Added support for ActiveDirectoryInteractive authentication

src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java

@@ -109,7 +109,9 @@ final class TDS {
     static final byte ADALWORKFLOW_ACTIVEDIRECTORYPASSWORD = 0x01;
     static final byte ADALWORKFLOW_ACTIVEDIRECTORYINTEGRATED = 0x02;
     static final byte ADALWORKFLOW_ACTIVEDIRECTORYMSI = 0x03;
-    static final byte ADALWORKFLOW_ACTIVEDIRECTORYSERVICEPRINCIPAL = 0x01; // Using the Password byte as that is the closest we have.
+    static final byte ADALWORKFLOW_ACTIVEDIRECTORYINTERACTIVE = 0x03;
+    static final byte ADALWORKFLOW_ACTIVEDIRECTORYSERVICEPRINCIPAL = 0x01; // Using the Password byte as that is the
+                                                                           // closest we have.
     static final byte FEDAUTH_INFO_ID_STSURL = 0x01; // FedAuthInfoData is token endpoint URL from which to acquire fed
                                                      // auth token
     static final byte FEDAUTH_INFO_ID_SPN = 0x02; // FedAuthInfoData is the SPN to use for acquiring fed auth token
@@ -2052,7 +2054,13 @@ else if (null != (trustStoreFileName = System.getProperty("javax.net.ssl.trustSt
 
     final int read(byte[] data, int offset, int length) throws SQLServerException {
         try {
+            // System.out.println("socket timeout:"+ tcpSocket.getSoTimeout());
+            // tcpSocket.setSoTimeout(10000);
+
             return inputStream.read(data, offset, length);
+        } catch (SocketException e) {
+            System.out.println("SocketTimeoutException:" + e.getMessage());
+            return 0; // Keep the compiler happy.
         } catch (IOException e) {
             if (logger.isLoggable(Level.FINE))
                 logger.fine(toString() + " read failed:" + e.getMessage());

src/main/java/com/microsoft/sqlserver/jdbc/PersistentTokenCacheAccessAspect.java

@@ -0,0 +1,58 @@
+/*
+ * Microsoft JDBC Driver for SQL Server Copyright(c) Microsoft Corporation All rights reserved. This program is made
+ * available under the terms of the MIT License. See the LICENSE file in the project root for more information.
+ */
+
+package com.microsoft.sqlserver.jdbc;
+
+import com.microsoft.aad.msal4j.ITokenCacheAccessAspect;
+import com.microsoft.aad.msal4j.ITokenCacheAccessContext;
+
+
+/**
+ * Access aspect for accessing the token cache.
+ * 
+ * MSAL token cache does not persist beyond lifetime of the application. This class implements the
+ * ITokenCacheAccessAspect interface to persist the token cache between application instances so subsequent
+ * authentications can use silent authentication if the user account is in the token cache.
+ * 
+ * @see <a href="https://aka.ms/msal4j-token-cache">https://aka.ms/msal4j-token-cache</a>
+ */
+public class PersistentTokenCacheAccessAspect implements ITokenCacheAccessAspect {
+    private static PersistentTokenCacheAccessAspect instance = new PersistentTokenCacheAccessAspect();
+
+    private PersistentTokenCacheAccessAspect() {};
+
+    static PersistentTokenCacheAccessAspect getInstance() {
+        return instance;
+    }
+
+    /**
+     * Token cache in JSON format
+     */
+    private String cache = null;
+
+    @Override
+    public synchronized void beforeCacheAccess(ITokenCacheAccessContext iTokenCacheAccessContext) {
+        if (null != cache && null != iTokenCacheAccessContext && null != iTokenCacheAccessContext.tokenCache()) {
+            iTokenCacheAccessContext.tokenCache().deserialize(cache);
+        }
+    }
+
+    @Override
+    public synchronized void afterCacheAccess(ITokenCacheAccessContext iTokenCacheAccessContext) {
+        if (null != iTokenCacheAccessContext && iTokenCacheAccessContext.hasCacheChanged()
+                && null != iTokenCacheAccessContext.tokenCache())
+            cache = iTokenCacheAccessContext.tokenCache().serialize();
+    }
+
+    /**
+     * Clears User token cache. This will clear all account info so interactive login will be required on the next
+     * request to acquire an access token.
+     */
+    static void clearUserTokenCache() {
+        if (null != instance.cache && !instance.cache.isEmpty()) {
+            instance.cache = null;
+        }
+    }
+}

src/main/java/com/microsoft/sqlserver/jdbc/SQLServerConnection.java

@@ -409,6 +409,9 @@ class FederatedAuthenticationFeatureExtensionData implements Serializable {
                 case "ACTIVEDIRECTORYSERVICEPRINCIPAL":
                     this.authentication = SqlAuthentication.ActiveDirectoryServicePrincipal;
                     break;
+                case "ACTIVEDIRECTORYINTERACTIVE":
+                    this.authentication = SqlAuthentication.ActiveDirectoryInteractive;
+                    break;
                 default:
                     assert (false);
                     MessageFormat form = new MessageFormat(
@@ -949,6 +952,14 @@ static synchronized List<String> getColumnEncryptionTrustedMasterKeyPaths(String
         }
     }
 
+    /**
+     * Clears User token cache. This will clear all account info so interactive login will be required on the next
+     * request to acquire an access token.
+     */
+    public static synchronized void clearUserTokenCache() {
+        PersistentTokenCacheAccessAspect.clearUserTokenCache();
+    }
+
     Properties activeConnectionProperties; // the active set of connection properties
     private boolean integratedSecurity = SQLServerDriverBooleanProperty.INTEGRATED_SECURITY.getDefaultValue();
     private boolean ntlmAuthentication = false;
@@ -3909,6 +3920,9 @@ int writeFedAuthFeatureRequest(boolean write, /* if false just calculates the le
                         case ActiveDirectoryMSI:
                             workflow = TDS.ADALWORKFLOW_ACTIVEDIRECTORYMSI;
                             break;
+                        case ActiveDirectoryInteractive:
+                            workflow = TDS.ADALWORKFLOW_ACTIVEDIRECTORYINTERACTIVE;
+                            break;
                         case ActiveDirectoryServicePrincipal:
                             workflow = TDS.ADALWORKFLOW_ACTIVEDIRECTORYSERVICEPRINCIPAL;
                             break;
@@ -4016,7 +4030,9 @@ private void logon(LogonCommand command) throws SQLServerException {
                 || ((authenticationString.equalsIgnoreCase(SqlAuthentication.ActiveDirectoryIntegrated.toString())
                         || authenticationString.equalsIgnoreCase(SqlAuthentication.ActiveDirectoryMSI.toString())
                         || authenticationString
-                                .equalsIgnoreCase(SqlAuthentication.ActiveDirectoryServicePrincipal.toString()))
+                                .equalsIgnoreCase(SqlAuthentication.ActiveDirectoryServicePrincipal.toString())
+                        || authenticationString
+                                .equalsIgnoreCase(SqlAuthentication.ActiveDirectoryInteractive.toString()))
                         && fedAuthRequiredPreLoginResponse)) {
             federatedAuthenticationInfoRequested = true;
             fedAuthFeatureExtensionData = new FederatedAuthenticationFeatureExtensionData(TDS.TDS_FEDAUTH_LIBRARY_ADAL,
@@ -4455,6 +4471,8 @@ void onFedAuthInfo(SqlFedAuthInfo fedAuthInfo, TDSTokenHandler tdsTokenHandler)
                 && null != activeConnectionProperties.getProperty(SQLServerDriverStringProperty.PASSWORD.toString()))
                 || (authenticationString.equalsIgnoreCase(SqlAuthentication.ActiveDirectoryIntegrated.toString())
                         || authenticationString.equalsIgnoreCase(SqlAuthentication.ActiveDirectoryMSI.toString())
+                        || authenticationString
+                                .equalsIgnoreCase(SqlAuthentication.ActiveDirectoryInteractive.toString())
                                 && fedAuthRequiredPreLoginResponse);
 
         assert null != fedAuthInfo;
@@ -4507,7 +4525,6 @@ private SqlFedAuthToken getFedAuthToken(SqlFedAuthInfo fedAuthInfo) throws SQLSe
                 // Break out of the retry loop in successful case.
                 break;
             } else if (authenticationString.equalsIgnoreCase(SqlAuthentication.ActiveDirectoryIntegrated.toString())) {
-
                 // If operating system is windows and mssql-jdbc_auth is loaded then choose the DLL authentication.
                 if (System.getProperty("os.name").toLowerCase(Locale.ENGLISH).startsWith("windows")
                         && AuthenticationJNI.isDllLoaded()) {
@@ -4590,6 +4607,17 @@ private SqlFedAuthToken getFedAuthToken(SqlFedAuthInfo fedAuthInfo) throws SQLSe
                 }
                 // Break out of the retry loop in successful case.
                 break;
+            } else if (authenticationString.equalsIgnoreCase(SqlAuthentication.ActiveDirectoryInteractive.toString())) {
+                if (!msalContextExists()) {
+                    MessageFormat form = new MessageFormat(SQLServerException.getErrString("R_MSALMissing"));
+                    throw new SQLServerException(form.format(new Object[] {authenticationString}), null, 0, null);
+                }
+                // interactive flow
+                fedAuthToken = SQLServerMSAL4JUtils.getSqlFedAuthTokenInteractive(fedAuthInfo, user,
+                        authenticationString);
+
+                // Break out of the retry loop in successful case.
+                break;
             }
         }
 

src/main/java/com/microsoft/sqlserver/jdbc/SQLServerDriver.java

@@ -66,7 +66,8 @@ enum SqlAuthentication {
     ActiveDirectoryPassword,
     ActiveDirectoryIntegrated,
     ActiveDirectoryMSI,
-    ActiveDirectoryServicePrincipal;
+    ActiveDirectoryServicePrincipal,
+    ActiveDirectoryInteractive;
 
     static SqlAuthentication valueOfString(String value) throws SQLServerException {
         SqlAuthentication method = null;
@@ -86,6 +87,9 @@ static SqlAuthentication valueOfString(String value) throws SQLServerException {
         } else if (value.toLowerCase(Locale.US)
                 .equalsIgnoreCase(SqlAuthentication.ActiveDirectoryServicePrincipal.toString())) {
             method = SqlAuthentication.ActiveDirectoryServicePrincipal;
+        } else if (value.toLowerCase(Locale.US)
+                .equalsIgnoreCase(SqlAuthentication.ActiveDirectoryInteractive.toString())) {
+            method = SqlAuthentication.ActiveDirectoryInteractive;
         } else {
             MessageFormat form = new MessageFormat(SQLServerException.getErrString("R_InvalidConnectionSetting"));
             Object[] msgArgs = {"authentication", value};
@@ -589,8 +593,9 @@ public final class SQLServerDriver implements java.sql.Driver {
                             SqlAuthentication.ActiveDirectoryPassword.toString(),
                             SqlAuthentication.ActiveDirectoryIntegrated.toString(),
                             SqlAuthentication.ActiveDirectoryMSI.toString(),
-                            SqlAuthentication.ActiveDirectoryServicePrincipal
-                                    .toString()}),
+                            SqlAuthentication.ActiveDirectoryServicePrincipal.toString(),
+                            SqlAuthentication.ActiveDirectoryInteractive.toString()}),
+
             new SQLServerDriverPropertyInfo(SQLServerDriverIntProperty.SOCKET_TIMEOUT.toString(),
                     Integer.toString(SQLServerDriverIntProperty.SOCKET_TIMEOUT.getDefaultValue()), false, null),
             new SQLServerDriverPropertyInfo(SQLServerDriverBooleanProperty.FIPS.toString(),

src/main/java/com/microsoft/sqlserver/jdbc/SQLServerMSAL4JUtils.java

@@ -7,6 +7,8 @@
 
 import java.io.IOException;
 import java.net.MalformedURLException;
+import java.net.URI;
+import java.net.URISyntaxException;
 import java.text.MessageFormat;
 import java.util.Collections;
 import java.util.HashSet;
@@ -16,37 +18,43 @@
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.logging.Level;
-
 import javax.security.auth.kerberos.KerberosPrincipal;
-
+import com.microsoft.aad.msal4j.IAccount;
 import com.microsoft.aad.msal4j.ClientCredentialFactory;
 import com.microsoft.aad.msal4j.ClientCredentialParameters;
 import com.microsoft.aad.msal4j.ConfidentialClientApplication;
 import com.microsoft.aad.msal4j.IAuthenticationResult;
 import com.microsoft.aad.msal4j.IClientCredential;
 import com.microsoft.aad.msal4j.IntegratedWindowsAuthenticationParameters;
+import com.microsoft.aad.msal4j.InteractiveRequestParameters;
+import com.microsoft.aad.msal4j.MsalInteractionRequiredException;
 import com.microsoft.aad.msal4j.PublicClientApplication;
+import com.microsoft.aad.msal4j.SilentParameters;
+import com.microsoft.aad.msal4j.SystemBrowserOptions;
 import com.microsoft.aad.msal4j.UserNamePasswordParameters;
 import com.microsoft.sqlserver.jdbc.SQLServerConnection.ActiveDirectoryAuthentication;
+
 import com.microsoft.sqlserver.jdbc.SQLServerConnection.SqlFedAuthInfo;
 
 
 class SQLServerMSAL4JUtils {
 
+    static final String REDIRECTURI = "http://localhost";
+
     static final private java.util.logging.Logger logger = java.util.logging.Logger
             .getLogger("com.microsoft.sqlserver.jdbc.SQLServerMSAL4JUtils");
 
     static SqlFedAuthToken getSqlFedAuthToken(SqlFedAuthInfo fedAuthInfo, String user, String password,
             String authenticationString) throws SQLServerException {
-        ExecutorService executorService = Executors.newFixedThreadPool(1);
+        ExecutorService executorService = Executors.newSingleThreadExecutor();
+
         try {
-            final PublicClientApplication clientApplication = PublicClientApplication
+            final PublicClientApplication pca = PublicClientApplication
                     .builder(ActiveDirectoryAuthentication.JDBC_FEDAUTH_CLIENT_ID).executorService(executorService)
                     .authority(fedAuthInfo.stsurl).build();
-            final CompletableFuture<IAuthenticationResult> future = clientApplication
-                    .acquireToken(UserNamePasswordParameters
-                            .builder(Collections.singleton(fedAuthInfo.spn + "/.default"), user, password.toCharArray())
-                            .build());
+            final CompletableFuture<IAuthenticationResult> future = pca.acquireToken(UserNamePasswordParameters
+                    .builder(Collections.singleton(fedAuthInfo.spn + "/.default"), user, password.toCharArray())
+                    .build());
 
             final IAuthenticationResult authenticationResult = future.get();
             return new SqlFedAuthToken(authenticationResult.accessToken(), authenticationResult.expiresOnDate());
@@ -61,7 +69,7 @@ static SqlFedAuthToken getSqlFedAuthToken(SqlFedAuthInfo fedAuthInfo, String use
 
     static SqlFedAuthToken getSqlFedAuthTokenPrincipal(SqlFedAuthInfo fedAuthInfo, String aadPrincipalID,
             String aadPrincipalSecret, String authenticationString) throws SQLServerException {
-        ExecutorService executorService = Executors.newFixedThreadPool(1);
+        ExecutorService executorService = Executors.newSingleThreadExecutor();
         try {
             String defaultScopeSuffix = "/.default";
             String scope = fedAuthInfo.spn.endsWith(defaultScopeSuffix) ? fedAuthInfo.spn
@@ -87,7 +95,7 @@ static SqlFedAuthToken getSqlFedAuthTokenPrincipal(SqlFedAuthInfo fedAuthInfo, S
 
     static SqlFedAuthToken getSqlFedAuthTokenIntegrated(SqlFedAuthInfo fedAuthInfo,
             String authenticationString) throws SQLServerException {
-        ExecutorService executorService = Executors.newFixedThreadPool(1);
+        ExecutorService executorService = Executors.newSingleThreadExecutor();
 
         try {
             /*
@@ -101,10 +109,10 @@ static SqlFedAuthToken getSqlFedAuthTokenIntegrated(SqlFedAuthInfo fedAuthInfo,
                 logger.fine(logger.toString() + " realm name is:" + kerberosPrincipal.getRealm());
             }
 
-            final PublicClientApplication clientApplication = PublicClientApplication
+            final PublicClientApplication pca = PublicClientApplication
                     .builder(ActiveDirectoryAuthentication.JDBC_FEDAUTH_CLIENT_ID).executorService(executorService)
                     .authority(fedAuthInfo.stsurl).build();
-            final CompletableFuture<IAuthenticationResult> future = clientApplication
+            final CompletableFuture<IAuthenticationResult> future = pca
                     .acquireToken(IntegratedWindowsAuthenticationParameters
                             .builder(Collections.singleton(fedAuthInfo.spn + "/.default"), user).build());
 
@@ -119,6 +127,76 @@ static SqlFedAuthToken getSqlFedAuthTokenIntegrated(SqlFedAuthInfo fedAuthInfo,
         }
     }
 
+    static SqlFedAuthToken getSqlFedAuthTokenInteractive(SqlFedAuthInfo fedAuthInfo, String user,
+            String authenticationString) throws SQLServerException {
+        ExecutorService executorService = Executors.newSingleThreadExecutor();
+
+        try {
+            PublicClientApplication pca = PublicClientApplication
+                    .builder(ActiveDirectoryAuthentication.JDBC_FEDAUTH_CLIENT_ID).executorService(executorService)
+                    .setTokenCacheAccessAspect(PersistentTokenCacheAccessAspect.getInstance())
+                    .authority(fedAuthInfo.stsurl).logPii((logger.isLoggable(Level.FINE)) ? true : false).build();
+
+            CompletableFuture<IAuthenticationResult> future = null;
+            IAuthenticationResult authenticationResult = null;
+
+            // try to acquire token silently if user account found in cache
+            try {
+                Set<IAccount> accountsInCache = pca.getAccounts().join();
+                if (null != accountsInCache && !accountsInCache.isEmpty() && null != user && !user.isEmpty()) {
+                    IAccount account = getAccountByUsername(accountsInCache, user);
+                    if (null != account) {
+                        if (logger.isLoggable(Level.FINE)) {
+                            logger.fine(logger.toString() + "Silent authentication for user:" + user);
+                        }
+                        SilentParameters silentParameters = SilentParameters
+                                .builder(Collections.singleton(fedAuthInfo.spn + "/.default"), account).build();
+
+                        future = pca.acquireTokenSilently(silentParameters);
+                    }
+                }
+            } catch (MsalInteractionRequiredException e) {
+                // not an error, need to get token interactively
+            }
+
+            if (null != future) {
+                authenticationResult = future.get();
+            } else {
+                // acquire token interactively with system browser
+                if (logger.isLoggable(Level.FINE)) {
+                    logger.fine(logger.toString() + "Interactive authentication");
+                }
+                InteractiveRequestParameters parameters = InteractiveRequestParameters.builder(new URI(REDIRECTURI))
+                        .systemBrowserOptions(SystemBrowserOptions.builder()
+                                .htmlMessageSuccess(SQLServerResource.getResource("R_MSALAuthComplete")).build())
+                        .loginHint(user).scopes(Collections.singleton(fedAuthInfo.spn + "/.default")).build();
+
+                future = pca.acquireToken(parameters);
+                authenticationResult = future.get();
+            }
+
+            return new SqlFedAuthToken(authenticationResult.accessToken(), authenticationResult.expiresOnDate());
+        } catch (MalformedURLException | InterruptedException | URISyntaxException e) {
+            throw new SQLServerException(e.getMessage(), e);
+        } catch (ExecutionException e) {
+            throw getCorrectedException(e, user, authenticationString);
+        } finally {
+            executorService.shutdown();
+        }
+    }
+
+    // Helper function to return account containing user name from set of accounts, or null if no match
+    private static IAccount getAccountByUsername(Set<IAccount> accounts, String username) {
+        if (!accounts.isEmpty()) {
+            for (IAccount account : accounts) {
+                if (account.username().equals(username)) {
+                    return account;
+                }
+            }
+        }
+        return null;
+    }
+
     private static SQLServerException getCorrectedException(ExecutionException e, String user,
             String authenticationString) {
         if (logger.isLoggable(Level.SEVERE)) {