Merge branch 'dev' of https://github.com/AzureAD/microsoft-authentication-library-for-java into avdunn/nimbus-removal

Author: Avery-Dunn

README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.19.1
+Current version - 1.20.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/main/msal4j-sdk/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.19.1</version>
+    <version>1.20.0</version>
 </dependency>
 ```
 ### Gradle
 
 ```gradle
-implementation group: 'com.microsoft.azure', name: 'com.microsoft.aad.msal4j', version: '1.19.1'
+implementation group: 'com.microsoft.azure', name: 'com.microsoft.aad.msal4j', version: '1.20.0'
 ```
 
 ## Usage

changelog.txt

@@ -1,3 +1,11 @@
+Version 1.20.0
+=============
+- Replace some usage of jackson-databind with azure-json (#918)
+- Remove Lombok code generation from most classes (#919, #925)
+- Remove some usage of nimbusds-oauth2-oidc-sdk (#927, #928)
+- Fix refresh metadata not being set in MI flows (#931)
+- Add distinct exception type for JSON parsing errors (#933)
+
 Version 1.19.1
 =============
 - Update dependencies to avoid CVE-2023-1370 (#914)

msal4j-sdk/README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.19.1
+Current version - 1.20.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.19.1</version>
+    <version>1.20.0</version>
 </dependency>
 ```
 ### Gradle
 
 ```gradle
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.19.1'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.20.0'
 ```
 
 ## Usage

msal4j-sdk/bnd.bnd

@@ -1,2 +1,2 @@
-Export-Package: com.microsoft.aad.msal4j;version="1.19.1"
+Export-Package: com.microsoft.aad.msal4j;version="1.20.0"
 Automatic-Module-Name: com.microsoft.aad.msal4j

msal4j-sdk/pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.19.1</version>
+	<version>1.20.0</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>

msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/DeviceCodeIT.java

@@ -76,7 +76,8 @@ void DeviceCodeFlowADFSv2019Test() throws Exception {
         IntegrationTestHelper.assertAccessAndIdTokensNotNull(result);
     }
 
-    @Test()
+    //TODO: This test is failing intermittently in the pipeline runs for the same commit, but always passes locally. Disabling until we can investigate more.
+    //@Test()
     void DeviceCodeFlowMSATest() throws Exception {
 
         User user = labUserProvider.getMSAUser();

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractManagedIdentitySource.java

@@ -93,7 +93,12 @@ public ManagedIdentityResponse handleResponse(
 
     protected ManagedIdentityResponse getSuccessfulResponse(IHttpResponse response) {
 
-        ManagedIdentityResponse managedIdentityResponse = JsonHelper.convertJsonStringToJsonSerializableObject(response.body(), ManagedIdentityResponse::fromJson);
+        ManagedIdentityResponse managedIdentityResponse;
+        try {
+            managedIdentityResponse = JsonHelper.convertJsonStringToJsonSerializableObject(response.body(), ManagedIdentityResponse::fromJson);
+        } catch (MsalJsonParsingException e) {
+            throw new MsalJsonParsingException(String.format(MsalErrorMessage.MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE, response.statusCode(), e.getMessage()), MsalError.MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE, managedIdentitySourceType);
+        }
 
         if (managedIdentityResponse == null || managedIdentityResponse.getAccessToken() == null
                 || managedIdentityResponse.getAccessToken().isEmpty() || managedIdentityResponse.getExpiresOn() == null
@@ -105,8 +110,13 @@ protected ManagedIdentityResponse getSuccessfulResponse(IHttpResponse response)
     }
 
     protected String getMessageFromErrorResponse(IHttpResponse response) {
-        ManagedIdentityErrorResponse managedIdentityErrorResponse =
-                JsonHelper.convertJsonToObject(response.body(), ManagedIdentityErrorResponse.class);
+
+        ManagedIdentityErrorResponse managedIdentityErrorResponse;
+        try {
+            managedIdentityErrorResponse = JsonHelper.convertJsonToObject(response.body(), ManagedIdentityErrorResponse.class);
+        } catch (MsalJsonParsingException e) {
+            throw new MsalJsonParsingException(String.format(MsalErrorMessage.MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE, response.statusCode(), e.getMessage()), MsalError.MANAGED_IDENTITY_RESPONSE_PARSE_FAILURE, managedIdentitySourceType);
+        }
 
         if (managedIdentityErrorResponse == null) {
             return MANAGED_IDENTITY_NO_RESPONSE_RECEIVED;

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java

@@ -13,7 +13,7 @@ class AcquireTokenByManagedIdentitySupplier extends AuthenticationResultSupplier
 
     private static final Logger LOG = LoggerFactory.getLogger(AcquireTokenByManagedIdentitySupplier.class);
 
-    private static final int TWO_HOURS = 2*3600;
+    private static final int TWO_HOURS = 2 * 3600;
 
     private ManagedIdentityParameters managedIdentityParameters;
 
@@ -37,49 +37,67 @@ AuthenticationResult execute() throws Exception {
                 clientApplication.serviceBundle()
         );
 
-        if (!managedIdentityParameters.forceRefresh) {
-            LOG.debug("ForceRefresh set to false. Attempting cache lookup");
-
-            try {
-                Set<String> scopes = new HashSet<>();
-                scopes.add(this.managedIdentityParameters.resource);
-                SilentParameters parameters = SilentParameters
-                        .builder(scopes)
-                        .tenant(managedIdentityParameters.tenant())
-                        .build();
-
-                RequestContext context = new RequestContext(
-                        this.clientApplication,
-                        PublicApi.ACQUIRE_TOKEN_SILENTLY,
-                        parameters);
-
-                SilentRequest silentRequest = new SilentRequest(
-                        parameters,
-                        this.clientApplication,
-                        context,
-                        null);
-
-                AcquireTokenSilentSupplier supplier = new AcquireTokenSilentSupplier(
-                        this.clientApplication,
-                        silentRequest);
-
-                return supplier.execute();
-            } catch (MsalClientException ex) {
-                if (ex.errorCode().equals(AuthenticationErrorCode.CACHE_MISS)) {
-                    LOG.debug(String.format("Cache lookup failed: %s", ex.getMessage()));
-                    return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor);
-                } else {
-                    LOG.error(String.format("Error occurred while cache lookup: %s", ex.getMessage()));
-                    throw ex;
-                }
-            }
+        CacheRefreshReason cacheRefreshReason = CacheRefreshReason.NOT_APPLICABLE;
+
+        if (managedIdentityParameters.forceRefresh) {
+            LOG.debug("ForceRefresh set to true. Skipping cache lookup and attempting to acquire new token");
+            return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, CacheRefreshReason.FORCE_REFRESH);
         }
 
-        LOG.info("Skipped looking for an Access Token in the cache because forceRefresh or Claims were set. ");
-        return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor);
+
+        LOG.debug("ForceRefresh set to false. Attempting cache lookup");
+        try {
+            Set<String> scopes = new HashSet<>();
+            scopes.add(this.managedIdentityParameters.resource);
+            SilentParameters parameters = SilentParameters
+                    .builder(scopes)
+                    .tenant(managedIdentityParameters.tenant())
+                    .claims(managedIdentityParameters.claims())
+                    .build();
+
+            RequestContext context = new RequestContext(
+                    this.clientApplication,
+                    PublicApi.ACQUIRE_TOKEN_SILENTLY,
+                    parameters);
+
+            SilentRequest silentRequest = new SilentRequest(
+                    parameters,
+                    this.clientApplication,
+                    context,
+                    null);
+
+            AcquireTokenSilentSupplier supplier = new AcquireTokenSilentSupplier(
+                    this.clientApplication,
+                    silentRequest);
+
+            AuthenticationResult result = supplier.execute();
+            cacheRefreshReason = SilentRequestHelper.getCacheRefreshReasonIfApplicable(
+                    parameters,
+                    result,
+                    LOG);
+
+            // If the token does not need a refresh, return the cached token
+            // Else refresh the token if it is either expired, proactively refreshable, or if the claims are passed.
+            if (cacheRefreshReason == CacheRefreshReason.NOT_APPLICABLE) {
+                LOG.debug("Returning token from cache");
+                result.metadata().tokenSource(TokenSource.CACHE);
+                return result;
+            } else {
+                LOG.debug(String.format("Refreshing access token. Cache refresh reason: %s", cacheRefreshReason));
+                return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+            }
+        } catch (MsalClientException ex) {
+            if (ex.errorCode().equals(AuthenticationErrorCode.CACHE_MISS)) {
+                LOG.debug(String.format("Cache lookup failed: %s", ex.getMessage()));
+                return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
+            } else {
+                LOG.error(String.format("Error occurred while cache lookup: %s", ex.getMessage()));
+                throw ex;
+            }
+        }
     }
 
-    private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecutor tokenRequestExecutor) {
+    private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecutor tokenRequestExecutor, CacheRefreshReason cacheRefreshReason) throws Exception {
 
         ManagedIdentityClient managedIdentityClient = new ManagedIdentityClient(msalRequest, tokenRequestExecutor.getServiceBundle());
 
@@ -91,13 +109,17 @@ private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecu
 
         AuthenticationResult authenticationResult = createFromManagedIdentityResponse(managedIdentityResponse);
         clientApplication.tokenCache.saveTokens(tokenRequestExecutor, authenticationResult, clientApplication.authenticationAuthority.host);
-        return authenticationResult;
+        AuthenticationResult result = authenticationResult;
+        result.metadata().tokenSource(TokenSource.IDENTITY_PROVIDER);
+        result.metadata().cacheRefreshReason(cacheRefreshReason);
+        return result;
     }
 
     private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityResponse managedIdentityResponse) {
         long expiresOn = Long.parseLong(managedIdentityResponse.expiresOn);
         long refreshOn = calculateRefreshOn(expiresOn);
         AuthenticationResultMetadata metadata = AuthenticationResultMetadata.builder()
+                .tokenSource(TokenSource.IDENTITY_PROVIDER)
                 .refreshOn(refreshOn)
                 .build();
 
@@ -111,7 +133,7 @@ private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityRe
                 .build();
     }
 
-    private long calculateRefreshOn(long expiresOn){
+    private long calculateRefreshOn(long expiresOn) {
         long timestampSeconds = System.currentTimeMillis() / 1000;
         long expiresIn = expiresOn - timestampSeconds;
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenSilentSupplier.java

@@ -73,6 +73,7 @@ AuthenticationResult execute() throws Exception {
                 }
             }
         }
+
         if (res == null || StringHelper.isBlank(res.accessToken())) {
             throw new MsalClientException(AuthenticationErrorMessage.NO_TOKEN_IN_CACHE, AuthenticationErrorCode.CACHE_MISS);
         }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/JsonHelper.java

@@ -36,19 +36,17 @@ private JsonHelper() {
     static <T> T convertJsonToObject(final String json, final Class<T> tClass) {
         try {
             return mapper.readValue(json, tClass);
-        } catch (IOException e) {
-            throw new MsalClientException(e);
+        } catch (Exception e) {
+            throw new MsalJsonParsingException(e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
         }
     }
 
     //This method is used to convert a JSON string to an object which implements the JsonSerializable interface from com.azure.json
     static <T extends JsonSerializable<T>> T convertJsonStringToJsonSerializableObject(String jsonResponse, ReadValueCallback<JsonReader, T> readFunction) {
         try (JsonReader jsonReader = JsonProviders.createReader(jsonResponse)) {
             return readFunction.read(jsonReader);
-        } catch (IOException e) {
-            throw new MsalClientException(e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
         } catch (Exception e) {
-            throw new MsalClientException("Error parsing JSON response: " + e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
+            throw new MsalJsonParsingException(e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
         }
     }