Add exception comment to the public API methods. Remove exception if …

…Initiate is called with already existing key. Update tests.
AzureAD · Nov 12, 2021 · 627b4d9 · 627b4d9
1 parent b4e8fbd
commit 627b4d9
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 37 deletions.
diff --git a/src/client/Microsoft.Identity.Client/ILongRunningWebApi.cs b/src/client/Microsoft.Identity.Client/ILongRunningWebApi.cs
@@ -36,6 +36,8 @@ public interface ILongRunningWebApi
         /// <param name="scopes">Scopes requested to access a protected API</param>
         /// <param name="longRunningProcessSessionKey">Key by which to look up the token in the cache</param>
         /// <returns>A builder enabling you to add optional parameters before executing the token request</returns>
+        /// <exception cref="MsalClientException"> is thrown if the token cache does not contain a token
+        /// with an OBO cache key that matches the <paramref name="longRunningProcessSessionKey"/>.</exception>
         AcquireTokenOnBehalfOfParameterBuilder AcquireTokenInLongRunningProcess(IEnumerable<string> scopes, string longRunningProcessSessionKey);
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/MsalError.cs b/src/client/Microsoft.Identity.Client/MsalError.cs
@@ -1032,15 +1032,6 @@ public static class MsalError
         /// </summary>
         public const string RegionalAndAuthorityOverride = "authority_override_regional";
 
-        /// <summary>
-        /// <para>What happens?</para>The token cache already contains a token with an OBO cache key that
-        /// matches the <c>longRunningProcessSessionKey</c> passed into <see cref="ILongRunningWebApi.AcquireTokenInLongRunningProcess"/>.
-        /// <para>Mitigation</para>Call <see cref="ILongRunningWebApi.InitiateLongRunningProcessInWebApi"/> with a new <c>longRunningProcessSessionKey</c>
-        /// that does not exist in the token cache or call <see cref="ILongRunningWebApi.AcquireTokenInLongRunningProcess"/> with an already used
-        /// <c>longRunningProcessSessionKey</c>.
-        /// </summary>
-        public const string OboCacheKeyAlreadyInCacheError = "obo_cache_key_already_in_cache_error";
-
         /// <summary>
         /// <para>What happens?</para>The token cache does not contain a token with an OBO cache key that
         /// matches the <c>longRunningProcessSessionKey</c> passed into <see cref="ILongRunningWebApi.AcquireTokenInLongRunningProcess"/>.
@@ -1050,4 +1041,4 @@ public static class MsalError
         /// </summary>
         public const string OboCacheKeyNotInCacheError = "obo_cache_key_not_in_cache_error";
     }
-}      
+}
diff --git a/src/client/Microsoft.Identity.Client/MsalErrorMessage.cs b/src/client/Microsoft.Identity.Client/MsalErrorMessage.cs
@@ -406,8 +406,6 @@ public static string InitializeProcessSecurityError(string errorCode) =>
 
         public const string RegionalAndAuthorityOverride = "You configured WithAuthority at the request level, and also WithAzureRegion. This is not supported when the environment changes from application to request. Use WithTenantId at the request level instead.";
 
-        public const string OboCacheKeyAlreadyInCache = "The token cache already contains a token with an OBO cache key that matches the longRunningProcessSessionKey passed into IConfidentialClientApplication.AcquireTokenInLongRunningProcess method. Call IConfidentialClientApplication.InitiateLongRunningProcessInWebApi method with a new longRunningProcessSessionKey that does not exist in the token cache or call IConfidentialClientApplication.AcquireTokenInLongRunningProcess method with an already used longRunningProcessSessionKey.";
-
         public const string OboCacheKeyNotInCache = "The token cache does not contain a token with an OBO cache key that matches the longRunningProcessSessionKey passed into IConfidentialClientApplication.AcquireTokenInLongRunningProcess method. Call IConfidentialClientApplication.InitiateLongRunningProcessInWebApi method with a new longRunningProcessSessionKey that does not exist in the token cache or call IConfidentialClientApplication.AcquireTokenInLongRunningProcess method with an already used longRunningProcessSessionKey.";
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/TokenCache.ITokenCacheInternal.cs b/src/client/Microsoft.Identity.Client/TokenCache.ITokenCacheInternal.cs
@@ -434,12 +434,6 @@ async Task<MsalAccessTokenCacheItem> ITokenCacheInternal.FindAccessTokenAsync(
                 throw new MsalClientException(MsalError.OboCacheKeyNotInCacheError, MsalErrorMessage.OboCacheKeyNotInCache);
             }
 
-            if (InitiateLongRunningOboWasCalled(requestParams) && tokenCacheItems.Count > 0)
-            {
-                logger.Error("[FindAccessTokenAsync] InitiateLongRunningProcessInWebApi was called and OBO token was already found in the cache.");
-                throw new MsalClientException(MsalError.OboCacheKeyAlreadyInCacheError, MsalErrorMessage.OboCacheKeyAlreadyInCache);
-            }
-
             // no match
             if (tokenCacheItems.Count == 0)
             {
@@ -717,7 +711,7 @@ internal async Task ExpireAllAccessTokensForTestAsync()
             {
                 accessor.SaveAccessToken(atItem.WithExpiresOn(DateTimeOffset.UtcNow));
             }
-               
+
             if (tokenCacheInternal.IsAppSubscribedToSerializationEvents())
             {
                 var args = new TokenCacheNotificationArgs(
@@ -729,8 +723,8 @@ internal async Task ExpireAllAccessTokensForTestAsync()
                 tokenCacheInternal.HasTokensNoLocks(),
                 default,
                 suggestedCacheKey: null,
-                suggestedCacheExpiry: null); 
-             
+                suggestedCacheExpiry: null);
+
                 await tokenCacheInternal.OnAfterAccessAsync(args).ConfigureAwait(false);
             }
         }
@@ -1208,14 +1202,6 @@ bool ITokenCacheInternal.HasTokensNoLocks()
                 .ForEach(accItem => _accessor.DeleteAccount(accItem));
         }
 
-        // Returns whether InitiateLongRunningProcessInWebAPI was called (user assertion is specified in this case)
-        private bool InitiateLongRunningOboWasCalled(AuthenticationRequestParameters requestParameters)
-        {
-            return requestParameters.ApiId == ApiEvent.ApiIds.AcquireTokenOnBehalfOf &&
-                requestParameters.UserAssertion != null &&
-                !string.IsNullOrEmpty(requestParameters.LongRunningOboCacheKey);
-        }
-
         // Returns whether AcquireTokenInLongRunningProcess was called (user assertion is null in this case)
         private bool AcquireTokenInLongRunningOboWasCalled(AuthenticationRequestParameters requestParameters)
         {

diff --git a/tests/Microsoft.Identity.Test.Unit/RequestsTests/OboRequestTests.cs b/tests/Microsoft.Identity.Test.Unit/RequestsTests/OboRequestTests.cs
@@ -248,21 +248,25 @@ public async Task AcquireTokenByObo_InitiateLongRunningProcessInWebApi_CacheKeyA
                 // Cache is empty or token with the same scopes, OBO cache key, etc. not in cache -> AT and RT are retrieved from IdP and saved
                 Assert.IsNotNull(result);
                 Assert.AreEqual(TestConstants.ATSecret, result.AccessToken);
-                Assert.AreEqual(result.AuthenticationResultMetadata.TokenSource, TokenSource.IdentityProvider);
+                Assert.AreEqual(TokenSource.IdentityProvider, result.AuthenticationResultMetadata.TokenSource);
                 MsalAccessTokenCacheItem cachedAccessToken = cca.UserTokenCacheInternal.Accessor.GetAllAccessTokens().Single();
                 MsalRefreshTokenCacheItem cachedRefreshToken = cca.UserTokenCacheInternal.Accessor.GetAllRefreshTokens().Single();
                 Assert.AreEqual(oboCacheKey, cachedAccessToken.OboCacheKey);
                 Assert.AreEqual(oboCacheKey, cachedRefreshToken.OboCacheKey);
                 Assert.AreEqual(TestConstants.RTSecret, cachedRefreshToken.Secret);
                 userCacheAccess.AssertAccessCounts(1, 1);
 
-                // Token with the same scopes, OBO cache key, etc. exists in the cache -> throw error
-                var exception = await AssertException.TaskThrowsAsync<MsalClientException>(
-                    () => cca.InitiateLongRunningProcessInWebApi(TestConstants.s_scope, TestConstants.DefaultAccessToken, ref oboCacheKey)
-                    .ExecuteAsync())
-                    .ConfigureAwait(false);
-
-                Assert.AreEqual(MsalError.OboCacheKeyAlreadyInCacheError, exception.ErrorCode);
+                // Token with the same scopes, OBO cache key, etc. exists in the cache -> AT is retrieved from the cache
+                result = await cca.InitiateLongRunningProcessInWebApi(TestConstants.s_scope, TestConstants.DefaultAccessToken, ref oboCacheKey)
+                    .ExecuteAsync().ConfigureAwait(false);
+                Assert.IsNotNull(result);
+                Assert.AreEqual(TestConstants.ATSecret, result.AccessToken);
+                Assert.AreEqual(TokenSource.Cache, result.AuthenticationResultMetadata.TokenSource);
+                cachedAccessToken = cca.UserTokenCacheInternal.Accessor.GetAllAccessTokens().Single();
+                cachedRefreshToken = cca.UserTokenCacheInternal.Accessor.GetAllRefreshTokens().Single();
+                Assert.AreEqual(oboCacheKey, cachedAccessToken.OboCacheKey);
+                Assert.AreEqual(oboCacheKey, cachedRefreshToken.OboCacheKey);
+                Assert.AreEqual(TestConstants.RTSecret, cachedRefreshToken.Secret);
                 userCacheAccess.AssertAccessCounts(2, 1);
 
                 AddMockHandlerAadSuccess(httpManager,