Merge branch 'dev' of https://github.com/AzureAD/microsoft-authentication-library-for-java into avdunn/nimbus-grants

# Conflicts:
#	msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/TokenRequestExecutor.java

Author: Avery-Dunn

README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.20.0
+Current version - 1.20.1
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/main/msal4j-sdk/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.20.0</version>
+    <version>1.20.1</version>
 </dependency>
 ```
 ### Gradle
 
 ```gradle
-implementation group: 'com.microsoft.azure', name: 'com.microsoft.aad.msal4j', version: '1.20.0'
+implementation group: 'com.microsoft.azure', name: 'com.microsoft.aad.msal4j', version: '1.20.1'
 ```
 
 ## Usage

changelog.txt

@@ -1,3 +1,7 @@
+Version 1.20.1
+=============
+- Fix Base64URL decoding bug (#938)
+
 Version 1.20.0
 =============
 - Replace some usage of jackson-databind with azure-json (#918)

msal4j-sdk/README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.20.0
+Current version - 1.20.1
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.20.0</version>
+    <version>1.20.1</version>
 </dependency>
 ```
 ### Gradle
 
 ```gradle
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.20.0'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.20.1'
 ```
 
 ## Usage

msal4j-sdk/bnd.bnd

@@ -1,2 +1,2 @@
-Export-Package: com.microsoft.aad.msal4j;version="1.20.0"
+Export-Package: com.microsoft.aad.msal4j;version="1.20.1"
 Automatic-Module-Name: com.microsoft.aad.msal4j

msal4j-sdk/pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.20.0</version>
+	<version>1.20.1</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClientManagedIdentity.java

@@ -29,7 +29,6 @@
  */
 class DefaultHttpClientManagedIdentity extends DefaultHttpClient {
 
-    // CodeQL [SM03767] False positive: in addTrustedCertificateThumbprint() we create a TrustManager that only trusts a certificate with a specific thumbprint.
     public static final HostnameVerifier ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER = new HostnameVerifier() {
         @SuppressWarnings("BadHostnameVerifier")
         @Override
@@ -85,6 +84,8 @@ public static void addTrustedCertificateThumbprint(HttpsURLConnection httpsUrlCo
                                                        String certificateThumbprint) {
         //We expect the connection to work against a specific server side certificate only, so it's safe to disable the
         // host name verification.
+
+        // CodeQL [SM03767] False positive: the TrustManager created later on will only trust a certificate with a specific thumbprint.
         if (httpsUrlConnection.getHostnameVerifier() != ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER) {
             httpsUrlConnection.setHostnameVerifier(ALL_HOSTS_ACCEPT_HOSTNAME_VERIFIER);
         }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/TokenRequestExecutor.java

@@ -124,6 +124,7 @@ private AuthenticationResult createAuthenticationResultFromOauthHttpResponse(
             if (!StringHelper.isNullOrBlank(response.idToken())) {
                 String idTokenJson;
                 try {
+                    idTokenJson = new String(Base64.getUrlDecoder().decode(tokens.getIDTokenString().split("\\.")[1]), StandardCharsets.UTF_8);
                     idTokenJson = new String(Base64.getDecoder().decode(response.idToken().split("\\.")[1]), StandardCharsets.UTF_8);
                 } catch (ArrayIndexOutOfBoundsException e) {
                     throw new MsalServiceException("Error parsing ID token, missing payload section. Ensure that the ID token is following the JWT format.",

msal4j-sdk/src/samples/msal-b2c-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java

@@ -31,6 +31,7 @@ static void removeStateNonceCookies(HttpServletResponse httpResponse){
 
         Cookie stateCookie = new Cookie(MSAL_WEB_APP_STATE_COOKIE, "");
         stateCookie.setMaxAge(0);
+        stateCookie.setSecure(true);
 
         httpResponse.addCookie(stateCookie);
 

msal4j-sdk/src/samples/msal-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java

@@ -31,6 +31,7 @@ static void removeStateNonceCookies(HttpServletResponse httpResponse){
 
         Cookie stateCookie = new Cookie(MSAL_WEB_APP_STATE_COOKIE, "");
         stateCookie.setMaxAge(0);
+        stateCookie.setSecure(true);
 
         httpResponse.addCookie(stateCookie);
 

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/TokenRequestExecutorTest.java

@@ -25,8 +25,10 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.concurrent.ExecutionException;
 
 @ExtendWith(MockitoExtension.class)
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
@@ -291,4 +293,44 @@ void testExecuteOAuth_Failure() throws SerializeException,
 
         assertThrows(MsalException.class, request::executeTokenRequest);
     }
+
+    @Test
+    void testBase64UrlEncoding() throws MalformedURLException, ExecutionException, InterruptedException {
+        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
+        ConfidentialClientApplication cca =
+                ConfidentialClientApplication.builder("clientId", ClientCredentialFactory.createFromSecret("password"))
+                        .authority("https://login.microsoftonline.com/tenant/")
+                        .instanceDiscovery(false)
+                        .validateAuthority(false)
+                        .httpClient(httpClientMock)
+                        .build();
+
+        //ID token payloads are parsed to get certain info to create Account and AccountCacheEntity objects, and the library must decode them using a Base64URL decoder.
+        HashMap<String, String> tokenParameters = new HashMap<>();
+        tokenParameters.put("preferred_username", "~nameWith~specialChars");
+        String encodedIDToken = TestHelper.createIdToken(tokenParameters);
+        try {
+            //TestHelper.createIdToken() should use Base64URL encoding, so first we prove that the encoded token it produces cannot be decoded with Base64 decoder
+            Base64.getDecoder().decode(encodedIDToken.split("\\.")[1]);
+
+            fail("IllegalArgumentException was expected but not thrown.");
+        } catch (IllegalArgumentException e) {
+            //Encoded token should have some "-" characters in it
+            assertTrue(e.getMessage().contains("Illegal base64 character 2d"));
+        }
+
+        //Now, send that encoded token through the library's token request flow, which will decode it using a Base64URL decoder
+        HashMap<String, String> responseParameters = new HashMap<>();
+        responseParameters.put("id_token", encodedIDToken);
+        responseParameters.put("access_token", "token");
+        TestHelper.createTokenRequestMock(httpClientMock, TestHelper.getSuccessfulTokenResponse(responseParameters), 200);
+
+        OnBehalfOfParameters parameters = OnBehalfOfParameters.builder(Collections.singleton("someScopes"), new UserAssertion(TestHelper.signedAssertion)).build();
+        IAuthenticationResult result = cca.acquireToken(parameters).get();
+
+        //Ensure that the name was successfully parsed out of the encoded ID token
+        assertNotNull(result.idToken());
+        assertNotNull(result.account());
+        assertEquals("~nameWith~specialChars", result.account().username());
+    }
 }