Fixes AB#3588022 Optimize load() and getIdTokensForAccountRecord() with filter-then-clone (#3100)

Fixes
[AB#3588022](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3588022)
Apply filter-then-clone optimization to MsalOAuth2TokenCache.load() and
getIdTokensForAccountRecord() methods behind the existing
ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE flight.

When the flight is enabled, these methods now call the direct
(non-input-list) getCredentialsFilteredBy overloads which filter on
uncloned in-memory references first, then clone only the matching
credentials. This avoids cloning all cached credentials on every
AcquireTokenSilent cache-hit path.

Changes:
- Add new getCredentialsFilteredBy overload with kid parameter to
IAccountCredentialCache, SharedPreferencesAccountCredentialCache, and
SharedPreferencesAccountCredentialCacheWithMemoryCache
- Gate load() to skip preload pattern and use direct filtered lookups
when flight is enabled
- Gate getIdTokensForAccountRecord() with same optimization pattern
- Add tests for new kid overload (flight enabled/disabled)
- Add MsalOAuth2TokenCache-level tests for flight-gated load() and
getIdTokensForAccountRecord() paths

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: siddhijain <30181294+siddhijain@users.noreply.github.com>

Author: 3 people

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [PATCH] Extend filter-then-clone optimization to load() and getIdTokensForAccountRecord() in MsalOAuth2TokenCache: when ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE flight is enabled, skip clone-all preload and call direct flight-gated overloads that clone only matching credentials; add new getCredentialsFilteredBy overload with kid support (#3100)
 - [PATCH] Move Multiple Listening apps check to the authorization layer (#3070)
 
 Version 24.2.0

common/src/test/java/com/microsoft/identity/common/MsalOAuth2TokenCacheTest.java

@@ -29,6 +29,7 @@
 
 import com.microsoft.identity.common.components.AndroidPlatformComponentsFactory;
 import com.microsoft.identity.common.components.MockPlatformComponentsFactory;
+import com.microsoft.identity.common.internal.mocks.MockCommonFlightsManager;
 import com.microsoft.identity.common.internal.platform.AndroidPlatformUtil;
 import com.microsoft.identity.common.java.interfaces.IPlatformComponents;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsOAuth2Strategy;
@@ -40,13 +41,17 @@
 import com.microsoft.identity.common.java.cache.ICacheRecord;
 import com.microsoft.identity.common.java.cache.MsalOAuth2TokenCache;
 import com.microsoft.identity.common.java.cache.SharedPreferencesAccountCredentialCache;
+import com.microsoft.identity.common.java.cache.SharedPreferencesAccountCredentialCacheWithMemoryCache;
 import com.microsoft.identity.common.java.dto.AccessTokenRecord;
 import com.microsoft.identity.common.java.dto.AccountRecord;
 import com.microsoft.identity.common.java.dto.Credential;
 import com.microsoft.identity.common.java.dto.CredentialType;
 import com.microsoft.identity.common.java.dto.IdTokenRecord;
 import com.microsoft.identity.common.java.dto.PrimaryRefreshTokenRecord;
 import com.microsoft.identity.common.java.dto.RefreshTokenRecord;
+import com.microsoft.identity.common.java.flighting.CommonFlight;
+import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
+import com.microsoft.identity.common.java.flighting.IFlightsProvider;
 import com.microsoft.identity.common.java.interfaces.INameValueStorage;
 import com.microsoft.identity.common.java.providers.microsoft.MicrosoftAccount;
 import com.microsoft.identity.common.java.providers.microsoft.MicrosoftRefreshToken;
@@ -59,6 +64,7 @@
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.Mockito;
 import org.powermock.api.mockito.PowerMockito;
 import org.robolectric.RobolectricTestRunner;
 import org.robolectric.annotation.Config;
@@ -1607,4 +1613,155 @@ public void testGetFamilyRefreshTokenForHomeAccountIdNoAccountWithHomeAccountId(
                 getFamilyRefreshTokenForHomeAccountId("26685724-1f8e-4b97-a0ca-1863e33b9fb1"); // different home account id
         assertNull(refreshTokenRecord);
     }
+
+    // =====================================================================
+    // Flight-gated tests for filter-then-clone optimization in load() and getIdTokensForAccountRecord()
+    // =====================================================================
+
+    private MsalOAuth2TokenCache<MicrosoftStsOAuth2Strategy, MicrosoftStsAuthorizationRequest,
+            MicrosoftStsTokenResponse, MicrosoftAccount, MicrosoftRefreshToken>
+            createCacheWithMemoryCache(final IPlatformComponents components) {
+        final ICacheKeyValueDelegate keyValueDelegate = new CacheKeyValueDelegate();
+        final INameValueStorage<String> storage = components.getStorageSupplier().getEncryptedNameValueStore(
+                "test_prefs_memory_cache",
+                String.class
+        );
+        final IAccountCredentialCache memoryCache = new SharedPreferencesAccountCredentialCacheWithMemoryCache(
+                keyValueDelegate,
+                storage
+        );
+        return new MsalOAuth2TokenCache<>(
+                components,
+                memoryCache,
+                mockCredentialAdapter
+        );
+    }
+
+    private void enableFilterThenCloneFlight() {
+        CommonFlightsManager.INSTANCE.resetFlightsManager();
+        final IFlightsProvider mockFlightsProvider = Mockito.mock(IFlightsProvider.class);
+        when(mockFlightsProvider.isFlightEnabled(CommonFlight.ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE))
+                .thenReturn(true);
+        final MockCommonFlightsManager mockFlightsManager = new MockCommonFlightsManager();
+        mockFlightsManager.setMockCommonFlightsProvider(mockFlightsProvider);
+        CommonFlightsManager.INSTANCE.initializeCommonFlightsManager(mockFlightsManager);
+    }
+
+    private void resetFlight() {
+        CommonFlightsManager.INSTANCE.resetFlightsManager();
+    }
+
+    @Test
+    public void loadTokens_flightEnabled_returnsCorrectCacheRecord() throws ClientException {
+        enableFilterThenCloneFlight();
+        try {
+            final IPlatformComponents components = MockPlatformComponentsFactory.getNonFunctionalBuilder().build();
+            final MsalOAuth2TokenCache<MicrosoftStsOAuth2Strategy, MicrosoftStsAuthorizationRequest,
+                    MicrosoftStsTokenResponse, MicrosoftAccount, MicrosoftRefreshToken>
+                    memoryCacheTokenCache = createCacheWithMemoryCache(components);
+
+            configureMocksForTestBundle(defaultTestBundleV2);
+            final ICacheRecord result = memoryCacheTokenCache.save(
+                    mockStrategy,
+                    mockRequest,
+                    mockResponse
+            );
+
+            final ICacheRecord secondaryLoad = memoryCacheTokenCache.load(
+                    CLIENT_ID,
+                    APPLICATION_IDENTIFIER_SHA512,
+                    MAM_ENROLLMENT_IDENTIFIER,
+                    TARGET,
+                    defaultTestBundleV2.mGeneratedAccount,
+                    BEARER_AUTHENTICATION_SCHEME
+            );
+
+            assertEquals(result.getAccount(), secondaryLoad.getAccount());
+            assertEquals(result.getAccessToken(), secondaryLoad.getAccessToken());
+            assertEquals(result.getRefreshToken(), secondaryLoad.getRefreshToken());
+            assertEquals(result.getIdToken(), secondaryLoad.getIdToken());
+        } finally {
+            resetFlight();
+        }
+    }
+
+    @Test
+    public void loadTokensV1Compat_flightEnabled_returnsCorrectCacheRecord() throws ClientException {
+        enableFilterThenCloneFlight();
+        try {
+            final IPlatformComponents components = MockPlatformComponentsFactory.getNonFunctionalBuilder().build();
+            final MsalOAuth2TokenCache<MicrosoftStsOAuth2Strategy, MicrosoftStsAuthorizationRequest,
+                    MicrosoftStsTokenResponse, MicrosoftAccount, MicrosoftRefreshToken>
+                    memoryCacheTokenCache = createCacheWithMemoryCache(components);
+
+            configureMocksForTestBundle(defaultTestBundleV1);
+            final ICacheRecord result = memoryCacheTokenCache.save(
+                    mockStrategy,
+                    mockRequest,
+                    mockResponse
+            );
+
+            final ICacheRecord secondaryLoad = memoryCacheTokenCache.load(
+                    CLIENT_ID,
+                    APPLICATION_IDENTIFIER_SHA512,
+                    MAM_ENROLLMENT_IDENTIFIER,
+                    TARGET,
+                    defaultTestBundleV1.mGeneratedAccount,
+                    BEARER_AUTHENTICATION_SCHEME
+            );
+
+            assertEquals(result.getAccount(), secondaryLoad.getAccount());
+            assertEquals(result.getAccessToken(), secondaryLoad.getAccessToken());
+            assertEquals(result.getRefreshToken(), secondaryLoad.getRefreshToken());
+            assertEquals(result.getV1IdToken(), secondaryLoad.getV1IdToken());
+        } finally {
+            resetFlight();
+        }
+    }
+
+    @Test
+    public void getIdTokensForAccountRecord_flightEnabled_returnsCorrectIdTokens() throws ClientException {
+        enableFilterThenCloneFlight();
+        try {
+            final IPlatformComponents components = MockPlatformComponentsFactory.getNonFunctionalBuilder().build();
+            final MsalOAuth2TokenCache<MicrosoftStsOAuth2Strategy, MicrosoftStsAuthorizationRequest,
+                    MicrosoftStsTokenResponse, MicrosoftAccount, MicrosoftRefreshToken>
+                    memoryCacheTokenCache = createCacheWithMemoryCache(components);
+
+            configureMocksForTestBundle(defaultTestBundleV2);
+            memoryCacheTokenCache.save(
+                    mockStrategy,
+                    mockRequest,
+                    mockResponse
+            );
+
+            final List<IdTokenRecord> idTokens = memoryCacheTokenCache.getIdTokensForAccountRecord(
+                    CLIENT_ID,
+                    defaultTestBundleV2.mGeneratedAccount
+            );
+
+            assertEquals(1, idTokens.size());
+            assertEquals(defaultTestBundleV2.mGeneratedIdToken, idTokens.get(0));
+        } finally {
+            resetFlight();
+        }
+    }
+
+    @Test
+    public void getIdTokensForAccountRecord_flightDisabled_returnsCorrectIdTokens() throws ClientException {
+        // Ensure the existing non-flighted path works unchanged
+        final ICacheRecord result = mOauth2TokenCache.save(
+                mockStrategy,
+                mockRequest,
+                mockResponse
+        );
+
+        final List<IdTokenRecord> idTokens = mOauth2TokenCache.getIdTokensForAccountRecord(
+                CLIENT_ID,
+                defaultTestBundleV2.mGeneratedAccount
+        );
+
+        assertEquals(1, idTokens.size());
+        assertEquals(defaultTestBundleV2.mGeneratedIdToken, idTokens.get(0));
+    }
 }

common/src/test/java/com/microsoft/identity/common/SharedPreferencesAccountCredentialCacheWithMemoryCacheTest.java

@@ -2843,4 +2843,125 @@ public void removeCredential_doesNotCallKeySetOrGetAll() throws Exception {
         assertEquals("removeCredential() must not call keySet()", 0, trackingStorage.getKeySetCallCount());
         assertEquals("removeCredential() must not call getAll()", 0, trackingStorage.getAllCallCount());
     }
+
+    // =====================================================================
+    // Tests for new getCredentialsFilteredBy overload with kid (no input list)
+    // =====================================================================
+
+    @Test
+    public void getCredentialsFilteredByWithKid_flightDisabled_returnsClonesFromAllCredentials() {
+        // Save an access token with kid = "kid1"
+        final AccessTokenRecord at = new AccessTokenRecord();
+        at.setCredentialType(CredentialType.AccessToken.name());
+        at.setHomeAccountId(HOME_ACCOUNT_ID);
+        at.setEnvironment(ENVIRONMENT);
+        at.setClientId(CLIENT_ID);
+        at.setRealm(REALM);
+        at.setTarget(TARGET);
+        at.setCachedAt(CACHED_AT);
+        at.setExpiresOn(EXPIRES_ON);
+        at.setSecret(SECRET);
+        at.setKid("kid1");
+        mSharedPreferencesAccountCredentialCache.saveCredential(at);
+
+        // Also save a non-matching credential type
+        final RefreshTokenRecord rt = buildDefaultRefreshToken();
+        mSharedPreferencesAccountCredentialCache.saveCredential(rt);
+
+        // Matching kid = "kid1" should return the AT
+        final List<Credential> matchingKid = mSharedPreferencesAccountCredentialCache
+                .getCredentialsFilteredBy(
+                        HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.AccessToken,
+                        CLIENT_ID, null, null, REALM, TARGET,
+                        null, null, "kid1");
+        assertEquals(1, matchingKid.size());
+        assertEquals(CredentialType.AccessToken.name(), matchingKid.get(0).getCredentialType());
+
+        // Non-matching kid = "kid2" should return nothing
+        final List<Credential> nonMatchingKid = mSharedPreferencesAccountCredentialCache
+                .getCredentialsFilteredBy(
+                        HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.AccessToken,
+                        CLIENT_ID, null, null, REALM, TARGET,
+                        null, null, "kid2");
+        assertEquals(0, nonMatchingKid.size());
+
+        // kid = null should return the AT (no kid filter applied)
+        final List<Credential> nullKid = mSharedPreferencesAccountCredentialCache
+                .getCredentialsFilteredBy(
+                        HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.AccessToken,
+                        CLIENT_ID, null, null, REALM, TARGET,
+                        null, null, (String) null);
+        assertEquals(1, nullKid.size());
+        assertEquals(CredentialType.AccessToken.name(), nullKid.get(0).getCredentialType());
+
+        // Returned objects should be clones — mutating should not affect cache
+        matchingKid.get(0).setCachedAt("mutated");
+        final List<Credential> afterMutation = mSharedPreferencesAccountCredentialCache
+                .getCredentialsFilteredBy(
+                        HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.AccessToken,
+                        CLIENT_ID, null, null, REALM, TARGET,
+                        null, null, "kid1");
+        assertNotEquals("mutated", afterMutation.get(0).getCachedAt());
+    }
+
+    @Test
+    public void getCredentialsFilteredByWithKid_flightEnabled_returnsClonedMatchesOnly() {
+        enableFilterThenCloneFlight();
+        try {
+            // Save an access token with kid = "kid1"
+            final AccessTokenRecord at = new AccessTokenRecord();
+            at.setCredentialType(CredentialType.AccessToken.name());
+            at.setHomeAccountId(HOME_ACCOUNT_ID);
+            at.setEnvironment(ENVIRONMENT);
+            at.setClientId(CLIENT_ID);
+            at.setRealm(REALM);
+            at.setTarget(TARGET);
+            at.setCachedAt(CACHED_AT);
+            at.setExpiresOn(EXPIRES_ON);
+            at.setSecret(SECRET);
+            at.setKid("kid1");
+            mSharedPreferencesAccountCredentialCache.saveCredential(at);
+
+            // Also save a non-matching credential type
+            final RefreshTokenRecord rt = buildDefaultRefreshToken();
+            mSharedPreferencesAccountCredentialCache.saveCredential(rt);
+
+            // Matching kid = "kid1" should return the AT
+            final List<Credential> matchingKid = mSharedPreferencesAccountCredentialCache
+                    .getCredentialsFilteredBy(
+                            HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.AccessToken,
+                            CLIENT_ID, null, null, REALM, TARGET,
+                            null, null, "kid1");
+            assertEquals(1, matchingKid.size());
+            assertEquals(CredentialType.AccessToken.name(), matchingKid.get(0).getCredentialType());
+
+            // Non-matching kid = "kid2" should return nothing
+            final List<Credential> nonMatchingKid = mSharedPreferencesAccountCredentialCache
+                    .getCredentialsFilteredBy(
+                            HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.AccessToken,
+                            CLIENT_ID, null, null, REALM, TARGET,
+                            null, null, "kid2");
+            assertEquals(0, nonMatchingKid.size());
+
+            // kid = null should return the AT (no kid filter applied)
+            final List<Credential> nullKid = mSharedPreferencesAccountCredentialCache
+                    .getCredentialsFilteredBy(
+                            HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.AccessToken,
+                            CLIENT_ID, null, null, REALM, TARGET,
+                            null, null, (String) null);
+            assertEquals(1, nullKid.size());
+            assertEquals(CredentialType.AccessToken.name(), nullKid.get(0).getCredentialType());
+
+            // Returned objects should be clones — mutating should not affect cache
+            matchingKid.get(0).setCachedAt("mutated");
+            final List<Credential> afterMutation = mSharedPreferencesAccountCredentialCache
+                    .getCredentialsFilteredBy(
+                            HOME_ACCOUNT_ID, ENVIRONMENT, CredentialType.AccessToken,
+                            CLIENT_ID, null, null, REALM, TARGET,
+                            null, null, "kid1");
+            assertNotEquals("mutated", afterMutation.get(0).getCachedAt());
+        } finally {
+            resetFlight();
+        }
+    }
 }

common4j/src/main/com/microsoft/identity/common/java/cache/IAccountCredentialCache.java

@@ -290,6 +290,38 @@ List<Credential> getCredentialsFilteredBy(
             final String kid
     );
 
+    /**
+     * Returns all of the Credentials matching the supplied criteria, including kid filtering.
+     * Unlike the input-list overload, this method reads directly from the cache and
+     * benefits from filter-then-clone optimization when the corresponding flight is enabled.
+     *
+     * @param homeAccountId   The homeAccountId used to match Credential cache keys.
+     * @param environment     The environment used to match Credential cache keys.
+     * @param credentialType  The sought CredentialType.
+     * @param clientId        The clientId used to match Credential cache keys.
+     * @param applicationIdentifier The physical identifier of the application (Android: packageName/signature)
+     * @param mamEnrollmentIdentifier The Mobile Application Management or Intune App Protection enrollment identifier (Android Only)
+     * @param realm           The realm used to match Credential cache keys.
+     * @param target          The target used to match Credential cache keys.
+     * @param authScheme      The auth scheme used to match Credential cache keys.
+     * @param requestedClaims The requested claims used to match Credential cache keys.
+     * @param kid             Kid value used to match access token record.
+     * @return A mutable List of Credentials matching the supplied criteria.
+     */
+    List<Credential> getCredentialsFilteredBy(
+            final String homeAccountId,
+            final String environment,
+            final CredentialType credentialType,
+            final String clientId,
+            final String applicationIdentifier,
+            final String mamEnrollmentIdentifier,
+            final String realm,
+            final String target,
+            final String authScheme,
+            final String requestedClaims,
+            final String kid
+    );
+
     /**
      * Removes the supplied Account from the cache.
      *