Merge pull request #929 from AzureAD/nebharg/AddAPIsTR

Add APIs to add client capabilities and claims

Author: neha-bhargava

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java

@@ -52,6 +52,7 @@ AuthenticationResult execute() throws Exception {
             SilentParameters parameters = SilentParameters
                     .builder(scopes)
                     .tenant(managedIdentityParameters.tenant())
+                    .claims(managedIdentityParameters.claims())
                     .build();
 
             RequestContext context = new RequestContext(

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityApplication.java

@@ -5,6 +5,7 @@
 
 import org.slf4j.LoggerFactory;
 
+import java.util.List;
 import java.util.concurrent.CompletableFuture;
 
 /**
@@ -56,6 +57,7 @@ static IEnvironmentVariables getEnvironmentVariables() {
     public ManagedIdentityId getManagedIdentityId() {
         return this.managedIdentityId;
     }
+    
     @Override
     public CompletableFuture<IAuthenticationResult> acquireTokenForManagedIdentity(ManagedIdentityParameters managedIdentityParameters)
             throws Exception {
@@ -86,6 +88,7 @@ public static class Builder extends AbstractApplicationBase.Builder<Builder> {
 
         private String resource;
         private ManagedIdentityId managedIdentityId;
+        private List<String> clientCapabilities;
 
         private Builder(ManagedIdentityId managedIdentityId) {
             super(managedIdentityId.getIdType() == ManagedIdentityIdType.SYSTEM_ASSIGNED ?
@@ -99,9 +102,22 @@ public Builder resource(String resource) {
             return self();
         }
 
+        /**
+         * Informs the token issuer that the application is able to perform complex authentication actions.
+         * For example, "cp1" means that the application is able to perform conditional access evaluation,
+         * because the application has been setup to parse WWW-Authenticate headers associated with a 401 response from the protected APIs,
+         * and to retry the request with claims API.
+         * 
+         * @param clientCapabilities a list of capabilities (e.g., ["cp1"]) recognized by the token service.
+         * @return instance of Builder of ManagedIdentityApplication.
+         */
+        public Builder clientCapabilities(List<String> clientCapabilities) {
+            this.clientCapabilities = clientCapabilities;
+            return self();
+        }
+
         @Override
         public ManagedIdentityApplication build() {
-
             return new ManagedIdentityApplication(this);
         }
 

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityParameters.java

@@ -14,10 +14,12 @@ public class ManagedIdentityParameters implements IAcquireTokenParameters {
 
     String resource;
     boolean forceRefresh;
+    String claims;
 
-    private ManagedIdentityParameters(String resource, boolean forceRefresh) {
+    private ManagedIdentityParameters(String resource, boolean forceRefresh, String claims) {
         this.resource = resource;
         this.forceRefresh = forceRefresh;
+        this.claims = claims;
     }
 
     @Override
@@ -27,7 +29,17 @@ public Set<String> scopes() {
 
     @Override
     public ClaimsRequest claims() {
-        return null;
+        if (claims == null || claims.isEmpty()) {
+            return null;
+        }
+
+        try {
+            return ClaimsRequest.formatAsClaimsRequest(claims);
+        } catch (Exception ex) {
+            // Log the exception if the claims JSON is invalid
+            throw new MsalClientException("Failed to parse claims JSON: " + ex.getMessage(),
+                                         AuthenticationErrorCode.INVALID_JSON);
+        }
     }
 
     @Override
@@ -69,6 +81,7 @@ public String resource() {
     public static class ManagedIdentityParametersBuilder {
         private String resource;
         private boolean forceRefresh;
+        private String claims;
 
         ManagedIdentityParametersBuilder() {
         }
@@ -83,8 +96,25 @@ public ManagedIdentityParametersBuilder forceRefresh(boolean forceRefresh) {
             return this;
         }
 
+        /**
+         * Instructs the SDK to bypass any token caches and to request new tokens with an additional claims challenge.
+         * The claims challenge string is opaque to applications and should not be parsed.
+         * The claims challenge string is issued either by the STS as part of an error response or by the resource,
+         * as part of an HTTP 401 response, in the WWW-Authenticate header.
+         * For more details see https://learn.microsoft.com/entra/identity-platform/app-resilience-continuous-access-evaluation?tabs=dotnet
+         *
+         * @param claims a valid JSON string representing additional claims
+         * @return this builder instance
+         */
+        public ManagedIdentityParametersBuilder claims(String claims) {
+            ParameterValidationUtils.validateNotBlank("claims", claims);
+
+            this.claims = claims;
+            return this;
+        }
+
         public ManagedIdentityParameters build() {
-            return new ManagedIdentityParameters(this.resource, this.forceRefresh);
+            return new ManagedIdentityParameters(this.resource, this.forceRefresh, this.claims);
         }
 
         public String toString() {

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTestDataProvider.java

@@ -114,4 +114,11 @@ public static Stream<Arguments> createDataGetSource() {
                 Arguments.of(ManagedIdentitySourceType.IMDS, "", ManagedIdentitySourceType.DEFAULT_TO_IMDS),
                 Arguments.of(ManagedIdentitySourceType.SERVICE_FABRIC, ManagedIdentityTests.serviceFabricEndpoint, ManagedIdentitySourceType.SERVICE_FABRIC));
     }
+
+    public static Stream<Arguments> createInvalidClaimsData() {
+        return Stream.of(
+                Arguments.of("invalid json format"),
+                Arguments.of("{\"access_token\": }")
+        );
+    }
 }