Wire ClientDataInfo through AcquireTokenResult

Propagate the parsed x-ms-clientdata (token endpoint) and clientdata
query parameter (authorize endpoint) data from the response handlers
through TokenResult, MicrosoftStsAuthorizationResult, and ultimately
onto AcquireTokenResult so callers can access server-side telemetry
(error, sub-error, account type, cloud instance, data boundary).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: fadidurah

common/src/main/java/com/microsoft/identity/common/internal/broker/BrokerResult.java

@@ -97,6 +97,7 @@ private static class SerializedNames {
         static final String SPE_RING = "spe_ring";
         static final String CLI_TELEM_ERRORCODE = "cli_telem_error_code";
         static final String CLI_TELEM_SUB_ERROR_CODE = "cli_telem_suberror_code";
+        static final String CLIENT_DATA_INFO = "client_data_info";
     }
 
     private static final long serialVersionUID = 8606631820514878489L;
@@ -236,6 +237,13 @@ private static class SerializedNames {
     @SerializedName(SerializedNames.REFRESH_TOKEN_AGE)
     private String mRefreshTokenAge;
 
+    /**
+     * Server client data info from x-ms-clientdata response header (pipe-delimited format).
+     */
+    @Nullable
+    @SerializedName(SerializedNames.CLIENT_DATA_INFO)
+    private String mClientDataInfoRaw;
+
     /**
      * Boolean to indicate if the request succeeded without exceptions.
      */
@@ -347,6 +355,7 @@ private BrokerResult(@NonNull final Builder builder) {
         mCachedAt = builder.mCachedAt;
         mSpeRing = builder.mSpeRing;
         mRefreshTokenAge = builder.mRefreshTokenAge;
+        mClientDataInfoRaw = builder.mClientDataInfoRaw;
         mSuccess = builder.mSuccess;
         mTenantProfileData = builder.mTenantProfileData;
         mServicedFromCache = builder.mServicedFromCache;
@@ -426,6 +435,11 @@ public String getSpeRing() {
         return mSpeRing;
     }
 
+    @Nullable
+    public String getClientDataInfoRaw() {
+        return mClientDataInfoRaw;
+    }
+
     public long getCachedAt() {
         return mCachedAt;
     }
@@ -518,6 +532,7 @@ public static class Builder {
         private long mCachedAt;
         private String mSpeRing;
         private String mRefreshTokenAge;
+        private String mClientDataInfoRaw;
         private boolean mSuccess;
         private String mNegotiatedBrokerProtocolVersion;
         private List<ICacheRecord> mTenantProfileData;
@@ -631,6 +646,11 @@ public Builder refreshTokenAge(final String refreshTokenAge) {
             return this;
         }
 
+        public Builder clientDataInfoRaw(@Nullable final String clientDataInfoRaw) {
+            this.mClientDataInfoRaw = clientDataInfoRaw;
+            return this;
+        }
+
         public Builder success(boolean success) {
             this.mSuccess = success;
             return this;

common/src/main/java/com/microsoft/identity/common/internal/controllers/LocalMSALController.java

@@ -62,6 +62,7 @@
 import com.microsoft.identity.common.java.providers.RawAuthorizationResult;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationRequest;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationResponse;
+import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationResult;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsTokenRequest;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationRequest;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationResult;
@@ -168,6 +169,13 @@ public AcquireTokenResult acquireToken(
         );
         acquireTokenResult.setAuthorizationResult(result);
 
+        // Wire ClientDataInfo from the authorization result (authorize endpoint).
+        if (result instanceof MicrosoftStsAuthorizationResult) {
+            acquireTokenResult.setClientDataInfo(
+                    ((MicrosoftStsAuthorizationResult) result).getClientDataInfo()
+            );
+        }
+
         ResultUtil.logResult(TAG, result);
 
         if (result.getAuthorizationStatus().equals(AuthorizationStatus.SUCCESS)) {
@@ -181,6 +189,11 @@ public AcquireTokenResult acquireToken(
 
             acquireTokenResult.setTokenResult(tokenResult);
 
+            // Prefer ClientDataInfo from the token endpoint (later, more authoritative call).
+            if (tokenResult != null && tokenResult.getClientDataInfo() != null) {
+                acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
+
             if (tokenResult != null && tokenResult.getSuccess()) {
                 //4) Save tokens in token cache
                 final List<ICacheRecord> records = saveTokens(
@@ -205,6 +218,11 @@ public AcquireTokenResult acquireToken(
                                 false
                         )
                 );
+
+                // Set ClientDataInfo on the LocalAuthenticationResult for IPC propagation
+                final LocalAuthenticationResult localResult =
+                        (LocalAuthenticationResult) acquireTokenResult.getLocalAuthenticationResult();
+                localResult.setClientDataInfo(acquireTokenResult.getClientDataInfo());
             }
         }
 
@@ -742,6 +760,9 @@ public AcquireTokenResult acquireDeviceCodeFlowToken(
 
             // Assign token result
             acquireTokenResult.setTokenResult(tokenResult);
+            if (tokenResult != null) {
+                acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
 
             // If the token is valid, save it into token cache
             final List<ICacheRecord> records = saveTokens(
@@ -764,6 +785,13 @@ public AcquireTokenResult acquireDeviceCodeFlowToken(
                             false
                     )
             );
+
+            // Set ClientDataInfo on the LocalAuthenticationResult for IPC propagation
+            if (tokenResult != null) {
+                final LocalAuthenticationResult localResult =
+                        (LocalAuthenticationResult) acquireTokenResult.getLocalAuthenticationResult();
+                localResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
         } catch (Exception error) {
             Telemetry.emit(
                     new ApiEndEvent()

common/src/main/java/com/microsoft/identity/common/internal/result/MsalBrokerResultAdapter.java

@@ -98,6 +98,7 @@
 import com.microsoft.identity.common.java.result.GenerateShrResult;
 import com.microsoft.identity.common.java.result.ILocalAuthenticationResult;
 import com.microsoft.identity.common.java.result.LocalAuthenticationResult;
+import com.microsoft.identity.common.java.telemetry.ClientDataInfo;
 import com.microsoft.identity.common.java.ui.PreferredAuthMethod;
 import com.microsoft.identity.common.java.util.BrokerProtocolVersionUtil;
 import com.microsoft.identity.common.java.util.HeaderSerializationUtil;
@@ -284,6 +285,17 @@ public Bundle bundleFromAuthenticationResultForWebApps(@NonNull final ILocalAuth
                 .success(true)
                 .servicedFromCache(authenticationResult.isServicedFromCache());
 
+        // Serialize ClientDataInfo as raw pipe-delimited string for IPC transfer.
+        // The raw field is populated by ClientDataInfo.fromPipeDelimited(), the only
+        // path that populates the parsed fields, so it is safe to ship as-is.
+        if (authenticationResult instanceof LocalAuthenticationResult) {
+            final ClientDataInfo clientDataInfo =
+                    ((LocalAuthenticationResult) authenticationResult).getClientDataInfo();
+            if (clientDataInfo != null) {
+                brokerResultBuilder.clientDataInfoRaw(clientDataInfo.getRaw());
+            }
+        }
+
         if (shouldRemoveRefreshTokenFromResult(authenticationResult, negotiatedBrokerProtocolVersion)){
             brokerResultBuilder.tenantProfileRecords(
                     removeRefreshTokenFromCacheRecords(
@@ -476,12 +488,21 @@ public ILocalAuthenticationResult authenticationResultFromBundle(@NonNull final
             throw new ClientException(INVALID_BROKER_BUNDLE, "getTenantProfileData is null.");
         }
 
-        return new LocalAuthenticationResult(
+        final LocalAuthenticationResult localAuthResult = new LocalAuthenticationResult(
                 tenantProfileCacheRecords.get(0),
                 tenantProfileCacheRecords,
                 SdkType.MSAL,
                 brokerResult.isServicedFromCache()
         );
+
+        // Deserialize ClientDataInfo from the broker result if available
+        final ClientDataInfo clientDataInfo =
+                ClientDataInfo.fromPipeDelimited(brokerResult.getClientDataInfoRaw());
+        if (clientDataInfo != null) {
+            localAuthResult.setClientDataInfo(clientDataInfo);
+        }
+
+        return localAuthResult;
     }
 
     @NonNull
@@ -994,7 +1015,16 @@ public AcquireTokenResult getDeviceCodeFlowTokenResultFromResultBundle(@NonNull
 
             if (resultBundle.getBoolean(AuthenticationConstants.Broker.BROKER_REQUEST_V2_SUCCESS)) {
                 final AcquireTokenResult acquireTokenResult = new AcquireTokenResult();
-                acquireTokenResult.setLocalAuthenticationResult(authenticationResultFromBundle(resultBundle));
+                final ILocalAuthenticationResult authResult = authenticationResultFromBundle(resultBundle);
+                acquireTokenResult.setLocalAuthenticationResult(authResult);
+
+                // Propagate ClientDataInfo from LocalAuthenticationResult to AcquireTokenResult
+                if (authResult instanceof LocalAuthenticationResult) {
+                    acquireTokenResult.setClientDataInfo(
+                            ((LocalAuthenticationResult) authResult).getClientDataInfo()
+                    );
+                }
+
                 span.setStatus(StatusCode.OK);
                 return acquireTokenResult;
             } else if (brokerResult.getErrorCode().equals(ErrorStrings.DEVICE_CODE_FLOW_AUTHORIZATION_PENDING_ERROR_CODE)) {
@@ -1018,9 +1048,16 @@ AcquireTokenResult getAcquireTokenResultFromResultBundle(@NonNull final Bundle r
         final MsalBrokerResultAdapter resultAdapter = new MsalBrokerResultAdapter();
         if (resultBundle.getBoolean(AuthenticationConstants.Broker.BROKER_REQUEST_V2_SUCCESS)) {
             final AcquireTokenResult acquireTokenResult = new AcquireTokenResult();
-            acquireTokenResult.setLocalAuthenticationResult(
-                    resultAdapter.authenticationResultFromBundle(resultBundle)
-            );
+            final ILocalAuthenticationResult authResult =
+                    resultAdapter.authenticationResultFromBundle(resultBundle);
+            acquireTokenResult.setLocalAuthenticationResult(authResult);
+
+            // Propagate ClientDataInfo from LocalAuthenticationResult to AcquireTokenResult
+            if (authResult instanceof LocalAuthenticationResult) {
+                acquireTokenResult.setClientDataInfo(
+                        ((LocalAuthenticationResult) authResult).getClientDataInfo()
+                );
+            }
             // Set broker performance metrics if available
             final BrokerPerformanceMetrics metrics = resultAdapter.getBrokerPerformanceMetricsFromBundle(resultBundle);
             if (metrics != null) {

common4j/src/main/com/microsoft/identity/common/java/controllers/BaseController.java

@@ -219,6 +219,9 @@ public AcquireTokenResult acquireTokenWithPassword(@NonNull final RopcTokenComma
         final TokenResult tokenResult = oAuth2Strategy.requestToken(ropcTokenRequest);
 
         acquireTokenResult.setTokenResult(tokenResult);
+        if (tokenResult != null) {
+            acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+        }
 
         @SuppressWarnings(WarningType.rawtype_warning) final OAuth2TokenCache tokenCache = parameters.getOAuth2TokenCache();
 
@@ -251,6 +254,9 @@ public AcquireTokenResult acquireTokenWithPassword(@NonNull final RopcTokenComma
                 Telemetry.emit(new CacheEndEvent());
             }
 
+            // Set server client data info on the authentication result for IPC propagation
+            authenticationResult.setClientDataInfo(tokenResult.getClientDataInfo());
+
             // Set the AuthenticationResult on the final result object
             acquireTokenResult.setLocalAuthenticationResult(authenticationResult);
         }
@@ -484,6 +490,7 @@ protected void renewAccessToken(@NonNull final SilentTokenCommandParameters para
         );
 
         acquireTokenSilentResult.setTokenResult(tokenResult);
+        acquireTokenSilentResult.setClientDataInfo(tokenResult.getClientDataInfo());
 
         ResultUtil.logResult(methodTag, tokenResult);
 
@@ -528,6 +535,9 @@ protected void renewAccessToken(@NonNull final SilentTokenCommandParameters para
                 Telemetry.emit(new CacheEndEvent());
             }
 
+            // Set server client data info on the authentication result for IPC propagation
+            authenticationResult.setClientDataInfo(tokenResult.getClientDataInfo());
+
             // Set the AuthenticationResult on the final result object
             acquireTokenSilentResult.setLocalAuthenticationResult(authenticationResult);
         } else {

common4j/src/main/com/microsoft/identity/common/java/providers/microsoft/microsoftsts/AbstractMicrosoftStsTokenResponseHandler.java

@@ -113,6 +113,7 @@ public TokenResult handleTokenResponse(@NonNull final HttpResponse response) thr
                 final ClientDataInfo clientDataInfo = ClientDataInfo.fromPipeDelimited(clientDataHeader);
                 if (null != clientDataInfo) {
                     clientDataInfo.emitToSpan();
+                    result.setClientDataInfo(clientDataInfo);
                 }
             }
 

common4j/src/main/com/microsoft/identity/common/java/providers/microsoft/microsoftsts/MicrosoftStsAuthorizationResult.java

@@ -26,6 +26,9 @@
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationErrorResponse;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationResponse;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationStatus;
+import com.microsoft.identity.common.java.telemetry.ClientDataInfo;
+
+import javax.annotation.Nullable;
 
 /**
  * Sub class of {@link MicrosoftAuthorizationResult}.
@@ -34,6 +37,9 @@
 public class MicrosoftStsAuthorizationResult
         extends MicrosoftAuthorizationResult<MicrosoftStsAuthorizationResponse, MicrosoftStsAuthorizationErrorResponse> {
 
+    @Nullable
+    private ClientDataInfo mClientDataInfo;
+
     /**
      * Constructor of {@link MicrosoftStsAuthorizationResult}.
      *
@@ -54,4 +60,22 @@ public MicrosoftStsAuthorizationResult(final AuthorizationStatus authStatus, fin
         super(authStatus, errorResponse);
     }
 
+    /**
+     * Gets the {@link ClientDataInfo} parsed from the clientdata redirect query parameter.
+     *
+     * @return The ClientDataInfo, or null if the parameter was absent or unparseable.
+     */
+    @Nullable
+    public ClientDataInfo getClientDataInfo() {
+        return mClientDataInfo;
+    }
+
+    /**
+     * Sets the {@link ClientDataInfo} parsed from the clientdata redirect query parameter.
+     *
+     * @param clientDataInfo The ClientDataInfo to set.
+     */
+    public void setClientDataInfo(@Nullable final ClientDataInfo clientDataInfo) {
+        mClientDataInfo = clientDataInfo;
+    }
 }

common4j/src/main/com/microsoft/identity/common/java/providers/microsoft/microsoftsts/MicrosoftStsAuthorizationResultFactory.java

@@ -75,8 +75,9 @@ protected MicrosoftStsAuthorizationResult parseRedirectUriAndCreateAuthorization
 
         final Map<String, String> urlParameters = UrlUtil.getParameters(redirectUri);
 
+        ClientDataInfo clientDataInfo = null;
         if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_SERVER_CLIENT_DATA_TELEMETRY)) {
-            final ClientDataInfo clientDataInfo = ClientDataInfo.fromPipeDelimited(urlParameters.get(ClientDataInfo.CLIENTDATA_QUERY_PARAMETER));
+            clientDataInfo = ClientDataInfo.fromPipeDelimited(urlParameters.get(ClientDataInfo.CLIENTDATA_QUERY_PARAMETER));
             if (null != clientDataInfo) {
                 clientDataInfo.emitToSpan();
             }
@@ -107,6 +108,8 @@ protected MicrosoftStsAuthorizationResult parseRedirectUriAndCreateAuthorization
             );
         }
 
+        result.setClientDataInfo(clientDataInfo);
+
         return result;
     }
 

common4j/src/main/com/microsoft/identity/common/java/providers/oauth2/TokenResult.java

@@ -23,6 +23,9 @@
 package com.microsoft.identity.common.java.providers.oauth2;
 
 import com.microsoft.identity.common.java.telemetry.CliTelemInfo;
+import com.microsoft.identity.common.java.telemetry.ClientDataInfo;
+
+import javax.annotation.Nullable;
 
 /**
  * Holds the request of a token request.  The request will either contain the success result or the error result.
@@ -32,6 +35,8 @@ public class TokenResult implements IResult {
     private TokenResponse mTokenResponse;
     private TokenErrorResponse mTokenErrorResponse;
     private CliTelemInfo mCliTelemInfo;
+    @Nullable
+    private ClientDataInfo mClientDataInfo;
     private boolean mSuccess = false;
 
     public TokenResult() {
@@ -110,6 +115,25 @@ public void setCliTelemInfo(final CliTelemInfo cliTelemInfo) {
         mCliTelemInfo = cliTelemInfo;
     }
 
+    /**
+     * Gets the {@link ClientDataInfo} parsed from the x-ms-clientdata response header.
+     *
+     * @return The ClientDataInfo, or null if the header was absent or unparseable.
+     */
+    @Nullable
+    public ClientDataInfo getClientDataInfo() {
+        return mClientDataInfo;
+    }
+
+    /**
+     * Sets the {@link ClientDataInfo} parsed from the x-ms-clientdata response header.
+     *
+     * @param clientDataInfo The ClientDataInfo to set.
+     */
+    public void setClientDataInfo(@Nullable final ClientDataInfo clientDataInfo) {
+        mClientDataInfo = clientDataInfo;
+    }
+
     /**
      * Returns whether the token request was successful or not.
      *