Wire ClientDataInfo through AcquireTokenResult and BaseException

Propagate ClientDataInfo (parsed from the x-ms-clientdata token response
header and the clientdata authorize redirect query parameter) through
AcquireTokenResult on success paths and through BaseException on failure
paths. Includes broker IPC serialization via BrokerResult so the payload
reaches the MSAL caller process for both success and error responses.
Adds a raw field to ClientDataInfo preserving the original pipe-delimited
string for partner teams that want the unparsed payload.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: fadidurah

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [PATCH] Wire ClientDataInfo through AcquireTokenResult, exceptions (#3109)
 - [PATCH] Extend filter-then-clone optimization to load() and getIdTokensForAccountRecord() in MsalOAuth2TokenCache: when ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE flight is enabled, skip clone-all preload and call direct flight-gated overloads that clone only matching credentials; add new getCredentialsFilteredBy overload with kid support (#3100)
 - [PATCH] Move Multiple Listening apps check to the authorization layer (#3070)
 - [PATCH] Edge TB: Fix lookup mode (#3108)

common/src/main/java/com/microsoft/identity/common/internal/broker/BrokerResult.java

@@ -97,6 +97,7 @@ private static class SerializedNames {
         static final String SPE_RING = "spe_ring";
         static final String CLI_TELEM_ERRORCODE = "cli_telem_error_code";
         static final String CLI_TELEM_SUB_ERROR_CODE = "cli_telem_suberror_code";
+        static final String CLIENT_DATA_INFO = "client_data_info";
     }
 
     private static final long serialVersionUID = 8606631820514878489L;
@@ -236,6 +237,13 @@ private static class SerializedNames {
     @SerializedName(SerializedNames.REFRESH_TOKEN_AGE)
     private String mRefreshTokenAge;
 
+    /**
+     * Server client data info from x-ms-clientdata response header (pipe-delimited format).
+     */
+    @Nullable
+    @SerializedName(SerializedNames.CLIENT_DATA_INFO)
+    private String mClientDataInfoRaw;
+
     /**
      * Boolean to indicate if the request succeeded without exceptions.
      */
@@ -347,6 +355,7 @@ private BrokerResult(@NonNull final Builder builder) {
         mCachedAt = builder.mCachedAt;
         mSpeRing = builder.mSpeRing;
         mRefreshTokenAge = builder.mRefreshTokenAge;
+        mClientDataInfoRaw = builder.mClientDataInfoRaw;
         mSuccess = builder.mSuccess;
         mTenantProfileData = builder.mTenantProfileData;
         mServicedFromCache = builder.mServicedFromCache;
@@ -426,6 +435,11 @@ public String getSpeRing() {
         return mSpeRing;
     }
 
+    @Nullable
+    public String getClientDataInfoRaw() {
+        return mClientDataInfoRaw;
+    }
+
     public long getCachedAt() {
         return mCachedAt;
     }
@@ -518,6 +532,7 @@ public static class Builder {
         private long mCachedAt;
         private String mSpeRing;
         private String mRefreshTokenAge;
+        private String mClientDataInfoRaw;
         private boolean mSuccess;
         private String mNegotiatedBrokerProtocolVersion;
         private List<ICacheRecord> mTenantProfileData;
@@ -631,6 +646,11 @@ public Builder refreshTokenAge(final String refreshTokenAge) {
             return this;
         }
 
+        public Builder clientDataInfoRaw(@Nullable final String clientDataInfoRaw) {
+            this.mClientDataInfoRaw = clientDataInfoRaw;
+            return this;
+        }
+
         public Builder success(boolean success) {
             this.mSuccess = success;
             return this;

common/src/main/java/com/microsoft/identity/common/internal/controllers/LocalMSALController.java

@@ -62,6 +62,7 @@
 import com.microsoft.identity.common.java.providers.RawAuthorizationResult;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationRequest;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationResponse;
+import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationResult;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsTokenRequest;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationRequest;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationResult;
@@ -168,6 +169,13 @@ public AcquireTokenResult acquireToken(
         );
         acquireTokenResult.setAuthorizationResult(result);
 
+        // Wire ClientDataInfo from the authorization result (authorize endpoint).
+        if (result instanceof MicrosoftStsAuthorizationResult) {
+            acquireTokenResult.setClientDataInfo(
+                    ((MicrosoftStsAuthorizationResult) result).getClientDataInfo()
+            );
+        }
+
         ResultUtil.logResult(TAG, result);
 
         if (result.getAuthorizationStatus().equals(AuthorizationStatus.SUCCESS)) {
@@ -181,6 +189,11 @@ public AcquireTokenResult acquireToken(
 
             acquireTokenResult.setTokenResult(tokenResult);
 
+            // Prefer ClientDataInfo from the token endpoint (later, more authoritative call).
+            if (tokenResult != null && tokenResult.getClientDataInfo() != null) {
+                acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
+
             if (tokenResult != null && tokenResult.getSuccess()) {
                 //4) Save tokens in token cache
                 final List<ICacheRecord> records = saveTokens(
@@ -205,6 +218,11 @@ public AcquireTokenResult acquireToken(
                                 false
                         )
                 );
+
+                // Set ClientDataInfo on the LocalAuthenticationResult for IPC propagation
+                final LocalAuthenticationResult localResult =
+                        (LocalAuthenticationResult) acquireTokenResult.getLocalAuthenticationResult();
+                localResult.setClientDataInfo(acquireTokenResult.getClientDataInfo());
             }
         }
 
@@ -742,6 +760,9 @@ public AcquireTokenResult acquireDeviceCodeFlowToken(
 
             // Assign token result
             acquireTokenResult.setTokenResult(tokenResult);
+            if (tokenResult != null) {
+                acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
 
             // If the token is valid, save it into token cache
             final List<ICacheRecord> records = saveTokens(
@@ -764,6 +785,13 @@ public AcquireTokenResult acquireDeviceCodeFlowToken(
                             false
                     )
             );
+
+            // Set ClientDataInfo on the LocalAuthenticationResult for IPC propagation
+            if (tokenResult != null) {
+                final LocalAuthenticationResult localResult =
+                        (LocalAuthenticationResult) acquireTokenResult.getLocalAuthenticationResult();
+                localResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
         } catch (Exception error) {
             Telemetry.emit(
                     new ApiEndEvent()

common/src/main/java/com/microsoft/identity/common/internal/result/MsalBrokerResultAdapter.java

@@ -98,6 +98,7 @@
 import com.microsoft.identity.common.java.result.GenerateShrResult;
 import com.microsoft.identity.common.java.result.ILocalAuthenticationResult;
 import com.microsoft.identity.common.java.result.LocalAuthenticationResult;
+import com.microsoft.identity.common.java.telemetry.ClientDataInfo;
 import com.microsoft.identity.common.java.ui.PreferredAuthMethod;
 import com.microsoft.identity.common.java.util.BrokerProtocolVersionUtil;
 import com.microsoft.identity.common.java.util.HeaderSerializationUtil;
@@ -284,6 +285,17 @@ public Bundle bundleFromAuthenticationResultForWebApps(@NonNull final ILocalAuth
                 .success(true)
                 .servicedFromCache(authenticationResult.isServicedFromCache());
 
+        // Serialize ClientDataInfo as raw pipe-delimited string for IPC transfer.
+        // The raw field is populated by ClientDataInfo.fromPipeDelimited(), the only
+        // path that populates the parsed fields, so it is safe to ship as-is.
+        if (authenticationResult instanceof LocalAuthenticationResult) {
+            final ClientDataInfo clientDataInfo =
+                    ((LocalAuthenticationResult) authenticationResult).getClientDataInfo();
+            if (clientDataInfo != null) {
+                brokerResultBuilder.clientDataInfoRaw(clientDataInfo.getRaw());
+            }
+        }
+
         if (shouldRemoveRefreshTokenFromResult(authenticationResult, negotiatedBrokerProtocolVersion)){
             brokerResultBuilder.tenantProfileRecords(
                     removeRefreshTokenFromCacheRecords(
@@ -411,6 +423,12 @@ public Bundle bundleFromBaseException(@NonNull final BaseException exception,
                 .speRing(exception.getSpeRing())
                 .refreshTokenAge(exception.getRefreshTokenAge());
 
+        // Serialize ClientDataInfo (server telemetry from x-ms-clientdata) so it
+        // survives the broker IPC boundary on error paths.
+        if (exception.getClientDataInfo() != null) {
+            builder.clientDataInfoRaw(exception.getClientDataInfo().getRaw());
+        }
+
         if (exception instanceof ServiceException) {
             final ServiceException serviceException = (ServiceException) exception;
             builder.subErrorCode(serviceException.getSubErrorCode())
@@ -476,12 +494,21 @@ public ILocalAuthenticationResult authenticationResultFromBundle(@NonNull final
             throw new ClientException(INVALID_BROKER_BUNDLE, "getTenantProfileData is null.");
         }
 
-        return new LocalAuthenticationResult(
+        final LocalAuthenticationResult localAuthResult = new LocalAuthenticationResult(
                 tenantProfileCacheRecords.get(0),
                 tenantProfileCacheRecords,
                 SdkType.MSAL,
                 brokerResult.isServicedFromCache()
         );
+
+        // Deserialize ClientDataInfo from the broker result if available
+        final ClientDataInfo clientDataInfo =
+                ClientDataInfo.fromPipeDelimited(brokerResult.getClientDataInfoRaw());
+        if (clientDataInfo != null) {
+            localAuthResult.setClientDataInfo(clientDataInfo);
+        }
+
+        return localAuthResult;
     }
 
     @NonNull
@@ -516,6 +543,14 @@ public BaseException getBaseExceptionFromBundle(@NonNull final Bundle resultBund
             baseException.setBrokerPerformanceMetrics(metrics);
         }
 
+        // Restore ClientDataInfo (server telemetry) from the broker result so callers
+        // catching the exception can inspect server-side error context.
+        if (!StringUtil.isNullOrEmpty(brokerResult.getClientDataInfoRaw())) {
+            baseException.setClientDataInfo(
+                    ClientDataInfo.fromPipeDelimited(brokerResult.getClientDataInfoRaw())
+            );
+        }
+
         // Set broker app info if available
         if (resultBundle.containsKey(AuthenticationConstants.Broker.BROKER_VERSION)) {
             baseException.setBrokerAppVersion(
@@ -994,7 +1029,16 @@ public AcquireTokenResult getDeviceCodeFlowTokenResultFromResultBundle(@NonNull
 
             if (resultBundle.getBoolean(AuthenticationConstants.Broker.BROKER_REQUEST_V2_SUCCESS)) {
                 final AcquireTokenResult acquireTokenResult = new AcquireTokenResult();
-                acquireTokenResult.setLocalAuthenticationResult(authenticationResultFromBundle(resultBundle));
+                final ILocalAuthenticationResult authResult = authenticationResultFromBundle(resultBundle);
+                acquireTokenResult.setLocalAuthenticationResult(authResult);
+
+                // Propagate ClientDataInfo from LocalAuthenticationResult to AcquireTokenResult
+                if (authResult instanceof LocalAuthenticationResult) {
+                    acquireTokenResult.setClientDataInfo(
+                            ((LocalAuthenticationResult) authResult).getClientDataInfo()
+                    );
+                }
+
                 span.setStatus(StatusCode.OK);
                 return acquireTokenResult;
             } else if (brokerResult.getErrorCode().equals(ErrorStrings.DEVICE_CODE_FLOW_AUTHORIZATION_PENDING_ERROR_CODE)) {
@@ -1018,9 +1062,16 @@ AcquireTokenResult getAcquireTokenResultFromResultBundle(@NonNull final Bundle r
         final MsalBrokerResultAdapter resultAdapter = new MsalBrokerResultAdapter();
         if (resultBundle.getBoolean(AuthenticationConstants.Broker.BROKER_REQUEST_V2_SUCCESS)) {
             final AcquireTokenResult acquireTokenResult = new AcquireTokenResult();
-            acquireTokenResult.setLocalAuthenticationResult(
-                    resultAdapter.authenticationResultFromBundle(resultBundle)
-            );
+            final ILocalAuthenticationResult authResult =
+                    resultAdapter.authenticationResultFromBundle(resultBundle);
+            acquireTokenResult.setLocalAuthenticationResult(authResult);
+
+            // Propagate ClientDataInfo from LocalAuthenticationResult to AcquireTokenResult
+            if (authResult instanceof LocalAuthenticationResult) {
+                acquireTokenResult.setClientDataInfo(
+                        ((LocalAuthenticationResult) authResult).getClientDataInfo()
+                );
+            }
             // Set broker performance metrics if available
             final BrokerPerformanceMetrics metrics = resultAdapter.getBrokerPerformanceMetricsFromBundle(resultBundle);
             if (metrics != null) {

common/src/test/java/com/microsoft/identity/common/internal/request/MsalBrokerResultAdapterTests.kt

@@ -36,6 +36,7 @@ import com.microsoft.identity.common.java.exception.ClientException
 import com.microsoft.identity.common.java.exception.UiRequiredException
 import com.microsoft.identity.common.java.request.SdkType
 import com.microsoft.identity.common.java.result.LocalAuthenticationResult
+import com.microsoft.identity.common.java.telemetry.ClientDataInfo
 import com.microsoft.identity.common.java.util.SchemaUtil
 import com.microsoft.identity.internal.testutils.MockRecords
 import lombok.SneakyThrows
@@ -658,4 +659,81 @@ class MsalBrokerResultAdapterTests {
             resultString.contains(SchemaUtil.MISSING_FROM_THE_TOKEN_RESPONSE)
         )
     }
+
+    // ==================== ClientDataInfo IPC round-trip tests (PR #3109) ====================
+
+    private val clientDataRaw = "m|AADSTS50058|login_required|us|public"
+
+    private fun newCacheRecord() = CacheRecord.builder()
+        .account(MockRecords.getMockAccountRecord_AAD())
+        .idToken(MockRecords.getMockIdTokenRecord_AAD())
+        .accessToken(MockRecords.getMockAccessTokenRecord_AAD())
+        .refreshToken(MockRecords.getMockRefreshTokenRecord_AAD())
+        .build()
+
+    @Test
+    fun testClientDataInfo_RoundTripsThroughBrokerResult_OnSuccess() {
+        val cacheRecord = newCacheRecord()
+        val cacheRecords: MutableList<ICacheRecord> = arrayListOf(cacheRecord)
+        val authResult = LocalAuthenticationResult(cacheRecord, cacheRecords, SdkType.MSAL, false)
+        authResult.clientDataInfo = ClientDataInfo.fromPipeDelimited(clientDataRaw)
+
+        val brokerResult = getInstance().buildBrokerResultFromAuthenticationResult(authResult, "16.0")
+        assertEquals("Raw payload should be serialized into BrokerResult", clientDataRaw, brokerResult.clientDataInfoRaw)
+    }
+
+    @Test
+    fun testClientDataInfo_NullOnLocalAuthResult_ResultsInNullOnBrokerResult() {
+        val cacheRecord = newCacheRecord()
+        val cacheRecords: MutableList<ICacheRecord> = arrayListOf(cacheRecord)
+        val authResult = LocalAuthenticationResult(cacheRecord, cacheRecords, SdkType.MSAL, false)
+        // No ClientDataInfo set
+
+        val brokerResult = getInstance().buildBrokerResultFromAuthenticationResult(authResult, "16.0")
+        assertNull(brokerResult.clientDataInfoRaw)
+    }
+
+    @Test
+    fun testClientDataInfo_RoundTripsThroughBaseExceptionBundle() {
+        val exception = ClientException("invalid_grant", "token failure")
+        exception.clientDataInfo = ClientDataInfo.fromPipeDelimited(clientDataRaw)
+
+        val resultAdapter = MsalBrokerResultAdapter()
+        val resultBundle = resultAdapter.bundleFromBaseException(exception, null)
+        val brokerResult = resultAdapter.brokerResultFromBundle(resultBundle)
+        assertEquals(clientDataRaw, brokerResult.clientDataInfoRaw)
+
+        val received = resultAdapter.getBaseExceptionFromBundle(resultBundle)
+        assertNotNull("ClientDataInfo should be reconstructed on the exception", received.clientDataInfo)
+        assertEquals("AADSTS50058", received.clientDataInfo!!.error)
+        assertEquals("login_required", received.clientDataInfo!!.subError)
+        assertEquals(clientDataRaw, received.clientDataInfo!!.raw)
+    }
+
+    @Test
+    fun testClientDataInfo_NullOnException_NotInBundle() {
+        val exception = ClientException("invalid_grant", "token failure")
+        // No ClientDataInfo set
+
+        val resultAdapter = MsalBrokerResultAdapter()
+        val resultBundle = resultAdapter.bundleFromBaseException(exception, null)
+        val received = resultAdapter.getBaseExceptionFromBundle(resultBundle)
+        assertNull(received.clientDataInfo)
+    }
+
+    @Test
+    fun testClientDataInfo_RoundTripsThroughGetAcquireTokenResultFromResultBundle() {
+        val cacheRecord = newCacheRecord()
+        val cacheRecords: MutableList<ICacheRecord> = arrayListOf(cacheRecord)
+        val authResult = LocalAuthenticationResult(cacheRecord, cacheRecords, SdkType.MSAL, false)
+        authResult.clientDataInfo = ClientDataInfo.fromPipeDelimited(clientDataRaw)
+
+        val resultAdapter = MsalBrokerResultAdapter()
+        val resultBundle = resultAdapter.bundleFromAuthenticationResult(authResult, "16.0")
+
+        val acquireTokenResult = resultAdapter.getAcquireTokenResultFromResultBundle(resultBundle)
+        assertNotNull("ClientDataInfo should be present on AcquireTokenResult", acquireTokenResult.clientDataInfo)
+        assertEquals("AADSTS50058", acquireTokenResult.clientDataInfo!!.error)
+        assertEquals(clientDataRaw, acquireTokenResult.clientDataInfo!!.raw)
+    }
 }

common4j/src/main/com/microsoft/identity/common/java/controllers/BaseController.java

@@ -219,6 +219,9 @@ public AcquireTokenResult acquireTokenWithPassword(@NonNull final RopcTokenComma
         final TokenResult tokenResult = oAuth2Strategy.requestToken(ropcTokenRequest);
 
         acquireTokenResult.setTokenResult(tokenResult);
+        if (tokenResult != null) {
+            acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+        }
 
         @SuppressWarnings(WarningType.rawtype_warning) final OAuth2TokenCache tokenCache = parameters.getOAuth2TokenCache();
 
@@ -251,6 +254,9 @@ public AcquireTokenResult acquireTokenWithPassword(@NonNull final RopcTokenComma
                 Telemetry.emit(new CacheEndEvent());
             }
 
+            // Set server client data info on the authentication result for IPC propagation
+            authenticationResult.setClientDataInfo(tokenResult.getClientDataInfo());
+
             // Set the AuthenticationResult on the final result object
             acquireTokenResult.setLocalAuthenticationResult(authenticationResult);
         }
@@ -484,6 +490,7 @@ protected void renewAccessToken(@NonNull final SilentTokenCommandParameters para
         );
 
         acquireTokenSilentResult.setTokenResult(tokenResult);
+        acquireTokenSilentResult.setClientDataInfo(tokenResult.getClientDataInfo());
 
         ResultUtil.logResult(methodTag, tokenResult);
 
@@ -528,6 +535,9 @@ protected void renewAccessToken(@NonNull final SilentTokenCommandParameters para
                 Telemetry.emit(new CacheEndEvent());
             }
 
+            // Set server client data info on the authentication result for IPC propagation
+            authenticationResult.setClientDataInfo(tokenResult.getClientDataInfo());
+
             // Set the AuthenticationResult on the final result object
             acquireTokenSilentResult.setLocalAuthenticationResult(authenticationResult);
         } else {