Merge branch 'dev' into avdunn/merge-conflicts

# Conflicts:
#	README.md
#	changelog.txt
#	msal4j-sdk/README.md
#	msal4j-sdk/bnd.bnd
#	msal4j-sdk/pom.xml
#	msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/HttpHelper.java
#	msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityRequest.java
#	msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/StringHelper.java
#	msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/TokenRequestExecutor.java
#	msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/CacheFormatTests.java
#	msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ClientCertificateTest.java
#	msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTests.java
#	msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/TokenRequestExecutorTest.java

Author: Avery-Dunn

RELEASES.md

@@ -0,0 +1,41 @@
+# Microsoft Identity SDK Versioning and Servicing FAQ
+
+We have adopted the semantic versioning flow that is industry standard for OSS projects. It gives the maximum amount of control on what risk you take with what versions.
+
+## Semantic Versioning and API stability promises
+
+Microsoft Authentication Libraries are independent open source libraries that are used by  both internal and external Microsoft partners. As with the rest of Microsoft, we have moved to a rapid iteration model where bugs are fixed daily and new versions are produced as required. To communicate these frequent changes to external partners and customers, we follow the practices of other open source libraries and use semantic versioning for all our public Microsoft Authentication SDK libraries. This allows us to support our downstream partners which will lock on certain versions for stability purposes, as well as providing for the distribution over NuGet, CocoaPods, and Maven.
+
+The semantics are: MAJOR.MINOR.PATCH (example 1.1.5)
+
+We will update our code distributions to use the latest PATCH semantic version number in order to make sure our customers and partners get the latest bug fixes. Downstream partner needs to pull the latest PATCH version. Most partners should try lock on the latest MINOR version number in their builds and accept any updates in the PATCH number.
+
+Example:
+Using Maven, this ensures all 1.1.0 to 1.1.x updates are included when building your code, but not 1.2. 
+
+```
+<dependency>
+    <groupId>com.microsoft.azure</groupId>
+    <artifactId>msal4j</artifactId>
+    <version>[1.1.0,1.2.0)</version>
+</dependency>
+```
+
+| Version |                                                                                                                                                                                                                                                             Description                                                                                                                                                                                                                                                              |
+|:-------:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
+| x.x.x   | PATCH version number. Incrementing these numbers is for bug fixes and updates but do not introduce new features. This is used for close partners who build on our platform release (ex. Microsoft Entra Fabric, Office, etc.). In addition, Cocoapods, NuGet, and Maven use this number to deliver the latest release to customers. This will update frequently (sometimes within the same day). There are no new features, and no regressions or API surface changes. Code will continue to work unless affected by a particular code fix. |
+| x.x     |                                                          MINOR version numbers. These are for new feature additions that do not impact existing features or introduce regressions. They are purely additive, but may require testing to ensure nothing is impacted. All x.x.x bug fixes will also roll up in to this number. There is no regressions or API surface changes. Code will continue to work unless affected by a particular code fix or needs this new feature.                                                          |
+| x       |                                                   MAJOR version numbers. This should be considered a new, supported version of Microsoft Authentication SDK and begins the Azure one year support cycle anew. Major new features are introduced and API changes can occur. This should only be used after a large amount of testing and used only if those features are needed. We will continue to service MAJOR version numbers with bug fixes up to the one year support cycle.                                                   |
+
+## Serviceability
+
+When we release a new MINOR version, the previous MINOR versions shipped within one year MAY still accept bug report and receive patches. MINOR versions more than one year old will not receive any support. If you suspect there is an issue in a 1+ year old version that you are using, please upgrade to latest MINOR version and retry, before you send out a bug report.
+
+When we release a new MAJOR version, we will continue to apply bug fixes to the existing features in the previous MAJOR version for up to the 1-year support cycle for Azure.
+
+## Microsoft Authentication SDKs and Microsoft Entra
+
+Microsoft Authentication SDKs major versions will maintain backwards compatibility with Microsoft Entra web services through the support period. This means that the API surface area defined in a MAJOR version will continue to work for at least 1 year after release.
+
+We will respond to bugs quickly from our partners and customers submitted through GitHub and through our private alias ([email protected]) for security issues and update the PATCH version number. We will also submit a change summary for each PATCH number.
+Occasionally, there will be security bugs or breaking bugs from our partners that will require an immediate fix and an update to all partners and customers. When this occurs, we will do an emergency roll up to a PATCH version number and update all our distribution methods to the latest.

changelog.txt

@@ -4,6 +4,19 @@ Version 1.30.0-beta
 - Replace com.nimbusds dependencies with implementations of OAuth behavior (#926, #927, #928, #941, #945)
 - Replace com.fasterxml.jackson with com.azure.json for JSON behavior (#947, #948)
 
+Version 1.22.0
+=============
+- Validate issuer from OIDC endpoint when using the oidcAuthority() API (#970)
+- Bump oauth2-oidc-sdk dependency to avoid CVE-2025-53864 (#975)
+
+Version 1.21.0
+=============
+- Add support for claims, client capabilities, and token revocation in Service Fabric scenarios (#929, #943)
+- Improve retry logic for HTTP requests, and add API to disable retries (#960, #963, #964)
+- Support multiple date formats in Managed identity scenarios (#956)
+- Fix query parameter issue in IMDS scenarios (#954)
+- Update dependencies used in tests to avoid CVE warnings (#962)
+
  1.20.1
 =============
 - Fix Base64URL decoding bug (#938)

msal4j-sdk/pom.xml

@@ -30,14 +30,11 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <skip.unit.tests>false</skip.unit.tests>
+        <skip.integration.tests>false</skip.integration.tests>
     </properties>
 
     <dependencies>
-        <dependency>
-            <groupId>org.slf4j</groupId>
-            <artifactId>slf4j-api</artifactId>
-            <version>1.7.36</version>
-        </dependency>
         <dependency>
             <groupId>com.azure</groupId>
             <artifactId>azure-json</artifactId>
@@ -66,31 +63,31 @@
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-api</artifactId>
-            <version>5.9.2</version>
+            <version>5.13.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-params</artifactId>
-            <version>5.8.1</version>
+            <version>5.13.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-engine</artifactId>
-            <version>5.9.2</version>
+            <version>5.13.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-inline</artifactId>
-            <version>4.7.0</version>
+            <version>4.11.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-junit-jupiter</artifactId>
-            <version>4.7.0</version>
+            <version>4.11.0</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -102,19 +99,13 @@
         <dependency>
             <groupId>org.skyscreamer</groupId>
             <artifactId>jsonassert</artifactId>
-            <version>1.5.0</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
-            <version>4.5.13</version>
+            <version>1.5.3</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>com.azure</groupId>
             <artifactId>azure-security-keyvault-secrets</artifactId>
-            <version>4.3.5</version>
+            <version>4.9.4</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -124,15 +115,9 @@
             <scope>test</scope>
         </dependency>
         <dependency>
-            <groupId>com.google.guava</groupId>
-            <artifactId>guava</artifactId>
-            <version>32.1.1-jre</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>ch.qos.logback</groupId>
-            <artifactId>logback-classic</artifactId>
-            <version>1.3.12</version>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.13.1</version>
             <scope>test</scope>
         </dependency>
         <dependency>
@@ -189,7 +174,9 @@
                 <executions>
                     <execution>
                         <id>check</id>
-                        <goals><goal>check</goal></goals>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
                     </execution>
                 </executions>
             </plugin>
@@ -214,9 +201,9 @@
                 <version>3.5.2</version>
                 <configuration>
                     <argLine>@{argLine} -noverify</argLine>
+                    <skipTests>${skip.unit.tests}</skipTests>
                 </configuration>
             </plugin>
-
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-javadoc-plugin</artifactId>
@@ -291,6 +278,9 @@
                         </goals>
                     </execution>
                 </executions>
+                <configuration>
+                    <skipTests>${skip.integration.tests}</skipTests>
+                </configuration>
             </plugin>
             <plugin>
                 <groupId>biz.aQute.bnd</groupId>
@@ -323,6 +313,10 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <version>3.1.2</version>
+            </plugin>
         </plugins>
     </build>
 </project>

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscoveryProvider.java

@@ -235,8 +235,8 @@ static AadInstanceDiscoveryResponse sendInstanceDiscoveryRequest(URL authorityUr
 
         AadInstanceDiscoveryResponse response = JsonHelper.convertJsonStringToJsonSerializableObject(httpResponse.body(), AadInstanceDiscoveryResponse::fromJson);
 
-        if (httpResponse.statusCode() != HttpHelper.HTTP_STATUS_200) {
-            if (httpResponse.statusCode() == HttpHelper.HTTP_STATUS_400 && response.error().equals("invalid_instance")) {
+        if (httpResponse.statusCode() != HttpStatus.HTTP_OK) {
+            if (httpResponse.statusCode() == HttpStatus.HTTP_BAD_REQUEST && response.error().equals("invalid_instance")) {
                 // instance discovery failed due to an invalid authority, throw an exception.
                 throw MsalServiceExceptionFactory.fromHttpResponse(httpResponse);
             }
@@ -310,7 +310,7 @@ static String discoverRegion(MsalRequest msalRequest, ServiceBundle serviceBundl
             log.info("Starting call to IMDS endpoint.");
             IHttpResponse httpResponse = future.get(IMDS_TIMEOUT, IMDS_TIMEOUT_UNIT);
             //If call to IMDS endpoint was successful, return region from response body
-            if (httpResponse.statusCode() == HttpHelper.HTTP_STATUS_200 && !httpResponse.body().isEmpty()) {
+            if (httpResponse.statusCode() == HttpStatus.HTTP_OK && !httpResponse.body().isEmpty()) {
                 log.info(String.format("Region retrieved from IMDS endpoint: %s", httpResponse.body()));
                 currentRequest.regionSource(RegionTelemetry.REGION_SOURCE_IMDS.telemetryValue);
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractApplicationBase.java

@@ -32,6 +32,7 @@ public abstract class AbstractApplicationBase implements IApplicationBase {
     private IHttpClient httpClient;
     private Integer connectTimeoutForDefaultHttpClient;
     private Integer readTimeoutForDefaultHttpClient;
+    private boolean retryDisabled;
     String tenant;
 
     //The following fields are set in only some applications and/or set internally by the library. To avoid excessive
@@ -150,6 +151,10 @@ public Integer readTimeoutForDefaultHttpClient() {
         return this.readTimeoutForDefaultHttpClient;
     }
 
+    boolean isRetryDisabled() {
+        return this.retryDisabled;
+    }
+
     String tenant() {
         return this.tenant;
     }
@@ -190,6 +195,7 @@ public abstract static class Builder<T extends Builder<T>> {
         Boolean onlySendFailureTelemetry = false;
         Integer connectTimeoutForDefaultHttpClient;
         Integer readTimeoutForDefaultHttpClient;
+        boolean disableInternalRetries;
         private String clientId;
         private Authority authenticationAuthority = createDefaultAADAuthority();
 
@@ -319,6 +325,18 @@ public T readTimeoutForDefaultHttpClient(Integer val) {
             return self();
         }
 
+        /**
+         * The library has a number of policies for retrying HTTP calls in different scenarios.
+         * <p>
+         * This will disable all internal retry behavior, allowing customized retry behavior via your own implementation of {@link IHttpClient}
+         *
+         * @return instance of the Builder on which method was called
+         */
+        public T disableInternalRetries() {
+            disableInternalRetries = true;
+            return self();
+        }
+
         T telemetryConsumer(Consumer<List<HashMap<String, String>>> val) {
             validateNotNull("telemetryConsumer", val);
 
@@ -356,5 +374,16 @@ private static Authority createDefaultAADAuthority() {
         readTimeoutForDefaultHttpClient = builder.readTimeoutForDefaultHttpClient;
         authenticationAuthority = builder.authenticationAuthority;
         clientId = builder.clientId;
+        retryDisabled = builder.disableInternalRetries;
+
+        if (builder.httpClient == null) {
+            httpClient = new DefaultHttpClient(
+                    builder.proxy,
+                    builder.sslSocketFactory,
+                    builder.connectTimeoutForDefaultHttpClient,
+                    builder.readTimeoutForDefaultHttpClient);
+        } else {
+            httpClient = builder.httpClient;
+        }
     }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java

@@ -562,9 +562,7 @@ public T correlationId(String val) {
         super.serviceBundle = new ServiceBundle(
                 builder.executorService,
                 new TelemetryManager(telemetryConsumer, builder.onlySendFailureTelemetry),
-                new HttpHelper(builder.httpClient == null ?
-                        new DefaultHttpClient(builder.proxy, builder.sslSocketFactory, builder.connectTimeoutForDefaultHttpClient, builder.readTimeoutForDefaultHttpClient) :
-                        builder.httpClient)
+                new HttpHelper(this, new DefaultRetryPolicy())
         );
 
         if (aadAadInstanceDiscoveryResponse != null) {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractManagedIdentitySource.java

@@ -41,6 +41,7 @@ public ManagedIdentityResponse getManagedIdentityResponse(
             ManagedIdentityParameters parameters) {
 
         createManagedIdentityRequest(parameters.resource);
+        managedIdentityRequest.addTokenRevocationParametersToQuery(parameters);
         IHttpResponse response;
 
         try {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java

@@ -6,6 +6,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.time.Instant;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -83,6 +84,12 @@ AuthenticationResult execute() throws Exception {
                 result.metadata().tokenSource(TokenSource.CACHE);
                 return result;
             } else {
+                if (cacheRefreshReason == CacheRefreshReason.CLAIMS) {
+                    LOG.debug("Claims are passed, creating token hash and refreshing the token");
+                    managedIdentityParameters.revokedTokenHash = StringHelper.createSha256HashHexString(result.accessToken());
+                    return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, CacheRefreshReason.CLAIMS);
+                }
+
                 LOG.debug(String.format("Refreshing access token. Cache refresh reason: %s", cacheRefreshReason));
                 return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
             }
@@ -109,14 +116,13 @@ private AuthenticationResult fetchNewAccessTokenAndSaveToCache(TokenRequestExecu
 
         AuthenticationResult authenticationResult = createFromManagedIdentityResponse(managedIdentityResponse);
         clientApplication.tokenCache.saveTokens(tokenRequestExecutor, authenticationResult, clientApplication.authenticationAuthority.host);
-        AuthenticationResult result = authenticationResult;
-        result.metadata().tokenSource(TokenSource.IDENTITY_PROVIDER);
-        result.metadata().cacheRefreshReason(cacheRefreshReason);
-        return result;
+        authenticationResult.metadata().tokenSource(TokenSource.IDENTITY_PROVIDER);
+        authenticationResult.metadata().cacheRefreshReason(cacheRefreshReason);
+        return authenticationResult;
     }
 
     private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityResponse managedIdentityResponse) {
-        long expiresOn = Long.parseLong(managedIdentityResponse.expiresOn);
+        long expiresOn = getExpiresOnFromManagedIdentityTimestamp(managedIdentityResponse.expiresOn);
         long refreshOn = calculateRefreshOn(expiresOn);
         AuthenticationResultMetadata metadata = AuthenticationResultMetadata.builder()
                 .tokenSource(TokenSource.IDENTITY_PROVIDER)
@@ -133,6 +139,31 @@ private AuthenticationResult createFromManagedIdentityResponse(ManagedIdentityRe
                 .build();
     }
 
+    static long getExpiresOnFromManagedIdentityTimestamp(String dateTimeStamp) {
+        if (dateTimeStamp == null || dateTimeStamp.isEmpty()) {
+            return 0;
+        }
+
+        // Try parsing as Unix timestamp (seconds since epoch)
+        try {
+            return Long.parseLong(dateTimeStamp);
+        } catch (NumberFormatException e) {
+            // Not a number
+        }
+
+        // Try parsing as ISO 8601
+        try {
+            return Instant.parse(dateTimeStamp).getEpochSecond();
+        } catch (Exception e) {
+            // Not ISO 8601
+        }
+
+        throw new MsalClientException(
+                String.format("Failed to parse timestamp '%s'. Expected Unix epoch seconds or ISO 8601 format.",
+                        dateTimeStamp),
+                AuthenticationErrorCode.INVALID_TIMESTAMP_FORMAT);
+    }
+
     private long calculateRefreshOn(long expiresOn) {
         long timestampSeconds = System.currentTimeMillis() / 1000;
         long expiresIn = expiresOn - timestampSeconds;