Merge pull request #943 from AzureAD/nebharg/PassClaimsAndCapabilities

Token revocation for service fabric

Author: neha-bhargava

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractManagedIdentitySource.java

@@ -41,6 +41,7 @@ public ManagedIdentityResponse getManagedIdentityResponse(
             ManagedIdentityParameters parameters) {
 
         createManagedIdentityRequest(parameters.resource);
+        managedIdentityRequest.addTokenRevocationParametersToQuery(parameters);
         IHttpResponse response;
 
         try {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByManagedIdentitySupplier.java

@@ -83,6 +83,12 @@ AuthenticationResult execute() throws Exception {
                 result.metadata().tokenSource(TokenSource.CACHE);
                 return result;
             } else {
+                if (cacheRefreshReason == CacheRefreshReason.CLAIMS) {
+                    LOG.debug("Claims are passed, creating token hash and refreshing the token");
+                    managedIdentityParameters.revokedTokenHash = StringHelper.createSha256HashHexString(result.accessToken());
+                    return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, CacheRefreshReason.CLAIMS);
+                }
+
                 LOG.debug(String.format("Refreshing access token. Cache refresh reason: %s", cacheRefreshReason));
                 return fetchNewAccessTokenAndSaveToCache(tokenRequestExecutor, cacheRefreshReason);
             }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthenticationErrorCode.java

@@ -147,4 +147,10 @@ public class AuthenticationErrorCode {
      * For more information on managed identity see https://aka.ms/msal4j-managed-identity.
      */
     public static final String MANAGED_IDENTITY_REQUEST_FAILED = "managed_identity_request_failed";
+
+    /**
+     * Indicates a cryptographic operation error occurred, such as when generating hash values
+     * or performing other cryptographic functions.
+     */
+    public static final String CRYPTO_ERROR = "crypto_error";
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/Constants.java

@@ -3,6 +3,9 @@
 
 package com.microsoft.aad.msal4j;
 
+import java.util.HashSet;
+import java.util.Set;
+
 final class Constants {
 
     static final String CACHE_KEY_SEPARATOR = "-";
@@ -23,4 +26,13 @@ final class Constants {
     public static final String MSI_ENDPOINT = "MSI_ENDPOINT";
     public static final String IDENTITY_SERVER_THUMBPRINT = "IDENTITY_SERVER_THUMBPRINT";
 
+    // Constants for token revocation and client capabilities
+    public static final String TOKEN_HASH_CLAIM = "token_sha256_to_refresh";
+    public static final String CLIENT_CAPABILITY_REQUEST_PARAM = "xms_cc";
+    
+    // Only Service Fabric managed identity environments support token revocation
+    public static final Set<ManagedIdentitySourceType> TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS = new HashSet<ManagedIdentitySourceType>() {{
+        add(ManagedIdentitySourceType.SERVICE_FABRIC);
+    }};
+
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityApplication.java

@@ -17,6 +17,7 @@
 public class ManagedIdentityApplication extends AbstractApplicationBase implements IManagedIdentityApplication {
 
     private final ManagedIdentityId managedIdentityId;
+    private List<String> clientCapabilities;
     static TokenCache sharedTokenCache = new TokenCache();
 
     //Deprecated the field in favor of the static getManagedIdentitySource method
@@ -44,6 +45,7 @@ private ManagedIdentityApplication(Builder builder) {
 
         this.managedIdentityId = builder.managedIdentityId;
         this.tenant = Constants.MANAGED_IDENTITY_DEFAULT_TENTANT;
+        this.clientCapabilities = builder.clientCapabilities;
     }
 
     public static TokenCache getSharedTokenCache() {
@@ -57,6 +59,8 @@ static IEnvironmentVariables getEnvironmentVariables() {
     public ManagedIdentityId getManagedIdentityId() {
         return this.managedIdentityId;
     }
+
+    public List<String> getClientCapabilities() { return this.clientCapabilities; }
 
     @Override
     public CompletableFuture<IAuthenticationResult> acquireTokenForManagedIdentity(ManagedIdentityParameters managedIdentityParameters)
@@ -105,7 +109,7 @@ public Builder resource(String resource) {
         /**
          * Informs the token issuer that the application is able to perform complex authentication actions.
          * For example, "cp1" means that the application is able to perform conditional access evaluation,
-         * because the application has been setup to parse WWW-Authenticate headers associated with a 401 response from the protected APIs,
+         * because the application has been set up to parse WWW-Authenticate headers associated with a 401 response from the protected APIs,
          * and to retry the request with claims API.
          * 
          * @param clientCapabilities a list of capabilities (e.g., ["cp1"]) recognized by the token service.

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityParameters.java

@@ -15,7 +15,8 @@ public class ManagedIdentityParameters implements IAcquireTokenParameters {
     String resource;
     boolean forceRefresh;
     String claims;
-
+    String revokedTokenHash;
+    
     private ManagedIdentityParameters(String resource, boolean forceRefresh, String claims) {
         this.resource = resource;
         this.forceRefresh = forceRefresh;
@@ -78,6 +79,10 @@ public String resource() {
         return this.resource;
     }
 
+    public String revokedTokenHash() {
+        return this.revokedTokenHash;
+    }
+
     public static class ManagedIdentityParametersBuilder {
         private String resource;
         private boolean forceRefresh;

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityRequest.java

@@ -12,6 +12,7 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -75,4 +76,35 @@ void addUserAssignedIdToQuery(ManagedIdentityIdType idType, String userAssignedI
                 break;
         }
     }
+
+    void addTokenRevocationParametersToQuery(ManagedIdentityParameters parameters) {
+        // Check if the environment supports token revocation
+        ManagedIdentitySourceType sourceType = ManagedIdentityClient.getManagedIdentitySource();
+        boolean supportsTokenRevocation = Constants.TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS
+                .contains(sourceType);
+
+        // If token revocation is supported, pass the client capabilities and token revocation parameters
+        if (supportsTokenRevocation) {
+            ManagedIdentityApplication managedIdentityApplication =
+                    (ManagedIdentityApplication) this.application();
+
+            // Pass capabilities if present.
+            if (managedIdentityApplication.getClientCapabilities() != null &&
+                    !managedIdentityApplication.getClientCapabilities().isEmpty()) {
+                // Add client capabilities as a comma separated string for all the values in client capabilities
+                String clientCapabilities = String.join(",", managedIdentityApplication.getClientCapabilities());
+
+                queryParameters.put(Constants.CLIENT_CAPABILITY_REQUEST_PARAM, Collections.singletonList(clientCapabilities.toString()));
+            }
+
+            // Pass the token revocation parameter if the claims are present and there is a token to revoke
+            if (!StringHelper.isNullOrBlank(parameters.claims) && !StringHelper.isNullOrBlank(parameters.revokedTokenHash())) {
+                LOG.info("[Managed Identity] Adding token revocation parameter to request");
+                if (queryParameters == null) {
+                    queryParameters = new HashMap<>();
+                }
+                queryParameters.put(Constants.TOKEN_HASH_CLAIM, Collections.singletonList(parameters.revokedTokenHash()));
+            }
+        }
+    }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ServiceFabricManagedIdentitySource.java

@@ -57,6 +57,7 @@ public ManagedIdentityResponse getManagedIdentityResponse(
             ManagedIdentityParameters parameters) {
 
         createManagedIdentityRequest(parameters.resource);
+        managedIdentityRequest.addTokenRevocationParametersToQuery(parameters);
         IHttpResponse response;
 
         try {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/StringHelper.java

@@ -41,7 +41,40 @@ static private String createSha256Hash(String stringToHash, boolean base64Encode
         return res;
     }
 
-    public static boolean isNullOrBlank(final String str) {
+    /**
+     * Creates a SHA-256 hash of the input string and returns it as a lowercase hex string.
+     * This is used for token revocation and other scenarios requiring hex hash representation.
+     *
+     * @param stringToHash The string to hash
+     * @return The SHA-256 hash of the string as a lowercase hex string
+     * @throws MsalClientException If the SHA-256 algorithm is not available
+     */
+    static String createSha256HashHexString(String stringToHash) {
+        if (stringToHash == null || stringToHash.isEmpty()) {
+            throw new IllegalArgumentException("String to hash cannot be null or empty");
+        }
+
+        try {
+            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
+            byte[] hash = messageDigest.digest(stringToHash.getBytes(StandardCharsets.UTF_8));
+            
+            // Convert to hex string
+            StringBuilder hexString = new StringBuilder();
+            for (byte b : hash) {
+                String hex = Integer.toHexString(0xff & b);
+                if (hex.length() == 1) {
+                    hexString.append('0');
+                }
+                hexString.append(hex);
+            }
+            return hexString.toString();
+        } catch (NoSuchAlgorithmException e) {
+            throw new MsalClientException("Failed to create SHA-256 hash: " + e.getMessage(),
+                    AuthenticationErrorCode.CRYPTO_ERROR);
+        }
+    }
+
+    static boolean isNullOrBlank(final String str) {
         return str == null || str.trim().length() == 0;
     }
 }

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/ManagedIdentityTests.java

@@ -70,16 +70,34 @@ private String getMsiErrorResponseNoRetry() {
         return "{\"statusCode\":\"123\",\"message\":\"Not one of the retryable error responses\",\"correlationId\":\"7d0c9763-ff1d-4842-a3f3-6d49e64f4513\"}";
     }
 
+    private HttpRequest expectedRequest(ManagedIdentitySourceType source, String resource, boolean hasClaims, boolean hasCapabilities, String expectedTokenHash) {
+        return expectedRequest(source, resource, ManagedIdentityId.systemAssigned(), hasClaims, hasCapabilities, expectedTokenHash);
+    }
+
+    private HttpRequest expectedRequest(ManagedIdentitySourceType source, String resource, ManagedIdentityId id) {
+        return expectedRequest(source, resource, id, false, false, null);
+    }
+
     private HttpRequest expectedRequest(ManagedIdentitySourceType source, String resource) {
-        return expectedRequest(source, resource, ManagedIdentityId.systemAssigned());
+        return expectedRequest(source, resource, ManagedIdentityId.systemAssigned(), false, false, null);
     }
 
     private HttpRequest expectedRequest(ManagedIdentitySourceType source, String resource,
-            ManagedIdentityId id) {
+            ManagedIdentityId id, boolean hasClaims, boolean hasCapabilities, String expectedTokenHash) {
         String endpoint = null;
         Map<String, String> headers = new HashMap<>();
         Map<String, List<String>> queryParameters = new HashMap<>();
 
+        if (Constants.TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS.contains(source)) {
+            if (hasCapabilities) {
+                queryParameters.put(Constants.CLIENT_CAPABILITY_REQUEST_PARAM, Collections.singletonList("cp1"));
+            }
+
+            if (hasClaims) {
+                queryParameters.put(Constants.TOKEN_HASH_CLAIM, Collections.singletonList(expectedTokenHash));
+            }
+        }
+
         switch (source) {
             case APP_SERVICE:
                 endpoint = appServiceEndpoint;
@@ -93,12 +111,6 @@ private HttpRequest expectedRequest(ManagedIdentitySourceType source, String res
                 headers.put("Metadata", "true");
                 queryParameters.put("resource", Collections.singletonList(resource));
                 break;
-            case IMDS:
-                endpoint = IMDS_ENDPOINT;
-                queryParameters.put("api-version", Collections.singletonList("2018-02-01"));
-                queryParameters.put("resource", Collections.singletonList(resource));
-                headers.put("Metadata", "true");
-                break;
             case AZURE_ARC:
                 endpoint = azureArcEndpoint;
                 queryParameters.put("api-version", Collections.singletonList("2019-11-01"));
@@ -111,6 +123,7 @@ private HttpRequest expectedRequest(ManagedIdentitySourceType source, String res
                 queryParameters.put("resource", Collections.singletonList(resource));
                 headers.put("secret", "secret");
                 break;
+            case IMDS:
             case NONE:
             case DEFAULT_TO_IMDS:
                 endpoint = IMDS_ENDPOINT;
@@ -657,6 +670,9 @@ void managedIdentityTest_WithClaims(ManagedIdentitySourceType source, String end
         assertNotNull(result.accessToken());
         assertEquals(TokenSource.CACHE, result.metadata().tokenSource());
 
+        String expectedTokenHash = StringHelper.createSha256HashHexString(result.accessToken());
+        when(httpClientMock.send(expectedRequest(source, resource, true, false, expectedTokenHash))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
+
         // Third call, when claims are passed bypass the cache.
         result = miApp.acquireTokenForManagedIdentity(
                 ManagedIdentityParameters.builder(resource)
@@ -669,6 +685,46 @@ void managedIdentityTest_WithClaims(ManagedIdentitySourceType source, String end
         verify(httpClientMock, times(2)).send(any());
     }
 
+    @ParameterizedTest
+    @MethodSource("com.microsoft.aad.msal4j.ManagedIdentityTestDataProvider#createDataError")
+    void managedIdentityTest_WithCapabilitiesOnly(ManagedIdentitySourceType source, String endpoint) throws Exception {
+        IEnvironmentVariables environmentVariables = new EnvironmentVariablesHelper(source, endpoint);
+        ManagedIdentityApplication.setEnvironmentVariables(environmentVariables);
+        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
+        if (source == SERVICE_FABRIC) {
+            ServiceFabricManagedIdentitySource.setHttpClient(httpClientMock);
+        }
+
+        when(httpClientMock.send(expectedRequest(source, resource, false, true, null))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
+
+        miApp = ManagedIdentityApplication
+                .builder(ManagedIdentityId.systemAssigned())
+                .httpClient(httpClientMock)
+                .clientCapabilities(singletonList("cp1"))
+                .build();
+
+        // Clear caching to avoid cross test pollution.
+        miApp.tokenCache().accessTokens.clear();
+
+        // First call, get the token from the identity provider.
+        IAuthenticationResult result = miApp.acquireTokenForManagedIdentity(
+                ManagedIdentityParameters.builder(resource)
+                        .build()).get();
+
+        assertNotNull(result.accessToken());
+        assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
+
+        // Second call, get the token from the cache without passing the claims.
+        result = miApp.acquireTokenForManagedIdentity(
+                ManagedIdentityParameters.builder(resource)
+                        .build()).get();
+
+        assertNotNull(result.accessToken());
+        assertEquals(TokenSource.CACHE, result.metadata().tokenSource());
+
+        verify(httpClientMock, times(1)).send(any());
+    }
+
     @ParameterizedTest
     @MethodSource("com.microsoft.aad.msal4j.ManagedIdentityTestDataProvider#createDataError")
     void managedIdentity_ClaimsAndCapabilities(ManagedIdentitySourceType source, String endpoint) throws Exception {
@@ -679,7 +735,7 @@ void managedIdentity_ClaimsAndCapabilities(ManagedIdentitySourceType source, Str
             ServiceFabricManagedIdentitySource.setHttpClient(httpClientMock);
         }
 
-        when(httpClientMock.send(expectedRequest(source, resource))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
+        when(httpClientMock.send(expectedRequest(source, resource, false, true, null))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
 
         miApp = ManagedIdentityApplication
                 .builder(ManagedIdentityId.systemAssigned())
@@ -707,6 +763,9 @@ void managedIdentity_ClaimsAndCapabilities(ManagedIdentitySourceType source, Str
         assertNotNull(result.accessToken());
         assertEquals(TokenSource.CACHE, result.metadata().tokenSource());
 
+        String expectedTokenHash = StringHelper.createSha256HashHexString(result.accessToken());
+        when(httpClientMock.send(expectedRequest(source, resource, true, true, expectedTokenHash))).thenReturn(expectedResponse(200, getSuccessfulResponse(resource)));
+
         // Third call, when claims are passed bypass the cache.
         result = miApp.acquireTokenForManagedIdentity(
                 ManagedIdentityParameters.builder(resource)
@@ -715,8 +774,6 @@ void managedIdentity_ClaimsAndCapabilities(ManagedIdentitySourceType source, Str
 
         assertNotNull(result.accessToken());
         assertEquals(TokenSource.IDENTITY_PROVIDER, result.metadata().tokenSource());
-
-        verify(httpClientMock, times(2)).send(any());
     }
 
     @ParameterizedTest