Merge pull request #221 from AzureAD/dev

SomkaPe · web-flow · commit 7eb3b0ed7fe6 · 2018-05-30T12:55:29.000-07:00
Release 1.6.0
diff --git a/README.md b/README.md
@@ -3,19 +3,29 @@
 # Microsoft Azure Active Directory Authentication Library (ADAL) for Java
 =====================================
 
-## Samples and Documentation
+|[Getting Started](https://github.com/AzureAD/azure-activedirectory-library-for-java/wiki)| [Docs](https://aka.ms/aaddev)| [Samples](https://github.com/azure-samples?query=active-directory)| [Support](README.md#community-help-and-support)
+| --- | --- | --- | --- |
 
-[We provide a full suite of sample applications and documentation on GitHub](https://github.com/Azure-Samples) to help you get started with learning the Azure Identity system. This includes tutorials for native clients such as Windows, Windows Phone, iOS, macOS, Android, and Linux. We also provide full walkthroughs for authentication flows such as OAuth2, OpenID Connect, Graph API, and other awesome features.
+The ADAL for Java library enables Java applications to authenticate with Azure AD and get tokens to access Azure AD protected web resources.
+
+You can learn in detail about ADAL4J functionality and usage documented in the [Wiki](https://github.com/AzureAD/azure-activedirectory-library-for-java/wiki).
 
 ## Versions
-Current version - 1.5.0
+Current version - 1.6.0
 
-Minimum recommended version - 1.5.0
+Minimum recommended version - 1.6.0
 
 From version 1.3.0 support for handling Conditional Access claims challenge was added. You can read about CA [here](https://go.microsoft.com/fwlink/?linkid=855860) and refer this [sample](https://github.com/AzureAD/azure-activedirectory-library-for-java/tree/dev/src/samples/web-app-samples-for-adal4j) to handle it.
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/azure-activedirectory-library-for-java/blob/master/changelog.txt).
 
+## Contribution
+All code is licensed under the MIT License and we triage actively on GitHub. We encourage and welcome contributions to the library. Please read the [contributing guide](./contributing.md) before starting.
+
+## Samples and Documentation
+
+[We provide a full suite of sample applications and documentation on GitHub](https://github.com/Azure-Samples) to help you get started with learning the Azure Identity system. This includes tutorials for native clients such as Windows, Windows Phone, iOS, macOS, Android, and Linux. We also provide full walkthroughs for authentication flows such as OAuth2, OpenID Connect, Graph API, and other awesome features.
+
 ## Logging
 
 ADAL for Java uses the Simple Logging Facade for Java (SLF4J) as a simple facade or abstraction for various logging frameworks.
@@ -42,10 +52,6 @@ We recommend you use the "adal" tag so we can see it! Here is the latest Q&A on
 
 If you find a security issue with our libraries or services please report it to [secure@microsoft.com](mailto:secure@microsoft.com) with as much detail as possible. Your submission may be eligible for a bounty through the [Microsoft Bounty](http://aka.ms/bugbounty) program. Please do not post security issues to GitHub Issues or any other public site. We will contact you shortly upon receiving the information. We encourage you to get notifications of when security incidents occur by visiting [this page](https://technet.microsoft.com/en-us/security/dd252948) and subscribing to Security Advisory Alerts.
 
-## Contributing
-
-All code is licensed under the MIT License and we triage actively on GitHub. We enthusiastically welcome contributions and feedback. You can clone the repo and start contributing now.
-
 ## We Value and Adhere to the Microsoft Open Source Code of Conduct
 
 This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,8 @@
+Version 1.6.0
+=============
+- added support for certificates in on-behalf-of api
+- added jti (JWT ID) claim to JWT
+
 Version 1.5.0
 =============
 - added device code flow api
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>adal4j</artifactId>
-	<version>1.5.0</version>
+	<version>1.6.0</version>
 	<packaging>jar</packaging>
 	<name>adal4j</name>
 	<description>
diff --git a/src/main/java/com/microsoft/aad/adal4j/AuthenticationContext.java b/src/main/java/com/microsoft/aad/adal4j/AuthenticationContext.java
@@ -242,16 +242,6 @@ public Future<AuthenticationResult> acquireToken(final String resource,
         return this.acquireToken(authGrant, clientAuth, callback);
     }
 
-    private void validateInput(final String resource, final Object credential,
-            final boolean validateResource) {
-        if (validateResource && StringHelper.isBlank(resource)) {
-            throw new IllegalArgumentException("resource is null or empty");
-        }
-        if (credential == null) {
-            throw new IllegalArgumentException("credential is null");
-        }
-    }
-
     /**
      * Acquires an access token from the authority on behalf of a user. It
      * requires using a user token previously received.
@@ -275,25 +265,65 @@ public Future<AuthenticationResult> acquireToken(final String resource,
             final UserAssertion userAssertion, final ClientCredential credential,
             final AuthenticationCallback callback) {
 
-        this.validateInput(resource, credential, true);
+        this.validateOnBehalfOfRequestInput(resource, userAssertion, credential, true);
+        final ClientAuthentication clientAuth = new ClientSecretPost(
+                new ClientID(credential.getClientId()), new Secret(
+                credential.getClientSecret()));
+        return acquireTokenOnBehalfOf(resource, userAssertion, clientAuth, callback);
+    }
+
+    /**
+     * Acquires an access token from the authority on behalf of a user. It
+     * requires using a user token previously received. Uses certificate to
+     * authenticate client.
+     *
+     * @param resource
+     *            Identifier of the target resource that is the recipient of the
+     *            requested token.
+     * @param userAssertion
+     *            userAssertion to use as Authorization grant
+     * @param credential
+     *            The certificate based client credential to use for token acquisition.
+     * @param callback
+     *            optional callback object for non-blocking execution.
+     * @return A {@link Future} object representing the
+     *         {@link AuthenticationResult} of the call. It contains Access
+     *         Token and the Access Token's expiration time. Refresh Token
+     *         property will be null for this overload.
+     * @throws AuthenticationException {@link AuthenticationException}
+     */
+    public Future<AuthenticationResult> acquireToken(final String resource,
+                                                     final UserAssertion userAssertion,
+                                                     final AsymmetricKeyCredential credential,
+                                                     final AuthenticationCallback callback) {
+
+        this.validateOnBehalfOfRequestInput(resource, userAssertion, credential, true);
+        ClientAssertion clientAssertion = JwtHelper
+                .buildJwt(credential, this.authenticationAuthority.getSelfSignedJwtAudience());
+        final ClientAuthentication clientAuth = createClientAuthFromClientAssertion(clientAssertion);
+        return acquireTokenOnBehalfOf(resource, userAssertion, clientAuth, callback);
+    }
+
+    private Future<AuthenticationResult> acquireTokenOnBehalfOf(final String resource,
+                                                     final UserAssertion userAssertion,
+                                                     final ClientAuthentication clientAuthentication,
+                                                     final AuthenticationCallback callback) {
+
         Map<String, String> params = new HashMap<String, String>();
         params.put("resource", resource);
         params.put("requested_token_use", "on_behalf_of");
         try {
             AdalOAuthAuthorizationGrant grant = new AdalOAuthAuthorizationGrant(
-                    new JWTBearerGrant(
-                            SignedJWT.parse(userAssertion.getAssertion())), params);
+            new JWTBearerGrant(SignedJWT.parse(userAssertion.getAssertion())), params);
 
-            final ClientAuthentication clientAuth = new ClientSecretPost(
-                    new ClientID(credential.getClientId()), new Secret(
-                            credential.getClientSecret()));
-            return this.acquireToken(grant, clientAuth, callback);
+            return this.acquireToken(grant, clientAuthentication, callback);
         }
         catch (final Exception e) {
             throw new AuthenticationException(e);
         }
     }
 
+
     /**
      * Acquires security token from the authority.
      *
@@ -829,21 +859,6 @@ private Future<AuthenticationResult> acquireToken(
                 new AcquireTokenCallable(this, authGrant, clientAuth, callback));
     }
 
-    private void validateDeviceCodeRequestInput(String clientId, String resource) {
-        if (StringHelper.isBlank(clientId)) {
-            throw new IllegalArgumentException("clientId is null or empty");
-        }
-
-        if (StringHelper.isBlank(resource)) {
-            throw new IllegalArgumentException("resource is null or empty");
-        }
-
-        if (AuthorityType.ADFS.equals(authenticationAuthority.getAuthorityType())){
-            throw new IllegalArgumentException(
-                    "Invalid authority type. Device Flow is not supported by ADFS authority");
-        }
-    }
-
     /**
      * Acquires a security token from the authority using a Refresh Token
      * previously received. This method is suitable for the daemon OAuth2
@@ -969,21 +984,44 @@ public String getAuthority() {
         return this.authority;
     }
 
+    private void validateInput(final String resource, final Object credential,
+                               final boolean validateResource) {
+        if (validateResource && StringHelper.isBlank(resource)) {
+            throw new IllegalArgumentException("resource is null or empty");
+        }
+        if (credential == null) {
+            throw new IllegalArgumentException("credential is null");
+        }
+    }
+
     private void validateAuthCodeRequestInput(final String authorizationCode,
             final URI redirectUri, final Object clientCredential,
             final String resource) {
         if (StringHelper.isBlank(authorizationCode)) {
             throw new IllegalArgumentException(
                     "authorization code is null or empty");
         }
-
         if (redirectUri == null) {
             throw new IllegalArgumentException("redirect uri is null");
         }
-
         this.validateInput(resource, clientCredential, false);
     }
 
+  private void validateDeviceCodeRequestInput(String clientId, String resource) {
+        if (StringHelper.isBlank(clientId)) {
+            throw new IllegalArgumentException("clientId is null or empty");
+        }
+
+        if (StringHelper.isBlank(resource)) {
+            throw new IllegalArgumentException("resource is null or empty");
+        }
+
+        if (AuthorityType.ADFS.equals(authenticationAuthority.getAuthorityType())){
+            throw new IllegalArgumentException(
+                    "Invalid authority type. Device Flow is not supported by ADFS authority");
+        }
+    }
+
     private void validateDeviceCodeRequestInput(final DeviceCode deviceCode,
                                                 final Object credential,
                                                 final String resource) {
@@ -995,4 +1033,12 @@ private void validateDeviceCodeRequestInput(final DeviceCode deviceCode,
         }
         this.validateInput(resource, credential, true);
     }
+
+    private void validateOnBehalfOfRequestInput(final String resource, final UserAssertion userAssertion,
+                                                final Object clientCredential, final boolean validateResource) {
+        if (userAssertion == null) {
+            throw new IllegalArgumentException("userAssertion is null");
+        }
+        this.validateInput(resource, clientCredential, validateResource);
+    }
 }
diff --git a/src/main/java/com/microsoft/aad/adal4j/JwtHelper.java b/src/main/java/com/microsoft/aad/adal4j/JwtHelper.java
@@ -27,6 +27,7 @@
 import java.util.Collections;
 import java.util.Date;
 import java.util.List;
+import java.util.UUID;
 
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.JWSHeader;
@@ -59,6 +60,7 @@ static ClientAssertion buildJwt(final AsymmetricKeyCredential credential,
         final JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
                 .audience(Collections.singletonList(jwtAudience))
                 .issuer(credential.getClientId())
+                .jwtID(UUID.randomUUID().toString())
                 .notBeforeTime(new Date(time))
                 .expirationTime(new Date(time
                                 + AuthenticationConstants.AAD_JWT_TOKEN_LIFETIME_SECONDS
diff --git a/src/samples/public-client-app-sample/pom.xml b/src/samples/public-client-app-sample/pom.xml
@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>adal4j</artifactId>
-			<version>1.5.0</version>
+			<version>1.6.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>
diff --git a/src/samples/public-client-device-code-sample/pom.xml b/src/samples/public-client-device-code-sample/pom.xml
@@ -19,7 +19,7 @@
         <dependency>
             <groupId>com.microsoft.azure</groupId>
             <artifactId>adal4j</artifactId>
-            <version>1.5.0</version>
+            <version>1.6.0</version>
         </dependency>
         <dependency>
             <groupId>com.nimbusds</groupId>
diff --git a/src/samples/web-app-samples-for-adal4j/pom.xml b/src/samples/web-app-samples-for-adal4j/pom.xml
@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>adal4j</artifactId>
-			<version>1.5.0</version>
+			<version>1.6.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>
diff --git a/src/test/java/com/microsoft/aad/adal4j/OAuthRequestValidationTest.java b/src/test/java/com/microsoft/aad/adal4j/OAuthRequestValidationTest.java
@@ -23,32 +23,43 @@
 
 package com.microsoft.aad.adal4j;
 
+import static org.powermock.api.support.membermodification.MemberMatcher.method;
+import static org.powermock.api.support.membermodification.MemberModifier.replace;
+
+import java.io.FileInputStream;
 import java.io.UnsupportedEncodingException;
+import java.lang.reflect.InvocationHandler;
 import java.lang.reflect.Method;
 import java.net.MalformedURLException;
 import java.net.URLDecoder;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
+import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.UUID;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 
-import com.nimbusds.jose.*;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSSigner;
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jwt.JWTClaimsSet;
 import com.nimbusds.jwt.SignedJWT;
-import static org.powermock.api.support.membermodification.MemberMatcher.method;
-import static org.powermock.api.support.membermodification.MemberModifier.replace;
-
+import org.apache.commons.lang3.StringUtils;
 import org.powermock.core.classloader.annotations.PrepareForTest;
-
-import java.lang.reflect.InvocationHandler;
-
 import org.powermock.modules.testng.PowerMockTestCase;
 import org.testng.Assert;
 import org.testng.annotations.AfterClass;
@@ -67,6 +78,7 @@ public class OAuthRequestValidationTest extends PowerMockTestCase {
 
     private final static String GRANT_TYPE_JWT = "urn:ietf:params:oauth:grant-type:jwt-bearer";
     private final static String CLIENT_ASSERTION_TYPE_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    private final static String ON_BEHALF_OF_USE_JWT = "on_behalf_of";
 
     private final static String CLIENT_CREDENTIALS_GRANT_TYPE = "client_credentials";
 
@@ -178,6 +190,50 @@ public void oAuthRequest_for_acquireTokenByUserAssertion() throws Exception {
         Assert.assertEquals(RESOURCE, queryParams.get("resource"));
     }
 
+    @Test
+    public void oAuthRequest_for_acquireTokenByAsymmetricKeyCredential() throws Exception {
+        try {
+            final KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
+            keystore.load(
+                    new FileInputStream(this.getClass()
+                            .getResource(TestConfiguration.AAD_CERTIFICATE_PATH)
+                            .getFile()),
+                    TestConfiguration.AAD_CERTIFICATE_PASSWORD.toCharArray());
+            final String alias = keystore.aliases().nextElement();
+            final PrivateKey key = (PrivateKey) keystore.getKey(alias,
+                    TestConfiguration.AAD_CERTIFICATE_PASSWORD.toCharArray());
+            final X509Certificate cert = (X509Certificate) keystore
+                    .getCertificate(alias);
+
+            AsymmetricKeyCredential certCredential = AsymmetricKeyCredential.create(CLIENT_ID, key, cert);
+
+            // Using UserAssertion as Authorization Grants
+            Future<AuthenticationResult> future = context.acquireToken(RESOURCE, new UserAssertion(jwt),
+                    certCredential, null);
+            future.get();
+        }
+        catch (ExecutionException ex){
+            Assert.assertTrue(ex.getCause() instanceof AuthenticationException);
+        }
+
+        Map<String, String> queryParams = splitQuery(query);
+        Assert.assertEquals(7, queryParams.size());
+
+        // validate Authorization Grants query params
+        Assert.assertEquals(GRANT_TYPE_JWT, queryParams.get("grant_type"));
+        Assert.assertEquals(jwt, queryParams.get("assertion"));
+
+        // validate Client Authentication query params
+        Assert.assertFalse(StringUtils.isEmpty(queryParams.get("client_assertion")));
+
+        Assert.assertEquals(OPEN_ID_SCOPE, queryParams.get("scope"));
+
+        Assert.assertEquals(CLIENT_ASSERTION_TYPE_JWT, queryParams.get("client_assertion_type"));
+        Assert.assertEquals(ON_BEHALF_OF_USE_JWT, queryParams.get("requested_token_use"));
+
+        Assert.assertEquals(RESOURCE, queryParams.get("resource"));
+    }
+
     @Test
     public void oAuthRequest_for_acquireTokenByClientAssertion() throws Exception {
         String rsaJwt = getRSAjwt();
