1.9.0 release (#347)

* Exception Improvements (#254)

* Add null checks for MsalException error code references

* Better exception handling for invalid tokens

* Better exception handling for invalid tokens

* Sync with changes to Azure-Samples/ms-identity-java-desktop (#259)

* extra scopes for consent during authorizaion

* typo

* minor

* HTTPClient default timeouts (#264)

* Add default timeouts for DefaultHttpClient

* Handle 'stay signed in' confirmation page in DeviceCodeIT tests

* Small best-practices changes

* append extra scopes as suffix

* 1.6.2 release (#268)

* fixing integ test

* Tenant Profiles (#263)

* Classes for tenant profile functionality

* Implement tenant profile feature

* Tests for tenant profile feature

* Simplify tenant profile class structure

* 1.6.2 release

* Classes for tenant profile redesign

* Tests for tenant profile redesign

* Adjust sample cached ID tokens to have realistic headers

* Redesign how Tenant Pofiles are added to Accounts

* New error code for JWT parse exceptions

* Add claims and tenant profiles fields to Account

* Remove annotation excluding realm field from comparisons

* Use more generic token

* Remove ID token claims field from Account

* Minor changes for clarity

* Adjust tests for tenant profile design refactor

* Refactor tenant profile structure

* Minor fixes

* Minor fixes

* Minor fixes

* Simplify tenant profile class

Co-authored-by: SomkaPe <[email protected]>

* Improve HTTP client timeouts (#275)

* 1.6.2 release (#269)

* 1.6.2 release

* Make DefaultHttpClient timeouts settable

* Refactor timeout names

Co-authored-by: SomkaPe <[email protected]>

* Bewaters certchain (#276)

* Support for certificate chain

* 1.7.0 release (#277)

* Update DefaultHttpClient.java

* Fixed parsing ClientInfo: on some accounts, the server response contained characters that are incorrect for Base64 encoding, but acceptable for Base64URL (#282)

* sendX5c api (#285)

* refactoring (#287)

* refactoring

* refactoring

* refactoring

* Add AcquireTokenSilent tests for B2C and ADFS2019, refactor duplicate code in tests (#293)

* Add public constants for cloud endpoints (#298)

* Add public constants for cloud endpoints

* Add license header

* Added javadocs

* Removed unneeded test

* Make IAccount serializable (#297)

* Make IAccount objects serializable

* Make AuthenticationResult objects not serializable

* Add tenant profile/id claims to auth result (#300)

* Add tenant profile/id claims to auth result

* Minor fix

* treat null password as default one - empty string (#304)

* treat null password as default one - empty string

* Support for refresh_in (#305)

* Support for refresh_in

* Tests for refresh_in

* Add extra null check

* Add test for refreshOn cache persistence

* refresh on is optional field (#312)

* refresh on optional field

* 1.8.0 Release (#313)

1.8.0 release

* Fix spelling mistake in Prompt.java

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes (#322)

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes

* Add enum for HTTP content-type constants

* Remove use of javax.mail.internet.ContentType

* Support for claims request parameter (#315)

* ClaimsRequest classes

* Support for claims request parameter

* Tests for claims request

* Use Jackson library for JSON processing

* Change access level of userinfo and access_token claims

* Better merge tests

* Remove ability to set claims in userinfo field

* Refactor claims field naming

* 1.8.1 release (#326)

* Version number updates for 1.8.1 release

* Minor rewording

* Add missing check when creating tenant profile (#331)

* 1.8.1 release (#327)

* Exception Improvements (#254)

* Add null checks for MsalException error code references

* Better exception handling for invalid tokens

* Better exception handling for invalid tokens

* Sync with changes to Azure-Samples/ms-identity-java-desktop (#259)

* extra scopes for consent during authorizaion

* typo

* minor

* HTTPClient default timeouts (#264)

* Add default timeouts for DefaultHttpClient

* Handle 'stay signed in' confirmation page in DeviceCodeIT tests

* Small best-practices changes

* append extra scopes as suffix

* 1.6.2 release (#268)

* fixing integ test

* Tenant Profiles (#263)

* Classes for tenant profile functionality

* Implement tenant profile feature

* Tests for tenant profile feature

* Simplify tenant profile class structure

* 1.6.2 release

* Classes for tenant profile redesign

* Tests for tenant profile redesign

* Adjust sample cached ID tokens to have realistic headers

* Redesign how Tenant Pofiles are added to Accounts

* New error code for JWT parse exceptions

* Add claims and tenant profiles fields to Account

* Remove annotation excluding realm field from comparisons

* Use more generic token

* Remove ID token claims field from Account

* Minor changes for clarity

* Adjust tests for tenant profile design refactor

* Refactor tenant profile structure

* Minor fixes

* Minor fixes

* Minor fixes

* Simplify tenant profile class

Co-authored-by: SomkaPe <[email protected]>

* Improve HTTP client timeouts (#275)

* 1.6.2 release (#269)

* 1.6.2 release

* Make DefaultHttpClient timeouts settable

* Refactor timeout names

Co-authored-by: SomkaPe <[email protected]>

* Bewaters certchain (#276)

* Support for certificate chain

* 1.7.0 release (#277)

* Update DefaultHttpClient.java

* Fixed parsing ClientInfo: on some accounts, the server response contained characters that are incorrect for Base64 encoding, but acceptable for Base64URL (#282)

* sendX5c api (#285)

* refactoring (#287)

* refactoring

* refactoring

* refactoring

* Add AcquireTokenSilent tests for B2C and ADFS2019, refactor duplicate code in tests (#293)

* Add public constants for cloud endpoints (#298)

* Add public constants for cloud endpoints

* Add license header

* Added javadocs

* Removed unneeded test

* Make IAccount serializable (#297)

* Make IAccount objects serializable

* Make AuthenticationResult objects not serializable

* Add tenant profile/id claims to auth result (#300)

* Add tenant profile/id claims to auth result

* Minor fix

* treat null password as default one - empty string (#304)

* treat null password as default one - empty string

* Support for refresh_in (#305)

* Support for refresh_in

* Tests for refresh_in

* Add extra null check

* Add test for refreshOn cache persistence

* refresh on is optional field (#312)

* refresh on optional field

* 1.8.0 Release (#313)

1.8.0 release

* Fix spelling mistake in Prompt.java

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes (#322)

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes

* Add enum for HTTP content-type constants

* Remove use of javax.mail.internet.ContentType

* Support for claims request parameter (#315)

* ClaimsRequest classes

* Support for claims request parameter

* Tests for claims request

* Use Jackson library for JSON processing

* Change access level of userinfo and access_token claims

* Better merge tests

* Remove ability to set claims in userinfo field

* Refactor claims field naming

* 1.8.1 release (#326)

* Version number updates for 1.8.1 release

* Minor rewording

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>

* Add check for empty String

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>

* Update lab API urls

* Release pointing to the main branch

shows not built... some infrastructure needs to get updated to reflect that this thing is being built.

* Region discovery support (#343)

* Add Azure regional support

* Refactor

* Add logs for success/failure to find regional info

* Extra log

* Upgrade oauth2-oidc-sdk version (#345)

* 1.8.1 release (#327)

* Exception Improvements (#254)

* Add null checks for MsalException error code references

* Better exception handling for invalid tokens

* Better exception handling for invalid tokens

* Sync with changes to Azure-Samples/ms-identity-java-desktop (#259)

* extra scopes for consent during authorizaion

* typo

* minor

* HTTPClient default timeouts (#264)

* Add default timeouts for DefaultHttpClient

* Handle 'stay signed in' confirmation page in DeviceCodeIT tests

* Small best-practices changes

* append extra scopes as suffix

* 1.6.2 release (#268)

* fixing integ test

* Tenant Profiles (#263)

* Classes for tenant profile functionality

* Implement tenant profile feature

* Tests for tenant profile feature

* Simplify tenant profile class structure

* 1.6.2 release

* Classes for tenant profile redesign

* Tests for tenant profile redesign

* Adjust sample cached ID tokens to have realistic headers

* Redesign how Tenant Pofiles are added to Accounts

* New error code for JWT parse exceptions

* Add claims and tenant profiles fields to Account

* Remove annotation excluding realm field from comparisons

* Use more generic token

* Remove ID token claims field from Account

* Minor changes for clarity

* Adjust tests for tenant profile design refactor

* Refactor tenant profile structure

* Minor fixes

* Minor fixes

* Minor fixes

* Simplify tenant profile class

Co-authored-by: SomkaPe <[email protected]>

* Improve HTTP client timeouts (#275)

* 1.6.2 release (#269)

* 1.6.2 release

* Make DefaultHttpClient timeouts settable

* Refactor timeout names

Co-authored-by: SomkaPe <[email protected]>

* Bewaters certchain (#276)

* Support for certificate chain

* 1.7.0 release (#277)

* Update DefaultHttpClient.java

* Fixed parsing ClientInfo: on some accounts, the server response contained characters that are incorrect for Base64 encoding, but acceptable for Base64URL (#282)

* sendX5c api (#285)

* refactoring (#287)

* refactoring

* refactoring

* refactoring

* Add AcquireTokenSilent tests for B2C and ADFS2019, refactor duplicate code in tests (#293)

* Add public constants for cloud endpoints (#298)

* Add public constants for cloud endpoints

* Add license header

* Added javadocs

* Removed unneeded test

* Make IAccount serializable (#297)

* Make IAccount objects serializable

* Make AuthenticationResult objects not serializable

* Add tenant profile/id claims to auth result (#300)

* Add tenant profile/id claims to auth result

* Minor fix

* treat null password as default one - empty string (#304)

* treat null password as default one - empty string

* Support for refresh_in (#305)

* Support for refresh_in

* Tests for refresh_in

* Add extra null check

* Add test for refreshOn cache persistence

* refresh on is optional field (#312)

* refresh on optional field

* 1.8.0 Release (#313)

1.8.0 release

* Fix spelling mistake in Prompt.java

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes (#322)

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes

* Add enum for HTTP content-type constants

* Remove use of javax.mail.internet.ContentType

* Support for claims request parameter (#315)

* ClaimsRequest classes

* Support for claims request parameter

* Tests for claims request

* Use Jackson library for JSON processing

* Change access level of userinfo and access_token claims

* Better merge tests

* Remove ability to set claims in userinfo field

* Refactor claims field naming

* 1.8.1 release (#326)

* Version number updates for 1.8.1 release

* Minor rewording

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>

* Upgrade oauth2-oidc-sdk dependency version

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>

* Add String-to-ClaimsRequest helper method (#344)

* 1.8.1 release (#327)

* Exception Improvements (#254)

* Add null checks for MsalException error code references

* Better exception handling for invalid tokens

* Better exception handling for invalid tokens

* Sync with changes to Azure-Samples/ms-identity-java-desktop (#259)

* extra scopes for consent during authorizaion

* typo

* minor

* HTTPClient default timeouts (#264)

* Add default timeouts for DefaultHttpClient

* Handle 'stay signed in' confirmation page in DeviceCodeIT tests

* Small best-practices changes

* append extra scopes as suffix

* 1.6.2 release (#268)

* fixing integ test

* Tenant Profiles (#263)

* Classes for tenant profile functionality

* Implement tenant profile feature

* Tests for tenant profile feature

* Simplify tenant profile class structure

* 1.6.2 release

* Classes for tenant profile redesign

* Tests for tenant profile redesign

* Adjust sample cached ID tokens to have realistic headers

* Redesign how Tenant Pofiles are added to Accounts

* New error code for JWT parse exceptions

* Add claims and tenant profiles fields to Account

* Remove annotation excluding realm field from comparisons

* Use more generic token

* Remove ID token claims field from Account

* Minor changes for clarity

* Adjust tests for tenant profile design refactor

* Refactor tenant profile structure

* Minor fixes

* Minor fixes

* Minor fixes

* Simplify tenant profile class

Co-authored-by: SomkaPe <[email protected]>

* Improve HTTP client timeouts (#275)

* 1.6.2 release (#269)

* 1.6.2 release

* Make DefaultHttpClient timeouts settable

* Refactor timeout names

Co-authored-by: SomkaPe <[email protected]>

* Bewaters certchain (#276)

* Support for certificate chain

* 1.7.0 release (#277)

* Update DefaultHttpClient.java

* Fixed parsing ClientInfo: on some accounts, the server response contained characters that are incorrect for Base64 encoding, but acceptable for Base64URL (#282)

* sendX5c api (#285)

* refactoring (#287)

* refactoring

* refactoring

* refactoring

* Add AcquireTokenSilent tests for B2C and ADFS2019, refactor duplicate code in tests (#293)

* Add public constants for cloud endpoints (#298)

* Add public constants for cloud endpoints

* Add license header

* Added javadocs

* Removed unneeded test

* Make IAccount serializable (#297)

* Make IAccount objects serializable

* Make AuthenticationResult objects not serializable

* Add tenant profile/id claims to auth result (#300)

* Add tenant profile/id claims to auth result

* Minor fix

* treat null password as default one - empty string (#304)

* treat null password as default one - empty string

* Support for refresh_in (#305)

* Support for refresh_in

* Tests for refresh_in

* Add extra null check

* Add test for refreshOn cache persistence

* refresh on is optional field (#312)

* refresh on optional field

* 1.8.0 Release (#313)

1.8.0 release

* Fix spelling mistake in Prompt.java

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes (#322)

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes

* Add enum for HTTP content-type constants

* Remove use of javax.mail.internet.ContentType

* Support for claims request parameter (#315)

* ClaimsRequest classes

* Support for claims request parameter

* Tests for claims request

* Use Jackson library for JSON processing

* Change access level of userinfo and access_token claims

* Better merge tests

* Remove ability to set claims in userinfo field

* Refactor claims field naming

* 1.8.1 release (#326)

* Version number updates for 1.8.1 release

* Minor rewording

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>

* Add helper method to create a ClaimsRequest from a string

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>

* 1.9.0 release  (#346)

* 1.8.1 release (#327)

* Exception Improvements (#254)

* Add null checks for MsalException error code references

* Better exception handling for invalid tokens

* Better exception handling for invalid tokens

* Sync with changes to Azure-Samples/ms-identity-java-desktop (#259)

* extra scopes for consent during authorizaion

* typo

* minor

* HTTPClient default timeouts (#264)

* Add default timeouts for DefaultHttpClient

* Handle 'stay signed in' confirmation page in DeviceCodeIT tests

* Small best-practices changes

* append extra scopes as suffix

* 1.6.2 release (#268)

* fixing integ test

* Tenant Profiles (#263)

* Classes for tenant profile functionality

* Implement tenant profile feature

* Tests for tenant profile feature

* Simplify tenant profile class structure

* 1.6.2 release

* Classes for tenant profile redesign

* Tests for tenant profile redesign

* Adjust sample cached ID tokens to have realistic headers

* Redesign how Tenant Pofiles are added to Accounts

* New error code for JWT parse exceptions

* Add claims and tenant profiles fields to Account

* Remove annotation excluding realm field from comparisons

* Use more generic token

* Remove ID token claims field from Account

* Minor changes for clarity

* Adjust tests for tenant profile design refactor

* Refactor tenant profile structure

* Minor fixes

* Minor fixes

* Minor fixes

* Simplify tenant profile class

Co-authored-by: SomkaPe <[email protected]>

* Improve HTTP client timeouts (#275)

* 1.6.2 release (#269)

* 1.6.2 release

* Make DefaultHttpClient timeouts settable

* Refactor timeout names

Co-authored-by: SomkaPe <[email protected]>

* Bewaters certchain (#276)

* Support for certificate chain

* 1.7.0 release (#277)

* Update DefaultHttpClient.java

* Fixed parsing ClientInfo: on some accounts, the server response contained characters that are incorrect for Base64 encoding, but acceptable for Base64URL (#282)

* sendX5c api (#285)

* refactoring (#287)

* refactoring

* refactoring

* refactoring

* Add AcquireTokenSilent tests for B2C and ADFS2019, refactor duplicate code in tests (#293)

* Add public constants for cloud endpoints (#298)

* Add public constants for cloud endpoints

* Add license header

* Added javadocs

* Removed unneeded test

* Make IAccount serializable (#297)

* Make IAccount objects serializable

* Make AuthenticationResult objects not serializable

* Add tenant profile/id claims to auth result (#300)

* Add tenant profile/id claims to auth result

* Minor fix

* treat null password as default one - empty string (#304)

* treat null password as default one - empty string

* Support for refresh_in (#305)

* Support for refresh_in

* Tests for refresh_in

* Add extra null check

* Add test for refreshOn cache persistence

* refresh on is optional field (#312)

* refresh on optional field

* 1.8.0 Release (#313)

1.8.0 release

* Fix spelling mistake in Prompt.java

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes (#322)

* Remove use of Nimbus Oauth2 SDK's CommonContentTypes

* Add enum for HTTP content-type constants

* Remove use of javax.mail.internet.ContentType

* Support for claims request parameter (#315)

* ClaimsRequest classes

* Support for claims request parameter

* Tests for claims request

* Use Jackson library for JSON processing

* Change access level of userinfo and access_token claims

* Better merge tests

* Remove ability to set claims in userinfo field

* Refactor claims field naming

* 1.8.1 release (#326)

* Version number updates for 1.8.1 release

* Minor rewording

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>

* Add helper method for creating ClaimsRequest from a string

* Version number updates for 1.9.0 release

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>

Co-authored-by: SomkaPe <[email protected]>
Co-authored-by: Roman Nosachev <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: Santiago Gonzalez <[email protected]>
Co-authored-by: henrikm <[email protected]>

Author: 6 people

README.md

@@ -2,7 +2,7 @@
 
 `master` branch    | `dev` branch    | Reference Docs
 --------------------|-----------------|---------------
-[![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/CI/Java/MSAL%20Java%20CI%20Build?branchName=master)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=762) | [![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/CI/Java/MSAL%20Java%20CI%20Build?branchName=dev)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=762)| [![Javadocs](http://javadoc.io/badge/com.microsoft.azure/msal4j.svg)](http://javadoc.io/doc/com.microsoft.azure/msal4j)
+[![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/CI/Java/MSAL%20Java%20CI%20Build?branchName=main)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=762) | [![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/CI/Java/MSAL%20Java%20CI%20Build?branchName=dev)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=762)| [![Javadocs](http://javadoc.io/badge/com.microsoft.azure/msal4j.svg)](http://javadoc.io/doc/com.microsoft.azure/msal4j)
 
 The Microsoft Authentication Library for Java (MSAL4J) enables applications to integrate with the [Microsoft identity platform](https://aka.ms/aaddevv2). It allows you to sign in users or apps with Microsoft identities (Azure AD, Microsoft accounts and Azure AD B2C accounts) and obtain tokens to call Microsoft APIs such as [Microsoft Graph](https://graph.microsoft.io/) or your own APIs registered with the Microsoft identity platform. It is built using industry standard OAuth2 and OpenID Connect protocols.
 
@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.8.1
+Current version - 1.9.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.8.1</version>
+    <version>1.9.0</version>
 </dependency>
 ```
 ### Gradle
 
 ```
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.8.1'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.9.0'
 ```
 
 ## Usage

changelog.txt

@@ -1,3 +1,9 @@
+Version 1.9.0
+=============
+- Add support for Azure region discovery to keep token traffic regional when possible
+- New helper methods in ClaimsRequest class to convert Strings of claims to ClaimsRequest objects
+- Upgrade nimbusds.oauth2-oidc-sdk dependency to better support newer Spring Framework versions
+
 Version 1.8.1
 =============
 - New ClaimsRequest class to allow ID token claims to be requested as part of any token request

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.8.1</version>
+	<version>1.9.0</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>
@@ -36,7 +36,7 @@
         <dependency>
             <groupId>com.nimbusds</groupId>
             <artifactId>oauth2-oidc-sdk</artifactId>
-            <version>7.4</version>
+            <version>8.23.1</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>

src/integrationtest/java/labapi/LabConstants.java

@@ -9,11 +9,11 @@ public class LabConstants {
     public final static String LAB_APP_ENDPOINT = "https://msidlab.com/api/App";
     public final static String LAB_LAB_ENDPOINT = "https://msidlab.com/api/Lab";
 
-    public final static String APP_ID_KEY_VAULT_SECRET = "https://msidlabs.vault.azure.net/secrets/LabVaultAppID/4032a45f48dc424d8edd445a42d25960";
-    public final static String APP_PASSWORD_KEY_VAULT_SECRET = "https://msidlabs.vault.azure.net/secrets/LabVaultAppSecret/c2be68b1f01d4861819d6afde2ec71e3";
-    public final static String USER_MSA_USERNAME_URL = "https://msidlabs.vault.azure.net/secrets/MSA-MSIDLAB4-UserName/a6df85b08cf54347a64db17fe34d9a5f";
-    public final static String USER_MSA_PASSWORD_URL= "https://msidlabs.vault.azure.net/secrets/MSA-MSIDLAB4-Password/69850200618d43cf86c5b51e4cf8a7e5";
-    public final static String OBO_APP_PASSWORD_URL = "https://msidlabs.vault.azure.net/secrets/TodoListServiceV2-OBO/c58ba97c34ca4464886943a847d1db56";
+    public final static String APP_ID_KEY_VAULT_SECRET = "https://msidlabs.vault.azure.net/secrets/LabVaultAppID";
+    public final static String APP_PASSWORD_KEY_VAULT_SECRET = "https://msidlabs.vault.azure.net/secrets/LabVaultAppSecret";
+    public final static String USER_MSA_USERNAME_URL = "https://msidlabs.vault.azure.net/secrets/MSA-MSIDLAB4-UserName";
+    public final static String USER_MSA_PASSWORD_URL= "https://msidlabs.vault.azure.net/secrets/MSA-MSIDLAB4-Password";
+    public final static String OBO_APP_PASSWORD_URL = "https://msidlabs.vault.azure.net/secrets/TodoListServiceV2-OBO";
 
     public final static String ARLINGTON_APP_ID = "cb7faed4-b8c0-49ee-b421-f5ed16894c83";
     public final static String ARLINGTON_OBO_APP_ID = "c0555d2d-02f2-4838-802e-3463422e571d";

src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscoveryProvider.java

@@ -3,22 +3,36 @@
 
 package com.microsoft.aad.msal4j;
 
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import java.net.URL;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
 import java.util.TreeSet;
+import java.util.Map;
+import java.util.HashMap;
 import java.util.concurrent.ConcurrentHashMap;
 
 class AadInstanceDiscoveryProvider {
 
     private final static String DEFAULT_TRUSTED_HOST = "login.microsoftonline.com";
     private final static String AUTHORIZE_ENDPOINT_TEMPLATE = "https://{host}/{tenant}/oauth2/v2.0/authorize";
     private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = "https://{host}/common/discovery/instance";
+    private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION = "https://{region}.{host}/common/discovery/instance";
     private final static String INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE = "?api-version=1.1&authorization_endpoint={authorizeEndpoint}";
+    private final static String REGION_NAME = "REGION_NAME";
+    // For information of the current api-version refer: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service#versioning
+    private final static String DEFAULT_API_VERSION = "2020-06-01";
+    private final static String IMDS_ENDPOINT = "https://169.254.169.254/metadata/instance/compute/location?" + DEFAULT_API_VERSION + "&format=text";
 
     final static TreeSet<String> TRUSTED_HOSTS_SET = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
 
+    private final static Logger log = LoggerFactory.getLogger(HttpHelper.class);
+
     static ConcurrentHashMap<String, InstanceDiscoveryMetadataEntry> cache = new ConcurrentHashMap<>();
 
     static {
@@ -102,26 +116,98 @@ private static String getInstanceDiscoveryEndpoint(String host) {
                 replace("{host}", discoveryHost);
     }
 
+    private static String getInstanceDiscoveryEndpointWithRegion(String host, String region) {
+
+        String discoveryHost = TRUSTED_HOSTS_SET.contains(host) ? host : DEFAULT_TRUSTED_HOST;
+
+        return INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION.
+                replace("{region}", region).
+                replace("{host}", discoveryHost);
+    }
+
     private static AadInstanceDiscoveryResponse sendInstanceDiscoveryRequest(URL authorityUrl,
                                                                              MsalRequest msalRequest,
                                                                              ServiceBundle serviceBundle) {
 
-        String instanceDiscoveryRequestUrl = getInstanceDiscoveryEndpoint(authorityUrl.getAuthority()) +
-                INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE.replace("{authorizeEndpoint}",
-                        getAuthorizeEndpoint(authorityUrl.getAuthority(),
-                                Authority.getTenant(authorityUrl, Authority.detectAuthorityType(authorityUrl))));
+        String region = StringHelper.EMPTY_STRING;
+        IHttpResponse httpResponse = null;
+
+        //If the autoDetectRegion parameter in the request is set, attempt to discover the region
+        if (msalRequest.application().autoDetectRegion()) {
+            region = discoverRegion(msalRequest, serviceBundle);
+        }
+
+        //If the region is known, attempt to make instance discovery request with region endpoint
+        if (!region.isEmpty()) {
+            String instanceDiscoveryRequestUrl = getInstanceDiscoveryEndpointWithRegion(authorityUrl.getAuthority(), region) +
+                    formInstanceDiscoveryParameters(authorityUrl);
+
+            httpResponse = httpRequest(instanceDiscoveryRequestUrl, msalRequest.headers().getReadonlyHeaderMap(), msalRequest, serviceBundle);
+        }
+
+        //If the region is unknown or the instance discovery failed at the region endpoint, try the global endpoint
+        if (region.isEmpty() || httpResponse == null || httpResponse.statusCode() != HTTPResponse.SC_OK) {
+            if (!region.isEmpty()) {
+                log.warn("Could not retrieve regional instance discovery metadata, falling back to global endpoint");
+            }
+
+            String instanceDiscoveryRequestUrl = getInstanceDiscoveryEndpoint(authorityUrl.getAuthority()) +
+                    formInstanceDiscoveryParameters(authorityUrl);
+
+            httpResponse = httpRequest(instanceDiscoveryRequestUrl, msalRequest.headers().getReadonlyHeaderMap(), msalRequest, serviceBundle);
+        }
 
+        return JsonHelper.convertJsonToObject(httpResponse.body(), AadInstanceDiscoveryResponse.class);
+    }
+
+    private static String formInstanceDiscoveryParameters(URL authorityUrl) {
+        return INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE.replace("{authorizeEndpoint}",
+                getAuthorizeEndpoint(authorityUrl.getAuthority(),
+                        Authority.getTenant(authorityUrl, Authority.detectAuthorityType(authorityUrl))));
+    }
+
+    private static IHttpResponse httpRequest(String requestUrl, Map<String, String> headers, MsalRequest msalRequest, ServiceBundle serviceBundle) {
         HttpRequest httpRequest = new HttpRequest(
                 HttpMethod.GET,
-                instanceDiscoveryRequestUrl,
-                msalRequest.headers().getReadonlyHeaderMap());
+                requestUrl,
+                headers);
 
-        IHttpResponse httpResponse= HttpHelper.executeHttpRequest(
+        return HttpHelper.executeHttpRequest(
                 httpRequest,
                 msalRequest.requestContext(),
                 serviceBundle);
+    }
 
-        return JsonHelper.convertJsonToObject(httpResponse.body(), AadInstanceDiscoveryResponse.class);
+    private static String discoverRegion(MsalRequest msalRequest, ServiceBundle serviceBundle) {
+
+        //Check if the REGION_NAME environment variable has a value for the region
+        if (System.getenv(REGION_NAME) != null) {
+            log.info("Region found in environment variable: " + System.getenv(REGION_NAME));
+
+            return System.getenv(REGION_NAME);
+        }
+
+        try {
+            //Check the IMDS endpoint to retrieve current region (will only work if application is running in an Azure VM)
+            Map<String, String> headers = new HashMap<>();
+            headers.put("Metadata", "true");
+            IHttpResponse httpResponse = httpRequest(IMDS_ENDPOINT, headers, msalRequest, serviceBundle);
+
+            //If call to IMDS endpoint was successful, return region from response body
+            if (httpResponse.statusCode() == HTTPResponse.SC_OK && !httpResponse.body().isEmpty()) {
+                log.info("Region retrieved from IMDS endpoint: " + httpResponse.body());
+
+                return httpResponse.body();
+            }
+
+            log.warn(String.format("Call to local IMDS failed with status code: %s, or response was empty", httpResponse.statusCode()));
+
+            return StringHelper.EMPTY_STRING;
+        } catch (Exception e) {
+            //IMDS call failed, cannot find region
+            log.warn(String.format("Exception during call to local IMDS endpoint: %s", e.getMessage()));
+            return StringHelper.EMPTY_STRING;
+        }
     }
 
     private static void doInstanceDiscoveryAndCache(URL authorityUrl,

src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java

@@ -96,6 +96,10 @@ abstract class AbstractClientApplicationBase implements IClientApplicationBase {
     @Getter
     private String clientCapabilities;
 
+    @Accessors(fluent = true)
+    @Getter
+    private boolean autoDetectRegion;
+
     @Override
     public CompletableFuture<IAuthenticationResult> acquireToken(AuthorizationCodeParameters parameters) {
 
@@ -292,6 +296,7 @@ abstract static class Builder<T extends Builder<T>> {
         private ITokenCacheAccessAspect tokenCacheAccessAspect;
         private AadInstanceDiscoveryResponse aadInstanceDiscoveryResponse;
         private String clientCapabilities;
+        private boolean autoDetectRegion;
         private Integer connectTimeoutForDefaultHttpClient;
         private Integer readTimeoutForDefaultHttpClient;
 
@@ -573,6 +578,22 @@ public T clientCapabilities(Set<String> capabilities) {
             return self();
         }
 
+        /**
+         * Indicates that the library should attempt to discover the Azure region the application is running in when
+         *  fetching the instance discovery metadata.
+         *
+         * If the region is found, token requests will be sent to the regional ESTS endpoint rather than the global endpoint.
+         * If region information could not be found, the library will fall back to using the global endpoint, which is also
+         *  the default behavior if this value is not set.
+         *
+         * @param val boolean (default is false)
+         * @return instance of the Builder on which method was called
+         */
+        public T autoDetectRegion(boolean val) {
+            autoDetectRegion = val;
+            return self();
+        }
+
         abstract AbstractClientApplicationBase build();
     }
 
@@ -599,6 +620,7 @@ public T clientCapabilities(Set<String> capabilities) {
         tokenCache = new TokenCache(builder.tokenCacheAccessAspect);
         aadAadInstanceDiscoveryResponse = builder.aadInstanceDiscoveryResponse;
         clientCapabilities = builder.clientCapabilities;
+        autoDetectRegion = builder.autoDetectRegion;
 
         if(aadAadInstanceDiscoveryResponse != null){
             AadInstanceDiscoveryProvider.cacheInstanceDiscoveryMetadata(

src/main/java/com/microsoft/aad/msal4j/AuthenticationResult.java

@@ -72,7 +72,7 @@ private IAccount getAccount() {
     private final ITenantProfile tenantProfile = getTenantProfile();
 
     private ITenantProfile getTenantProfile() {
-        if (idToken == null) {
+        if (StringHelper.isBlank(idToken)) {
             return null;
         }
 

src/main/java/com/microsoft/aad/msal4j/ClaimsRequest.java

@@ -3,10 +3,17 @@
 
 package com.microsoft.aad.msal4j;
 
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectReader;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import lombok.Getter;
 import lombok.Setter;
+
+import java.util.Iterator;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -34,6 +41,17 @@ public void requestClaimInIdToken(String claim, RequestedClaimAdditionalInfo req
         idTokenRequestedClaims.add(new RequestedClaim(claim, requestedClaimAdditionalInfo));
     }
 
+    /**
+
+     * Inserts a claim into the list of claims to be added to the "userinfo" section of an OIDC claims request
+     *
+     * @param claim the name of the claim to be requested
+     * @param requestedClaimAdditionalInfo additional information about the claim being requested
+     */
+    protected void requestClaimInUserInfo(String claim, RequestedClaimAdditionalInfo requestedClaimAdditionalInfo) {
+        userInfoRequestedClaims.add(new RequestedClaim(claim, requestedClaimAdditionalInfo));
+    }
+
     /**
      * Inserts a claim into the list of claims to be added to the "access_token" section of an OIDC claims request
      *
@@ -70,9 +88,63 @@ private ObjectNode convertClaimsToObjectNode(List<RequestedClaim> claims) {
         ObjectMapper mapper = new ObjectMapper();
         ObjectNode claimsNode = mapper.createObjectNode();
 
-        for (RequestedClaim claim: claims) {
+
+        for (RequestedClaim claim : claims) {
             claimsNode.setAll((ObjectNode) mapper.valueToTree(claim));
         }
         return claimsNode;
     }
+
+    /**
+     * Creates an instance of ClaimsRequest from a JSON-formatted String which follows the specification for the OIDC claims request parameter
+     *
+     * @param claims a String following JSON formatting
+     * @return a ClaimsRequest instance
+     */
+    public static ClaimsRequest formatAsClaimsRequest(String claims) {
+        try {
+            ClaimsRequest cr = new ClaimsRequest();
+
+            ObjectMapper mapper = new ObjectMapper();
+            ObjectReader reader = mapper.readerFor(new TypeReference<List<String>>() {});
+
+            JsonNode jsonClaims = mapper.readTree(claims);
+
+            addClaimsFromJsonNode(jsonClaims.get("id_token"), "id_token", cr, reader);
+            addClaimsFromJsonNode(jsonClaims.get("userinfo"), "userinfo", cr, reader);
+            addClaimsFromJsonNode(jsonClaims.get("access_token"), "access_token", cr, reader);
+
+            return cr;
+        } catch (IOException e) {
+            throw new MsalClientException("Could not convert string to ClaimsRequest: " + e.getMessage(), AuthenticationErrorCode.INVALID_JSON);
+        }
+    }
+
+    private static void addClaimsFromJsonNode(JsonNode claims, String group, ClaimsRequest cr, ObjectReader reader) throws IOException {
+        Iterator<String> claimsIterator;
+
+        if (claims != null) {
+            claimsIterator = claims.fieldNames();
+            while (claimsIterator.hasNext()) {
+                String claim = claimsIterator.next();
+                Boolean essential = null;
+                String value = null;
+                List<String> values = null;
+                RequestedClaimAdditionalInfo claimInfo = null;
+
+                if (claims.get(claim).has("essential")) essential = claims.get(claim).get("essential").asBoolean();
+                if (claims.get(claim).has("value")) value = claims.get(claim).get("value").textValue();
+                if (claims.get(claim).has("values")) values = reader.readValue(claims.get(claim).get("values"));
+
+                //'null' is a valid value for RequestedClaimAdditionalInfo, so only initialize it if one of the parameters is not null
+                if (essential != null || value != null || values != null) {
+                    claimInfo = new RequestedClaimAdditionalInfo(essential == null ? false : essential, value, values);
+                }
+
+                if (group.equals("id_token")) cr.requestClaimInIdToken(claim, claimInfo);
+                if (group.equals("userinfo")) cr.requestClaimInUserInfo(claim, claimInfo);
+                if (group.equals("access_token")) cr.requestClaimInAccessToken(claim, claimInfo);
+            }
+        }
+    }
 }

src/samples/msal-b2c-web-sample/pom.xml

@@ -23,7 +23,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>msal4j</artifactId>
-			<version>1.8.1</version>
+			<version>1.9.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>