1.8.1 release (#327)

* Exception Improvements (#254) * Add null checks for MsalException error code references * Better exception handling for invalid tokens * Better exception handling for invalid tokens * Sync with changes to Azure-Samples/ms-identity-java-desktop (#259) * extra scopes for consent during authorizaion * typo * minor * HTTPClient default timeouts (#264) * Add default timeouts for DefaultHttpClient * Handle 'stay signed in' confirmation page in DeviceCodeIT tests * Small best-practices changes * append extra scopes as suffix * 1.6.2 release (#268) * fixing integ test * Tenant Profiles (#263) * Classes for tenant profile functionality * Implement tenant profile feature * Tests for tenant profile feature * Simplify tenant profile class structure * 1.6.2 release * Classes for tenant profile redesign * Tests for tenant profile redesign * Adjust sample cached ID tokens to have realistic headers * Redesign how Tenant Pofiles are added to Accounts * New error code for JWT parse exceptions * Add claims and tenant profiles fields to Account * Remove annotation excluding realm field from comparisons * Use more generic token * Remove ID token claims field from Account * Minor changes for clarity * Adjust tests for tenant profile design refactor * Refactor tenant profile structure * Minor fixes * Minor fixes * Minor fixes * Simplify tenant profile class Co-authored-by: SomkaPe <pesomka@microsoft.com> * Improve HTTP client timeouts (#275) * 1.6.2 release (#269) * 1.6.2 release * Make DefaultHttpClient timeouts settable * Refactor timeout names Co-authored-by: SomkaPe <pesomka@microsoft.com> * Bewaters certchain (#276) * Support for certificate chain * 1.7.0 release (#277) * Update DefaultHttpClient.java * Fixed parsing ClientInfo: on some accounts, the server response contained characters that are incorrect for Base64 encoding, but acceptable for Base64URL (#282) * sendX5c api (#285) * refactoring (#287) * refactoring * refactoring * refactoring * Add AcquireTokenSilent tests for B2C and ADFS2019, refactor duplicate code in tests (#293) * Add public constants for cloud endpoints (#298) * Add public constants for cloud endpoints * Add license header * Added javadocs * Removed unneeded test * Make IAccount serializable (#297) * Make IAccount objects serializable * Make AuthenticationResult objects not serializable * Add tenant profile/id claims to auth result (#300) * Add tenant profile/id claims to auth result * Minor fix * treat null password as default one - empty string (#304) * treat null password as default one - empty string * Support for refresh_in (#305) * Support for refresh_in * Tests for refresh_in * Add extra null check * Add test for refreshOn cache persistence * refresh on is optional field (#312) * refresh on optional field * 1.8.0 Release (#313) 1.8.0 release * Fix spelling mistake in Prompt.java * Remove use of Nimbus Oauth2 SDK's CommonContentTypes (#322) * Remove use of Nimbus Oauth2 SDK's CommonContentTypes * Add enum for HTTP content-type constants * Remove use of javax.mail.internet.ContentType * Support for claims request parameter (#315) * ClaimsRequest classes * Support for claims request parameter * Tests for claims request * Use Jackson library for JSON processing * Change access level of userinfo and access_token claims * Better merge tests * Remove ability to set claims in userinfo field * Refactor claims field naming * 1.8.1 release (#326) * Version number updates for 1.8.1 release * Minor rewording Co-authored-by: SomkaPe <pesomka@microsoft.com> Co-authored-by: Roman Nosachev <walther.landmine@gmail.com> Co-authored-by: Santiago Gonzalez <sagonzal@microsoft.com> Co-authored-by: Santiago Gonzalez <35743865+sangonzal@users.noreply.github.com>
AzureAD · Dec 11, 2020 · e34e382 · e34e382
1 parent cacad3d
commit e34e382
Show file tree

Hide file tree

Showing 43 changed files with 385 additions and 51 deletions.
diff --git a/README.md b/README.md
@@ -16,7 +16,7 @@ Quick links:
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.8.0
+Current version - 1.8.1
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,13 +28,13 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.8.0</version>
+    <version>1.8.1</version>
 </dependency>
 ```
 ### Gradle
 
 ```
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.8.0'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.8.1'
 ```
 
 ## Usage

diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,8 @@
+Version 1.8.1
+=============
+- New ClaimsRequest class to allow ID token claims to be requested as part of any token request
+- Remove use of nimbusds.oauth2.sdk CommonContentTypes
+
 Version 1.8.0
 =============
 - ITenantProfile added to IAuthenticationResult for easier access to ID token claims

diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.8.0</version>
+	<version>1.8.1</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>

diff --git a/src/main/java/com/microsoft/aad/msal4j/AbstractMsalAuthorizationGrant.java b/src/main/java/com/microsoft/aad/msal4j/AbstractMsalAuthorizationGrant.java
@@ -34,4 +34,10 @@ abstract class AbstractMsalAuthorizationGrant {
     String getScopes() {
         return scopes;
     }
+
+    ClaimsRequest claims;
+
+    ClaimsRequest getClaims() {
+        return claims;
+    }
 }
diff --git a/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByAuthorizationGrantSupplier.java b/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByAuthorizationGrantSupplier.java
@@ -48,7 +48,7 @@ AuthenticationResult execute() throws Exception {
                     (IntegratedWindowsAuthorizationGrant) authGrant;
             msalRequest.msalAuthorizationGrant =
                     new OAuthAuthorizationGrant(getAuthorizationGrantIntegrated(
-                            integratedAuthGrant.getUserName()), integratedAuthGrant.getScopes());
+                            integratedAuthGrant.getUserName()), integratedAuthGrant.getScopes(), integratedAuthGrant.getClaims());
         }
 
         if (requestAuthority == null) {

diff --git a/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByInteractiveFlowSupplier.java b/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByInteractiveFlowSupplier.java
@@ -149,6 +149,7 @@ private AuthenticationResult acquireTokenWithAuthorizationCode(AuthorizationResu
                 .builder(authorizationResult.code(), interactiveRequest.interactiveRequestParameters().redirectUri())
                 .scopes(interactiveRequest.interactiveRequestParameters().scopes())
                 .codeVerifier(interactiveRequest.verifier())
+                .claims(interactiveRequest.interactiveRequestParameters().claims())
                 .build();
 
         AuthorizationCodeRequest authCodeRequest = new AuthorizationCodeRequest(

diff --git a/src/main/java/com/microsoft/aad/msal4j/AuthorizationCodeParameters.java b/src/main/java/com/microsoft/aad/msal4j/AuthorizationCodeParameters.java
@@ -41,6 +41,11 @@ public class AuthorizationCodeParameters implements IApiParameters {
      */
     private Set<String> scopes;
 
+    /**
+     * Claims to be requested through the OIDC claims request parameter, allowing requests for standard and custom claims
+     */
+    private ClaimsRequest claims;
+
     /**
      * Code verifier used for PKCE. For more details, see https://tools.ietf.org/html/rfc7636
      */

diff --git a/src/main/java/com/microsoft/aad/msal4j/AuthorizationCodeRequest.java b/src/main/java/com/microsoft/aad/msal4j/AuthorizationCodeRequest.java
@@ -30,6 +30,6 @@ private static AbstractMsalAuthorizationGrant createMsalGrant(AuthorizationCodeP
                     new AuthorizationCode(parameters.authorizationCode()),parameters.redirectUri());
         }
 
-        return new OAuthAuthorizationGrant(authorizationGrant, parameters.scopes());
+        return new OAuthAuthorizationGrant(authorizationGrant, parameters.scopes(), parameters.claims());
     }
 }
diff --git a/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java b/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java
@@ -81,6 +81,15 @@ private AuthorizationRequestUrlParameters(Builder builder){
             requestParameters.put("claims", Collections.singletonList(builder.claimsChallenge));
         }
 
+        if(builder.claimsRequest != null){
+            String claimsRequest = builder.claimsRequest.formatAsJSONString();
+            //If there are other claims (such as part of a claims challenge), merge them with this claims request.
+            if (requestParameters.get("claims") != null) {
+                claimsRequest = JsonHelper.mergeJSONString(claimsRequest, requestParameters.get("claims").get(0));
+            }
+            requestParameters.put("claims", Collections.singletonList(claimsRequest));
+        }
+
         if(builder.codeChallenge != null){
             this.codeChallenge = builder.codeChallenge;
             requestParameters.put("code_challenge", Collections.singletonList(builder.codeChallenge));
@@ -154,6 +163,7 @@ public static class Builder {
         private Set<String> extraScopesToConsent;
         private Set<String> claims;
         private String claimsChallenge;
+        private ClaimsRequest claimsRequest;
         private String codeChallenge;
         private String codeChallengeMethod;
         private String state;
@@ -202,22 +212,17 @@ public Builder extraScopesToConsent(Set<String> val){
          * In cases where Azure AD tenant admin has enabled conditional access policies, and the
          * policy has not been met,{@link MsalServiceException} will contain claims that need be
          * consented to.
-         *
-         * Deprecated in favor of {@link #claimsChallenge(String)}
          */
-        @Deprecated
-        public Builder claims(Set<String> val){
-            this.claims = val;
+        public Builder claimsChallenge(String val){
+            this.claimsChallenge = val;
             return self();
         }
 
         /**
-         * In cases where Azure AD tenant admin has enabled conditional access policies, and the
-         * policy has not been met,{@link MsalServiceException} will contain claims that need be
-         * consented to.
+         * Claims to be requested through the OIDC claims request parameter, allowing requests for standard and custom claims
          */
-        public Builder claimsChallenge(String val){
-            this.claimsChallenge = val;
+        public Builder claims(ClaimsRequest val){
+            this.claimsRequest = val;
             return self();
         }
 

diff --git a/src/main/java/com/microsoft/aad/msal4j/ClaimsRequest.java b/src/main/java/com/microsoft/aad/msal4j/ClaimsRequest.java
@@ -0,0 +1,78 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import lombok.Getter;
+import lombok.Setter;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Represents the claims request parameter as an object
+ *
+ * @see <a href="https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter">https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter</a>
+ */
+public class ClaimsRequest {
+
+    @Getter
+    @Setter
+    List<RequestedClaim> idTokenRequestedClaims = new ArrayList<>();
+
+    List<RequestedClaim> userInfoRequestedClaims = new ArrayList<>();
+    List<RequestedClaim> accessTokenRequestedClaims = new ArrayList<>();
+
+    /**
+     * Inserts a claim into the list of claims to be added to the "id_token" section of an OIDC claims request
+     *
+     * @param claim the name of the claim to be requested
+     * @param requestedClaimAdditionalInfo additional information about the claim being requested
+     */
+    public void requestClaimInIdToken(String claim, RequestedClaimAdditionalInfo requestedClaimAdditionalInfo) {
+        idTokenRequestedClaims.add(new RequestedClaim(claim, requestedClaimAdditionalInfo));
+    }
+
+    /**
+     * Inserts a claim into the list of claims to be added to the "access_token" section of an OIDC claims request
+     *
+     * @param claim the name of the claim to be requested
+     * @param requestedClaimAdditionalInfo additional information about the claim being requested
+     */
+    protected void requestClaimInAccessToken(String claim, RequestedClaimAdditionalInfo requestedClaimAdditionalInfo) {
+        accessTokenRequestedClaims.add(new RequestedClaim(claim, requestedClaimAdditionalInfo));
+    }
+
+    /**
+     * Converts the ClaimsRequest object to a JSON-formatted String which follows the specification for the OIDC claims request parameter
+     *
+     * @return a String following JSON formatting
+     */
+    public String formatAsJSONString() {
+        ObjectMapper mapper = new ObjectMapper();
+        ObjectNode rootNode = mapper.createObjectNode();
+
+        if (!idTokenRequestedClaims.isEmpty()) {
+            rootNode.set("id_token", convertClaimsToObjectNode(idTokenRequestedClaims));
+        }
+        if (!userInfoRequestedClaims.isEmpty()) {
+            rootNode.set("userinfo", convertClaimsToObjectNode(userInfoRequestedClaims));
+        }
+        if (!accessTokenRequestedClaims.isEmpty()) {
+            rootNode.set("access_token", convertClaimsToObjectNode(accessTokenRequestedClaims));
+        }
+
+        return mapper.valueToTree(rootNode).toString();
+    }
+
+    private ObjectNode convertClaimsToObjectNode(List<RequestedClaim> claims) {
+        ObjectMapper mapper = new ObjectMapper();
+        ObjectNode claimsNode = mapper.createObjectNode();
+
+        for (RequestedClaim claim: claims) {
+            claimsNode.setAll((ObjectNode) mapper.valueToTree(claim));
+        }
+        return claimsNode;
+    }
+}
diff --git a/src/main/java/com/microsoft/aad/msal4j/ClientAuthenticationPost.java b/src/main/java/com/microsoft/aad/msal4j/ClientAuthenticationPost.java
@@ -8,12 +8,9 @@
 import java.util.List;
 import java.util.Map;
 
-import javax.mail.internet.ContentType;
-
 import com.nimbusds.oauth2.sdk.SerializeException;
 import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
 import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
-import com.nimbusds.oauth2.sdk.http.CommonContentTypes;
 import com.nimbusds.oauth2.sdk.http.HTTPRequest;
 import com.nimbusds.oauth2.sdk.id.ClientID;
 import com.nimbusds.oauth2.sdk.util.URLUtils;
@@ -40,15 +37,15 @@ public void applyTo(HTTPRequest httpRequest) throws SerializeException {
         if (httpRequest.getMethod() != HTTPRequest.Method.POST)
             throw new SerializeException("The HTTP request method must be POST");
 
-        ContentType ct = httpRequest.getContentType();
+        String ct = String.valueOf(httpRequest.getEntityContentType());
 
         if (ct == null)
             throw new SerializeException("Missing HTTP Content-Type header");
 
-        if (!ct.match(CommonContentTypes.APPLICATION_URLENCODED))
+        if (!ct.equals(HTTPContentType.ApplicationURLEncoded.contentType))
             throw new SerializeException(
                     "The HTTP Content-Type header must be "
-                            + CommonContentTypes.APPLICATION_URLENCODED);
+                    + HTTPContentType.ApplicationURLEncoded.contentType);
 
         Map<String, List<String>> params = httpRequest.getQueryParameters();
 

diff --git a/src/main/java/com/microsoft/aad/msal4j/ClientCredentialParameters.java b/src/main/java/com/microsoft/aad/msal4j/ClientCredentialParameters.java
@@ -26,6 +26,11 @@ public class ClientCredentialParameters implements IApiParameters {
     @NonNull
     private Set<String> scopes;
 
+    /**
+     * Claims to be requested through the OIDC claims request parameter, allowing requests for standard and custom claims
+     */
+    private ClaimsRequest claims;
+
     private static ClientCredentialParametersBuilder builder() {
 
         return new ClientCredentialParametersBuilder();

diff --git a/src/main/java/com/microsoft/aad/msal4j/ClientCredentialRequest.java b/src/main/java/com/microsoft/aad/msal4j/ClientCredentialRequest.java
@@ -5,8 +5,6 @@
 
 import com.nimbusds.oauth2.sdk.ClientCredentialsGrant;
 
-import java.util.Set;
-
 class ClientCredentialRequest extends MsalRequest{
 
     ClientCredentialRequest(ClientCredentialParameters parameters,
@@ -17,6 +15,6 @@ class ClientCredentialRequest extends MsalRequest{
 
     private static OAuthAuthorizationGrant createMsalGrant(ClientCredentialParameters parameters){
 
-        return new OAuthAuthorizationGrant(new ClientCredentialsGrant(), parameters.scopes());
+        return new OAuthAuthorizationGrant(new ClientCredentialsGrant(), parameters.scopes(), parameters.claims());
     }
 }
diff --git a/src/main/java/com/microsoft/aad/msal4j/DeviceCodeAuthorizationGrant.java b/src/main/java/com/microsoft/aad/msal4j/DeviceCodeAuthorizationGrant.java
@@ -23,10 +23,11 @@ class DeviceCodeAuthorizationGrant extends AbstractMsalAuthorizationGrant {
      *
      * @param scopes    The resource for which the device code was acquired.
      */
-    DeviceCodeAuthorizationGrant(DeviceCode deviceCode, final String scopes) {
+    DeviceCodeAuthorizationGrant(DeviceCode deviceCode, final String scopes, ClaimsRequest claims) {
         this.deviceCode = deviceCode;
         this.correlationId = deviceCode.correlationId();
         this.scopes = scopes;
+        this.claims = claims;
     }
 
     /**
@@ -41,6 +42,9 @@ public Map<String, List<String>> toParameters() {
         outParams.put("grant_type", Collections.singletonList(GRANT_TYPE));
         outParams.put("device_code", Collections.singletonList(deviceCode.deviceCode()));
         outParams.put("client_info", Collections.singletonList("1"));
+        if (claims != null) {
+            outParams.put("claims", Collections.singletonList(claims.formatAsJSONString()));
+        }
 
         return outParams;
     }

diff --git a/src/main/java/com/microsoft/aad/msal4j/DeviceCodeFlowParameters.java b/src/main/java/com/microsoft/aad/msal4j/DeviceCodeFlowParameters.java
@@ -28,6 +28,11 @@ public class DeviceCodeFlowParameters implements IApiParameters {
     @NonNull
     private Set<String> scopes;
 
+    /**
+     * Claims to be requested through the OIDC claims request parameter, allowing requests for standard and custom claims
+     */
+    private ClaimsRequest claims;
+
     /**
      * Receives the device code returned from the first step of Oauth2.0 device code flow. The
      * {@link DeviceCode#verificationUri} and the {@link DeviceCode#userCode} should be shown

diff --git a/src/main/java/com/microsoft/aad/msal4j/DeviceCodeFlowRequest.java b/src/main/java/com/microsoft/aad/msal4j/DeviceCodeFlowRequest.java
@@ -55,7 +55,7 @@ DeviceCode acquireDeviceCode(String url,
     }
 
     void createAuthenticationGrant(DeviceCode deviceCode) {
-        msalAuthorizationGrant = new DeviceCodeAuthorizationGrant(deviceCode, deviceCode.scopes());
+        msalAuthorizationGrant = new DeviceCodeAuthorizationGrant(deviceCode, deviceCode.scopes(), parameters.claims());
     }
 
     private String createQueryParams(String clientId) {

diff --git a/src/main/java/com/microsoft/aad/msal4j/HTTPContentType.java b/src/main/java/com/microsoft/aad/msal4j/HTTPContentType.java
@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+/**
+ * Enum containing HTTP Content-Type header values
+ */
+enum HTTPContentType {
+
+    ApplicationURLEncoded("application/x-www-form-urlencoded; charset=UTF-8"),
+    ApplicationJSON("application/json; charset=UTF-8");
+
+    public final String contentType;
+
+    HTTPContentType(String contentType) {
+        this.contentType = contentType;
+    }
+}
diff --git a/src/main/java/com/microsoft/aad/msal4j/IApiParameters.java b/src/main/java/com/microsoft/aad/msal4j/IApiParameters.java
@@ -7,4 +7,6 @@
 
 interface IApiParameters {
     Set<String> scopes();
+
+    ClaimsRequest claims();
 }
diff --git a/src/main/java/com/microsoft/aad/msal4j/IntegratedWindowsAuthenticationParameters.java b/src/main/java/com/microsoft/aad/msal4j/IntegratedWindowsAuthenticationParameters.java
@@ -29,6 +29,11 @@ public class IntegratedWindowsAuthenticationParameters implements IApiParameters
     @NonNull
     private Set<String> scopes;
 
+    /**
+     * Claims to be requested through the OIDC claims request parameter, allowing requests for standard and custom claims
+     */
+    private ClaimsRequest claims;
+
     /**
      * Identifier of user account for which to acquire tokens for
      */

diff --git a/src/main/java/com/microsoft/aad/msal4j/IntegratedWindowsAuthenticationRequest.java b/src/main/java/com/microsoft/aad/msal4j/IntegratedWindowsAuthenticationRequest.java
@@ -14,6 +14,6 @@ class IntegratedWindowsAuthenticationRequest extends MsalRequest{
     private static AbstractMsalAuthorizationGrant createAuthenticationGrant
             (IntegratedWindowsAuthenticationParameters parameters){
 
-        return new IntegratedWindowsAuthorizationGrant(parameters.scopes(), parameters.username());
+        return new IntegratedWindowsAuthorizationGrant(parameters.scopes(), parameters.username(), parameters.claims());
     }
 }
diff --git a/src/main/java/com/microsoft/aad/msal4j/IntegratedWindowsAuthorizationGrant.java b/src/main/java/com/microsoft/aad/msal4j/IntegratedWindowsAuthorizationGrant.java
@@ -11,9 +11,10 @@ class IntegratedWindowsAuthorizationGrant extends AbstractMsalAuthorizationGrant
 
     private final String userName;
 
-    IntegratedWindowsAuthorizationGrant(Set<String> scopes, String userName) {
+    IntegratedWindowsAuthorizationGrant(Set<String> scopes, String userName, ClaimsRequest claims) {
         this.userName = userName;
         this.scopes = String.join(" ", scopes);
+        this.claims = claims;
     }
 
     @Override

diff --git a/src/main/java/com/microsoft/aad/msal4j/InteractiveRequestParameters.java b/src/main/java/com/microsoft/aad/msal4j/InteractiveRequestParameters.java
@@ -38,6 +38,11 @@ public class InteractiveRequestParameters implements IApiParameters {
     @NonNull
     private URI redirectUri;
 
+    /**
+     * Claims to be requested through the OIDC claims request parameter, allowing requests for standard and custom claims
+     */
+    private ClaimsRequest claims;
+
     /**
      * Scopes that the application is requesting access to and the user will consent to.
      */