Merge pull request #471 from AzureAD/dev

Release 1.11.2 changes

Author: siddhijain

README.md

@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.11.1
+Current version - 1.11.2
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,14 +28,12 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.11.1</version>
+    <version>1.11.2</version>
 </dependency>
 ```
 ### Gradle
 
-```
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.11.1'
-```
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.11.2'
 
 ## Usage
 

changelog.txt

@@ -1,3 +1,8 @@
+Version 1.11.2
+=============
+- Updated oauth2-oidc-sdk version to address security vulnerability
+- Fixed a bug where acquire token using client assertion failed
+
 Version 1.11.1
 =============
 - Updated Azure Key Vault dependencies to fix error in transitive dependency

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.11.1</version>
+	<version>1.11.2</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>
@@ -36,7 +36,7 @@
         <dependency>
             <groupId>com.nimbusds</groupId>
             <artifactId>oauth2-oidc-sdk</artifactId>
-            <version>9.7</version>
+            <version>9.22.1</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
@@ -100,9 +100,8 @@
         </dependency>
         <dependency>
             <groupId>com.azure</groupId>
-            <artifactId>azure-identity</artifactId>
-            <version>1.4.2</version>
-            <scope>test</scope>
+            <artifactId>azure-security-keyvault-secrets</artifactId>
+            <version>4.3.5</version>
         </dependency>
         <dependency>
             <groupId>com.azure</groupId>

src/integrationtest/java/com.microsoft.aad.msal4j/CertificateHelper.java

@@ -16,6 +16,8 @@ static KeyStore createKeyStore() throws KeyStoreException, NoSuchProviderExcepti
         String os = SystemUtils.OS_NAME;
         if (os.contains("Mac")) {
             return KeyStore.getInstance("KeychainStore");
+        } else if (os.contains("Linux")) {
+            return KeyStore.getInstance(KeyStore.getDefaultType());
         } else {
             return KeyStore.getInstance("Windows-MY", "SunMSCAPI");
         }

src/integrationtest/java/com.microsoft.aad.msal4j/ConfidentialClientApplicationUnitT.java

@@ -3,14 +3,17 @@
 
 package com.microsoft.aad.msal4j;
 
+import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jose.util.Base64;
 import com.nimbusds.jose.util.Base64URL;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.oauth2.sdk.auth.JWTAuthentication;
 import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
+import org.easymock.Capture;
 import org.easymock.EasyMock;
 import org.powermock.api.easymock.PowerMock;
 import org.powermock.core.classloader.annotations.PowerMockIgnore;
@@ -22,13 +25,14 @@
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.URLEncoder;
 import java.security.*;
 import java.security.cert.CertificateException;
 import java.util.*;
 import java.util.concurrent.Future;
 
-import static org.testng.Assert.assertFalse;
-import static org.testng.Assert.assertNotNull;
+import static org.easymock.EasyMock.*;
+import static org.testng.Assert.*;
 
 @PowerMockIgnore({"javax.net.ssl.*"})
 @PrepareForTest({ConfidentialClientApplication.class,
@@ -206,29 +210,7 @@ private ClientAssertion buildShortJwt(String clientId,
 
     @Test
     public void testClientAssertion_noException() throws Exception{
-
-        IClientCertificate certificate = CertificateHelper.getClientCertificate();
-
-        final ClientCertificate credential = (ClientCertificate) certificate;
-
-        final JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
-                .issuer("issuer")
-                .subject("subject")
-                .build();
-
-        SignedJWT jwt;
-        JWSHeader.Builder builder = new JWSHeader.Builder(JWSAlgorithm.RS256);
-
-        List<Base64> certs = new ArrayList<>();
-        for (String cert : credential.getEncodedPublicKeyCertificateChain()) {
-            certs.add(new Base64(cert));
-        }
-        builder.x509CertChain(certs);
-
-        jwt = new SignedJWT(builder.build(), claimsSet);
-        final RSASSASigner signer = new RSASSASigner(credential.privateKey());
-
-        jwt.sign(signer);
+        SignedJWT jwt = createClientAssertion("issuer");
 
         ClientAssertion clientAssertion = new ClientAssertion(jwt.serialize());
 
@@ -245,14 +227,84 @@ public void testClientAssertion_noException() throws Exception{
 
     }
 
+    @Test
+    public void testClientAssertion_acquireToken() throws Exception{
+        SignedJWT jwt = createClientAssertion("issuer");
+
+        ClientAssertion clientAssertion = new ClientAssertion(jwt.serialize());
+        ConfidentialClientApplication app = ConfidentialClientApplication
+                .builder(TestConfiguration.AAD_CLIENT_ID, ClientCredentialFactory.createFromClientAssertion(clientAssertion.assertion()))
+                .authority(TestConfiguration.AAD_TENANT_ENDPOINT)
+                .build();
+
+        String scope = "requestedScope";
+        ClientCredentialRequest clientCredentialRequest = getClientCredentialRequest(app, scope);
+
+        IHttpClient httpClientMock = EasyMock.mock(IHttpClient.class);
+        Capture<HttpRequest> captureSingleArgument = newCapture();
+        expect(httpClientMock.send(capture(captureSingleArgument))).andReturn(new HttpResponse());
+        EasyMock.replay(httpClientMock);
+
+        TokenRequestExecutor tokenRequestExecutor = new TokenRequestExecutor(app.authenticationAuthority, clientCredentialRequest, mockedServiceBundle(httpClientMock));
+        try {
+            tokenRequestExecutor.executeTokenRequest();
+        } catch(Exception e) {
+            //Ignored, we only want to check the request that was send.
+        }
+        HttpRequest value = captureSingleArgument.getValue();
+        String body = value.body();
+        Assert.assertTrue(body.contains("grant_type=client_credentials"));
+        Assert.assertTrue(body.contains("client_assertion=" + clientAssertion.assertion()));
+        Assert.assertTrue(body.contains("client_assertion_type=" + URLEncoder.encode(JWTAuthentication.CLIENT_ASSERTION_TYPE, "utf-8")));
+        Assert.assertTrue(body.contains("scope=" + URLEncoder.encode("openid profile offline_access " + scope, "utf-8")));
+        Assert.assertTrue(body.contains("client_id=" + TestConfiguration.AAD_CLIENT_ID));
+    }
+
+    private ServiceBundle mockedServiceBundle(IHttpClient httpClientMock) {
+        ServiceBundle serviceBundle = new ServiceBundle(
+                null,
+                httpClientMock,
+                new TelemetryManager(null, false));
+        return serviceBundle;
+    }
+
+    private ClientCredentialRequest getClientCredentialRequest(ConfidentialClientApplication app, String scope) {
+        Set<String> scopes = new HashSet<>();
+        scopes.add(scope);
+        ClientCredentialParameters clientCredentials = ClientCredentialParameters.builder(scopes).tenant(IdToken.TENANT_IDENTIFIER).build();
+        RequestContext requestContext = new RequestContext(
+                app,
+                PublicApi.ACQUIRE_TOKEN_FOR_CLIENT,
+                clientCredentials);
+
+        ClientCredentialRequest clientCredentialRequest =
+                new ClientCredentialRequest(
+                        clientCredentials,
+                        app,
+                        requestContext);
+        return clientCredentialRequest;
+    }
+
     @Test(expectedExceptions = MsalClientException.class)
     public void testClientAssertion_throwsException() throws Exception{
+        SignedJWT jwt = createClientAssertion(null);
+
+        ClientAssertion clientAssertion = new ClientAssertion(jwt.serialize());
+
+        IClientCredential iClientCredential = ClientCredentialFactory.createFromClientAssertion(
+                clientAssertion.assertion());
 
+        ConfidentialClientApplication.builder(TestConfiguration.AAD_CLIENT_ID, iClientCredential).authority(TestConfiguration.AAD_TENANT_ENDPOINT).build();
+
+    }
+
+    private SignedJWT createClientAssertion(String issuer) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException, NoSuchProviderException, JOSEException {
         IClientCertificate certificate = CertificateHelper.getClientCertificate();
+
         final ClientCertificate credential = (ClientCertificate) certificate;
 
         final JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
-                .issuer(null)
+                .issuer(issuer)
                 .subject("subject")
                 .build();
 
@@ -269,15 +321,7 @@ public void testClientAssertion_throwsException() throws Exception{
         final RSASSASigner signer = new RSASSASigner(credential.privateKey());
 
         jwt.sign(signer);
-
-        ClientAssertion clientAssertion = new ClientAssertion(jwt.serialize());
-
-        IClientCredential iClientCredential = ClientCredentialFactory.createFromClientAssertion(
-                clientAssertion.assertion());
-
-        ConfidentialClientApplication.builder(TestConfiguration.AAD_CLIENT_ID, iClientCredential).authority(TestConfiguration.AAD_TENANT_ENDPOINT).build();
-
+        return jwt;
     }
 
-
 }

src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -137,22 +137,11 @@ private ClientAuthentication createClientAuthFromClientAssertion(
             //This library is not supposed to validate Issuer and subject values.
             //The next lines of code ensures that exception is not thrown.
             if (e.getMessage().contains("Issuer and subject in client JWT assertion must designate the same client identifier")) {
-                String clientAssertion1 = MultivaluedMapUtils.getFirstValue(map, "client_assertion");
-                Base64URL[] parts;
-                try {
-                    parts = JOSEObject.split(clientAssertion1);
-
-                SignedJWT signedJWT = new SignedJWT(parts[0], parts[1], parts[2]);
-                String subjectValue = signedJWT.getJWTClaimsSet().getSubject();
                 return new CustomJWTAuthentication(
                         ClientAuthenticationMethod.PRIVATE_KEY_JWT,
-                        new ClientID(subjectValue)
+                        clientAssertion,
+                        new ClientID(clientId())
                 );
-
-                } catch (java.text.ParseException ex) {
-                    log.error("Ideally the system should not reach here. Parse Exception while trying to build CustomJWTAuthentication.");
-                    throw new MsalClientException(e);
-                }
             }
             throw new MsalClientException(e);
         }

src/main/java/com/microsoft/aad/msal4j/CustomJWTAuthentication.java

@@ -3,19 +3,59 @@
 
 package com.microsoft.aad.msal4j;
 
+import com.nimbusds.common.contenttype.ContentType;
+import com.nimbusds.oauth2.sdk.SerializeException;
 import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
 import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
+import com.nimbusds.oauth2.sdk.auth.JWTAuthentication;
 import com.nimbusds.oauth2.sdk.http.HTTPRequest;
 import com.nimbusds.oauth2.sdk.id.ClientID;
+import com.nimbusds.oauth2.sdk.util.URLUtils;
+
+import java.net.URLEncoder;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 public class CustomJWTAuthentication extends ClientAuthentication {
+    private ClientAssertion clientAssertion;
 
-    protected CustomJWTAuthentication(ClientAuthenticationMethod method, ClientID clientID) {
+    protected CustomJWTAuthentication(ClientAuthenticationMethod method, ClientAssertion clientAssertion, ClientID clientID) {
         super(method, clientID);
+        this.clientAssertion = clientAssertion;
     }
 
     @Override
     public void applyTo(HTTPRequest httpRequest) {
+        if (httpRequest.getMethod() != HTTPRequest.Method.POST) {
+            throw new SerializeException("The HTTP request method must be POST");
+        } else {
+            ContentType ct = httpRequest.getEntityContentType();
+            if (ct == null) {
+                throw new SerializeException("Missing HTTP Content-Type header");
+            } else if (!ct.matches(ContentType.APPLICATION_URLENCODED)) {
+                throw new SerializeException("The HTTP Content-Type header must be " + ContentType.APPLICATION_URLENCODED);
+            } else {
+                Map<String, List<String>> params = httpRequest.getQueryParameters();
+                params.putAll(this.toParameters());
+                String queryString = URLUtils.serializeParameters(params);
+                httpRequest.setQuery(queryString);
+            }
+        }
+    }
+
+    public Map<String, List<String>> toParameters() {
+        HashMap<String, List<String>> params = new HashMap<>();
+
+        try {
+            params.put("client_assertion", Collections.singletonList(this.clientAssertion.assertion()));
+        } catch (IllegalStateException var3) {
+            throw new SerializeException("Couldn't serialize JWT to a client assertion string: " + var3.getMessage(), var3);
+        }
 
+        params.put("client_assertion_type", Collections.singletonList(JWTAuthentication.CLIENT_ASSERTION_TYPE));
+        params.put("client_id", Collections.singletonList(getClientID().getValue()));
+        return params;
     }
 }

src/samples/msal-b2c-web-sample/pom.xml

@@ -23,7 +23,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>msal4j</artifactId>
-			<version>1.11.1</version>
+			<version>1.11.2</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>

src/samples/msal-obo-sample/pom.xml

@@ -23,7 +23,7 @@
         <dependency>
             <groupId>com.microsoft.azure</groupId>
             <artifactId>msal4j</artifactId>
-            <version>1.11.1</version>
+            <version>1.11.2</version>
         </dependency>
         <dependency>
             <groupId>com.nimbusds</groupId>

src/samples/msal-web-sample/pom.xml

@@ -23,7 +23,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>msal4j</artifactId>
-			<version>1.11.1</version>
+			<version>1.11.2</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>