Merge pull request #931 from AzureAD/nebharg/passTokenSourceMI

Pass token source and update tests

Author: neha-bhargava

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java

@@ -13,7 +13,7 @@ class AcquireTokenByManagedIdentitySupplier extends AuthenticationResultSupplier
 
     private static final Logger LOG = LoggerFactory.getLogger(AcquireTokenByManagedIdentitySupplier.class);
 
-    private static final int TWO_HOURS = 2*3600;
+    private static final int TWO_HOURS = 2 * 3600;
 
     private ManagedIdentityParameters managedIdentityParameters;
 
@@ -37,49 +37,66 @@ AuthenticationResult execute() throws Exception {
                 clientApplication.serviceBundle()
         );
 
-        if (!managedIdentityParameters.forceRefresh) {
-            LOG.debug("ForceRefresh set to false. Attempting cache lookup");
-
-            try {
-                Set<String> scopes = new HashSet<>();
-                scopes.add(this.managedIdentityParameters.resource);
-                SilentParameters parameters = SilentParameters
-                        .builder(scopes)
-                        .tenant(managedIdentityParameters.tenant())
-                        .build();
-
-                RequestContext context = new RequestContext(
-                        this.clientApplication,
-                        PublicApi.ACQUIRE_TOKEN_SILENTLY,
-                        parameters);
-
-                SilentRequest silentRequest = new SilentRequest(
-                        parameters,
-                        this.clientApplication,
-                        context,
-                        null);
-
-                AcquireTokenSilentSupplier supplier = new AcquireTokenSilentSupplier(
-                        this.clientApplication,
-                        silentRequest);
-
-                return supplier.execute();
-            } catch (MsalClientException ex) {
-                if (ex.errorCode().equals(AuthenticationErrorCode.CACHE_MISS)) {
-                    LOG.debug(String.format("Cache lookup failed: %s", ex.getMessage()));
-                    return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor);
-                } else {
-                    LOG.error(String.format("Error occurred while cache lookup: %s", ex.getMessage()));
-                    throw ex;
-                }
-            }
+        CacheRefreshReason cacheRefreshReason = CacheRefreshReason.NOT_APPLICABLE;
+
+        if (managedIdentityParameters.forceRefresh) {
+            LOG.debug("ForceRefresh set to true. Skipping cache lookup and attempting to acquire new token");
+            return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, CacheRefreshReason.FORCE_REFRESH);
         }
 
-        LOG.info("Skipped looking for an Access Token in the cache because forceRefresh or Claims were set. ");
-        return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor);
+
+        LOG.debug("ForceRefresh set to false. Attempting cache lookup");
+        try {
+            Set<String> scopes = new HashSet<>();
+            scopes.add(this.managedIdentityParameters.resource);
+            SilentParameters parameters = SilentParameters
+                    .builder(scopes)
+                    .tenant(managedIdentityParameters.tenant())
+                    .build();
+
+            RequestContext context = new RequestContext(
+                    this.clientApplication,
+                    PublicApi.ACQUIRE_TOKEN_SILENTLY,
+                    parameters);
+
+            SilentRequest silentRequest = new SilentRequest(
+                    parameters,
+                    this.clientApplication,
+                    context,
+                    null);
+
+            AcquireTokenSilentSupplier supplier = new AcquireTokenSilentSupplier(
+                    this.clientApplication,
+                    silentRequest);
+
+            AuthenticationResult result = supplier.execute();
+            cacheRefreshReason = SilentRequestHelper.getCacheRefreshReasonIfApplicable(
+                    parameters,
+                    result,
+                    LOG);
+
+            // If the token does not need a refresh, return the cached token
+            // Else refresh the token if it is either expired, proactively refreshable, or if the claims are passed.
+            if (cacheRefreshReason == CacheRefreshReason.NOT_APPLICABLE) {
+                LOG.debug("Returning token from cache");
+                result.metadata().tokenSource(TokenSource.CACHE);
+                return result;
+            } else {
+                LOG.debug(String.format("Refreshing access token. Cache refresh reason: %s", cacheRefreshReason));
+                return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+            }
+        } catch (MsalClientException ex) {
+            if (ex.errorCode().equals(AuthenticationErrorCode.CACHE_MISS)) {
+                LOG.debug(String.format("Cache lookup failed: %s", ex.getMessage()));
+                return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+            } else {
+                LOG.error(String.format("Error occurred while cache lookup: %s", ex.getMessage()));
+                throw ex;
+            }
+        }
     }
 
-    private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecutor tokenRequestExecutor) {
+    private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecutor tokenRequestExecutor, CacheRefreshReason cacheRefreshReason) throws Exception {
 
         ManagedIdentityClient managedIdentityClient = new ManagedIdentityClient(msalRequest, tokenRequestExecutor.getServiceBundle());
 
@@ -91,13 +108,17 @@ private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecu
 
         AuthenticationResult authenticationResult = createFromManagedIdentityResponse(managedIdentityResponse);
         clientApplication.tokenCache.saveTokens(tokenRequestExecutor, authenticationResult, clientApplication.authenticationAuthority.host);
-        return authenticationResult;
+        AuthenticationResult result = authenticationResult;
+        result.metadata().tokenSource(TokenSource.IDENTITY_PROVIDER);
+        result.metadata().cacheRefreshReason(cacheRefreshReason);
+        return result;
     }
 
     private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityResponse managedIdentityResponse) {
         long expiresOn = Long.parseLong(managedIdentityResponse.expiresOn);
         long refreshOn = calculateRefreshOn(expiresOn);
         AuthenticationResultMetadata metadata = AuthenticationResultMetadata.builder()
+                .tokenSource(TokenSource.IDENTITY_PROVIDER)
                 .refreshOn(refreshOn)
                 .build();
 
@@ -111,7 +132,7 @@ private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityRe
                 .build();
     }
 
-    private long calculateRefreshOn(long expiresOn){
+    private long calculateRefreshOn(long expiresOn) {
         long timestampSeconds = System.currentTimeMillis() / 1000;
         long expiresIn = expiresOn - timestampSeconds;
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenSilentSupplier.java

@@ -73,6 +73,7 @@ AuthenticationResult execute() throws Exception {
                 }
             }
         }
+
         if (res == null || StringHelper.isBlank(res.accessToken())) {
             throw new MsalClientException(AuthenticationErrorMessage.NO_TOKEN_IN_CACHE, AuthenticationErrorCode.CACHE_MISS);
         }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/SilentRequestHelper.java

@@ -0,0 +1,49 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import java.util.Date;
+import org.slf4j.Logger;
+
+class SilentRequestHelper {
+
+    private static final int ACCESS_TOKEN_EXPIRE_BUFFER_IN_SEC = 5 * 60;
+
+    private SilentRequestHelper() {
+        // Utility class
+    }
+
+    static CacheRefreshReason getCacheRefreshReasonIfApplicable(SilentParameters parameters, AuthenticationResult cachedResult, Logger log) {
+        // If the request contains claims then the token should be refreshed, to ensure that the returned token has the correct claims
+        // Note: these are the types of claims found in (for example) a claims challenge, and do not include client capabilities
+        if (parameters.claims() != null) {
+            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.CLAIMS));
+            return CacheRefreshReason.CLAIMS;
+        }
+
+        long currTimeStampSec = new Date().getTime() / 1000;
+
+        // If the access token is expired or within 5 minutes of becoming expired, refresh it
+        if (!StringHelper.isBlank(cachedResult.accessToken()) && cachedResult.expiresOn() < (currTimeStampSec + ACCESS_TOKEN_EXPIRE_BUFFER_IN_SEC)) {
+            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.EXPIRED));
+            return CacheRefreshReason.EXPIRED;
+        }
+
+        // Certain long-lived tokens will have a 'refresh on' time that indicates a refresh should be attempted long before the token would expire
+        if (!StringHelper.isBlank(cachedResult.accessToken()) &&
+                cachedResult.refreshOn() != null && cachedResult.refreshOn() > 0 &&
+                cachedResult.refreshOn() < currTimeStampSec && cachedResult.expiresOn() >= (currTimeStampSec + ACCESS_TOKEN_EXPIRE_BUFFER_IN_SEC)){
+            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.PROACTIVE_REFRESH));
+            return CacheRefreshReason.PROACTIVE_REFRESH;
+        }
+
+        // If there is a refresh token but no access token, we should use the refresh token to get the access token
+        if (StringHelper.isBlank(cachedResult.accessToken()) && !StringHelper.isBlank(cachedResult.refreshToken())) {
+            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.NO_CACHED_ACCESS_TOKEN));
+            return CacheRefreshReason.NO_CACHED_ACCESS_TOKEN;
+        }
+
+        return CacheRefreshReason.NOT_APPLICABLE;
+    }
+}

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTests.java

@@ -191,15 +191,14 @@ void managedIdentityTest_SystemAssigned_SuccessfulResponse(ManagedIdentitySource
                         .build()).get();
 
         assertNotNull(result.accessToken());
-
-        String accessToken = result.accessToken();
+        assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
 
         result = miApp.acquireTokenForManagedIdentity(
                 ManagedIdentityParameters.builder(resource)
                         .build()).get();
 
         assertNotNull(result.accessToken());
-        assertEquals(accessToken, result.accessToken());
+        assertEquals(TokenSource.CACHE, result.metadata().tokenSource());
         verify(httpClientMock, times(1)).send(any());
     }
 
@@ -228,6 +227,7 @@ void managedIdentityTest_UserAssigned_SuccessfulResponse(ManagedIdentitySourceTy
                         .build()).get();
 
         assertNotNull(result.accessToken());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
         verify(httpClientMock, times(1)).send(any());
     }
 
@@ -253,6 +253,7 @@ void managedIdentityTest_RefreshOnHalfOfExpiresOn() throws Exception {
         long timestampSeconds = (System.currentTimeMillis() / 1000);
 
         assertNotNull(result.accessToken());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
         assertEquals((result.expiresOn() - timestampSeconds)/2, result.refreshOn() - timestampSeconds);
 
         verify(httpClientMock, times(1)).send(any());
@@ -320,14 +321,15 @@ void managedIdentityTest_DifferentScopes_RequestsNewToken(ManagedIdentitySourceT
                         .build()).get();
 
         assertNotNull(result.accessToken());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
 
         result = miApp.acquireTokenForManagedIdentity(
                 ManagedIdentityParameters.builder(anotherResource)
                         .build()).get();
 
         assertNotNull(result.accessToken());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
         verify(httpClientMock, times(2)).send(any());
-        // TODO: Assert token source to check the token source is IDP and not Cache.
     }
 
     @ParameterizedTest
@@ -565,12 +567,14 @@ void managedIdentity_SharedCache(ManagedIdentitySourceType source, String endpoi
                         .build()).get();
 
         assertNotNull(resultMiApp1.accessToken());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, resultMiApp1.metadata().tokenSource());
 
         IAuthenticationResult resultMiApp2 = miApp2.acquireTokenForManagedIdentity(
                 ManagedIdentityParameters.builder(resource)
                         .build()).get();
 
         assertNotNull(resultMiApp2.accessToken());
+        assertEquals(TokenSource.CACHE, resultMiApp2.metadata().tokenSource());
 
         //acquireTokenForManagedIdentity does a cache lookup by default, and all ManagedIdentityApplication's share a cache,
         // so calling acquireTokenForManagedIdentity with the same parameters in two different ManagedIdentityApplications