Fix tenant override API not being properly used in certain confidential flows

Author: Avery-Dunn

msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/AcquireTokenInteractiveIT.java

@@ -108,7 +108,7 @@ void acquireTokenInteractive_ManagedUser_InstanceAware() {
 
     @Test
     void acquireTokenInteractive_Ciam() {
-        User user = labUserProvider.getCiamUser();
+        User user = labUserProvider.getCiamCudUser();
 
         Map<String, String> extraQueryParameters = new HashMap<>();
 

msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/ClientCredentialsIT.java

@@ -48,7 +48,6 @@ void acquireTokenClientCredentials_ClientCertificate() throws Exception {
     void acquireTokenClientCredentials_ClientSecret() throws Exception {
         AppCredentialProvider appProvider = new AppCredentialProvider(AzureEnvironment.AZURE);
         final String clientId = appProvider.getLabVaultAppId();
-        final String password = appProvider.getLabVaultPassword();
         IClientCredential credential = CertificateHelper.getClientCertificate();
 
         assertAcquireTokenCommon(clientId, credential, TestConstants.MICROSOFT_AUTHORITY);
@@ -68,7 +67,7 @@ void acquireTokenClientCredentials_ClientAssertion() throws Exception {
     @Test
     void acquireTokenClientCredentials_ClientSecret_Ciam() throws Exception {
 
-        User user = labUserProvider.getCiamUser();
+        User user = labUserProvider.getCiamCudUser();
         String clientId = user.getAppId();
 
         AppCredentialProvider appProvider = new AppCredentialProvider(AzureEnvironment.CIAM);

msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/OnBehalfOfIT.java

@@ -39,8 +39,7 @@ void acquireTokenWithOBO_Managed(String environment) throws Exception {
                         new UserAssertion(accessToken)).build()).
                         get();
 
-        assertNotNull(result);
-        assertNotNull(result.accessToken());
+        assertResultNotNull(result);
     }
 
     @ParameterizedTest
@@ -63,8 +62,7 @@ void acquireTokenWithOBO_testCache(String environment) throws Exception {
                         new UserAssertion(accessToken)).build()).
                         get();
 
-        assertNotNull(result1);
-        assertNotNull(result1.accessToken());
+        assertResultNotNull(result1);
 
         // Same scope and userAssertion, should return cached tokens
         IAuthenticationResult result2 =
@@ -82,8 +80,7 @@ void acquireTokenWithOBO_testCache(String environment) throws Exception {
                         new UserAssertion(accessToken)).build()).
                         get();
 
-        assertNotNull(result3);
-        assertNotNull(result3.accessToken());
+        assertResultNotNull(result3);
         assertNotEquals(result2.accessToken(), result3.accessToken());
 
         // Scope 2, should return cached token
@@ -105,8 +102,7 @@ void acquireTokenWithOBO_testCache(String environment) throws Exception {
                                 .build()).
                         get();
 
-        assertNotNull(result5);
-        assertNotNull(result5.accessToken());
+        assertResultNotNull(result5);
         assertNotEquals(result5.accessToken(), result4.accessToken());
         assertNotEquals(result5.accessToken(), result2.accessToken());
 
@@ -121,13 +117,60 @@ void acquireTokenWithOBO_testCache(String environment) throws Exception {
                                 .build()).
                         get();
 
-        assertNotNull(result6);
-        assertNotNull(result6.accessToken());
+        assertResultNotNull(result6);
         assertNotEquals(result6.accessToken(), result5.accessToken());
         assertNotEquals(result6.accessToken(), result4.accessToken());
         assertNotEquals(result6.accessToken(), result2.accessToken());
     }
 
+    @Test
+    void acquireTokenWithOBO_TenantOverride() throws Exception {
+        cfg = new Config(AzureEnvironment.AZURE);
+        String accessToken = this.getAccessToken();
+
+        final String clientId = cfg.appProvider.getOboAppId();
+        final String password = cfg.appProvider.getOboAppPassword();
+
+        ConfidentialClientApplication cca =
+                ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.createFromSecret(password)).
+                        authority(cfg.tenantSpecificAuthority()).
+                        build();
+
+        //This token should be cached with the tenant-specific authority set at the application level
+        IAuthenticationResult resultNoOverride = cca.acquireToken(OnBehalfOfParameters.builder(
+                                Collections.singleton(cfg.graphDefaultScope()),
+                                new UserAssertion(accessToken)).build()).
+                        get();
+
+        //This token should be cached with an 'organizations' authority set at the request level
+        IAuthenticationResult resultOrganizations = cca.acquireToken(OnBehalfOfParameters.builder(
+                                Collections.singleton(cfg.graphDefaultScope()),
+                                new UserAssertion(accessToken))
+                                .tenant("organizations")
+                                .build()).
+                        get();
+
+        //This token should come from the cache and match the token with the 'organizations' authority
+        IAuthenticationResult resultOrganizationsCached = cca.acquireToken(OnBehalfOfParameters.builder(
+                                Collections.singleton(cfg.graphDefaultScope()),
+                                new UserAssertion(accessToken))
+                                .tenant("organizations")
+                                .build()).
+                        get();
+
+        assertResultNotNull(resultNoOverride);
+        assertResultNotNull(resultOrganizations);
+        assertResultNotNull(resultOrganizationsCached);
+
+        assertNotEquals(resultNoOverride.accessToken(), resultOrganizations.accessToken());
+        assertEquals(resultOrganizations.accessToken(), resultOrganizationsCached.accessToken());
+    }
+
+    private void assertResultNotNull(IAuthenticationResult result) {
+        assertNotNull(result);
+        assertNotNull(result.accessToken());
+    }
+
     private String getAccessToken() throws Exception {
 
         LabUserProvider labUserProvider = LabUserProvider.getInstance();

msal4j-sdk/src/integrationtest/java/com.microsoft.aad.msal4j/UsernamePasswordIT.java

@@ -94,7 +94,7 @@ void acquireTokenWithUsernamePassword_Ciam() throws Exception {
 
         Map<String, String> extraQueryParameters = new HashMap<>();
 
-        User user = labUserProvider.getCiamUser();
+        User user = labUserProvider.getCiamCudUser();
         PublicClientApplication pca = PublicClientApplication.builder(user.getAppId())
                 .authority("https://" + user.getLabName() + ".ciamlogin.com/")
                 .build();

msal4j-sdk/src/integrationtest/java/labapi/AppCredentialProvider.java

@@ -7,7 +7,6 @@ public class AppCredentialProvider {
     private KeyVaultSecretsProvider keyVaultSecretsProvider;
 
     private String labVaultClientId;
-    private String labVaultPassword;
 
     private String clientId;
 
@@ -19,7 +18,6 @@ public AppCredentialProvider(String azureEnvironment) {
         keyVaultSecretsProvider = new KeyVaultSecretsProvider();
 
         labVaultClientId = keyVaultSecretsProvider.getSecret(LabConstants.APP_ID_KEY_VAULT_SECRET);
-        labVaultPassword = keyVaultSecretsProvider.getSecret(LabConstants.APP_PASSWORD_KEY_VAULT_SECRET);
 
         switch (azureEnvironment) {
             case AzureEnvironment.AZURE:
@@ -65,8 +63,4 @@ public String getOboAppPassword() {
     public String getLabVaultAppId() {
         return labVaultClientId;
     }
-
-    public String getLabVaultPassword() {
-        return labVaultPassword;
-    }
 }

msal4j-sdk/src/integrationtest/java/labapi/LabConstants.java

@@ -14,7 +14,7 @@ public class LabConstants {
     public final static String USER_MSA_USERNAME_URL = "https://msidlabs.vault.azure.net/secrets/MSA-MSIDLAB4-UserName";
     public final static String USER_MSA_PASSWORD_URL = "https://msidlabs.vault.azure.net/secrets/MSA-MSIDLAB4-Password";
     public final static String OBO_APP_PASSWORD_URL = "https://msidlabs.vault.azure.net/secrets/TodoListServiceV2-OBO";
-    public final static String CIAM_KEY_VAULT_SECRET_KEY = "https://msidlabs.vault.azure.net/secrets/MSIDLABCIAM2-cc";
+    public final static String CIAM_KEY_VAULT_SECRET_KEY = "https://msidlabs.vault.azure.net/secrets/MSIDLABCIAM6-cc";
 
     public final static String ARLINGTON_APP_ID = "cb7faed4-b8c0-49ee-b421-f5ed16894c83";
     public final static String ARLINGTON_OBO_APP_ID = "c0555d2d-02f2-4838-802e-3463422e571d";

msal4j-sdk/src/integrationtest/java/labapi/LabUserProvider.java

@@ -105,14 +105,6 @@ public User getUserByGuestHomeAzureEnvironments(String guestEnvironment, String
         return getLabUser(query);
     }
 
-    public User getCiamUser() {
-
-        UserQueryParameters query = new UserQueryParameters();
-        query.parameters.put(UserQueryParameters.FEDERATION_PROVIDER, FederationProvider.CIAM);
-
-        return getLabUser(query);
-    }
-
     public User getCiamCudUser() {
         UserQueryParameters query = new UserQueryParameters();
         query.parameters.put(UserQueryParameters.FEDERATION_PROVIDER, FederationProvider.CIAMCUD);

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByClientCredentialSupplier.java

@@ -26,6 +26,7 @@ AuthenticationResult execute() throws Exception {
                 SilentParameters parameters = SilentParameters
                         .builder(this.clientCredentialRequest.parameters.scopes())
                         .claims(this.clientCredentialRequest.parameters.claims())
+                        .tenant(this.clientCredentialRequest.parameters.tenant())
                         .build();
 
                 RequestContext context = new RequestContext(

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByOnBehalfOfSupplier.java

@@ -26,6 +26,7 @@ AuthenticationResult execute() throws Exception {
                 SilentParameters parameters = SilentParameters
                         .builder(this.onBehalfOfRequest.parameters.scopes())
                         .claims(this.onBehalfOfRequest.parameters.claims())
+                        .tenant(this.onBehalfOfRequest.parameters.tenant())
                         .build();
 
                 RequestContext context = new RequestContext(