Add ClientAssertion API to ClientCredentialFactory

Author: sgonzalezMSFT

src/integrationtest/java/com.microsoft.aad.msal4j/AcquireTokenSilentIT.java

@@ -3,6 +3,7 @@
 
 package com.microsoft.aad.msal4j;
 
+import labapi.AppIdentityProvider;
 import labapi.FederationProvider;
 import labapi.LabResponse;
 import labapi.LabUserProvider;
@@ -13,6 +14,10 @@
 
 import java.util.Collections;
 import java.util.Set;
+import java.util.concurrent.ExecutionException;
+
+import static com.microsoft.aad.msal4j.TestConstants.GRAPH_DEFAULT_SCOPE;
+import static com.microsoft.aad.msal4j.TestConstants.KEYVAULT_DEFAULT_SCOPE;
 
 public class AcquireTokenSilentIT {
     private LabUserProvider labUserProvider;
@@ -151,43 +156,80 @@ public void acquireTokenSilent_MultipleAccountsInCache_UseCorrectAccount() throw
         Assert.assertEquals(result.account().username(), labResponse.getUser().getUpn());
     }
 
-    private IPublicClientApplication getPublicClientApplicationWithTokensInCache()
-            throws Exception {
+    @Test
+    public void acquireTokenSilent_usingCommonAuthority_returnCachedAt() throws Exception {
+        acquireTokenSilent_returnCachedTokens(TestConstants.ORGANIZATIONS_AUTHORITY);
+    }
+
+    @Test
+    public void acquireTokenSilent_usingTenantSpecificAuthority_returnCachedAt() throws Exception {
         LabResponse labResponse = labUserProvider.getDefaultUser(
                 NationalCloud.AZURE_CLOUD,
                 false);
-        String password = labUserProvider.getUserPassword(labResponse.getUser());
+        String tenantSpecificAuthority = TestConstants.MICROSOFT_AUTHORITY_HOST + labResponse.getUser().getTenantId();
 
-        PublicClientApplication pca = new PublicClientApplication.Builder(
-                labResponse.getAppId()).
-                authority(TestConstants.ORGANIZATIONS_AUTHORITY).
-                build();
+        acquireTokenSilent_returnCachedTokens(tenantSpecificAuthority);
+    }
 
-        pca.acquireToken(UserNamePasswordParameters.
-                builder(Collections.singleton(TestConstants.GRAPH_DEFAULT_SCOPE),
-                        labResponse.getUser().getUpn(),
-                        password.toCharArray())
+
+    @Test
+    public void acquireTokenSilent_ConfidentialClient_acquireTokenSilent() throws Exception{
+
+        IConfidentialClientApplication cca = getConfidentialClientApplications();
+
+        IAuthenticationResult result = cca.acquireToken(ClientCredentialParameters
+                .builder(Collections.singleton(KEYVAULT_DEFAULT_SCOPE))
                 .build())
                 .get();
-        return pca;
+
+        Assert.assertNotNull(result);
+        Assert.assertNotNull(result.accessToken());
+
+        String cachedAt = result.accessToken();
+
+        result = cca.acquireTokenSilently(SilentParameters
+                .builder(Collections.singleton(KEYVAULT_DEFAULT_SCOPE))
+                .build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertEquals(result.accessToken(), cachedAt);
     }
 
-    @Test
-    private void acquireTokenSilent_usingCommonAuthority_returnCachedAt() throws Exception {
-        acquireTokenSilent_returnCachedTokens(TestConstants.ORGANIZATIONS_AUTHORITY);
+    @Test(expectedExceptions = ExecutionException.class)
+    public void acquireTokenSilent_ConfidentialClient_acquireTokenSilentDifferentScopeThrowsException()
+            throws Exception {
+
+        IConfidentialClientApplication cca = getConfidentialClientApplications();
+
+        IAuthenticationResult result = cca.acquireToken(ClientCredentialParameters
+                .builder(Collections.singleton(KEYVAULT_DEFAULT_SCOPE))
+                .build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertNotNull(result.accessToken());
+
+        //Acquiring token for different scope, expect exception to be thrown
+        cca.acquireTokenSilently(SilentParameters
+                .builder(Collections.singleton(GRAPH_DEFAULT_SCOPE))
+                .build())
+                .get();
     }
 
-    @Test
-    private void acquireTokenSilent_usingTenantSpecificAuthority_returnCachedAt() throws Exception {
-        LabResponse labResponse = labUserProvider.getDefaultUser(
-                NationalCloud.AZURE_CLOUD,
-                false);
-        String tenantSpecificAuthority = TestConstants.MICROSOFT_AUTHORITY_HOST + labResponse.getUser().getTenantId();
+    private IConfidentialClientApplication getConfidentialClientApplications() throws Exception{
+        AppIdentityProvider appProvider = new AppIdentityProvider();
+        final String clientId = appProvider.getDefaultLabId();
+        final String password = appProvider.getDefaultLabPassword();
+        IClientCredential credential = ClientCredentialFactory.createFromSecret(password);
 
-        acquireTokenSilent_returnCachedTokens(tenantSpecificAuthority);
+        return ConfidentialClientApplication.builder(
+                clientId, credential).
+                authority(TestConstants.MICROSOFT_AUTHORITY).
+                build();
     }
 
-    void acquireTokenSilent_returnCachedTokens(String authority) throws Exception {
+    private void acquireTokenSilent_returnCachedTokens(String authority) throws Exception {
 
         LabResponse labResponse = labUserProvider.getDefaultUser(
                 NationalCloud.AZURE_CLOUD,
@@ -217,4 +259,25 @@ void acquireTokenSilent_returnCachedTokens(String authority) throws Exception {
         Assert.assertNotNull(silentAuthResult);
         Assert.assertEquals(interactiveAuthResult.accessToken(), silentAuthResult.accessToken());
     }
+
+    private IPublicClientApplication getPublicClientApplicationWithTokensInCache()
+            throws Exception {
+        LabResponse labResponse = labUserProvider.getDefaultUser(
+                NationalCloud.AZURE_CLOUD,
+                false);
+        String password = labUserProvider.getUserPassword(labResponse.getUser());
+
+        PublicClientApplication pca = new PublicClientApplication.Builder(
+                labResponse.getAppId()).
+                authority(TestConstants.ORGANIZATIONS_AUTHORITY).
+                build();
+
+        pca.acquireToken(
+                UserNamePasswordParameters.builder(
+                        Collections.singleton(TestConstants.GRAPH_DEFAULT_SCOPE),
+                        labResponse.getUser().getUpn(),
+                        password.toCharArray())
+                        .build()).get();
+        return pca;
+    }
 }

src/integrationtest/java/com.microsoft.aad.msal4j/AuthorizationCodeIT.java

@@ -247,7 +247,7 @@ private IAuthenticationResult acquireTokenInteractiveB2C(LabResponse labResponse
                                                             String authCode) {
         IAuthenticationResult result;
         try{
-            IClientCredential credential = ClientCredentialFactory.create("");
+            IClientCredential credential = ClientCredentialFactory.createFromSecret("");
             ConfidentialClientApplication cca = ConfidentialClientApplication.builder(
                     labResponse.getAppId(),
                     credential)

src/integrationtest/java/com.microsoft.aad.msal4j/ClientCredentialsIT.java

@@ -23,6 +23,7 @@
 
 @Test
 public class ClientCredentialsIT {
+
     @Test
     public void acquireTokenClientCredentials_AsymmetricKeyCredential() throws Exception{
         String clientId = "55e7e5af-ca53-482d-9aa3-5cb1cc8eecb5";
@@ -35,7 +36,24 @@ public void acquireTokenClientCredentials_ClientSecret() throws Exception{
         AppIdentityProvider appProvider = new AppIdentityProvider();
         final String clientId = appProvider.getDefaultLabId();
         final String password = appProvider.getDefaultLabPassword();
-        IClientCredential credential = ClientCredentialFactory.create(password);
+        IClientCredential credential = ClientCredentialFactory.createFromSecret(password);
+
+        assertAcquireTokenCommon(clientId, credential);
+    }
+
+    @Test
+    public void acquireTokenClientCredentials_ClientAssertion() throws Exception{
+        String clientId = "55e7e5af-ca53-482d-9aa3-5cb1cc8eecb5";
+        IClientCredential certificateFromKeyStore = getCertificateFromKeyStore();
+
+        ClientAssertion clientAssertion = JwtHelper.buildJwt(
+                clientId,
+                (AsymmetricKeyCredential) certificateFromKeyStore,
+                "https://login.microsoftonline.com/common/oauth2/v2.0/token");
+
+
+        IClientCredential credential = ClientCredentialFactory.createFromClientAssertion(
+                clientAssertion.assertion());
 
         assertAcquireTokenCommon(clientId, credential);
     }
@@ -53,23 +71,6 @@ private void assertAcquireTokenCommon(String clientId, IClientCredential credent
 
         Assert.assertNotNull(result);
         Assert.assertNotNull(result.accessToken());
-
-        String cachedAt = result.accessToken();
-
-        result = cca.acquireTokenSilently(SilentParameters
-                .builder(Collections.singleton(GRAPH_DEFAULT_SCOPE))
-                .build())
-                .get();
-
-        Assert.assertNull(result);
-
-        result = cca.acquireTokenSilently(SilentParameters
-                .builder(Collections.singleton(KEYVAULT_DEFAULT_SCOPE))
-                .build())
-                .get();
-
-        Assert.assertNotNull(result);
-        Assert.assertEquals(result.accessToken(), cachedAt);
     }
 
 
@@ -84,6 +85,6 @@ private IClientCredential getCertificateFromKeyStore() throws
         X509Certificate publicCertificate = (X509Certificate)keystore.getCertificate(
                 certificateAlias);
 
-        return ClientCredentialFactory.create(key, publicCertificate);
+        return ClientCredentialFactory.createFromCertificate(key, publicCertificate);
     }
 }

src/integrationtest/java/com.microsoft.aad.msal4j/OnBehalfOfIT.java

@@ -50,7 +50,7 @@ public void acquireTokenWithOBO_Managed() throws Exception {
         final String password = appProvider.getOboPassword();
 
         ConfidentialClientApplication cca =
-                ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.create(password)).
+                ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.createFromSecret(password)).
                         authority(msidlab4Authority).
                         build();
 

src/integrationtest/java/labapi/KeyVaultSecretsProvider.java

@@ -78,6 +78,6 @@ private IClientCredential getClientCredentialFromKeyStore() {
         } catch (Exception e){
             throw new RuntimeException("Error getting certificate from keystore: " + e.getMessage());
         }
-        return ClientCredentialFactory.create(key, publicCertificate);
+        return ClientCredentialFactory.createFromCertificate(key, publicCertificate);
    }
 }

src/main/java/com/microsoft/aad/msal4j/ClientAssertion.java

@@ -15,7 +15,7 @@
 @Accessors(fluent = true)
 @Getter
 @EqualsAndHashCode
-public final class ClientAssertion {
+final class ClientAssertion implements IClientCredential{
 
     public static final String assertionType = JWTAuthentication.CLIENT_ASSERTION_TYPE;
     private final String assertion;
@@ -26,7 +26,7 @@ public final class ClientAssertion {
      *
      * @param assertion The jwt used as credential.
      */
-    public ClientAssertion(final String assertion) {
+    ClientAssertion(final String assertion) {
         if (StringHelper.isBlank(assertion)) {
             throw new NullPointerException("assertion");
         }

src/main/java/com/microsoft/aad/msal4j/ClientCredentialFactory.java

@@ -19,7 +19,7 @@ public class ClientCredentialFactory {
      * @param secret secret of application requesting a token
      * @return {@link ClientSecret}
      */
-    public static IClientCredential create(String secret){
+    public static IClientCredential createFromSecret(String secret){
         return new ClientSecret(secret);
     }
 
@@ -35,8 +35,7 @@ public static IClientCredential create(String secret){
      * @throws NoSuchProviderException
      * @throws IOException
      */
-    public static IClientCredential create
-            (final InputStream pkcs12Certificate, final String password)
+    public static IClientCredential createFromCertificate(final InputStream pkcs12Certificate, final String password)
             throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException,
             KeyStoreException, NoSuchProviderException, IOException {
         return AsymmetricKeyCredential.create(pkcs12Certificate, password);
@@ -48,8 +47,16 @@ public static IClientCredential create(String secret){
      * @param publicCertificate x509 public certificate used for thumbprint
      * @return {@link IClientCredential}
      */
-    public static IClientCredential create
-            (final PrivateKey key, final X509Certificate publicCertificate) {
+    public static IClientCredential createFromCertificate(final PrivateKey key, final X509Certificate publicCertificate) {
         return AsymmetricKeyCredential.create(key, publicCertificate);
     }
+
+    /**
+     *
+     * @param clientAssertion Jwt token encoded as a base64 URL encoded string
+     * @return {@link IClientCredential}
+     */
+    public static IClientCredential createFromClientAssertion(String clientAssertion){
+        return new ClientAssertion(clientAssertion);
+    }
 }

src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -74,6 +74,8 @@ private void initClientAuthentication(IClientCredential clientCredential) {
                     this.authenticationAuthority.selfSignedJwtAudience());
 
             clientAuthentication = createClientAuthFromClientAssertion(clientAssertion);
+        } else if (clientCredential instanceof ClientAssertion){
+            clientAuthentication = createClientAuthFromClientAssertion((ClientAssertion) clientCredential);
         } else {
             throw new IllegalArgumentException("Unsupported client credential");
         }

src/main/java/com/microsoft/aad/msal4j/JwtHelper.java

@@ -45,12 +45,13 @@ static ClientAssertion buildJwt(String clientId, final AsymmetricKeyCredential c
 
         SignedJWT jwt;
         try {
-            JWSHeader.Builder builder = new Builder(JWSAlgorithm.RS256);
-            List<Base64> certs = new ArrayList<Base64>();
+            List<Base64> certs = new ArrayList<>();
             certs.add(new Base64(credential.publicCertificate()));
+
+            JWSHeader.Builder builder = new Builder(JWSAlgorithm.RS256);
             builder.x509CertChain(certs);
-            builder.x509CertThumbprint(new Base64URL(credential
-                    .getPublicCertificateHash()));
+            builder.x509CertThumbprint(new Base64URL(credential.getPublicCertificateHash()));
+
             jwt = new SignedJWT(builder.build(), claimsSet);
             final RSASSASigner signer = new RSASSASigner(credential.key());
 

src/test/java/com/microsoft/aad/msal4j/AcquireTokenSilentlyTest.java

@@ -35,7 +35,7 @@ public void publicAppAcquireTokenSilently_emptyCache_MsalClientException() throw
     public void confidentialAppAcquireTokenSilently_emptyCache_MsalClientException() throws Throwable {
 
         ConfidentialClientApplication application = ConfidentialClientApplication
-                .builder(TestConfiguration.AAD_CLIENT_ID, ClientCredentialFactory.create(TestConfiguration.AAD_CLIENT_SECRET))
+                .builder(TestConfiguration.AAD_CLIENT_ID, ClientCredentialFactory.createFromSecret(TestConfiguration.AAD_CLIENT_SECRET))
                 .b2cAuthority(TestConfiguration.B2C_AUTHORITY).build();
 
         SilentParameters parameters = SilentParameters.builder(Collections.singleton("scope")).build();