fix token endpoint parsing

Author: fadidurah

common4j/src/main/com/microsoft/identity/common/java/providers/microsoft/microsoftsts/AbstractMicrosoftStsTokenResponseHandler.java

@@ -31,6 +31,7 @@
 import com.microsoft.identity.common.java.exception.ClientException;
 import com.microsoft.identity.common.java.flighting.CommonFlight;
 import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
+import com.microsoft.identity.common.java.logging.Logger;
 import com.microsoft.identity.common.java.net.HttpResponse;
 import com.microsoft.identity.common.java.opentelemetry.AttributeName;
 import com.microsoft.identity.common.java.opentelemetry.SpanExtension;
@@ -43,6 +44,7 @@
 import com.microsoft.identity.common.java.util.HeaderSerializationUtil;
 import com.microsoft.identity.common.java.util.ObjectMapper;
 import com.microsoft.identity.common.java.util.ResultUtil;
+import com.microsoft.identity.common.java.util.StringUtil;
 
 import java.net.HttpURLConnection;
 import java.util.HashMap;
@@ -109,11 +111,25 @@ public TokenResult handleTokenResponse(@NonNull final HttpResponse response) thr
             }
 
             final String clientDataHeader = response.getHeaderValue(X_MS_CLIENTDATA, 0);
-            if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_SERVER_CLIENT_DATA_TELEMETRY)) {
-                final ClientDataInfo clientDataInfo = ClientDataInfo.fromPipeDelimited(clientDataHeader);
-                if (null != clientDataInfo) {
-                    clientDataInfo.emitToSpan();
-                    result.setClientDataInfo(clientDataInfo);
+            if (!StringUtil.isNullOrEmpty(clientDataHeader)
+                    && CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_SERVER_CLIENT_DATA_TELEMETRY)) {
+                // eSTS URL-encodes the pipe-delimited value in the response header (e.g. "m%7C0x800482A5%7C%7C...").
+                // ClientDataInfo.fromPipeDelimited expects an already-decoded value (its contract matches the
+                // authorize-endpoint path, where UrlUtil#getParameters has already decoded the query param).
+                // Decode here so the token-endpoint header path produces the same shape.
+                String decodedClientDataHeader = null;
+                try {
+                    decodedClientDataHeader = StringUtil.urlFormDecode(clientDataHeader);
+                } catch (final Exception e) {
+                    // Malformed percent-encoding shouldn't break token parsing; swallow and fall through.
+                    Logger.warn(methodTag, "Failed to URL-decode x-ms-clientdata header: " + e.getMessage());
+                }
+                if (decodedClientDataHeader != null) {
+                    final ClientDataInfo clientDataInfo = ClientDataInfo.fromPipeDelimited(decodedClientDataHeader);
+                    if (null != clientDataInfo) {
+                        clientDataInfo.emitToSpan();
+                        result.setClientDataInfo(clientDataInfo);
+                    }
                 }
             }
 

common4j/src/test/com/microsoft/identity/common/java/providers/microsoft/microsoftsts/MicrosoftStsTokenResponseHandlerTest.java

@@ -139,6 +139,59 @@ public void testHandleTokenResponse_withClientDataHeader_attributesEmitted() {
         }
     }
 
+    @SneakyThrows
+    @Test
+    public void testHandleTokenResponse_withUrlEncodedClientDataHeader_attributesEmitted() {
+        // eSTS URL-encodes pipe separators in the response header (e.g. "%7C" for "|").
+        // Real-world example: x-ms-clientdata=[m%7C0x800482A5%7C%7Cmicrosoftonline.com%7Cnone]
+        final String encodedClientDataHeader = "m%7C0x800482A5%7C%7Cmicrosoftonline.com%7Cnone";
+
+        final HashMap<String, List<String>> headers = new HashMap<>();
+        headers.put("Content-Type", Collections.singletonList("application/json; charset=utf-8"));
+        headers.put(HttpConstants.HeaderField.X_MS_CLIENTDATA,
+                Collections.singletonList(encodedClientDataHeader));
+
+        final HttpResponse response = new HttpResponse(200, MOCK_TOKEN_SUCCESS_RESPONSE, headers);
+        final MicrosoftStsTokenResponseHandler handler = new MicrosoftStsTokenResponseHandler();
+
+        final Span mockSpan = mock(Span.class);
+        when(mockSpan.setAttribute(Mockito.anyString(), Mockito.anyString())).thenReturn(mockSpan);
+
+        try (MockedStatic<SpanExtension> mockedExtension = Mockito.mockStatic(SpanExtension.class)) {
+            mockedExtension.when(SpanExtension::current).thenReturn(mockSpan);
+
+            final TokenResult tokenResult = handler.handleTokenResponse(response);
+
+            Assert.assertNotNull(tokenResult);
+            Assert.assertTrue(tokenResult.getSuccess());
+            Assert.assertNotNull(tokenResult.getClientDataInfo());
+            verify(mockSpan).setAttribute(AttributeName.server_error.name(), "0x800482A5");
+            verify(mockSpan).setAttribute(AttributeName.account_type.name(), "MSA");
+        }
+    }
+
+    @SneakyThrows
+    @Test
+    public void testHandleTokenResponse_withMalformedPercentEncoding_doesNotCrash() {
+        // Lone '%' is invalid percent-encoding; decode should fail gracefully and skip ClientDataInfo.
+        final String malformedHeader = "e|AADSTS50058|%ZZ|us|public";
+
+        final HashMap<String, List<String>> headers = new HashMap<>();
+        headers.put("Content-Type", Collections.singletonList("application/json; charset=utf-8"));
+        headers.put(HttpConstants.HeaderField.X_MS_CLIENTDATA,
+                Collections.singletonList(malformedHeader));
+
+        final HttpResponse response = new HttpResponse(200, MOCK_TOKEN_SUCCESS_RESPONSE, headers);
+        final MicrosoftStsTokenResponseHandler handler = new MicrosoftStsTokenResponseHandler();
+
+        final TokenResult tokenResult = handler.handleTokenResponse(response);
+
+        Assert.assertNotNull(tokenResult);
+        Assert.assertTrue(tokenResult.getSuccess());
+        // Malformed encoding => null ClientDataInfo, but token result still valid.
+        Assert.assertNull(tokenResult.getClientDataInfo());
+    }
+
     @SneakyThrows
     @Test
     public void testHandleTokenResponse_noClientDataHeader_doesNotCrash() {