Merge pull request #117 from AzureAD/sagonzal/addClientAssertion

Sagonzal/add client assertion

Author: sangonzal

src/integrationtest/java/com.microsoft.aad.msal4j/AcquireTokenSilentIT.java

@@ -3,6 +3,7 @@
 
 package com.microsoft.aad.msal4j;
 
+import labapi.AppIdentityProvider;
 import labapi.FederationProvider;
 import labapi.LabResponse;
 import labapi.LabUserProvider;
@@ -13,6 +14,10 @@
 
 import java.util.Collections;
 import java.util.Set;
+import java.util.concurrent.ExecutionException;
+
+import static com.microsoft.aad.msal4j.TestConstants.GRAPH_DEFAULT_SCOPE;
+import static com.microsoft.aad.msal4j.TestConstants.KEYVAULT_DEFAULT_SCOPE;
 
 public class AcquireTokenSilentIT {
     private LabUserProvider labUserProvider;
@@ -151,43 +156,78 @@ public void acquireTokenSilent_MultipleAccountsInCache_UseCorrectAccount() throw
         Assert.assertEquals(result.account().username(), labResponse.getUser().getUpn());
     }
 
-    private IPublicClientApplication getPublicClientApplicationWithTokensInCache()
-            throws Exception {
+    @Test
+    public void acquireTokenSilent_usingCommonAuthority_returnCachedAt() throws Exception {
+        acquireTokenSilent_returnCachedTokens(TestConstants.ORGANIZATIONS_AUTHORITY);
+    }
+
+    @Test
+    public void acquireTokenSilent_usingTenantSpecificAuthority_returnCachedAt() throws Exception {
         LabResponse labResponse = labUserProvider.getDefaultUser(
                 NationalCloud.AZURE_CLOUD,
                 false);
-        String password = labUserProvider.getUserPassword(labResponse.getUser());
+        String tenantSpecificAuthority = TestConstants.MICROSOFT_AUTHORITY_HOST + labResponse.getUser().getTenantId();
+        acquireTokenSilent_returnCachedTokens(tenantSpecificAuthority);
+    }
 
-        PublicClientApplication pca = PublicClientApplication.builder(
-                labResponse.getAppId()).
-                authority(TestConstants.ORGANIZATIONS_AUTHORITY).
-                build();
+    @Test
+    public void acquireTokenSilent_ConfidentialClient_acquireTokenSilent() throws Exception{
 
-        pca.acquireToken(UserNamePasswordParameters.
-                builder(Collections.singleton(TestConstants.GRAPH_DEFAULT_SCOPE),
-                        labResponse.getUser().getUpn(),
-                        password.toCharArray())
+        IConfidentialClientApplication cca = getConfidentialClientApplications();
+
+        IAuthenticationResult result = cca.acquireToken(ClientCredentialParameters
+                .builder(Collections.singleton(KEYVAULT_DEFAULT_SCOPE))
                 .build())
                 .get();
-        return pca;
+
+        Assert.assertNotNull(result);
+        Assert.assertNotNull(result.accessToken());
+
+        String cachedAt = result.accessToken();
+
+        result = cca.acquireTokenSilently(SilentParameters
+                .builder(Collections.singleton(KEYVAULT_DEFAULT_SCOPE))
+                .build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertEquals(result.accessToken(), cachedAt);
     }
 
-    @Test
-    private void acquireTokenSilent_usingCommonAuthority_returnCachedAt() throws Exception {
-        acquireTokenSilent_returnCachedTokens(TestConstants.ORGANIZATIONS_AUTHORITY);
+    @Test(expectedExceptions = ExecutionException.class)
+    public void acquireTokenSilent_ConfidentialClient_acquireTokenSilentDifferentScopeThrowsException()
+            throws Exception {
+
+        IConfidentialClientApplication cca = getConfidentialClientApplications();
+
+        IAuthenticationResult result = cca.acquireToken(ClientCredentialParameters
+                .builder(Collections.singleton(KEYVAULT_DEFAULT_SCOPE))
+                .build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertNotNull(result.accessToken());
+
+        //Acquiring token for different scope, expect exception to be thrown
+        cca.acquireTokenSilently(SilentParameters
+                .builder(Collections.singleton(GRAPH_DEFAULT_SCOPE))
+                .build())
+                .get();
     }
 
-    @Test
-    private void acquireTokenSilent_usingTenantSpecificAuthority_returnCachedAt() throws Exception {
-        LabResponse labResponse = labUserProvider.getDefaultUser(
-                NationalCloud.AZURE_CLOUD,
-                false);
-        String tenantSpecificAuthority = TestConstants.MICROSOFT_AUTHORITY_HOST + labResponse.getUser().getTenantId();
+    private IConfidentialClientApplication getConfidentialClientApplications() throws Exception{
+        AppIdentityProvider appProvider = new AppIdentityProvider();
+        final String clientId = appProvider.getDefaultLabId();
+        final String password = appProvider.getDefaultLabPassword();
+        IClientCredential credential = ClientCredentialFactory.createFromSecret(password);
 
-        acquireTokenSilent_returnCachedTokens(tenantSpecificAuthority);
+        return ConfidentialClientApplication.builder(
+                clientId, credential).
+                authority(TestConstants.MICROSOFT_AUTHORITY).
+                build();
     }
 
-    void acquireTokenSilent_returnCachedTokens(String authority) throws Exception {
+    private void acquireTokenSilent_returnCachedTokens(String authority) throws Exception {
 
         LabResponse labResponse = labUserProvider.getDefaultUser(
                 NationalCloud.AZURE_CLOUD,
@@ -217,4 +257,25 @@ void acquireTokenSilent_returnCachedTokens(String authority) throws Exception {
         Assert.assertNotNull(silentAuthResult);
         Assert.assertEquals(interactiveAuthResult.accessToken(), silentAuthResult.accessToken());
     }
+
+    private IPublicClientApplication getPublicClientApplicationWithTokensInCache()
+            throws Exception {
+        LabResponse labResponse = labUserProvider.getDefaultUser(
+                NationalCloud.AZURE_CLOUD,
+                false);
+        String password = labUserProvider.getUserPassword(labResponse.getUser());
+
+        PublicClientApplication pca = PublicClientApplication.builder(
+                labResponse.getAppId()).
+                authority(TestConstants.ORGANIZATIONS_AUTHORITY).
+                build();
+
+        pca.acquireToken(
+                UserNamePasswordParameters.builder(
+                        Collections.singleton(TestConstants.GRAPH_DEFAULT_SCOPE),
+                        labResponse.getUser().getUpn(),
+                        password.toCharArray())
+                        .build()).get();
+        return pca;
+    }
 }

src/integrationtest/java/com.microsoft.aad.msal4j/AuthorizationCodeIT.java

@@ -247,7 +247,7 @@ private IAuthenticationResult acquireTokenInteractiveB2C(LabResponse labResponse
                                                             String authCode) {
         IAuthenticationResult result;
         try{
-            IClientCredential credential = ClientCredentialFactory.create("");
+            IClientCredential credential = ClientCredentialFactory.createFromSecret("");
             ConfidentialClientApplication cca = ConfidentialClientApplication.builder(
                     labResponse.getAppId(),
                     credential)

src/integrationtest/java/com.microsoft.aad.msal4j/ClientCredentialsIT.java

@@ -23,6 +23,7 @@
 
 @Test
 public class ClientCredentialsIT {
+
     @Test
     public void acquireTokenClientCredentials_AsymmetricKeyCredential() throws Exception{
         String clientId = "55e7e5af-ca53-482d-9aa3-5cb1cc8eecb5";
@@ -35,7 +36,24 @@ public void acquireTokenClientCredentials_ClientSecret() throws Exception{
         AppIdentityProvider appProvider = new AppIdentityProvider();
         final String clientId = appProvider.getDefaultLabId();
         final String password = appProvider.getDefaultLabPassword();
-        IClientCredential credential = ClientCredentialFactory.create(password);
+        IClientCredential credential = ClientCredentialFactory.createFromSecret(password);
+
+        assertAcquireTokenCommon(clientId, credential);
+    }
+
+    @Test
+    public void acquireTokenClientCredentials_ClientAssertion() throws Exception{
+        String clientId = "55e7e5af-ca53-482d-9aa3-5cb1cc8eecb5";
+        IClientCredential certificateFromKeyStore = getCertificateFromKeyStore();
+
+        ClientAssertion clientAssertion = JwtHelper.buildJwt(
+                clientId,
+                (AsymmetricKeyCredential) certificateFromKeyStore,
+                "https://login.microsoftonline.com/common/oauth2/v2.0/token");
+
+
+        IClientCredential credential = ClientCredentialFactory.createFromClientAssertion(
+                clientAssertion.assertion());
 
         assertAcquireTokenCommon(clientId, credential);
     }
@@ -53,23 +71,6 @@ private void assertAcquireTokenCommon(String clientId, IClientCredential credent
 
         Assert.assertNotNull(result);
         Assert.assertNotNull(result.accessToken());
-
-        String cachedAt = result.accessToken();
-
-        result = cca.acquireTokenSilently(SilentParameters
-                .builder(Collections.singleton(GRAPH_DEFAULT_SCOPE))
-                .build())
-                .get();
-
-        Assert.assertNull(result);
-
-        result = cca.acquireTokenSilently(SilentParameters
-                .builder(Collections.singleton(KEYVAULT_DEFAULT_SCOPE))
-                .build())
-                .get();
-
-        Assert.assertNotNull(result);
-        Assert.assertEquals(result.accessToken(), cachedAt);
     }
 
 
@@ -84,6 +85,6 @@ private IClientCredential getCertificateFromKeyStore() throws
         X509Certificate publicCertificate = (X509Certificate)keystore.getCertificate(
                 certificateAlias);
 
-        return ClientCredentialFactory.create(key, publicCertificate);
+        return ClientCredentialFactory.createFromCertificate(key, publicCertificate);
     }
 }

src/integrationtest/java/com.microsoft.aad.msal4j/OnBehalfOfIT.java

@@ -50,7 +50,7 @@ public void acquireTokenWithOBO_Managed() throws Exception {
         final String password = appProvider.getOboPassword();
 
         ConfidentialClientApplication cca =
-                ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.create(password)).
+                ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.createFromSecret(password)).
                         authority(msidlab4Authority).
                         build();
 

src/integrationtest/java/labapi/KeyVaultSecretsProvider.java

@@ -78,6 +78,6 @@ private IClientCredential getClientCredentialFromKeyStore() {
         } catch (Exception e){
             throw new RuntimeException("Error getting certificate from keystore: " + e.getMessage());
         }
-        return ClientCredentialFactory.create(key, publicCertificate);
+        return ClientCredentialFactory.createFromCertificate(key, publicCertificate);
    }
 }

src/main/java/com/microsoft/aad/msal4j/AsymmetricKeyCredential.java

@@ -29,7 +29,7 @@
  */
 public final class AsymmetricKeyCredential implements IClientCredential{
 
-    public final static int MIN_KEY_SIZE_IN_BITS = 2048;
+    private final static int MIN_KEY_SIZE_IN_BITS = 2048;
 
     /**
      * Returns private key of the credential.
@@ -93,23 +93,22 @@ else if("sun.security.mscapi.RSAPrivateKey".equals(key.getClass().getName())){
      * @throws CertificateEncodingException if an encoding error occurs
      * @throws NoSuchAlgorithmException if requested algorithm is not available in the environment
      */
-    public String getPublicCertificateHash()
+    public String publicCertificateHash()
             throws CertificateEncodingException, NoSuchAlgorithmException {
         return Base64.encodeBase64String(AsymmetricKeyCredential
                 .getHash(this.publicCertificate.getEncoded()));
     }
 
     /**
      * Base64 encoded public certificate.
-     * 
+     *
      * @return base64 encoded string
      * @throws CertificateEncodingException if an encoding error occurs
      */
     public String publicCertificate() throws CertificateEncodingException {
         return Base64.encodeBase64String(this.publicCertificate.getEncoded());
     }
 
-
     /**
      * Static method to create KeyCredential instance.
      *
@@ -126,7 +125,7 @@ public String publicCertificate() throws CertificateEncodingException {
      * @throws IOException {@link IOException}
      * @throws UnrecoverableKeyException {@link UnrecoverableKeyException}
      */
-    public static AsymmetricKeyCredential create(final InputStream pkcs12Certificate, final String password)
+    static AsymmetricKeyCredential create(final InputStream pkcs12Certificate, final String password)
             throws KeyStoreException, NoSuchProviderException,
             NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException {
         final KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
@@ -149,7 +148,7 @@ public static AsymmetricKeyCredential create(final InputStream pkcs12Certificate
      *            Public certificate used for thumb print.
      * @return KeyCredential instance
      */
-    public static AsymmetricKeyCredential create(final PrivateKey key, final X509Certificate publicCertificate) {
+    static AsymmetricKeyCredential create(final PrivateKey key, final X509Certificate publicCertificate) {
         return new AsymmetricKeyCredential(key, publicCertificate);
     }
 

src/main/java/com/microsoft/aad/msal4j/ClientAssertion.java

@@ -15,7 +15,7 @@
 @Accessors(fluent = true)
 @Getter
 @EqualsAndHashCode
-public final class ClientAssertion {
+public final class ClientAssertion implements IClientCredential{
 
     public static final String assertionType = JWTAuthentication.CLIENT_ASSERTION_TYPE;
     private final String assertion;
@@ -26,7 +26,7 @@ public final class ClientAssertion {
      *
      * @param assertion The jwt used as credential.
      */
-    public ClientAssertion(final String assertion) {
+    ClientAssertion(final String assertion) {
         if (StringHelper.isBlank(assertion)) {
             throw new NullPointerException("assertion");
         }

src/main/java/com/microsoft/aad/msal4j/ClientCredentialFactory.java

@@ -15,41 +15,48 @@
 public class ClientCredentialFactory {
 
     /**
-     *
+     * Static method to create a {@link ClientSecret} instance from a client secret
      * @param secret secret of application requesting a token
      * @return {@link ClientSecret}
      */
-    public static IClientCredential create(String secret){
+    public static IClientCredential createFromSecret(String secret){
         return new ClientSecret(secret);
     }
 
     /**
-     *
+     * Static method to create a {@link AsymmetricKeyCredential} instance from a certificate
      * @param pkcs12Certificate InputStream containing PCKS12 formatted certificate
      * @param password certificate password
-     * @return {@link IClientCredential}
+     * @return {@link AsymmetricKeyCredential}
      * @throws CertificateException
      * @throws UnrecoverableKeyException
      * @throws NoSuchAlgorithmException
      * @throws KeyStoreException
      * @throws NoSuchProviderException
      * @throws IOException
      */
-    public static IClientCredential create
-            (final InputStream pkcs12Certificate, final String password)
+    public static IClientCredential createFromCertificate(final InputStream pkcs12Certificate, final String password)
             throws CertificateException, UnrecoverableKeyException, NoSuchAlgorithmException,
             KeyStoreException, NoSuchProviderException, IOException {
         return AsymmetricKeyCredential.create(pkcs12Certificate, password);
     }
 
     /**
-     *
+     * Static method to create a {@link AsymmetricKeyCredential} instance.
      * @param key  RSA private key to sign the assertion.
      * @param publicCertificate x509 public certificate used for thumbprint
-     * @return {@link IClientCredential}
+     * @return {@link AsymmetricKeyCredential}
      */
-    public static IClientCredential create
-            (final PrivateKey key, final X509Certificate publicCertificate) {
+    public static IClientCredential createFromCertificate(final PrivateKey key, final X509Certificate publicCertificate) {
         return AsymmetricKeyCredential.create(key, publicCertificate);
     }
+
+    /**
+     * Static method to create a {@link ClientAssertion} instance.
+     * @param clientAssertion Jwt token encoded as a base64 URL encoded string
+     * @return {@link ClientAssertion}
+     */
+    public static IClientCredential createFromClientAssertion(String clientAssertion){
+        return new ClientAssertion(clientAssertion);
+    }
 }

src/main/java/com/microsoft/aad/msal4j/ClientSecret.java

@@ -25,7 +25,7 @@ public final class ClientSecret implements IClientCredential {
      * @param clientSecret
      *            Secret of the client requesting the token.
      */
-    public ClientSecret(final String clientSecret) {
+    ClientSecret(final String clientSecret) {
         if (StringHelper.isBlank(clientSecret)) {
             throw new IllegalArgumentException("clientSecret is null or empty");
         }

src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -74,6 +74,8 @@ private void initClientAuthentication(IClientCredential clientCredential) {
                     this.authenticationAuthority.selfSignedJwtAudience());
 
             clientAuthentication = createClientAuthFromClientAssertion(clientAssertion);
+        } else if (clientCredential instanceof ClientAssertion){
+            clientAuthentication = createClientAuthFromClientAssertion((ClientAssertion) clientCredential);
         } else {
             throw new IllegalArgumentException("Unsupported client credential");
         }