Update code

Author: neha-bhargava

msal4j-sdk/pom.xml

@@ -157,12 +157,6 @@
             <version>2.14.0</version>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>jakarta.xml.bind</groupId>
-            <artifactId>jakarta.xml.bind-api</artifactId>
-            <version>2.3.2</version>
-            <scope>compile</scope>
-        </dependency>
     </dependencies>
 
     <!-- force https -->

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractManagedIdentitySource.java

@@ -41,6 +41,7 @@ public ManagedIdentityResponse getManagedIdentityResponse(
             ManagedIdentityParameters parameters) {
 
         createManagedIdentityRequest(parameters.resource);
+        managedIdentityRequest.addTokenRevocationParametersToQuery(parameters);
         IHttpResponse response;
 
         try {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java

@@ -83,6 +83,12 @@ AuthenticationResult execute() throws Exception {
                 result.metadata().tokenSource(TokenSource.CACHE);
                 return result;
             } else {
+                if (cacheRefreshReason == CacheRefreshReason.CLAIMS) {
+                    LOG.debug("Claims are passed, creating token hash and refreshing the token");
+                    managedIdentityParameters.revokedTokenHash = StringHelper.createSha256HashHexString(result.accessToken());
+                    return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, CacheRefreshReason.CLAIMS);
+                }
+
                 LOG.debug(String.format("Refreshing access token. Cache refresh reason: %s", cacheRefreshReason));
                 return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
             }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/Constants.java

@@ -3,6 +3,9 @@
 
 package com.microsoft.aad.msal4j;
 
+import java.util.HashSet;
+import java.util.Set;
+
 final class Constants {
 
     static final String CACHE_KEY_SEPARATOR = "-";
@@ -24,13 +27,12 @@ final class Constants {
     public static final String IDENTITY_SERVER_THUMBPRINT = "IDENTITY_SERVER_THUMBPRINT";
 
     // Constants for token revocation and client capabilities
-    public static final String CLIENT_CAPABILITY_CP1 = "cp1";
-    public static final String TOKEN_REVOCATION_REQUEST_PARAM = "x-ms-revoke-token";
-    public static final String TOKEN_HASH_CLAIM = "x-ms-token-hash";
+    public static final String TOKEN_HASH_CLAIM = "token_sha256_to_refresh";
+    public static final String CLIENT_CAPABILITY_REQUEST_PARAM = "xms_cc";
 
     // Only Service Fabric and App Service managed identity environments support token revocation
-    public static final ManagedIdentitySourceType[] TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS = {
-            ManagedIdentitySourceType.SERVICE_FABRIC
-    };
+    public static final Set<ManagedIdentitySourceType> TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS = new HashSet<ManagedIdentitySourceType>() {{
+        add(ManagedIdentitySourceType.SERVICE_FABRIC);
+    }};
 
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityParameters.java

@@ -15,12 +15,11 @@ public class ManagedIdentityParameters implements IAcquireTokenParameters {
     String resource;
     boolean forceRefresh;
     String claims;
-    private String tokenToRevoke;    
-    private ManagedIdentityParameters(String resource, boolean forceRefresh, String claims, String tokenToRevoke) {
+    String revokedTokenHash;
+    private ManagedIdentityParameters(String resource, boolean forceRefresh, String claims) {
         this.resource = resource;
         this.forceRefresh = forceRefresh;
         this.claims = claims;
-        this.tokenToRevoke = tokenToRevoke;
     }
 
     @Override
@@ -79,19 +78,14 @@ public String resource() {
         return this.resource;
     }
 
-    /**
-     * Gets the token to be revoked in supported Managed Identity environments.
-     * @return the token to be revoked
-     */
-    public String getTokenToRevoke() {
-        return this.tokenToRevoke;
+    public String revokedTokenHash() {
+        return this.revokedTokenHash;
     }
 
     public static class ManagedIdentityParametersBuilder {
         private String resource;
         private boolean forceRefresh;
         private String claims;
-        private String tokenToRevoke;
 
         ManagedIdentityParametersBuilder() {
         }
@@ -122,23 +116,9 @@ public ManagedIdentityParametersBuilder claims(String claims) {
             this.claims = claims;
             return this;
         }
-        
-        /**
-         * Specifies a token to be revoked in supported Managed Identity environments (App Service, Service Fabric).
-         * The token will be converted to a SHA256 hash for revocation to avoid transmitting the original token.
-         * 
-         * @param tokenToRevoke The access token to revoke
-         * @return this builder instance
-         */
-        public ManagedIdentityParametersBuilder tokenToRevoke(String tokenToRevoke) {
-            ParameterValidationUtils.validateNotBlank("tokenToRevoke", tokenToRevoke);
-            
-            this.tokenToRevoke = tokenToRevoke;
-            return this;
-        }
 
         public ManagedIdentityParameters build() {
-            return new ManagedIdentityParameters(this.resource, this.forceRefresh, this.claims, this.tokenToRevoke);
+            return new ManagedIdentityParameters(this.resource, this.forceRefresh, this.claims);
         }
 
         public String toString() {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityRequest.java

@@ -32,36 +32,6 @@ class ManagedIdentityRequest extends MsalRequest {
 
     public ManagedIdentityRequest(ManagedIdentityApplication managedIdentityApplication, RequestContext requestContext) {
         super(managedIdentityApplication, requestContext);
-        
-        // Check if the environment supports token revocation
-        ManagedIdentitySourceType sourceType = ManagedIdentityClient.getManagedIdentitySource();
-        boolean supportsTokenRevocation = false;
-        
-        for (ManagedIdentitySourceType type : Constants.TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS) {
-            if (type == sourceType) {
-                supportsTokenRevocation = true;
-                break;
-            }
-        }
-        
-        // If client capabilities include CP1 (token revocation) and the source type supports it,
-        // add the token revocation parameter to query parameters
-        if (supportsTokenRevocation && 
-            managedIdentityApplication.getClientCapabilities() != null &&
-            managedIdentityApplication.getClientCapabilities().contains(Constants.CLIENT_CAPABILITY_CP1)) {
-            
-            if (requestContext.apiParameters() instanceof ManagedIdentityParameters) {
-                ManagedIdentityParameters parameters = (ManagedIdentityParameters) requestContext.apiParameters();
-                if (parameters.getTokenToRevoke() != null && !parameters.getTokenToRevoke().isEmpty()) {
-                    LOG.info("[Managed Identity] Adding token revocation parameter to request");
-                    if (queryParameters == null) {
-                        queryParameters = new HashMap<>();
-                    }
-                    String tokenHash = StringHelper.createSha256HashHexString(parameters.getTokenToRevoke());
-                    queryParameters.put(Constants.TOKEN_REVOCATION_REQUEST_PARAM, Collections.singletonList(tokenHash));
-                }
-            }
-        }
     }
 
     public String getBodyAsString() {
@@ -106,4 +76,35 @@ void addUserAssignedIdToQuery(ManagedIdentityIdType idType, String userAssignedI
                 break;
         }
     }
+
+    void addTokenRevocationParametersToQuery(ManagedIdentityParameters parameters) {
+        // Check if the environment supports token revocation
+        ManagedIdentitySourceType sourceType = ManagedIdentityClient.getManagedIdentitySource();
+        boolean supportsTokenRevocation = Constants.TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS
+                .contains(sourceType);
+
+        // If token revocation is supported, pass the client capabilities and token revocation parameters
+        if (supportsTokenRevocation) {
+            ManagedIdentityApplication managedIdentityApplication =
+                    (ManagedIdentityApplication) this.application();
+
+            // Pass capabilities if present.
+            if (managedIdentityApplication.getClientCapabilities() != null &&
+                    !managedIdentityApplication.getClientCapabilities().isEmpty()) {
+                // Add client capabilities as a comma separated string for all the values in client capabilities
+                String clientCapabilities = String.join(",", managedIdentityApplication.getClientCapabilities());
+
+                queryParameters.put(Constants.CLIENT_CAPABILITY_REQUEST_PARAM, Collections.singletonList(clientCapabilities.toString()));
+            }
+
+            // Pass the token revocation parameter if the claims are present and there is a token to revoke
+            if (!StringHelper.isNullOrBlank(parameters.claims) && !StringHelper.isNullOrBlank(parameters.revokedTokenHash())) {
+                LOG.info("[Managed Identity] Adding token revocation parameter to request");
+                if (queryParameters == null) {
+                    queryParameters = new HashMap<>();
+                }
+                queryParameters.put(Constants.TOKEN_HASH_CLAIM, Collections.singletonList(parameters.revokedTokenHash()));
+            }
+        }
+    }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ServiceFabricManagedIdentitySource.java

@@ -57,6 +57,7 @@ public ManagedIdentityResponse getManagedIdentityResponse(
             ManagedIdentityParameters parameters) {
 
         createManagedIdentityRequest(parameters.resource);
+        managedIdentityRequest.addTokenRevocationParametersToQuery(parameters);
         IHttpResponse response;
 
         try {

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTests.java

@@ -70,16 +70,34 @@ private String getMsiErrorResponseNoRetry() {
         return "{\"statusCode\":\"123\",\"message\":\"Not one of the retryable error responses\",\"correlationId\":\"7d0c9763-ff1d-4842-a3f3-6d49e64f4513\"}";
     }
 
+    private HttpRequest expectedRequest(ManagedIdentitySourceType source, String resource, boolean hasClaims, boolean hasCapabilities, String expectedTokenHash) {
+        return expectedRequest(source, resource, ManagedIdentityId.systemAssigned(), hasClaims, hasCapabilities, expectedTokenHash);
+    }
+
+    private HttpRequest expectedRequest(ManagedIdentitySourceType source, String resource, ManagedIdentityId id) {
+        return expectedRequest(source, resource, id, false, false, null);
+    }
+
     private HttpRequest expectedRequest(ManagedIdentitySourceType source, String resource) {
-        return expectedRequest(source, resource, ManagedIdentityId.systemAssigned());
+        return expectedRequest(source, resource, ManagedIdentityId.systemAssigned(), false, false, null);
     }
 
     private HttpRequest expectedRequest(ManagedIdentitySourceType source, String resource,
-            ManagedIdentityId id) {
+            ManagedIdentityId id, boolean hasClaims, boolean hasCapabilities, String expectedTokenHash) {
         String endpoint = null;
         Map<String, String> headers = new HashMap<>();
         Map<String, List<String>> queryParameters = new HashMap<>();
 
+        if (Constants.TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS.contains(source)) {
+            if (hasCapabilities) {
+                queryParameters.put(Constants.CLIENT_CAPABILITY_REQUEST_PARAM, Collections.singletonList("cp1"));
+            }
+
+            if (hasClaims) {
+                queryParameters.put(Constants.TOKEN_HASH_CLAIM, Collections.singletonList(expectedTokenHash));
+            }
+        }
+
         switch (source) {
             case APP_SERVICE:
                 endpoint = appServiceEndpoint;
@@ -93,12 +111,6 @@ private HttpRequest expectedRequest(ManagedIdentitySourceType source, String res
                 headers.put("Metadata", "true");
                 queryParameters.put("resource", Collections.singletonList(resource));
                 break;
-            case IMDS:
-                endpoint = IMDS_ENDPOINT;
-                queryParameters.put("api-version", Collections.singletonList("2018-02-01"));
-                queryParameters.put("resource", Collections.singletonList(resource));
-                headers.put("Metadata", "true");
-                break;
             case AZURE_ARC:
                 endpoint = azureArcEndpoint;
                 queryParameters.put("api-version", Collections.singletonList("2019-11-01"));
@@ -111,6 +123,7 @@ private HttpRequest expectedRequest(ManagedIdentitySourceType source, String res
                 queryParameters.put("resource", Collections.singletonList(resource));
                 headers.put("secret", "secret");
                 break;
+            case IMDS:
             case NONE:
             case DEFAULT_TO_IMDS:
                 endpoint = IMDS_ENDPOINT;
@@ -657,6 +670,9 @@ void managedIdentityTest_WithClaims(ManagedIdentitySourceType source, String end
         assertNotNull(result.accessToken());
         assertEquals(TokenSource.CACHE, result.metadata().tokenSource());
 
+        String expectedTokenHash = StringHelper.createSha256HashHexString(result.accessToken());
+        when(httpClientMock.send(expectedRequest(source, resource, true, false, expectedTokenHash))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
+
         // Third call, when claims are passed bypass the cache.
         result = miApp.acquireTokenForManagedIdentity(
                 ManagedIdentityParameters.builder(resource)
@@ -679,7 +695,7 @@ void managedIdentity_ClaimsAndCapabilities(ManagedIdentitySourceType source, Str
             ServiceFabricManagedIdentitySource.setHttpClient(httpClientMock);
         }
 
-        when(httpClientMock.send(expectedRequest(source, resource))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
+        when(httpClientMock.send(expectedRequest(source, resource, false, true, null))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
 
         miApp = ManagedIdentityApplication
                 .builder(ManagedIdentityId.systemAssigned())
@@ -707,6 +723,9 @@ void managedIdentity_ClaimsAndCapabilities(ManagedIdentitySourceType source, Str
         assertNotNull(result.accessToken());
         assertEquals(TokenSource.CACHE, result.metadata().tokenSource());
 
+        String expectedTokenHash = StringHelper.createSha256HashHexString(result.accessToken());
+        when(httpClientMock.send(expectedRequest(source, resource, true, true, expectedTokenHash))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
+
         // Third call, when claims are passed bypass the cache.
         result = miApp.acquireTokenForManagedIdentity(
                 ManagedIdentityParameters.builder(resource)
@@ -715,8 +734,6 @@ void managedIdentity_ClaimsAndCapabilities(ManagedIdentitySourceType source, Str
 
         assertNotNull(result.accessToken());
         assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
-
-        verify(httpClientMock, times(2)).send(any());
     }
 
     @ParameterizedTest

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/TokenRevocationTest.java

@@ -33,26 +33,11 @@ public void testTokenToRevokeValidation() {
     @Test
     public void testManagedIdentityParametersBuilder() {
         ManagedIdentityParameters params = ManagedIdentityParameters.builder(TEST_RESOURCE)
-                .tokenToRevoke(TEST_TOKEN)
                 .build();
-        
+
+        params.revokedTokenHash = StringHelper.createSha256HashHexString(TEST_TOKEN);
+
         assertEquals(TEST_RESOURCE, params.resource());
-        assertEquals(TEST_TOKEN, params.getTokenToRevoke());
-    }
-    
-    @Test
-    public void testManagedIdentityParametersBuilderValidation() {
-        // Should throw exception when tokenToRevoke is null or empty
-        assertThrows(IllegalArgumentException.class, () -> {
-            ManagedIdentityParameters.builder(TEST_RESOURCE)
-                .tokenToRevoke(null)
-                .build();
-        });
-        
-        assertThrows(IllegalArgumentException.class, () -> {
-            ManagedIdentityParameters.builder(TEST_RESOURCE)
-                .tokenToRevoke("")
-                .build();
-        });
+        assertEquals(EXPECTED_TOKEN_HASH, params.revokedTokenHash());
     }
 }