Fixes AB#3590267 Extend filter-then-clone optimization to deleteAccessTokensWithInters… (#3114)

siddhijain · Copilot · web-flow · commit 3e6df21e5a09 · 2026-05-15T17:51:29.000-05:00
Fixes [AB#3590267](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3590267) This PR extends use-filter-then-clone flight to one more method and add some telemetry attributes to check if the latency of ATS can be correlated to the number of accounts and credentials in memory. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: siddhijain <30181294+siddhijain@users.noreply.github.com>
diff --git a/changelog.txt b/changelog.txt
@@ -1,5 +1,6 @@
 vNext
 ----------
+- [PATCH] Extend filter-then-clone optimization to deleteAccessTokensWithIntersectingScopes and add telemetry attributes (#3114)
 - [PATCH] Wire ClientDataInfo through AcquireTokenResult, exceptions (#3109)
 - [PATCH] Handle app_link Intent redirection by validating broker install links and rejecting unsupported redirect URIs with appropriate error responses (#3102)
 - [MINOR] Add onboarding telemetry blob fields to BrokerRequest/BrokerResult and command parameters for client↔broker IPC transport (#3111)
diff --git a/common4j/src/main/com/microsoft/identity/common/java/cache/BrokerOAuth2TokenCache.java b/common4j/src/main/com/microsoft/identity/common/java/cache/BrokerOAuth2TokenCache.java
@@ -1648,7 +1648,6 @@ public static IAccountCredentialCache getCacheToBeUsed(@NonNull final IPlatformC
         final boolean isFlightEnabled = CommonFlightsManager.INSTANCE
                 .getFlightsProvider()
                 .isFlightEnabled(CommonFlight.USE_IN_MEMORY_CACHE_FOR_ACCOUNTS_AND_CREDENTIALS);
-        SpanExtension.current().setAttribute(AttributeName.in_memory_cache_used_for_accounts_and_credentials.name(), isFlightEnabled);
         if (isFlightEnabled) {
             return inMemoryCacheMapByStorage.computeIfAbsent(storeName, s ->
                     new SharedPreferencesAccountCredentialCacheWithMemoryCache(
diff --git a/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java b/common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java
@@ -1803,20 +1803,44 @@ private void deleteAccessTokensWithIntersectingScopes(
         final String methodName = "deleteAccessTokensWithIntersectingScopes";
         final long startTimeNanos = System.nanoTime();
 
-        final List<Credential> accessTokens = mAccountCredentialCache.getCredentialsFilteredBy(
-                referenceToken.getHomeAccountId(),
-                referenceToken.getEnvironment(),
-                CredentialType.fromString(referenceToken.getCredentialType()),
-                referenceToken.getClientId(),
-                referenceToken.getApplicationIdentifier(),
-                referenceToken.getMamEnrollmentIdentifier(),
-                referenceToken.getRealm(),
-                null, // Wildcard (*)
-                referenceToken.getAccessTokenType(),
-                referenceToken.getRequestedClaims(),
-                mustMatchExactClaims,
-                mAccountCredentialCache.getCredentials()
-        );
+        final boolean useFilterThenClone = CommonFlightsManager.INSTANCE
+                .getFlightsProvider()
+                .isFlightEnabled(CommonFlight.ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE);
+
+        final List<Credential> accessTokens;
+
+        if (useFilterThenClone) {
+            // Filter-then-clone: use the direct overload that reads from cache
+            // and clones only matching credentials.
+            accessTokens = mAccountCredentialCache.getCredentialsFilteredBy(
+                    referenceToken.getHomeAccountId(),
+                    referenceToken.getEnvironment(),
+                    CredentialType.fromString(referenceToken.getCredentialType()),
+                    referenceToken.getClientId(),
+                    referenceToken.getApplicationIdentifier(),
+                    referenceToken.getMamEnrollmentIdentifier(),
+                    referenceToken.getRealm(),
+                    null, // Wildcard (*)
+                    referenceToken.getAccessTokenType(),
+                    referenceToken.getRequestedClaims()
+            );
+        } else {
+            // Legacy path: clone all credentials, then filter.
+            accessTokens = mAccountCredentialCache.getCredentialsFilteredBy(
+                    referenceToken.getHomeAccountId(),
+                    referenceToken.getEnvironment(),
+                    CredentialType.fromString(referenceToken.getCredentialType()),
+                    referenceToken.getClientId(),
+                    referenceToken.getApplicationIdentifier(),
+                    referenceToken.getMamEnrollmentIdentifier(),
+                    referenceToken.getRealm(),
+                    null, // Wildcard (*)
+                    referenceToken.getAccessTokenType(),
+                    referenceToken.getRequestedClaims(),
+                    mustMatchExactClaims,
+                    mAccountCredentialCache.getCredentials()
+            );
+        }
 
         Logger.verbose(
                 TAG + ":" + methodName,
diff --git a/common4j/src/main/com/microsoft/identity/common/java/cache/SharedPreferencesAccountCredentialCacheWithMemoryCache.java b/common4j/src/main/com/microsoft/identity/common/java/cache/SharedPreferencesAccountCredentialCacheWithMemoryCache.java
@@ -301,6 +301,12 @@ public List<AccountRecord> getAccounts() {
 
         synchronized (mCacheLock) {
             waitForInitialLoad();
+            SpanExtension.current().setAttribute(
+                    AttributeName.number_of_accounts_in_cache.name(),
+                    mCachedAccountRecordsWithKeys.size());
+            SpanExtension.current().setAttribute(
+                    AttributeName.number_of_credentials_in_cache.name(),
+                    mCachedCredentialsWithKeys.size());
             final List<AccountRecord> accounts = cloneItems(mCachedAccountRecordsWithKeys.values(), methodTag);
             Logger.info(methodTag, "Found [" + accounts.size() + "] Accounts...");
             return accounts;
diff --git a/common4j/src/main/com/microsoft/identity/common/java/opentelemetry/AttributeName.java b/common4j/src/main/com/microsoft/identity/common/java/opentelemetry/AttributeName.java
@@ -265,6 +265,16 @@ public enum AttributeName {
      */
     elapsed_time_cache_get_all_client_ids,
 
+    /**
+     * The total number of account records in the in-memory cache at the time of the request.
+     */
+    number_of_accounts_in_cache,
+
+    /**
+     * The total number of credential records in the in-memory cache at the time of the request.
+     */
+    number_of_credentials_in_cache,
+
     /**
      * The time (in milliseconds) spent on network when acquiring PRT.
      */
@@ -509,11 +519,6 @@ public enum AttributeName {
      */
     is_in_web_cp_flow,
 
-    /**
-     * Indicates whether or not in memory cache is used for accounts and credentials.
-     */
-    in_memory_cache_used_for_accounts_and_credentials,
-
     /**
      * Indicates whether the filter-then-clone optimization is enabled for in-memory cache
      * getCredentialsFilteredBy()/getAccountsFilteredBy() operations.
