Refactor assertion behavior to be entirely per-request

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCertificate.java

@@ -55,6 +55,33 @@ public List<String> getEncodedPublicKeyCertificateChain() throws CertificateEnco
         return result;
     }
 
+    /**
+     * Gets a newly created JWT assertion using the certificate.
+     * <p>
+     * This method creates a fresh JWT assertion on each call, which prevents issues
+     * with token expiration and ensures each request has a unique assertion.
+     *
+     * @param authority The authority for which the assertion is being created, must not be null
+     * @param clientId The client ID of the application, used as the subject of the JWT
+     * @param sendX5c Whether to include the x5c claim (certificate chain) in the JWT
+     * @return A JWT assertion for client authentication
+     * @throws NullPointerException if authority is null
+     */
+    public String getAssertion(Authority authority, String clientId, boolean sendX5c) {
+        if (authority == null) {
+            throw new NullPointerException("Authority cannot be null");
+        }
+
+        boolean useSha1 = Authority.detectAuthorityType(authority.canonicalAuthorityUrl()) == AuthorityType.ADFS;
+
+        return JwtHelper.buildJwt(
+                clientId,
+                this,
+                authority.selfSignedJwtAudience(),
+                sendX5c,
+                useSha1).assertion();
+    }
+
     static ClientCertificate create(InputStream pkcs12Certificate, String password)
             throws KeyStoreException, NoSuchProviderException, NoSuchAlgorithmException,
             CertificateException, IOException, UnrecoverableKeyException {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ConfidentialClientApplication.java

@@ -21,18 +21,14 @@
  */
 public class ConfidentialClientApplication extends AbstractClientApplicationBase implements IConfidentialClientApplication {
 
-    private ClientCertificate clientCertificate;
-    private String assertion;
-    private IClientCredential clientCredential;
-    String secret;
+    IClientCredential clientCredential;
+    private boolean sendX5c;
 
     /** AppTokenProvider creates a Credential from a function that provides access tokens. The function
      must be concurrency safe. This is intended only to allow the Azure SDK to cache MSI tokens. It isn't
      useful to applications in general because the token provider must implement all authentication logic. */
     public Function<AppTokenProviderParameters, CompletableFuture<TokenProviderResult>> appTokenProvider;
 
-    private boolean sendX5c;
-
     @Override
     public CompletableFuture<IAuthenticationResult> acquireToken(ClientCredentialParameters parameters) {
         validateNotNull("parameters", parameters);
@@ -76,80 +72,11 @@ private ConfidentialClientApplication(Builder builder) {
 
         log = LoggerFactory.getLogger(ConfidentialClientApplication.class);
 
-        initClientAuthentication(builder.clientCredential);
+        this.clientCredential = builder.clientCredential;
 
         this.tenant = this.authenticationAuthority.tenant;
     }
 
-    private void initClientAuthentication(IClientCredential clientCredential) {
-        validateNotNull("clientCredential", clientCredential);
-
-        this.clientCredential = clientCredential;
-
-        if (clientCredential instanceof ClientSecret) {
-            this.secret = ((ClientSecret) clientCredential).clientSecret();
-        } else if (clientCredential instanceof ClientCertificate) {
-            this.clientCertificate = (ClientCertificate) clientCredential;
-            this.assertion = getAssertionString(clientCredential);
-        } else if (clientCredential instanceof ClientAssertion) {
-            this.assertion = getAssertionString(clientCredential);
-        } else {
-            throw new IllegalArgumentException("Unsupported client credential");
-        }
-    }
-
-    /**
-     * Generates a JWT-formatted assertion string based on the provided client credential. Returns null in cases where
-     * the request for that credential type would not use a JWT assertion (e.g. client secret).
-     *
-     * @param clientCredential  The client credential to use for token acquisition.
-     * @return JWT-formatted assertion string
-     */
-    String getAssertionString(IClientCredential clientCredential) {
-        if (clientCredential instanceof ClientCertificate) {
-            // Check if the current assertion is null or has expired, and if so create a new one
-            if (this.assertion == null || hasJwtExpired(this.assertion)) {
-                boolean useSha1 = Authority.detectAuthorityType(this.authenticationAuthority.canonicalAuthorityUrl()) == AuthorityType.ADFS;
-
-                this.assertion = JwtHelper.buildJwt(
-                        clientId(),
-                        clientCertificate,
-                        this.authenticationAuthority.selfSignedJwtAudience(),
-                        sendX5c,
-                        useSha1).assertion();
-            }
-            return this.assertion;
-        } else if (clientCredential instanceof ClientAssertion) {
-            return ((ClientAssertion) clientCredential).assertion();
-        } else if (clientCredential instanceof ClientSecret) {
-            return null;
-        } else {
-            throw new IllegalArgumentException("Unsupported client credential");
-        }
-    }
-
-    //Overload for the common case where the application's default credential was not overridden in the request.
-    String getAssertionString() {
-        return this.getAssertionString(this.clientCredential);
-    }
-
-    /**
-     * Checks if the JWT-formatted assertion has expired by parsing the "exp" claim.
-     *
-     * @param jwt JWT string
-     * @return true if the JWT has expired. Otherwise false
-     */
-    boolean hasJwtExpired(String jwt) {
-        final Date currentDateTime = new Date(System.currentTimeMillis());
-        Base64.Decoder decoder = Base64.getUrlDecoder();
-
-        String payload = new String(decoder.decode(jwt.split("\\.")[1]));
-
-        final Date expirationTime = (Date) JsonHelper.parseJsonToMap(payload).get("exp");
-
-        return expirationTime.before(currentDateTime);
-    }
-
     /**
      * Creates instance of Builder of ConfidentialClientApplication
      *
@@ -177,6 +104,9 @@ public static class Builder extends AbstractClientApplicationBase.Builder<Builde
 
         private Builder(String clientId, IClientCredential clientCredential) {
             super(clientId);
+
+            validateNotNull("clientCredential", clientCredential);
+
             this.clientCredential = clientCredential;
         }
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/TokenRequestExecutor.java

@@ -86,25 +86,76 @@ private void addQueryParameters(OAuthHttpRequest oauthHttpRequest) {
         String clientID = msalRequest.application().clientId();
         queryParameters.put("client_id", clientID);
 
-        // If the client application has a client assertion to apply to the request, check if a new client assertion
-        //  was supplied as a request parameter. If so, use the request's assertion instead of the application's
+        // Add client authentication parameters if this is a confidential client
         if (msalRequest.application() instanceof ConfidentialClientApplication) {
-            if (msalRequest instanceof ClientCredentialRequest && ((ClientCredentialRequest) msalRequest).parameters.clientCredential() != null) {
-                IClientCredential credential = ((ClientCredentialRequest) msalRequest).parameters.clientCredential();
-                addJWTBearerAssertionParams(queryParameters, ((ConfidentialClientApplication) msalRequest.application()).getAssertionString(credential));
-            } else {
-                if (((ConfidentialClientApplication) msalRequest.application()).getAssertionString() != null) {
-                    addJWTBearerAssertionParams(queryParameters, ((ConfidentialClientApplication) msalRequest.application()).getAssertionString());
-                } else if (((ConfidentialClientApplication) msalRequest.application()).secret != null) {
-                    // Client secrets have a different parameter than bearer assertions
-                    queryParameters.put("client_secret", ((ConfidentialClientApplication) msalRequest.application()).secret);
-                }
-            }
+            ConfidentialClientApplication application = (ConfidentialClientApplication) msalRequest.application();
+
+            // Determine which credential to use - either from the request or from the application
+            IClientCredential credential = getCredentialToUse(application);
+
+            // Add appropriate authentication parameters based on the credential type
+            addCredentialToRequest(queryParameters, credential, application);
         }
 
         oauthHttpRequest.setQuery(StringHelper.serializeQueryParameters(queryParameters));
     }
 
+    /**
+     * Determines which credential to use for authentication:
+     * - If the request is a ClientCredentialRequest with a specified credential, use that
+     * - Otherwise use the application's credential
+     *
+     * @param application The confidential client application
+     * @return The credential to use, may be null if no credential is available
+     */
+    private IClientCredential getCredentialToUse(ConfidentialClientApplication application) {
+        if (msalRequest instanceof ClientCredentialRequest &&
+            ((ClientCredentialRequest) msalRequest).parameters.clientCredential() != null) {
+            return ((ClientCredentialRequest) msalRequest).parameters.clientCredential();
+        }
+        return application.clientCredential;
+    }
+
+    /**
+     * Adds the appropriate authentication parameters to the request based on credential type.
+     * Handles different credential types (secret, assertion, certificate) by adding the appropriate
+     * parameters to the request.
+     *
+     * @param queryParameters The map of query parameters to add to
+     * @param credential The credential to use for authentication, may be null
+     * @param application The confidential client application
+     */
+    private void addCredentialToRequest(Map<String, String> queryParameters,
+                                       IClientCredential credential,
+                                       ConfidentialClientApplication application) {
+        if (credential == null) {
+            return;
+        }
+
+        if (credential instanceof ClientSecret) {
+            // For client secret, add client_secret parameter
+            queryParameters.put("client_secret", ((ClientSecret) credential).clientSecret());
+        } else if (credential instanceof ClientAssertion) {
+            // For client assertion, add client_assertion and client_assertion_type parameters
+            addJWTBearerAssertionParams(queryParameters, ((ClientAssertion) credential).assertion());
+        } else if (credential instanceof ClientCertificate) {
+            // For client certificate, generate a new assertion and add it to the request
+            ClientCertificate certificate = (ClientCertificate) credential;
+            String assertion = certificate.getAssertion(
+                application.authenticationAuthority,
+                application.clientId(),
+                application.sendX5c());
+            addJWTBearerAssertionParams(queryParameters, assertion);
+        }
+        // If credential is of an unknown type, no additional parameters are added
+    }
+
+    /**
+     * Adds the JWT bearer token assertion parameters to the request
+     *
+     * @param queryParameters The map of query parameters to add to
+     * @param assertion The JWT assertion string
+     */
     private void addJWTBearerAssertionParams(Map<String, String> queryParameters, String assertion) {
         queryParameters.put("client_assertion", assertion);
         queryParameters.put("client_assertion_type", ClientAssertion.ASSERTION_TYPE_JWT_BEARER);

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ClientCertificateTest.java

@@ -3,25 +3,25 @@
 
 package com.microsoft.aad.msal4j;
 
-import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
 import com.nimbusds.jwt.SignedJWT;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestInstance;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.*;
 
 import java.math.BigInteger;
 import java.security.*;
 import java.security.cert.CertificateException;
 import java.security.interfaces.RSAPrivateKey;
-import java.text.ParseException;
 import java.util.*;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class ClientCertificateTest {
@@ -77,12 +77,17 @@ void testIClientCertificateInterface_CredentialFactoryUsesSha256() throws Except
             HttpRequest request = parameters.getArgument(0);
             String requestBody = request.body();
 
-            SignedJWT signedJWT = SignedJWT.parse(cca.getAssertionString());
+            String clientAssertion = extractClientAssertion(requestBody);
 
-            if (requestBody.contains(cca.getAssertionString())
-                    && signedJWT.getHeader().toJSONObject().containsKey("x5t#S256")) {
-                return TestHelper.expectedResponse(200, TestHelper.getSuccessfulTokenResponse(tokenResponseValues));
+            if (clientAssertion != null) {
+                SignedJWT signedJWT = SignedJWT.parse(clientAssertion);
+                if (signedJWT.getHeader().toJSONObject().containsKey("x5t#S256")) {
+                    return TestHelper.expectedResponse(200, TestHelper.getSuccessfulTokenResponse(tokenResponseValues));
+                }
             }
+
+            //If the client assertion is null or does not contain the x5t#S256 header,
+            // that indicates a problem in assertion generation and this test should fail.
             return null;
         });
 
@@ -94,6 +99,86 @@ void testIClientCertificateInterface_CredentialFactoryUsesSha256() throws Except
         assertEquals("accessTokenSha256", result.accessToken());
     }
 
+    @Test
+    void testClientCertificate_GeneratesNewAssertionEachTime() throws Exception {
+        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
+        List<String> capturedAssertions = new ArrayList<>();
+
+        ConfidentialClientApplication cca =
+                ConfidentialClientApplication.builder("clientId", ClientCredentialFactory.createFromCertificate(TestHelper.getPrivateKey(), TestHelper.getX509Cert()))
+                        .authority("https://login.microsoftonline.com/tenant")
+                        .instanceDiscovery(false)
+                        .validateAuthority(false)
+                        .httpClient(httpClientMock)
+                        .build();
+
+        // Mock the HTTP client to capture assertions from each request
+        when(httpClientMock.send(any(HttpRequest.class))).thenAnswer(parameters -> {
+            HttpRequest request = parameters.getArgument(0);
+            String requestBody = request.body();
+
+            String clientAssertion = extractClientAssertion(requestBody);
+            if (clientAssertion != null) {
+                capturedAssertions.add(clientAssertion);
+
+                // Verify it's a valid JWT with proper headers
+                SignedJWT signedJWT = SignedJWT.parse(clientAssertion);
+                if (signedJWT.getHeader().toJSONObject().containsKey("x5t#S256")) {
+                    HashMap<String, String> tokenResponseValues = new HashMap<>();
+                    tokenResponseValues.put("access_token", "access_token_" + capturedAssertions.size());
+                    return TestHelper.expectedResponse(200, TestHelper.getSuccessfulTokenResponse(tokenResponseValues));
+                }
+            }
+            return null;
+        });
+
+        ClientCredentialParameters parameters = ClientCredentialParameters.builder(Collections.singleton("scopes")).skipCache(true).build();
+
+        // Make two token requests
+        IAuthenticationResult result1 = cca.acquireToken(parameters).get();
+        IAuthenticationResult result2 = cca.acquireToken(parameters).get();
+
+        // Verify two unique assertions were generated
+        assertEquals(2, capturedAssertions.size(), "Two assertions should have been generated");
+        assertNotEquals(capturedAssertions.get(0), capturedAssertions.get(1),
+                "Each token request should generate a unique assertion");
+
+        // Optional: Parse and verify JWT properties if needed
+        SignedJWT jwt1 = SignedJWT.parse(capturedAssertions.get(0));
+        SignedJWT jwt2 = SignedJWT.parse(capturedAssertions.get(1));
+
+        // Different JTI (JWT ID) should be used for each assertion
+        assertNotEquals(jwt1.getJWTClaimsSet().getJWTID(), jwt2.getJWTClaimsSet().getJWTID(),
+                "Each assertion should have a unique JTI claim");
+
+        // Verify the tokens are different
+        assertNotEquals(result1.accessToken(), result2.accessToken(),
+                "The access tokens from each request should be different");
+    }
+
+    /**
+     * Extracts the client_assertion value from a URL-encoded request body
+     * @param requestBody The request body string
+     * @return The extracted client assertion or null if not found
+     */
+    private String extractClientAssertion(String requestBody) {
+        try {
+            // Split the request body into key-value pairs
+            String[] pairs = requestBody.split("&");
+            for (String pair : pairs) {
+                // Find the client_assertion parameter
+                if (pair.startsWith("client_assertion=")) {
+                    // Extract and URL-decode the value
+                    return URLDecoder.decode(pair.substring("client_assertion=".length()), StandardCharsets.UTF_8.toString());
+                }
+            }
+        } catch (Exception e) {
+            // In case of any parsing errors
+            System.err.println("Error extracting client assertion: " + e.getMessage());
+        }
+        return null;
+    }
+
     class TestClientCredential implements IClientCertificate {
         @Override
         public PrivateKey privateKey() {