Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ClientCredential and OBO acquireToken requests with claims will now skip the cache #6999

Merged
merged 20 commits into from
Apr 30, 2024
Merged

ClientCredential and OBO acquireToken requests with claims will now skip the cache #6999

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
cda1842
claims are now taken into consideration when checking the cache
Robbie-Microsoft Apr 3, 2024
1f59508
small bugfix
Robbie-Microsoft Apr 3, 2024
48f5e31
Merge branch 'dev' into claims_bugfix
Robbie-Microsoft Apr 9, 2024
5cfc9dd
Merge branch 'dev' into claims_bugfix
Robbie-Microsoft Apr 10, 2024
015ed04
cache is skipped on any claims
Robbie-Microsoft Apr 11, 2024
a0fc75f
Merge branch 'dev' into claims_bugfix
Robbie-Microsoft Apr 11, 2024
f0df434
Change files
Robbie-Microsoft Apr 11, 2024
b6ce90c
Implemented GitHub Feedback
Robbie-Microsoft Apr 11, 2024
b3c7221
Change files
Robbie-Microsoft Apr 11, 2024
f218368
Merge branch 'dev' into claims_bugfix
Robbie-Microsoft Apr 26, 2024
474a6c3
Fixed broken unit test
Robbie-Microsoft Apr 26, 2024
fe49721
Merge branch 'dev' into claims_bugfix
Robbie-Microsoft Apr 26, 2024
a1d53eb
Merge branch 'dev' into claims_bugfix
Robbie-Microsoft Apr 29, 2024
053c051
Fixed broken unit tests and moved some around
Robbie-Microsoft Apr 29, 2024
ae5494f
Removed claimsBasedCaching from msal-browser
Robbie-Microsoft Apr 29, 2024
da3a324
Change files
Robbie-Microsoft Apr 29, 2024
94848e4
removed claimsBasedHasing unit tests from msal-browser
Robbie-Microsoft Apr 29, 2024
6722bcd
Merge branch 'dev' into claims_bugfix
Robbie-Microsoft Apr 30, 2024
99ce409
Merge branch 'dev' into claims_bugfix
Robbie-Microsoft Apr 30, 2024
650c083
removed thrown error claimsBasedCaching. Marked it as deprecated in m…
Robbie-Microsoft Apr 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions change/@azure-msal-common-c7f27295-64bd-44e2-b07f-d4bf9c4b7d6a.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "ClientCredential and OBO acquireToken requests with claims will now skip the cache",
"packageName": "@azure/msal-common",
"email": "[email protected]",
"dependentChangeType": "patch"
}
7 changes: 7 additions & 0 deletions change/@azure-msal-node-2c770c1f-88f0-42d9-b87e-591e60e975b6.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "ClientCredential and OBO acquireToken requests with claims will now skip the cache",
"packageName": "@azure/msal-node",
"email": "[email protected]",
"dependentChangeType": "patch"
}
10 changes: 10 additions & 0 deletions lib/msal-common/src/config/ClientConfiguration.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,10 @@ import {
ClientAuthErrorCodes,
createClientAuthError,
} from "../error/ClientAuthError";
import {
ClientConfigurationErrorCodes,
createClientConfigurationError,
} from "../error/ClientConfigurationError";

/**
* Use the configuration object to configure MSAL Modules and initialize the base interfaces for MSAL.
Expand Down Expand Up @@ -233,6 +237,12 @@ export function buildClientConfiguration({
persistencePlugin: persistencePlugin,
serializableCache: serializableCache,
}: ClientConfiguration): CommonClientConfiguration {
if (userCacheOptions?.claimsBasedCachingEnabled) {
throw createClientConfigurationError(
ClientConfigurationErrorCodes.claimsBasedCachingEnabled
);
}

const loggerOptions = {
...DEFAULT_LOGGER_IMPLEMENTATION,
...userLoggerOption,
Expand Down
2 changes: 2 additions & 0 deletions lib/msal-common/src/error/ClientConfigurationError.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ export const ClientConfigurationErrorMessages = {
"Cannot set allowNativeBroker parameter to true when not in AAD protocol mode.",
[ClientConfigurationErrorCodes.authorityMismatch]:
"Authority mismatch error. Authority provided in login request or PublicClientApplication config does not match the environment of the provided account. Please use a matching account or make an interactive request to login to this authority.",
[ClientConfigurationErrorCodes.claimsBasedCachingEnabled]:
"Claims based caching is not supported in MSALJS.",
};

/**
Expand Down
1 change: 1 addition & 0 deletions lib/msal-common/src/error/ClientConfigurationErrorCodes.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,3 +26,4 @@ export const invalidAuthenticationHeader = "invalid_authentication_header";
export const cannotSetOIDCOptions = "cannot_set_OIDCOptions";
export const cannotAllowNativeBroker = "cannot_allow_native_broker";
export const authorityMismatch = "authority_mismatch";
export const claimsBasedCachingEnabled = "claims_based_caching_enabled";
2 changes: 1 addition & 1 deletion lib/msal-node/src/client/ClientCredentialClient.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ export class ClientCredentialClient extends BaseClient {
public async acquireToken(
request: CommonClientCredentialRequest
): Promise<AuthenticationResult | null> {
if (request.skipCache) {
if (request.skipCache || request.claims) {
return this.executeTokenRequest(request, this.authority);
}

Expand Down
2 changes: 1 addition & 1 deletion lib/msal-node/src/client/OnBehalfOfClient.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ export class OnBehalfOfClient extends BaseClient {
request.oboAssertion
);

if (request.skipCache) {
if (request.skipCache || request.claims) {
return this.executeTokenRequest(
request,
this.authority,
Expand Down
8 changes: 8 additions & 0 deletions lib/msal-node/src/config/Configuration.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ import {
AzureCloudOptions,
ApplicationTelemetry,
INativeBrokerPlugin,
createClientConfigurationError,
ClientConfigurationErrorCodes,
} from "@azure/msal-common";
import { HttpClient } from "../network/HttpClient.js";
import http from "http";
Expand Down Expand Up @@ -203,6 +205,12 @@ export function buildAppConfiguration({
system,
telemetry,
}: Configuration): NodeConfiguration {
if (cache?.claimsBasedCachingEnabled) {
throw createClientConfigurationError(
ClientConfigurationErrorCodes.claimsBasedCachingEnabled
);
}

const systemOptions: Required<NodeSystemOptions> = {
...DEFAULT_SYSTEM_OPTIONS,
networkClient: new HttpClient(
Expand Down
70 changes: 68 additions & 2 deletions lib/msal-node/test/client/ClientCredentialClient.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ import {
createClientAuthError,
ClientAuthErrorCodes,
CacheHelpers,
createClientConfigurationError,
ClientConfigurationErrorCodes,
} from "@azure/msal-common";
import { ClientCredentialClient, UsernamePasswordClient } from "../../src";
import {
Expand Down Expand Up @@ -420,14 +422,17 @@ describe("ClientCredentialClient unit tests", () => {
])(
"Validates that claims and client capabilities are correctly merged",
async (claims, mergedClaims) => {
clientCredentialRequest.claims = claims;
// acquire a token with a client that has client capabilities, but no claims in the request
// verify that it comes from the IDP
const authResult = (await client.acquireToken(
clientCredentialRequest
)) as AuthenticationResult;
expect(authResult.accessToken).toEqual(
CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
);
expect(authResult.fromCache).toBe(false);

// verify that the client capabilities have been merged with the (empty) claims
const returnVal: string = createTokenRequestBodySpy.mock
.results[0].value as string;
expect(
Expand All @@ -437,19 +442,80 @@ describe("ClientCredentialClient unit tests", () => {
.filter((key: string) => key.includes("claims="))[0]
.split("claims=")[1]
)
).toEqual(mergedClaims);
).toEqual(CAE_CONSTANTS.MERGED_EMPTY_CLAIMS);

// acquire a token (without changing anything) and verify that it comes from the cache
// verify that it comes from the cache
const cachedAuthResult = (await client.acquireToken(
clientCredentialRequest
)) as AuthenticationResult;
expect(cachedAuthResult.accessToken).toEqual(
CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
);
expect(cachedAuthResult.fromCache).toBe(true);

// acquire a token with a client that has client capabilities, and has claims in the request
// verify that it comes from the IDP
clientCredentialRequest.claims = claims;
const authResult2 = (await client.acquireToken(
clientCredentialRequest
)) as AuthenticationResult;
expect(authResult2.accessToken).toEqual(
CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
);
expect(authResult2.fromCache).toBe(false);
Robbie-Microsoft marked this conversation as resolved.
Show resolved Hide resolved

// verify that the client capabilities have been merged with the claims
const returnVal2: string = createTokenRequestBodySpy.mock
.results[1].value as string;
expect(
decodeURIComponent(
returnVal2
.split("&")
.filter((key: string) => key.includes("claims="))[0]
.split("claims=")[1]
)
).toEqual(mergedClaims);

// acquire a token with a client that has client capabilities, but no claims in the request
// verify that it comes from the cache
delete clientCredentialRequest.claims;
const authResult3 = (await client.acquireToken(
clientCredentialRequest
)) as AuthenticationResult;
expect(authResult3.accessToken).toEqual(
CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
);
expect(authResult3.fromCache).toBe(true);

// acquire a token with a client that has client capabilities, and has claims in the request
// verify that it comes from the IDP
clientCredentialRequest.claims = claims;
const authResult4 = (await client.acquireToken(
clientCredentialRequest
)) as AuthenticationResult;
expect(authResult4.accessToken).toEqual(
CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body.access_token
);
expect(authResult4.fromCache).toBe(false);
}
);
});

it("An error is thrown when claims based caching is enabled", async () => {
expect(() => {
// will use msal-common's buildAppConfiguration
new ClientCredentialClient({
...config,
cacheOptions: { claimsBasedCachingEnabled: true },
});
}).toThrow(
createClientConfigurationError(
ClientConfigurationErrorCodes.claimsBasedCachingEnabled
)
);
});

it("Does not add claims when empty object provided", async () => {
const client: ClientCredentialClient = new ClientCredentialClient(
config
Expand Down
49 changes: 47 additions & 2 deletions lib/msal-node/test/client/ConfidentialClientApplication.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ import {
CommonClientCredentialRequest,
createClientAuthError,
ClientAuthErrorCodes,
createClientConfigurationError,
ClientConfigurationErrorCodes,
} from "@azure/msal-common";
import { TEST_CONSTANTS } from "../utils/TestConstants";
import {
Expand Down Expand Up @@ -132,15 +134,18 @@ describe("ConfidentialClientApplication", () => {
])(
"Validates that claims and client capabilities are correctly merged",
async (claims, mergedClaims) => {
authorizationCodeRequest.claims = claims;
// acquire a token with a client that has client capabilities, but no claims in the request
// verify that it comes from the IDP
const authResult = (await client.acquireTokenByCode(
authorizationCodeRequest
)) as AuthenticationResult;
expect(authResult.accessToken).toEqual(
CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body
.access_token
);
expect(authResult.fromCache).toBe(false);

// verify that the client capabilities have been merged with the (empty) claims
const returnVal: string = (await createTokenRequestBodySpy
.mock.results[0].value) as string;
expect(
Expand All @@ -152,9 +157,35 @@ describe("ConfidentialClientApplication", () => {
)[0]
.split("claims=")[1]
)
).toEqual(mergedClaims);
).toEqual(CAE_CONSTANTS.MERGED_EMPTY_CLAIMS);

// skip cache lookup verification because acquireTokenByCode does not pull elements from the cache

// acquire a token with a client that has client capabilities, and has claims in the request
// verify that it comes from the IDP
authorizationCodeRequest.claims = claims;
const authResult2 = (await client.acquireTokenByCode(
authorizationCodeRequest
)) as AuthenticationResult;
expect(authResult2.accessToken).toEqual(
CONFIDENTIAL_CLIENT_AUTHENTICATION_RESULT.body
.access_token
);
expect(authResult2.fromCache).toBe(false);

// verify that the client capabilities have been merged with the claims
const returnVal2: string = (await createTokenRequestBodySpy
.mock.results[1].value) as string;
expect(
decodeURIComponent(
returnVal2
.split("&")
.filter((key: string) =>
key.includes("claims=")
)[0]
.split("claims=")[1]
)
).toEqual(mergedClaims);
}
);
});
Expand Down Expand Up @@ -356,4 +387,18 @@ describe("ConfidentialClientApplication", () => {
const authApp = new ConfidentialClientApplication(appConfig);
await authApp.acquireTokenByClientCredential(request);
});

it("An error is thrown when claims based caching is enabled", async () => {
expect(() => {
// will use msal-node's buildAppConfiguration
new ConfidentialClientApplication({
...appConfig,
cache: { claimsBasedCachingEnabled: true },
});
}).toThrow(
createClientConfigurationError(
ClientConfigurationErrorCodes.claimsBasedCachingEnabled
)
);
});
});
56 changes: 54 additions & 2 deletions lib/msal-node/test/client/OnBehalfOfClient.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,14 +142,17 @@ describe("OnBehalfOf unit tests", () => {
])(
"Validates that claims and client capabilities are correctly merged",
async (claims, mergedClaims) => {
oboRequest.claims = claims;
// acquire a token with a client that has client capabilities, but no claims in the request
// verify that it comes from the IDP
const authResult = (await client.acquireToken(
oboRequest
)) as AuthenticationResult;
expect(authResult.accessToken).toEqual(
AUTHENTICATION_RESULT.body.access_token
);
expect(authResult.fromCache).toBe(false);

// verify that the client capabilities have been merged with the (empty) claims
const returnVal: string = createTokenRequestBodySpy.mock
.results[0].value as string;
expect(
Expand All @@ -161,15 +164,64 @@ describe("OnBehalfOf unit tests", () => {
)[0]
.split("claims=")[1]
)
).toEqual(mergedClaims);
).toEqual(CAE_CONSTANTS.MERGED_EMPTY_CLAIMS);

// acquire a token (without changing anything) and verify that it comes from the cache
// verify that it comes from the cache
const cachedAuthResult = (await client.acquireToken(
oboRequest
)) as AuthenticationResult;
expect(cachedAuthResult.accessToken).toEqual(
AUTHENTICATION_RESULT.body.access_token
);
expect(cachedAuthResult.fromCache).toBe(true);

// acquire a token with a client that has client capabilities, and has claims in the request
// verify that it comes from the IDP
oboRequest.claims = claims;
const authResult2 = (await client.acquireToken(
oboRequest
)) as AuthenticationResult;
expect(authResult2.accessToken).toEqual(
AUTHENTICATION_RESULT.body.access_token
);
expect(authResult2.fromCache).toBe(false);

// verify that the client capabilities have been merged with the claims
const returnVal2: string = createTokenRequestBodySpy.mock
.results[1].value as string;
expect(
decodeURIComponent(
returnVal2
.split("&")
.filter((key: string) =>
key.includes("claims=")
)[0]
.split("claims=")[1]
)
).toEqual(mergedClaims);

// acquire a token with a client that has client capabilities, but no claims in the request
// verify that it comes from the cache
delete oboRequest.claims;
const authResult3 = (await client.acquireToken(
oboRequest
)) as AuthenticationResult;
expect(authResult3.accessToken).toEqual(
AUTHENTICATION_RESULT.body.access_token
);
expect(authResult3.fromCache).toBe(true);

// acquire a token with a client that has client capabilities, and has claims in the request
// verify that it comes from the IDP
oboRequest.claims = claims;
const authResult4 = (await client.acquireToken(
oboRequest
)) as AuthenticationResult;
expect(authResult4.accessToken).toEqual(
AUTHENTICATION_RESULT.body.access_token
);
expect(authResult4.fromCache).toBe(false);
}
);
});
Expand Down
Loading