Re-add behavior for refreshing assertions

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -5,6 +5,8 @@
 
 import org.slf4j.LoggerFactory;
 
+import java.util.Base64;
+import java.util.Date;
 import java.util.concurrent.CompletableFuture;
 import java.util.function.Function;
 
@@ -20,7 +22,8 @@
 public class ConfidentialClientApplication extends AbstractClientApplicationBase implements IConfidentialClientApplication {
 
     private ClientCertificate clientCertificate;
-    String assertion;
+    private String assertion;
+    private IClientCredential clientCredential;
     String secret;
 
     /** AppTokenProvider creates a Credential from a function that provides access tokens. The function
@@ -81,6 +84,8 @@ private ConfidentialClientApplication(Builder builder) {
     private void initClientAuthentication(IClientCredential clientCredential) {
         validateNotNull("clientCredential", clientCredential);
 
+        this.clientCredential = clientCredential;
+
         if (clientCredential instanceof ClientSecret) {
             this.secret = ((ClientSecret) clientCredential).clientSecret();
         } else if (clientCredential instanceof ClientCertificate) {
@@ -93,23 +98,58 @@ private void initClientAuthentication(IClientCredential clientCredential) {
         }
     }
 
+    /**
+     * Generates a JWT-formatted assertion string based on the provided client credential. Returns null in cases where
+     * the request for that credential type would not use a JWT assertion (e.g. client secret).
+     *
+     * @param clientCredential  The client credential to use for token acquisition.
+     * @return JWT-formatted assertion string
+     */
     String getAssertionString(IClientCredential clientCredential) {
         if (clientCredential instanceof ClientCertificate) {
-            boolean useSha1 = Authority.detectAuthorityType(this.authenticationAuthority.canonicalAuthorityUrl()) == AuthorityType.ADFS;
-
-            return JwtHelper.buildJwt(
-                    clientId(),
-                    clientCertificate,
-                    this.authenticationAuthority.selfSignedJwtAudience(),
-                    sendX5c,
-                    useSha1).assertion();
+            // Check if the current assertion is null or has expired, and if so create a new one
+            if (this.assertion == null || hasJwtExpired(this.assertion)) {
+                boolean useSha1 = Authority.detectAuthorityType(this.authenticationAuthority.canonicalAuthorityUrl()) == AuthorityType.ADFS;
+
+                this.assertion = JwtHelper.buildJwt(
+                        clientId(),
+                        clientCertificate,
+                        this.authenticationAuthority.selfSignedJwtAudience(),
+                        sendX5c,
+                        useSha1).assertion();
+            }
+            return this.assertion;
         } else if (clientCredential instanceof ClientAssertion) {
             return ((ClientAssertion) clientCredential).assertion();
+        } else if (clientCredential instanceof ClientSecret) {
+            return null;
         } else {
             throw new IllegalArgumentException("Unsupported client credential");
         }
     }
 
+    //Overload for the common case where the application's default credential was not overridden in the request.
+    String getAssertionString() {
+        return this.getAssertionString(this.clientCredential);
+    }
+
+    /**
+     * Checks if the JWT-formatted assertion has expired by parsing the "exp" claim.
+     *
+     * @param jwt JWT string
+     * @return true if the JWT has expired. Otherwise false
+     */
+    boolean hasJwtExpired(String jwt) {
+        final Date currentDateTime = new Date(System.currentTimeMillis());
+        Base64.Decoder decoder = Base64.getUrlDecoder();
+
+        String payload = new String(decoder.decode(jwt.split("\\.")[1]));
+
+        final Date expirationTime = (Date) JsonHelper.parseJsonToMap(payload).get("exp");
+
+        return expirationTime.before(currentDateTime);
+    }
+
     /**
      * Creates instance of Builder of ConfidentialClientApplication
      *

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/TokenRequestExecutor.java

@@ -93,8 +93,8 @@ private void addQueryParameters(OAuthHttpRequest oauthHttpRequest) {
                 IClientCredential credential = ((ClientCredentialRequest) msalRequest).parameters.clientCredential();
                 addJWTBearerAssertionParams(queryParameters, ((ConfidentialClientApplication) msalRequest.application()).getAssertionString(credential));
             } else {
-                if (((ConfidentialClientApplication) msalRequest.application()).assertion != null) {
-                    addJWTBearerAssertionParams(queryParameters, ((ConfidentialClientApplication) msalRequest.application()).assertion);
+                if (((ConfidentialClientApplication) msalRequest.application()).getAssertionString() != null) {
+                    addJWTBearerAssertionParams(queryParameters, ((ConfidentialClientApplication) msalRequest.application()).getAssertionString());
                 } else if (((ConfidentialClientApplication) msalRequest.application()).secret != null) {
                     // Client secrets have a different parameter than bearer assertions
                     queryParameters.put("client_secret", ((ConfidentialClientApplication) msalRequest.application()).secret);

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ClientCertificateTest.java

@@ -77,9 +77,9 @@ void testIClientCertificateInterface_CredentialFactoryUsesSha256() throws Except
             HttpRequest request = parameters.getArgument(0);
             String requestBody = request.body();
 
-            SignedJWT signedJWT = SignedJWT.parse(cca.assertion);
+            SignedJWT signedJWT = SignedJWT.parse(cca.getAssertionString());
 
-            if (requestBody.contains(cca.assertion)
+            if (requestBody.contains(cca.getAssertionString())
                     && signedJWT.getHeader().toJSONObject().containsKey("x5t#S256")) {
                 return TestHelper.expectedResponse(200, TestHelper.getSuccessfulTokenResponse(tokenResponseValues));
             }