARAM +
-                AbstractMsalAuthorizationGrant.SCOPES_DELIMITER + AAD_RESOURCE_ID, "UTF-8" ));
+        String expectedScope = URLEncoder.encode(AbstractMsalAuthorizationGrant.COMMON_SCOPES_PARAM +
+                AbstractMsalAuthorizationGrant.SCOPES_DELIMITER + AAD_RESOURCE_ID, "UTF-8");
+        String expectedBody = String.format("scope=%s&client_id=%s", expectedScope, AAD_CLIENT_ID);
 
-        Assert.assertEquals(getQueryMap(url.getQuery()), expectedQueryParams);
+        String body = capturedHttpRequest.getValue().body();
+        Assert.assertEquals(body, expectedBody);
 
         // make sure same correlation id is used for acquireDeviceCode and acquireTokenByDeviceCode calls
-
-        Map<String, String > headers = capturedMsalRequest.getValue().headers().getReadonlyHeaderMap();
         Assert.assertEquals(capturedMsalRequest.getValue().headers().getReadonlyHeaderMap().
                 get(HttpHeaders.CORRELATION_ID_HEADER_NAME), deviceCodeCorrelationId.get());
         Assert.assertNotNull(authResult);
 
         PowerMock.verify();
     }
 
-    @Test(expectedExceptions = IllegalArgumentException.class,
-            expectedExceptionsMessageRegExp = "Invalid authority type. Device Flow is only supported by AAD authority")
-    public void executeAcquireDeviceCode_AdfsAuthorityUsed_IllegalArgumentExceptionThrown()
-            throws Exception {
-
-        app = PublicClientApplication.builder("client_id")
-                .authority(ADFS_TENANT_ENDPOINT)
-                .validateAuthority(false).build();
-
-        app.acquireToken
-                (DeviceCodeFlowParameters
-                        .builder(Collections.singleton(AAD_RESOURCE_ID), (DeviceCode deviceCode) -> {})
-                        .build());
-    }
-
-    @Test(expectedExceptions = IllegalArgumentException.class,
-            expectedExceptionsMessageRegExp = "Invalid authority type. Device Flow is only supported by AAD authority")
-    public void executeAcquireDeviceCode_B2CAuthorityUsed_IllegalArgumentExceptionThrown()
-            throws Exception {
-
-        app = PublicClientApplication.builder("client_id")
-                .b2cAuthority(TestConfiguration.B2C_AUTHORITY)
-                .validateAuthority(false).build();
-
-        app.acquireToken
-                (DeviceCodeFlowParameters
-                        .builder(Collections.singleton(AAD_RESOURCE_ID), (DeviceCode deviceCode) -> {})
-                        .build());
-    }
-
-
     @Test
     public void executeAcquireDeviceCode_AuthenticaionPendingErrorReturned_AuthenticationExceptionThrown()
             throws Exception {