Release 1.12.0 (#507)

* Initial commit

* fix: Correct scope for test dependency in POM

The `azure-security-keyvault-secrets` test dependency was include twice
and without the correct `test` scope.

* Updated keyvault secrets version

* Allow client assertion to be a callback and a per-request parameter (#482)

* Allow creating a client assertion from a callback

* Allow client credentials as a per-request parameter

* Minor changes to fix build issues

* Bump version numbers for 1.11.3 release (#484)

* Revert unintentional commit

* Add client_id to http request

* Retrigger the build

* Moving code to be executed for all client_Assertion requests

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Cause the User Principal to be Serializable when held in the HttpSession
as an attribute. This allows the J2EE web.xml "distributable" tag to
work.

https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/development_guide/clustering_in_web_applications

* Update oauth2-oidc-sdk dependency

* Changes in the relevant classes

* Update error message when Authority does not contain path

* Update IllegalArgumentExceptionMessages.java

fix typo

* Fix java.io.IOException: too many bytes written (#453)

Current implementation relies on system location for getting bytes, and if it is not "UTF-8" underlying outputstream will error with 
```java.io.IOException: too many bytes written```

Also fixed minor bug with wrong message being output

* Add trailing slash to authorities in silent calls (#431)

* Add trailing slash to authorities in silent calls

* Move trailing slash helper method to Authority class

* Silent calls now use cached environment info (#427)

* issue #428 resolution

* Fixed failing tests

* Updated vulnerable libraries' versions

* Revert some changes from the old PR

* Update regional endpoints (#504)

* Minor fixes/enhancements

* Update regional endpoint formatting

* Changelog and version changes for 1.12 release (#506)

Co-authored-by: siddhijain <[email protected]>
Co-authored-by: B. Schellhaas <[email protected]>
Co-authored-by: DidunAyodeji <[email protected]>
Co-authored-by: Dave Smith (Middleware Support) <[email protected]>
Co-authored-by: Matt Mazzola <[email protected]>
Co-authored-by: Marcelo Castro <[email protected]>

Author: 7 people

README.md

@@ -4,19 +4,19 @@
 --------------------|-----------------|---------------
 [![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/CI/Java/MSAL%20Java%20CI%20Build?branchName=main)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=762) | [![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/CI/Java/MSAL%20Java%20CI%20Build?branchName=dev)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=762)| [![Javadocs](http://javadoc.io/badge/com.microsoft.azure/msal4j.svg)](http://javadoc.io/doc/com.microsoft.azure/msal4j)
 
-The Microsoft Authentication Library for Java (MSAL4J) enables applications to integrate with the [Microsoft identity platform](https://aka.ms/aaddevv2). It allows you to sign in users or apps with Microsoft identities (Azure AD, Microsoft accounts and Azure AD B2C accounts) and obtain tokens to call Microsoft APIs such as [Microsoft Graph](https://graph.microsoft.io/) or your own APIs registered with the Microsoft identity platform. It is built using industry standard OAuth2 and OpenID Connect protocols.
+The Microsoft Authentication Library for Java (MSAL4J) enables applications to integrate with the [Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/). It allows you to sign in users or apps with Microsoft identities (Azure AD, Microsoft accounts and Azure AD B2C accounts) and obtain tokens to call Microsoft APIs such as [Microsoft Graph](https://graph.microsoft.io/) or your own APIs registered with the Microsoft identity platform. It is built using industry standard OAuth2 and OpenID Connect protocols.
 
 Quick links:
 
-| [Getting Started](https://docs.microsoft.com/azure/active-directory/develop/quickstart-v2-java-webapp) | [Docs](https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki) | [Samples](https://aka.ms/aaddevsamplesv2) | [Support](README.md#community-help-and-support) | [Feedback](https://forms.office.com/r/6AhHwQp3pe)
+| [Getting Started](https://docs.microsoft.com/en-us/azure/active-directory/develop/web-app-quickstart?pivots=devlang-java) | [Home](https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki) | [Samples](https://github.com/Azure-Samples/ms-identity-msal-java-samples) | [Support](README.md#community-help-and-support) | [Feedback](https://forms.office.com/r/6AhHwQp3pe)
 | --- | --- | --- | --- | --- |
 
 ## Install
 
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.11.3
+Current version - 1.12.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,12 +28,12 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.11.3</version>
+    <version>1.12.0</version>
 </dependency>
 ```
 ### Gradle
 
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.11.3'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.12.0'
 
 ## Usage
 
@@ -58,7 +58,7 @@ This project has adopted the Microsoft Open Source Code of Conduct. For more inf
 
 ## Samples and Documentation
 
-We provide a [full suite of sample applications](https://aka.ms/aaddevsamplesv2) and [documentation](https://aka.ms/aaddevv2) to help you get started with learning the Microsoft identity platform.
+We provide a [full suite of sample applications](https://aka.ms/aaddevsamplesv2) and [documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/) to help you get started with learning the Microsoft identity platform.
 
 ## Community Help and Support
 

changelog.txt

@@ -1,3 +1,9 @@
+Version 1.12.0
+=============
+- Updates several dependencies to avoid security vulnerabilities
+- Improves serialization of ID tokens and authentication results
+- Various bug fixes related to authority paths, regional endpoints, and unclear logs
+
 Version 1.11.3
 =============
 - Allow client assertions as callbacks and as per-request parameters

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.11.3</version>
+	<version>1.12.0</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>
@@ -36,12 +36,17 @@
         <dependency>
             <groupId>com.nimbusds</groupId>
             <artifactId>oauth2-oidc-sdk</artifactId>
-            <version>9.22.1</version>
+            <version>9.32</version>
+        </dependency>
+        <dependency>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+            <version>2.4.8</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
-            <version>1.7.28</version>
+            <version>1.7.36</version>
         </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
@@ -52,7 +57,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.12.1</version>
+            <version>2.13.2.1</version>
         </dependency>
 
         <!-- test dependencies -->

src/integrationtest/java/com.microsoft.aad.msal4j/AcquireTokenInteractiveIT.java

@@ -167,19 +167,35 @@ private void assertAcquireTokenInstanceAware(User user) {
         Assert.assertNotEquals(pca.authenticationAuthority.host, result.environment());
         Assert.assertEquals(result.account().environment(), result.environment());
         Assert.assertEquals(result.account().environment(), pca.getAccounts().join().iterator().next().environment());
+
+        IAuthenticationResult cachedResult;
+        try {
+            cachedResult = acquireTokenSilently(pca, result.account(), cfg.graphDefaultScope());
+        } catch (Exception ex) {
+            throw new RuntimeException(ex.getMessage());
+        }
+
+        //Ensure that the cached environment matches the original auth result environment (.us) instead of the client app's (.com)
+        Assert.assertEquals(result.account().environment(), cachedResult.environment());
     }
 
     @Test
     public void acquireTokensInHomeAndGuestClouds_ArlingtonAccount() throws MalformedURLException, ExecutionException, InterruptedException {
-        acquireTokensInHomeAndGuestClouds(AzureEnvironment.AZURE_US_GOVERNMENT, TestConstants.AUTHORITY_ARLINGTON);
+        acquireTokensInHomeAndGuestClouds(AzureEnvironment.AZURE_US_GOVERNMENT);
     }
 
     @Test
     public void acquireTokensInHomeAndGuestClouds_MooncakeAccount() throws MalformedURLException, ExecutionException, InterruptedException {
-        acquireTokensInHomeAndGuestClouds(AzureEnvironment.AZURE_CHINA, TestConstants.AUTHORITY_MOONCAKE);
+        acquireTokensInHomeAndGuestClouds(AzureEnvironment.AZURE_CHINA);
+    }
+
+    private IAuthenticationResult acquireTokenSilently(IPublicClientApplication pca, IAccount account, String scope) throws InterruptedException, ExecutionException, MalformedURLException {
+        return pca.acquireTokenSilently(SilentParameters.builder(Collections.singleton(scope), account)
+                .build())
+                .get();
     }
 
-    public void acquireTokensInHomeAndGuestClouds(String homeCloud, String homeCloudAuthority) throws MalformedURLException, ExecutionException, InterruptedException {
+    public void acquireTokensInHomeAndGuestClouds(String homeCloud) throws MalformedURLException {
 
         User user = labUserProvider.getUserByGuestHomeAzureEnvironments
                 (AzureEnvironment.AZURE, homeCloud);

src/integrationtest/java/com.microsoft.aad.msal4j/DeviceCodeIT.java

@@ -44,7 +44,7 @@ public void DeviceCodeFlowADTest(String environment) throws Exception {
                 build();
 
         Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
-            runAutomatedDeviceCodeFlow(deviceCode, user, environment);
+            runAutomatedDeviceCodeFlow(deviceCode, user);
         };
 
         IAuthenticationResult result = pca.acquireToken(DeviceCodeFlowParameters
@@ -57,8 +57,8 @@ public void DeviceCodeFlowADTest(String environment) throws Exception {
         Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
     }
 
-    @Test(dataProvider = "environments", dataProviderClass = EnvironmentsProvider.class)
-    public void DeviceCodeFlowADFSv2019Test(String environment) throws Exception {
+    @Test()
+    public void DeviceCodeFlowADFSv2019Test() throws Exception {
 
         User user = labUserProvider.getOnPremAdfsUser(FederationProvider.ADFS_2019);
 
@@ -68,7 +68,7 @@ public void DeviceCodeFlowADFSv2019Test(String environment) throws Exception {
                 build();
 
         Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
-            runAutomatedDeviceCodeFlow(deviceCode, user, environment);
+            runAutomatedDeviceCodeFlow(deviceCode, user);
         };
 
         IAuthenticationResult result = pca.acquireToken(DeviceCodeFlowParameters
@@ -81,7 +81,39 @@ public void DeviceCodeFlowADFSv2019Test(String environment) throws Exception {
         Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
     }
 
-    private void runAutomatedDeviceCodeFlow(DeviceCode deviceCode, User user, String environment) {
+    @Test()
+    public void DeviceCodeFlowMSATest() throws Exception {
+
+        User user = labUserProvider.getMSAUser();
+
+        PublicClientApplication pca = PublicClientApplication.builder(
+                user.getAppId()).
+                authority(TestConstants.CONSUMERS_AUTHORITY).
+                build();
+
+        Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
+            runAutomatedDeviceCodeFlow(deviceCode, user);
+        };
+
+        IAuthenticationResult result = pca.acquireToken(DeviceCodeFlowParameters
+                .builder(Collections.singleton(""),
+                        deviceCodeConsumer)
+                .build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
+
+        result = pca.acquireTokenSilently(SilentParameters.
+                builder(Collections.singleton(""), result.account()).
+                build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
+    }
+
+    private void runAutomatedDeviceCodeFlow(DeviceCode deviceCode, User user) {
         boolean isRunningLocally = true;//!Strings.isNullOrEmpty(
         //System.getenv(TestConstants.LOCAL_FLAG_ENV_VAR));
 

src/integrationtest/java/com.microsoft.aad.msal4j/OAuthRequestValidationUnitT.java

@@ -31,7 +31,7 @@ public void oAuthRequest_for_acquireTokenByClientCertificate() throws Exception
         }
 
         Map<String, String> queryParams = splitQuery(query);
-        Assert.assertEquals(queryParams.size(), 7);
+        Assert.assertEquals(queryParams.size(), 8);
 
         // validate Authorization Grants query params
         Assert.assertEquals(queryParams.get("grant_type"), GRANT_TYPE_JWT);
@@ -55,6 +55,8 @@ public void oAuthRequest_for_acquireTokenByClientCertificate() throws Exception
         Assert.assertEquals(queryParams.get("requested_token_use"), ON_BEHALF_OF_USE_JWT);
 
         Assert.assertEquals(queryParams.get("client_info"), CLIENT_INFO_VALUE);
+        Assert.assertEquals(queryParams.get("client_id"), CLIENT_ID);
+
     }
 
     @Test
@@ -83,7 +85,7 @@ public void oAuthRequest_for_acquireTokenByClientAssertion() throws Exception {
 
         Map<String, String> queryParams = splitQuery(query);
 
-        Assert.assertEquals(queryParams.size(), 5);
+        Assert.assertEquals(queryParams.size(), 6);
 
         // validate Authorization Grants query params
         Assert.assertEquals(queryParams.get("grant_type"), CLIENT_CREDENTIALS_GRANT_TYPE);
@@ -96,5 +98,6 @@ public void oAuthRequest_for_acquireTokenByClientAssertion() throws Exception {
         Assert.assertEquals(queryParams.get("scope"), "https://SomeResource.azure.net openid profile offline_access");
 
         Assert.assertEquals(queryParams.get("client_info"), CLIENT_INFO_VALUE);
+        Assert.assertEquals(queryParams.get("client_id"), CLIENT_ID);
     }
 }

src/integrationtest/java/com.microsoft.aad.msal4j/TestConstants.java

@@ -25,6 +25,7 @@ public class TestConstants {
 
     public final static String ORGANIZATIONS_AUTHORITY = MICROSOFT_AUTHORITY_HOST + "organizations/";
     public final static String COMMON_AUTHORITY = MICROSOFT_AUTHORITY_HOST + "common/";
+    public final static String CONSUMERS_AUTHORITY = MICROSOFT_AUTHORITY_HOST + "consumers/";
     public final static String COMMON_AUTHORITY_WITH_PORT = MICROSOFT_AUTHORITY_HOST_WITH_PORT + "msidlab4.onmicrosoft.com";
     public final static String MICROSOFT_AUTHORITY = MICROSOFT_AUTHORITY_HOST + "microsoft.onmicrosoft.com";
     public final static String TENANT_SPECIFIC_AUTHORITY = MICROSOFT_AUTHORITY_HOST + MICROSOFT_AUTHORITY_TENANT;

src/integrationtest/java/labapi/LabUserProvider.java

@@ -78,6 +78,13 @@ public User getB2cUser(String azureEnvironment, String b2cProvider) {
         return getLabUser(query);
     }
 
+    public User getMSAUser() {
+        UserQueryParameters query = new UserQueryParameters();
+        query.parameters.put(UserQueryParameters.USER_TYPE, UserType.MSA);
+
+        return getLabUser(query);
+    }
+
     public User getUserByAzureEnvironment(String azureEnvironment) {
 
         UserQueryParameters query = new UserQueryParameters();

src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscoveryProvider.java

@@ -22,7 +22,8 @@ class AadInstanceDiscoveryProvider {
     private final static String DEFAULT_TRUSTED_HOST = "login.microsoftonline.com";
     private final static String AUTHORIZE_ENDPOINT_TEMPLATE = "https://{host}/{tenant}/oauth2/v2.0/authorize";
     private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = "https://{host}:{port}/common/discovery/instance";
-    private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION = "https://{region}.{host}:{port}/common/discovery/instance";
+    private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION = "https://{region}.r.{host}:{port}/common/discovery/instance";
+    private final static String INSTANCE_DISCOVERY_SOVEREIGN_ENDPOINT_TEMPLATE_WITH_REGION = "https://{region}.{host}:{port}/common/discovery/instance";
     private final static String INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE = "?api-version=1.1&authorization_endpoint={authorizeEndpoint}";
     private final static String REGION_NAME = "REGION_NAME";
     private final static int PORT_NOT_SET = -1;
@@ -31,19 +32,24 @@ class AadInstanceDiscoveryProvider {
     private final static String IMDS_ENDPOINT = "https://169.254.169.254/metadata/instance/compute/location?" + DEFAULT_API_VERSION + "&format=text";
 
     final static TreeSet<String> TRUSTED_HOSTS_SET = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+    final static TreeSet<String> TRUSTED_SOVEREIGN_HOSTS_SET = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
 
     private final static Logger log = LoggerFactory.getLogger(HttpHelper.class);
 
     static ConcurrentHashMap<String, InstanceDiscoveryMetadataEntry> cache = new ConcurrentHashMap<>();
 
     static {
-        TRUSTED_HOSTS_SET.addAll(Arrays.asList(
-                "login.windows.net",
+        TRUSTED_SOVEREIGN_HOSTS_SET.addAll(Arrays.asList(
                 "login.chinacloudapi.cn",
                 "login-us.microsoftonline.com",
                 "login.microsoftonline.de",
-                "login.microsoftonline.com",
                 "login.microsoftonline.us"));
+
+        TRUSTED_HOSTS_SET.addAll(Arrays.asList(
+                "login.windows.net",
+                "login.microsoftonline.com"));
+
+        TRUSTED_HOSTS_SET.addAll(TRUSTED_SOVEREIGN_HOSTS_SET);
     }
 
     static InstanceDiscoveryMetadataEntry getMetadataEntry(URL authorityUrl,
@@ -133,10 +139,17 @@ private static String getInstanceDiscoveryEndpointWithRegion(URL authorityUrl, S
                 authorityUrl.getDefaultPort() :
                 authorityUrl.getPort();
 
-        return INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION.
-                replace("{region}", region).
-                replace("{host}", discoveryHost).
-                replace("{port}", String.valueOf(port));
+        if (TRUSTED_SOVEREIGN_HOSTS_SET.contains(authorityUrl.getHost())) {
+            return INSTANCE_DISCOVERY_SOVEREIGN_ENDPOINT_TEMPLATE_WITH_REGION.
+                    replace("{region}", region).
+                    replace("{host}", discoveryHost).
+                    replace("{port}", String.valueOf(port));
+        } else {
+            return INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION.
+                    replace("{region}", region).
+                    replace("{host}", discoveryHost).
+                    replace("{port}", String.valueOf(port));
+        }
     }
 
 

src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java

@@ -28,7 +28,7 @@
  * Abstract class containing common methods and properties to both {@link PublicClientApplication}
  * and {@link ConfidentialClientApplication}.
  */
-abstract class AbstractClientApplicationBase implements IClientApplicationBase {
+public abstract class AbstractClientApplicationBase implements IClientApplicationBase {
 
     protected Logger log;
     protected Authority authenticationAuthority;
@@ -300,16 +300,7 @@ ServiceBundle getServiceBundle() {
         return serviceBundle;
     }
 
-    protected static String enforceTrailingSlash(String authority) {
-        authority = authority.toLowerCase();
-
-        if (!authority.endsWith("/")) {
-            authority += "/";
-        }
-        return authority;
-    }
-
-    abstract static class Builder<T extends Builder<T>> {
+    public abstract static class Builder<T extends Builder<T>> {
         // Required parameters
         private String clientId;
 
@@ -358,7 +349,7 @@ public Builder(String clientId) {
          * @throws MalformedURLException if val is malformed URL
          */
         public T authority(String val) throws MalformedURLException {
-            authority = enforceTrailingSlash(val);
+            authority = Authority.enforceTrailingSlash(val);
 
             URL authorityURL = new URL(authority);
             Authority.validateAuthority(authorityURL);
@@ -378,7 +369,7 @@ public T authority(String val) throws MalformedURLException {
         }
 
         public T b2cAuthority(String val) throws MalformedURLException {
-            authority = enforceTrailingSlash(val);
+            authority = Authority.enforceTrailingSlash(val);
 
             URL authorityURL = new URL(authority);
             Authority.validateAuthority(authorityURL);

src/main/java/com/microsoft/aad/msal4j/AcquireTokenSilentSupplier.java

@@ -3,6 +3,7 @@
 
 package com.microsoft.aad.msal4j;
 
+import java.net.URL;
 import java.util.Date;
 
 class AcquireTokenSilentSupplier extends AuthenticationResultSupplier {
@@ -69,6 +70,14 @@ AuthenticationResult execute() throws Exception {
                 }
 
                 if (!StringHelper.isBlank(res.refreshToken())) {
+                    //There are certain scenarios where the cached authority may differ from the client app's authority,
+                    // such as when a request is instance aware. Unless overridden by SilentParameters.authorityUrl, the
+                    // cached authority should be used in the token refresh request
+                    if (silentRequest.parameters().authorityUrl() == null && !res.account().environment().equals(requestAuthority.host)) {
+                        requestAuthority = Authority.createAuthority(new URL(requestAuthority.authority().replace(requestAuthority.host(),
+                                res.account().environment())));
+                    }
+
                     RefreshTokenRequest refreshTokenRequest = new RefreshTokenRequest(
                             RefreshTokenParameters.builder(silentRequest.parameters().scopes(), res.refreshToken()).build(),
                             silentRequest.application(),