Merge remote-tracking branch 'origin/avdunn/nimbus-removal' into avdunn/json-removal

# Conflicts:
#	msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/JsonHelper.java

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthenticationResult.java

@@ -215,7 +215,7 @@ public AuthenticationResult build() {
         }
 
         public String toString() {
-            return "AuthenticationResult.AuthenticationResultBuilder(accessToken=" + this.accessToken + ", expiresOn=" + this.expiresOn + ", extExpiresOn=" + this.extExpiresOn + ", refreshToken=" + this.refreshToken + ", refreshOn=" + this.refreshOn + ", familyId=" + this.familyId + ", idToken=" + this.idToken + ", accountCacheEntity=" + this.accountCacheEntity + ", environment=" + this.environment + ", scopes=" + this.scopes + ", metadata" + this.metadata + ", isPopAuthorization=" + this.isPopAuthorization + ")";
+            return "AuthenticationResult.AuthenticationResultBuilder(accessToken=" + this.accessToken + ", expiresOn=" + this.expiresOn + ", extExpiresOn=" + this.extExpiresOn + ", refreshToken=" + this.refreshToken + ", refreshOn=" + this.refreshOn + ", familyId=" + this.familyId + ", idToken=" + this.idToken + ", accountCacheEntity=" + this.accountCacheEntity + ", environment=" + this.environment + ", scopes=" + this.scopes + ", metadata=" + this.metadata + ", isPopAuthorization=" + this.isPopAuthorization + ")";
         }
     }
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/JsonHelper.java

@@ -21,6 +21,15 @@ class JsonHelper {
     private JsonHelper() {
     }
 
+    static <T> T convertJsonToObject(final String json, final Class<T> tClass) {
+        try {
+            return mapper.readValue(json, tClass);
+        } catch (Exception e) {
+            LOG.error(String.format("Error converting JSON string into %s: %s", tClass, e.getMessage()));
+            throw new MsalJsonParsingException(e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
+        }
+    }
+
     static IdToken createIdTokenFromEncodedTokenString(String token) {
         return convertJsonStringToJsonSerializableObject(getTokenPayloadClaims(token), IdToken::fromJson);
     }
@@ -29,11 +38,13 @@ static String getTokenPayloadClaims(String token) {
         try {
             return new String(Base64.getUrlDecoder().decode(token.split("\\.")[1]), StandardCharsets.UTF_8);
         } catch (ArrayIndexOutOfBoundsException e) {
+            LOG.error("Error parsing ID token, missing payload section.");
             throw new MsalClientException("Error parsing ID token, missing payload section.",
                     AuthenticationErrorCode.INVALID_JWT);
         }
     }
 
+    //Converts a generic JSON string to a Map<String, Object> with relevant types
     static Map<String, Object> parseJsonToMap(String jsonString) {
         if (StringHelper.isBlank(jsonString)) {
             return new HashMap<>();
@@ -43,31 +54,47 @@ static Map<String, Object> parseJsonToMap(String jsonString) {
             jsonReader.nextToken();
             return parseJsonObject(jsonReader);
         } catch (IOException e) {
+            LOG.error("JSON parsing error when attempting to convert JSON into a Map.");
             throw new MsalJsonParsingException(e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
         }
     }
 
-    private static List<Object> parseJsonArray(JsonReader jsonReader) throws IOException {
-        List<Object> array = new ArrayList<>();
-
-        while (jsonReader.nextToken() != JsonToken.END_ARRAY) {
-            array.add(parseValue(jsonReader));
-        }
-
-        return array;
-    }
-
     private static Map<String, Object> parseJsonObject(JsonReader jsonReader) throws IOException {
         Map<String, Object> object = new HashMap<>();
 
         while (jsonReader.nextToken() != JsonToken.END_OBJECT) {
             String fieldName = jsonReader.getFieldName();
-            object.put(fieldName, parseValue(jsonReader));
+            Object value = parseValue(jsonReader);
+            object.put(fieldName, handleSpecialFields(fieldName, value));
         }
 
         return object;
     }
 
+    //Due to the old usage of com.nimbusds for JWT parsing, customers may be relying on certain fields being treated as specific types.
+    // This method handles those special cases to help ensure backwards compatibility.
+    private static Object handleSpecialFields(String fieldName, Object value) {
+        //nimbus always treated the "aud" field as an ArrayList, even when it was a single string
+        if ("aud".equals(fieldName) && value instanceof String) {
+            ArrayList<String> list = new ArrayList<>();
+            list.add((String) value);
+            return list;
+        }
+
+        //nimbus converted certain unix timestamps to Date objects
+        if (isTimestampField(fieldName) && value instanceof Number) {
+            // Convert seconds to milliseconds for Date constructor
+            return new Date(((Number) value).longValue() * 1000);
+        }
+
+        return value;
+    }
+
+    private static boolean isTimestampField(String fieldName) {
+        return "exp".equals(fieldName) || "iat".equals(fieldName) ||
+                "nbf".equals(fieldName);
+    }
+
     private static Object parseValue(JsonReader jsonReader) throws IOException {
         JsonToken token = jsonReader.currentToken();
 
@@ -79,10 +106,14 @@ private static Object parseValue(JsonReader jsonReader) throws IOException {
                 } catch (ArithmeticException e) {
                     return jsonReader.getDouble();
                 }
-            case BOOLEAN: return jsonReader.getBoolean();
-            case NULL: return null;
-            case START_ARRAY: return parseJsonArray(jsonReader);
-            case START_OBJECT: return parseJsonObject(jsonReader);
+            case BOOLEAN:
+                return jsonReader.getBoolean();
+            case NULL:
+                return null;
+            case START_ARRAY:
+                return jsonReader.readArray(JsonReader::readUntyped);
+            case START_OBJECT:
+                return parseJsonObject(jsonReader);
             default:
                 jsonReader.skipChildren();
                 return null;

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/JsonCompatibilityTests.java

@@ -0,0 +1,154 @@
+package com.microsoft.aad.msal4j;
+
+import com.nimbusds.jwt.JWTParser;
+import org.junit.jupiter.api.Test;
+
+import java.text.ParseException;
+import java.util.Base64;
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+//These tests were added to ensure the new usages of com.azure.json are functionally the same as the old usages of com.nimbusds packages.
+//Once we are confident in the new behavior these should no longer be necessary.
+class JsonCompatibilityTests {
+
+    //New style, using helper methods in JsonHelper that use com.azure.json
+    private final Map<String, Object> newStyleParsedClaims = JsonHelper.parseJsonToMap(JsonHelper.getTokenPayloadClaims(TestHelper.ENCODED_JWT));
+    //Old style, using com.nimbusds methods
+    private final Map<String, Object> oldStyleParsedClaims = JWTParser.parse(TestHelper.ENCODED_JWT).getJWTClaimsSet().getClaims();
+
+    JsonCompatibilityTests() throws ParseException {
+    }
+
+    @Test
+    void testBasicClaimsMatching() {
+        // Test basic string claims
+        assertEquals(oldStyleParsedClaims.get("aud"), newStyleParsedClaims.get("aud"));
+        assertEquals(oldStyleParsedClaims.get("iss"), newStyleParsedClaims.get("iss"));
+        assertEquals(oldStyleParsedClaims.get("name"), newStyleParsedClaims.get("name"));
+        assertEquals(oldStyleParsedClaims.get("oid"), newStyleParsedClaims.get("oid"));
+        assertEquals(oldStyleParsedClaims.get("preferred_username"), newStyleParsedClaims.get("preferred_username"));
+        assertEquals(oldStyleParsedClaims.get("sub"), newStyleParsedClaims.get("sub"));
+        assertEquals(oldStyleParsedClaims.get("tid"), newStyleParsedClaims.get("tid"));
+        assertEquals(oldStyleParsedClaims.get("ver"), newStyleParsedClaims.get("ver"));
+    }
+
+    @Test
+    void testNullValues() {
+        // Check null values are handled the same
+        assertEquals(oldStyleParsedClaims.get("email"), newStyleParsedClaims.get("email"));
+    }
+
+    @Test
+    void testNumericValues() {
+        // Test numeric claims
+        assertEquals(oldStyleParsedClaims.get("exp"), newStyleParsedClaims.get("exp"));
+        assertEquals(oldStyleParsedClaims.get("iat"), newStyleParsedClaims.get("iat"));
+        assertEquals(oldStyleParsedClaims.get("nbf"), newStyleParsedClaims.get("nbf"));
+        assertEquals(oldStyleParsedClaims.get("auth_time"), newStyleParsedClaims.get("auth_time"));
+    }
+
+    @Test
+    void testListValues() {
+        // Test list claims
+        List<?> oldGroups = (List<?>) oldStyleParsedClaims.get("groups");
+        List<?> newGroups = (List<?>) newStyleParsedClaims.get("groups");
+        assertEquals(oldGroups, newGroups);
+
+        List<?> oldAmr = (List<?>) oldStyleParsedClaims.get("amr");
+        List<?> newAmr = (List<?>) newStyleParsedClaims.get("amr");
+        assertEquals(oldAmr, newAmr);
+
+        List<?> oldRoles = (List<?>) oldStyleParsedClaims.get("roles");
+        List<?> newRoles = (List<?>) newStyleParsedClaims.get("roles");
+        assertEquals(oldRoles, newRoles);
+    }
+
+    @Test
+    void testNestedObjects() {
+        // Test nested objects
+        Map<?, ?> oldExtensionData = (Map<?, ?>) oldStyleParsedClaims.get("extension_data");
+        Map<?, ?> newExtensionData = (Map<?, ?>) newStyleParsedClaims.get("extension_data");
+
+        assertEquals(oldExtensionData.get("department"), newExtensionData.get("department"));
+        assertEquals(oldExtensionData.get("manager"), newExtensionData.get("manager"));
+        assertEquals(oldExtensionData.get("employeeId"), newExtensionData.get("employeeId"));
+    }
+
+    @Test
+    void testCompleteTokenParsing() {
+        assertEquals(oldStyleParsedClaims.size(), newStyleParsedClaims.size());
+
+        // Check that all keys and values match
+        for (String key : oldStyleParsedClaims.keySet()) {
+            assertTrue(newStyleParsedClaims.containsKey(key), "New claims should contain key: " + key);
+
+            Object oldValue = oldStyleParsedClaims.get(key);
+            Object newValue = newStyleParsedClaims.get(key);
+
+            if (oldValue instanceof List) {
+                assertListsEqual((List<?>) oldValue, (List<?>) newValue);
+            } else if (oldValue instanceof Map) {
+                assertMapsEqual((Map<?, ?>) oldValue, (Map<?, ?>) newValue);
+            } else {
+                assertEquals(oldValue, newValue, "Value mismatch for key: " + key);
+            }
+        }
+    }
+
+    @Test
+    void testInvalidJSONHandling() {
+        // Test that both parsers throw exceptions for invalid JSON
+        String invalidJson = "{ this is not valid json }";
+
+        assertThrows(Exception.class, () -> JsonHelper.parseJsonToMap(invalidJson));
+        assertThrows(Exception.class, () -> JWTParser.parse("header." +
+                Base64.getUrlEncoder().encodeToString(invalidJson.getBytes()) + ".signature"));
+    }
+
+    /**
+     * Utility method to compare lists deeply
+     */
+    private void assertListsEqual(List<?> list1, List<?> list2) {
+        assertEquals(list1.size(), list2.size());
+        for (int i = 0; i < list1.size(); i++) {
+            Object item1 = list1.get(i);
+            Object item2 = list2.get(i);
+
+            if (item1 == null) {
+                assertNull(item2);
+            } else if (item1 instanceof List) {
+                assertListsEqual((List<?>) item1, (List<?>) item2);
+            } else if (item1 instanceof Map) {
+                assertMapsEqual((Map<?, ?>) item1, (Map<?, ?>) item2);
+            } else {
+                assertEquals(item1, item2);
+            }
+        }
+    }
+
+    /**
+     * Utility method to compare maps deeply
+     */
+    private void assertMapsEqual(Map<?, ?> map1, Map<?, ?> map2) {
+        assertEquals(map1.size(), map2.size());
+        for (Object key : map1.keySet()) {
+            assertTrue(map2.containsKey(key));
+
+            Object value1 = map1.get(key);
+            Object value2 = map2.get(key);
+
+            if (value1 == null) {
+                assertNull(value2);
+            } else if (value1 instanceof List) {
+                assertListsEqual((List<?>) value1, (List<?>) value2);
+            } else if (value1 instanceof Map) {
+                assertMapsEqual((Map<?, ?>) value1, (Map<?, ?>) value2);
+            } else {
+                assertEquals(value1, value2);
+            }
+        }
+    }
+}

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/TestHelper.java

@@ -26,6 +26,38 @@ class TestHelper {
     //Signed JWT which should be enough to pass the parsing/validation in the library, useful if a unit test needs an
     // assertion but that is not the focus of the test
     static String signedAssertion = generateToken();
+
+    // Realistic token header
+    static final String TOKEN_HEADER = "{\"alg\":\"PS256\",\"typ\":\"JWT\"}";
+
+    // Realistic JWT payload, containing strings, numbers, timestamps, arrays, nested JSON objects, and nulls
+    static final String TOKEN_PAYLOAD = "{\n" +
+            "\"aud\": \"e854a4a7-6c34-449c-b237-fc7a28093d84\",\n" +
+            "\"iss\": \"https://login.microsoftonline.com/6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e/v2.0/\",\n" +
+            "\"name\": \"John Doe\",\n" +
+            "\"oid\": \"00000000-0000-0000-66f3-3332eca7ea81\",\n" +
+            "\"preferred_username\": \"[email protected]\",\n" +
+            "\"sub\": \"K4_SGGxKqW1SxUAmhg6C1F6VPiFzcx-Qd80ehIEdFus\",\n" +
+            "\"tid\": \"6c3d51dd-f0e5-4959-b4ea-a80c4e36fe5e\",\n" +
+            "\"ver\": \"2.0\",\n" +
+            "\"exp\": 1735689600,\n" +
+            "\"iat\": 1516239022,\n" +
+            "\"nbf\": 1516239022,\n" +
+            "\"email\": null,\n" +
+            "\"groups\": [\"admin\", \"user\", null],\n" +
+            "\"roles\": [],\n" +
+            "\"amr\": [\"pwd\", \"mfa\"],\n" +
+            "\"nonce\": \"12345\",\n" +
+            "\"auth_time\": 1516239022,\n" +
+            "\"given_name\": \"John\",\n" +
+            "\"family_name\": \"Doe\",\n" +
+            "\"at_hash\": \"jT3s9ygOQRtifgrpJgGz_w\",\n" +
+            "\"extension_data\": {\"department\": \"Engineering\", \"manager\": null, \"employeeId\": 12345}\n" +
+            "}";
+
+    // Base64URL encoded ID token, has a junk signature but is otherwise realistic and parsable
+    static final String ENCODED_JWT = createEncodedJwt(TOKEN_HEADER, TOKEN_PAYLOAD);
+
     private static final String successfulResponseFormat = "{\"access_token\":\"%s\",\"id_token\":\"%s\",\"refresh_token\":\"%s\"," +
             "\"client_id\":\"%s\",\"client_info\":\"%s\"," +
             "\"refresh_in\": %d,\"expires_on\": %d,\"expires_in\": %d," +
@@ -96,6 +128,14 @@ static String generateToken() {
         }
     }
 
+    private static String createEncodedJwt(String headerJson, String payloadJson) {
+        String encodedHeader = Base64.getUrlEncoder().withoutPadding().encodeToString(headerJson.getBytes());
+        String encodedPayload = Base64.getUrlEncoder().withoutPadding().encodeToString(payloadJson.getBytes());
+        String signature = "signature"; // Simple signature for testing purposes
+
+        return encodedHeader + "." + encodedPayload + "." + signature;
+    }
+
     //Maps various values to the successfulResponseFormat string to create a valid token response
     static String getSuccessfulTokenResponse(HashMap<String, String> responseValues) {
         //Will default to expiring in one hour if expiry time values are not set