Add OIDC issuer validation and new testing style

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java

@@ -579,6 +579,10 @@ public T correlationId(String val) {
             ((OidcAuthority) authenticationAuthority).setAuthorityProperties(
                     OidcDiscoveryProvider.performOidcDiscovery(
                             (OidcAuthority) authenticationAuthority, this));
+
+            if (!((OidcAuthority) authenticationAuthority).isIssuerValid()) {
+                throw new MsalClientException(String.format("Invalid issuer from OIDC discovery: %s", ((OidcAuthority) authenticationAuthority).issuerFromOidcDiscovery), "issuer_validation");
+            }
         }
     }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/OidcAuthority.java

@@ -10,6 +10,7 @@ public class OidcAuthority extends Authority {
     //Part of the OpenIdConnect standard, this is appended to the authority to create the endpoint that has OIDC metadata
     static final String WELL_KNOWN_OPENID_CONFIGURATION = ".well-known/openid-configuration";
     private static final String AUTHORITY_FORMAT = "https://%s/%s/";
+    String issuerFromOidcDiscovery;
 
     OidcAuthority(URL authorityUrl) throws MalformedURLException {
         super(createOidcDiscoveryUrl(authorityUrl), AuthorityType.OIDC);
@@ -29,5 +30,49 @@ void setAuthorityProperties(OidcDiscoveryResponse instanceDiscoveryResponse) {
         this.tokenEndpoint = instanceDiscoveryResponse.tokenEndpoint();
         this.deviceCodeEndpoint = instanceDiscoveryResponse.deviceCodeEndpoint();
         this.selfSignedJwtAudience = this.tokenEndpoint;
+        this.issuerFromOidcDiscovery = instanceDiscoveryResponse.issuer();
+    }
+
+    /**
+     * Validates the issuer from OIDC discovery.
+     * Issuer is valid if it matches the authority URL (without the well-known segment)
+     * or if it follows the CIAM issuer format.
+     *
+     * @return true if the issuer is valid, false otherwise
+     */
+    boolean isIssuerValid() {
+        if (issuerFromOidcDiscovery == null) {
+            return false;
+        }
+
+        // Normalize issuer by removing trailing slashes
+        String normalizedIssuer = issuerFromOidcDiscovery;
+        while (normalizedIssuer.endsWith("/")) {
+            normalizedIssuer = normalizedIssuer.substring(0, normalizedIssuer.length() - 1);
+        }
+
+        // Case 1: Check against canonicalAuthorityUrl without the well-known segment
+        String authorityWithoutWellKnown = canonicalAuthorityUrl.toString();
+        if (authorityWithoutWellKnown.endsWith(WELL_KNOWN_OPENID_CONFIGURATION)) {
+            authorityWithoutWellKnown = authorityWithoutWellKnown.substring(0,
+                    authorityWithoutWellKnown.length() - WELL_KNOWN_OPENID_CONFIGURATION.length());
+
+            // Remove trailing slash if present
+            if (authorityWithoutWellKnown.endsWith("/")) {
+                authorityWithoutWellKnown = authorityWithoutWellKnown.substring(0, authorityWithoutWellKnown.length() - 1);
+            }
+
+            if (normalizedIssuer.equals(authorityWithoutWellKnown)) {
+                return true;
+            }
+        }
+
+        // Case 2: Check CIAM format: "https://{tenant}.ciamlogin.com/{tenant}/"
+        if (tenant != null && !tenant.isEmpty()) {
+            String ciamPattern = "https://" + tenant + ".ciamlogin.com/" + tenant;
+            return normalizedIssuer.startsWith(ciamPattern);
+        }
+
+        return false;
     }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/OidcDiscoveryResponse.java

@@ -15,6 +15,7 @@ class OidcDiscoveryResponse implements JsonSerializable<OidcDiscoveryResponse> {
     private String authorizationEndpoint;
     private String tokenEndpoint;
     private String deviceCodeEndpoint;
+    private String issuer;
 
     public static OidcDiscoveryResponse fromJson(JsonReader jsonReader) throws IOException {
         OidcDiscoveryResponse response = new OidcDiscoveryResponse();
@@ -32,6 +33,9 @@ public static OidcDiscoveryResponse fromJson(JsonReader jsonReader) throws IOExc
                     case "device_authorization_endpoint":
                         response.deviceCodeEndpoint = reader.getString();
                         break;
+                    case "issuer":
+                        response.issuer = reader.getString();
+                        break;
                     default:
                         reader.skipChildren();
                         break;
@@ -61,4 +65,8 @@ String tokenEndpoint() {
     String deviceCodeEndpoint() {
         return this.deviceCodeEndpoint;
     }
+
+    String issuer() {
+        return this.issuer;
+    }
 }