Address comments

neha-bhargava · neha-bhargava · commit 42eee6a03baa · 2025-04-03T15:09:17.000-07:00
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java
@@ -13,7 +13,7 @@ class AcquireTokenByManagedIdentitySupplier extends AuthenticationResultSupplier
 
     private static final Logger LOG = LoggerFactory.getLogger(AcquireTokenByManagedIdentitySupplier.class);
 
-    private static final int TWO_HOURS = 2*3600;
+    private static final int TWO_HOURS = 2 * 3600;
 
     private ManagedIdentityParameters managedIdentityParameters;
 
@@ -39,60 +39,61 @@ AuthenticationResult execute() throws Exception {
 
         CacheRefreshReason cacheRefreshReason = CacheRefreshReason.NOT_APPLICABLE;
 
-        if (!managedIdentityParameters.forceRefresh) {
-            LOG.debug("ForceRefresh set to false. Attempting cache lookup");
-
-            try {
-                Set<String> scopes = new HashSet<>();
-                scopes.add(this.managedIdentityParameters.resource);
-                SilentParameters parameters = SilentParameters
-                        .builder(scopes)
-                        .tenant(managedIdentityParameters.tenant())
-                        .build();
-
-                RequestContext context = new RequestContext(
-                        this.clientApplication,
-                        PublicApi.ACQUIRE_TOKEN_SILENTLY,
-                        parameters);
-
-                SilentRequest silentRequest = new SilentRequest(
-                        parameters,
-                        this.clientApplication,
-                        context,
-                        null);
-
-                AcquireTokenSilentSupplier supplier = new AcquireTokenSilentSupplier(
-                        this.clientApplication,
-                        silentRequest);
-
-                AuthenticationResult result = supplier.execute();
-                cacheRefreshReason = SilentRequestHelper.NeedsRefresh(
-                        parameters,
-                        result,
-                        LOG);
-
-                // If the token does not need a refresh, return the cached token
-                // Else refresh the token if it is either expired, proactively refreshable, or if the claims are passed.
-                if (cacheRefreshReason == CacheRefreshReason.NOT_APPLICABLE) {
-                    LOG.debug("Returning token from cache");
-                    result.metadata().tokenSource(TokenSource.CACHE);
-                    return result;
-                } else {
-                    LOG.debug(String.format("Refreshing access token. Cache refresh reason: %s", cacheRefreshReason));
-                }
-            } catch (MsalClientException ex) {
-                if (ex.errorCode().equals(AuthenticationErrorCode.CACHE_MISS)) {
-                    LOG.debug(String.format("Cache lookup failed: %s", ex.getMessage()));
-                    return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
-                } else {
-                    LOG.error(String.format("Error occurred while cache lookup: %s", ex.getMessage()));
-                    throw ex;
-                }
-            }
+        if (managedIdentityParameters.forceRefresh) {
+            LOG.debug("ForceRefresh set to true. Skipping cache lookup and attempting to acquire new token");
+            return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, CacheRefreshReason.FORCE_REFRESH);
         }
 
-        LOG.info("Skipped looking for an Access Token in the cache because forceRefresh was set. Or the token in the cache needs refresh");
-        return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+
+        LOG.debug("ForceRefresh set to false. Attempting cache lookup");
+        try {
+            Set<String> scopes = new HashSet<>();
+            scopes.add(this.managedIdentityParameters.resource);
+            SilentParameters parameters = SilentParameters
+                    .builder(scopes)
+                    .tenant(managedIdentityParameters.tenant())
+                    .build();
+
+            RequestContext context = new RequestContext(
+                    this.clientApplication,
+                    PublicApi.ACQUIRE_TOKEN_SILENTLY,
+                    parameters);
+
+            SilentRequest silentRequest = new SilentRequest(
+                    parameters,
+                    this.clientApplication,
+                    context,
+                    null);
+
+            AcquireTokenSilentSupplier supplier = new AcquireTokenSilentSupplier(
+                    this.clientApplication,
+                    silentRequest);
+
+            AuthenticationResult result = supplier.execute();
+            cacheRefreshReason = SilentRequestHelper.getCacheRefreshReasonIfApplicable(
+                    parameters,
+                    result,
+                    LOG);
+
+            // If the token does not need a refresh, return the cached token
+            // Else refresh the token if it is either expired, proactively refreshable, or if the claims are passed.
+            if (cacheRefreshReason == CacheRefreshReason.NOT_APPLICABLE) {
+                LOG.debug("Returning token from cache");
+                result.metadata().tokenSource(TokenSource.CACHE);
+                return result;
+            } else {
+                LOG.debug(String.format("Refreshing access token. Cache refresh reason: %s", cacheRefreshReason));
+                return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+            }
+        } catch (MsalClientException ex) {
+            if (ex.errorCode().equals(AuthenticationErrorCode.CACHE_MISS)) {
+                LOG.debug(String.format("Cache lookup failed: %s", ex.getMessage()));
+                return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+            } else {
+                LOG.error(String.format("Error occurred while cache lookup: %s", ex.getMessage()));
+                throw ex;
+            }
+        }
     }
 
     private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecutor tokenRequestExecutor, CacheRefreshReason cacheRefreshReason) throws Exception {
@@ -131,7 +132,7 @@ private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityRe
                 .build();
     }
 
-    private long calculateRefreshOn(long expiresOn){
+    private long calculateRefreshOn(long expiresOn) {
         long timestampSeconds = System.currentTimeMillis() / 1000;
         long expiresIn = expiresOn - timestampSeconds;
 
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/SilentRequestHelper.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/SilentRequestHelper.java
@@ -14,37 +14,31 @@ private SilentRequestHelper() {
         // Utility class
     }
 
-    static CacheRefreshReason NeedsRefresh(SilentParameters parameters, AuthenticationResult cachedResult, Logger log) {
-        //If forceRefresh is true, no reason to check any other option
-        if (parameters.forceRefresh()) {
-            log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.FORCE_REFRESH));
-            return CacheRefreshReason.FORCE_REFRESH;
-        }
-
-        //If the request contains claims then the token should be refreshed, to ensure that the returned token has the correct claims
-        //  Note: these are the types of claims found in (for example) a claims challenge, and do not include client capabilities
+    static CacheRefreshReason getCacheRefreshReasonIfApplicable(SilentParameters parameters, AuthenticationResult cachedResult, Logger log) {
+        // If the request contains claims then the token should be refreshed, to ensure that the returned token has the correct claims
+        // Note: these are the types of claims found in (for example) a claims challenge, and do not include client capabilities
         if (parameters.claims() != null) {
             log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.CLAIMS));
             return CacheRefreshReason.CLAIMS;
         }
 
         long currTimeStampSec = new Date().getTime() / 1000;
 
-        //If the access token is expired or within 5 minutes of becoming expired, refresh it
+        // If the access token is expired or within 5 minutes of becoming expired, refresh it
         if (!StringHelper.isBlank(cachedResult.accessToken()) && cachedResult.expiresOn() < (currTimeStampSec + ACCESS_TOKEN_EXPIRE_BUFFER_IN_SEC)) {
             log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.EXPIRED));
             return CacheRefreshReason.EXPIRED;
         }
 
-        //Certain long-lived tokens will have a 'refresh on' time that indicates a refresh should be attempted long before the token would expire
+        // Certain long-lived tokens will have a 'refresh on' time that indicates a refresh should be attempted long before the token would expire
         if (!StringHelper.isBlank(cachedResult.accessToken()) &&
                 cachedResult.refreshOn() != null && cachedResult.refreshOn() > 0 &&
                 cachedResult.refreshOn() < currTimeStampSec && cachedResult.expiresOn() >= (currTimeStampSec + ACCESS_TOKEN_EXPIRE_BUFFER_IN_SEC)){
             log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.PROACTIVE_REFRESH));
             return CacheRefreshReason.PROACTIVE_REFRESH;
         }
 
-        //If there is a refresh token but no access token, we should use the refresh token to get the access token
+        // If there is a refresh token but no access token, we should use the refresh token to get the access token
         if (StringHelper.isBlank(cachedResult.accessToken()) && !StringHelper.isBlank(cachedResult.refreshToken())) {
             log.debug(String.format("Refreshing access token. Cache refresh reason: %s", CacheRefreshReason.NO_CACHED_ACCESS_TOKEN));
             return CacheRefreshReason.NO_CACHED_ACCESS_TOKEN;
