obo, b2c samples (#96)

obo, b2c samples

Author: SomkaPe

src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscovery.java

@@ -8,6 +8,8 @@
 
 import java.net.URL;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.Set;
 import java.util.TreeSet;
 import java.util.concurrent.ConcurrentHashMap;
 
@@ -35,6 +37,15 @@ class AadInstanceDiscovery {
 
     static ConcurrentHashMap<String, InstanceDiscoveryMetadataEntry> cache = new ConcurrentHashMap<>();
 
+    static Set<String> getAliases(String host){
+        if(cache.containsKey(host)){
+            return cache.get(host).aliases();
+        }
+        else{
+            return Collections.singleton(host);
+        }
+    }
+
     private static String getAuthorizeEndpoint(String host, String tenant) {
         return AUTHORIZE_ENDPOINT_TEMPLATE.
                 replace("{host}", host).

src/main/java/com/microsoft/aad/msal4j/RemoveAccountRunnable.java

@@ -3,6 +3,7 @@
 
 package com.microsoft.aad.msal4j;
 
+import java.util.Set;
 import java.util.concurrent.CompletionException;
 
 class RemoveAccountRunnable implements Runnable {
@@ -21,11 +22,10 @@ class RemoveAccountRunnable implements Runnable {
     @Override
     public void run() {
         try {
-            InstanceDiscoveryMetadataEntry instanceDiscoveryData =
-                    AadInstanceDiscovery.cache.get(clientApplication.authenticationAuthority.host());
+            Set<String> aliases = AadInstanceDiscovery.getAliases(clientApplication.authenticationAuthority.host());
 
             clientApplication.tokenCache.removeAccount
-                    (clientApplication.clientId(), account, instanceDiscoveryData.aliases());
+                    (clientApplication.clientId(), account, aliases);
 
         } catch (Exception ex) {
             clientApplication.log.error(

src/main/java/com/microsoft/aad/msal4j/TokenCache.java

@@ -459,7 +459,8 @@ private boolean isMatchingScopes(AccessTokenCacheEntity accessTokenCacheEntity,
         AuthenticationResult.AuthenticationResultBuilder builder = AuthenticationResult.builder();
         builder.environment(authority.host());
 
-        Set<String> environmentAliases = AadInstanceDiscovery.cache.get(account.environment()).aliases();
+        Set<String> environmentAliases = AadInstanceDiscovery.getAliases(account.environment());
+
         try (CacheAspect cacheAspect = new CacheAspect(
                 TokenCacheAccessContext.builder().
                         clientId(clientId).
@@ -520,7 +521,7 @@ private boolean isMatchingScopes(AccessTokenCacheEntity accessTokenCacheEntity,
             (Authority authority, Set<String> scopes, String clientId) {
         AuthenticationResult.AuthenticationResultBuilder builder = AuthenticationResult.builder();
 
-        Set<String> environmentAliases = AadInstanceDiscovery.cache.get(authority.host).aliases();
+        Set<String> environmentAliases = AadInstanceDiscovery.getAliases(authority.host);
         builder.environment(authority.host());
 
         try (CacheAspect cacheAspect = new CacheAspect(

src/samples/msal-b2c-web-sample/pom.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>2.1.4.RELEASE</version>
+		<relativePath/>
+	</parent>
+	<groupId>com.microsoft.azure</groupId>
+	<artifactId>msal-b2c-web-sample</artifactId>
+	<packaging>war</packaging>
+	<version>0.1.0</version>
+	<name>msal-b2c-web-sample</name>
+	<description>B2C Web sample for Microsoft Authentication Library for Java</description>
+
+	<properties>
+		<java.version>1.8</java.version>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>com.microsoft.azure</groupId>
+			<artifactId>msal4j</artifactId>
+			<version>0.5.0-preview</version>
+		</dependency>
+		<dependency>
+			<groupId>com.nimbusds</groupId>
+			<artifactId>oauth2-oidc-sdk</artifactId>
+			<version>6.5</version>
+		</dependency>
+		<dependency>
+			<groupId>org.json</groupId>
+			<artifactId>json</artifactId>
+			<version>20090211</version>
+		</dependency>
+		<!-- Spring 3 dependencies -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-thymeleaf</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<optional>true</optional>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+</project>

src/samples/msal-b2c-web-sample/src/main/java/com/microsoft/azure/msalwebsample/AuthFilter.java

@@ -0,0 +1,225 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.azure.msalwebsample;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URLEncoder;
+import java.text.ParseException;
+import java.util.*;
+import java.util.concurrent.*;
+
+import javax.naming.ServiceUnavailableException;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import com.microsoft.aad.msal4j.*;
+import com.nimbusds.jwt.JWTParser;
+import com.nimbusds.oauth2.sdk.AuthorizationCode;
+import com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse;
+import com.nimbusds.openid.connect.sdk.AuthenticationResponse;
+import com.nimbusds.openid.connect.sdk.AuthenticationResponseParser;
+import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class AuthFilter implements Filter {
+
+    private static final String STATES = "states";
+    private static final String STATE = "state";
+    private static final Integer STATE_TTL = 3600;
+    private static final String FAILED_TO_VALIDATE_MESSAGE = "Failed to validate data received from Authorization service - ";
+
+    private List<String> excludedUrls = Arrays.asList("/", "/msal4jsample/");
+
+    @Autowired
+    AuthHelper authHelper;
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response,
+                         FilterChain chain) throws IOException, ServletException {
+        if (request instanceof HttpServletRequest) {
+            HttpServletRequest httpRequest = (HttpServletRequest) request;
+            HttpServletResponse httpResponse = (HttpServletResponse) response;
+            try {
+                String currentUri = httpRequest.getRequestURL().toString();
+                String path = httpRequest.getServletPath();
+                String queryStr = httpRequest.getQueryString();
+                String fullUrl = currentUri + (queryStr != null ? "?" + queryStr : "");
+
+                // exclude home page
+                if(excludedUrls.contains(path)){
+                    chain.doFilter(request, response);
+                    return;
+                }
+                // check if user has a AuthData in the session
+                if (!AuthHelper.isAuthenticated(httpRequest)) {
+                    if(AuthHelper.containsAuthenticationCode(httpRequest)){
+                        // response should have authentication code, which will be used to acquire access token
+                        processAuthenticationCodeRedirect(httpRequest, currentUri, fullUrl);
+                    } else {
+                        // not authenticated, redirecting to login.microsoft.com so user can authenticate
+                        sendAuthRedirect(authHelper.configuration.signUpSignInAuthority, httpRequest, httpResponse);
+                        return;
+                    }
+                }
+                if (isAccessTokenExpired(httpRequest)) {
+                    authHelper.updateAuthDataUsingSilentFlow(httpRequest);
+                }
+            } catch (MsalException authException) {
+                // something went wrong (like expiration or revocation of token)
+                // we should invalidate AuthData stored in session and redirect to Authorization server
+                authHelper.removePrincipalFromSession(httpRequest);
+                sendAuthRedirect(authHelper.configuration.signUpSignInAuthority, httpRequest, httpResponse);
+                return;
+            } catch (Throwable exc) {
+                httpResponse.setStatus(500);
+                request.setAttribute("error", exc.getMessage());
+                request.getRequestDispatcher("/error").forward(request, response);
+                return;
+            }
+        }
+        chain.doFilter(request, response);
+    }
+
+    private boolean isAccessTokenExpired(HttpServletRequest httpRequest) {
+        IAuthenticationResult result = AuthHelper.getAuthSessionObject(httpRequest);
+        return result.expiresOnDate().before(new Date());
+    }
+
+    private void processAuthenticationCodeRedirect(HttpServletRequest httpRequest, String currentUri, String fullUrl)
+            throws Throwable {
+
+        Map<String, List<String>> params = new HashMap<>();
+        for (String key : httpRequest.getParameterMap().keySet()) {
+            params.put(key, Collections.singletonList(httpRequest.getParameterMap().get(key)[0]));
+        }
+        // validate that state in response equals to state in request
+        StateData stateData = validateState(httpRequest.getSession(), params.get(STATE).get(0));
+
+        AuthenticationResponse authResponse = AuthenticationResponseParser.parse(new URI(fullUrl), params);
+        if (AuthHelper.isAuthenticationSuccessful(authResponse)) {
+            AuthenticationSuccessResponse oidcResponse = (AuthenticationSuccessResponse) authResponse;
+            // validate that OIDC Auth Response matches Code Flow (contains only requested artifacts)
+            validateAuthRespMatchesAuthCodeFlow(oidcResponse);
+
+            IAuthenticationResult result = authHelper.getAuthResultByAuthCode(
+                    httpRequest,
+                    oidcResponse.getAuthorizationCode(),
+                    currentUri,
+                    Collections.singleton(authHelper.configuration.apiScope));
+
+            // validate nonce to prevent reply attacks (code maybe substituted to one with broader access)
+            validateNonce(stateData, getNonceClaimValueFromIdToken(result.idToken()));
+            authHelper.setSessionPrincipal(httpRequest, result);
+        } else {
+            AuthenticationErrorResponse oidcResponse = (AuthenticationErrorResponse) authResponse;
+            throw new Exception(String.format("Request for auth code failed: %s - %s",
+                    oidcResponse.getErrorObject().getCode(),
+                    oidcResponse.getErrorObject().getDescription()));
+        }
+    }
+
+    void sendAuthRedirect(String authoriy, HttpServletRequest httpRequest, HttpServletResponse httpResponse) throws IOException {
+        // state parameter to validate response from Authorization server and nonce parameter to validate idToken
+        String state = UUID.randomUUID().toString();
+        String nonce = UUID.randomUUID().toString();
+        storeStateInSession(httpRequest.getSession(), state, nonce);
+
+        httpResponse.setStatus(302);
+        String redirectUrl = getRedirectUrl(authoriy, httpRequest.getParameter("claims"), state, nonce);
+        httpResponse.sendRedirect(redirectUrl);
+    }
+
+    private void validateNonce(StateData stateData, String nonce) throws Exception {
+        if (StringUtils.isEmpty(nonce) || !nonce.equals(stateData.getNonce())) {
+            throw new Exception(FAILED_TO_VALIDATE_MESSAGE + "could not validate nonce");
+        }
+    }
+
+    private String getNonceClaimValueFromIdToken(String idToken) throws ParseException {
+        return (String) JWTParser.parse(idToken).getJWTClaimsSet().getClaim("nonce");
+    }
+
+    private StateData validateState(HttpSession session, String state) throws Exception {
+        if (StringUtils.isNotEmpty(state)) {
+            StateData stateDataInSession = removeStateFromSession(session, state);
+            if (stateDataInSession != null) {
+                return stateDataInSession;
+            }
+        }
+        throw new Exception(FAILED_TO_VALIDATE_MESSAGE + "could not validate state");
+    }
+
+    private void validateAuthRespMatchesAuthCodeFlow(AuthenticationSuccessResponse oidcResponse) throws Exception {
+        if (oidcResponse.getIDToken() != null || oidcResponse.getAccessToken() != null ||
+                oidcResponse.getAuthorizationCode() == null) {
+            throw new Exception(FAILED_TO_VALIDATE_MESSAGE + "unexpected set of artifacts received");
+        }
+    }
+
+    private void storeStateInSession(HttpSession session, String state, String nonce) {
+        if (session.getAttribute(STATES) == null) {
+            session.setAttribute(STATES, new HashMap<String, StateData>());
+        }
+        ((Map<String, StateData>) session.getAttribute(STATES)).put(state, new StateData(nonce, new Date()));
+    }
+
+    private StateData removeStateFromSession(HttpSession session, String state) {
+        Map<String, StateData> states = (Map<String, StateData>) session.getAttribute(STATES);
+        if (states != null) {
+            eliminateExpiredStates(states);
+            StateData stateData = states.get(state);
+            if (stateData != null) {
+                states.remove(state);
+                return stateData;
+            }
+        }
+        return null;
+    }
+
+    private void eliminateExpiredStates(Map<String, StateData> map) {
+        Iterator<Map.Entry<String, StateData>> it = map.entrySet().iterator();
+
+        Date currTime = new Date();
+        while (it.hasNext()) {
+            Map.Entry<String, StateData> entry = it.next();
+            long diffInSeconds = TimeUnit.MILLISECONDS.
+                    toSeconds(currTime.getTime() - entry.getValue().getExpirationDate().getTime());
+
+            if (diffInSeconds > STATE_TTL) {
+                it.remove();
+            }
+        }
+    }
+
+    private String getRedirectUrl(String authority, String claims, String state, String nonce)
+            throws UnsupportedEncodingException {
+
+        String redirectUrl = authority.replace("/tfp", "") + "oauth2/v2.0/authorize?" +
+                "response_type=code&" +
+                "response_mode=form_post&" +
+                "redirect_uri=" + URLEncoder.encode(authHelper.configuration.redirectUri, "UTF-8") +
+                "&client_id=" + authHelper.configuration.clientId +
+                "&scope=" + URLEncoder.encode("openid offline_access profile " +
+                authHelper.configuration.apiScope, "UTF-8") +
+                (StringUtils.isEmpty(claims) ? "" : "&claims=" + claims) +
+                "&prompt=select_account" +
+                "&state=" + state
+                + "&nonce=" + nonce;
+
+        return redirectUrl;
+    }
+}