Wire ClientDataInfo through AcquireTokenResult and BaseException

Propagate ClientDataInfo (parsed from the x-ms-clientdata token response
header and the clientdata authorize redirect query parameter) through
AcquireTokenResult on success paths and through BaseException on failure
paths. Includes broker IPC serialization via BrokerResult so the payload
reaches the MSAL caller process for both success and error responses.
Adds a raw field to ClientDataInfo preserving the original pipe-delimited
string for partner teams that want the unparsed payload.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: fadidurah

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [PATCH] Wire ClientDataInfo (server telemetry from x-ms-clientdata response header and clientdata authorize parameter) through AcquireTokenResult on success and through BaseException on failure (including across the broker IPC boundary), and preserve the original raw pipe-delimited payload on ClientDataInfo for partner teams (#3109)
 - [PATCH] Extend filter-then-clone optimization to load() and getIdTokensForAccountRecord() in MsalOAuth2TokenCache: when ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE flight is enabled, skip clone-all preload and call direct flight-gated overloads that clone only matching credentials; add new getCredentialsFilteredBy overload with kid support (#3100)
 - [PATCH] Move Multiple Listening apps check to the authorization layer (#3070)
 - [PATCH] Edge TB: Fix lookup mode (#3108)

common/src/main/java/com/microsoft/identity/common/internal/broker/BrokerResult.java

@@ -97,6 +97,7 @@ private static class SerializedNames {
         static final String SPE_RING = "spe_ring";
         static final String CLI_TELEM_ERRORCODE = "cli_telem_error_code";
         static final String CLI_TELEM_SUB_ERROR_CODE = "cli_telem_suberror_code";
+        static final String CLIENT_DATA_INFO = "client_data_info";
     }
 
     private static final long serialVersionUID = 8606631820514878489L;
@@ -236,6 +237,13 @@ private static class SerializedNames {
     @SerializedName(SerializedNames.REFRESH_TOKEN_AGE)
     private String mRefreshTokenAge;
 
+    /**
+     * Server client data info from x-ms-clientdata response header (pipe-delimited format).
+     */
+    @Nullable
+    @SerializedName(SerializedNames.CLIENT_DATA_INFO)
+    private String mClientDataInfoRaw;
+
     /**
      * Boolean to indicate if the request succeeded without exceptions.
      */
@@ -347,6 +355,7 @@ private BrokerResult(@NonNull final Builder builder) {
         mCachedAt = builder.mCachedAt;
         mSpeRing = builder.mSpeRing;
         mRefreshTokenAge = builder.mRefreshTokenAge;
+        mClientDataInfoRaw = builder.mClientDataInfoRaw;
         mSuccess = builder.mSuccess;
         mTenantProfileData = builder.mTenantProfileData;
         mServicedFromCache = builder.mServicedFromCache;
@@ -426,6 +435,11 @@ public String getSpeRing() {
         return mSpeRing;
     }
 
+    @Nullable
+    public String getClientDataInfoRaw() {
+        return mClientDataInfoRaw;
+    }
+
     public long getCachedAt() {
         return mCachedAt;
     }
@@ -518,6 +532,7 @@ public static class Builder {
         private long mCachedAt;
         private String mSpeRing;
         private String mRefreshTokenAge;
+        private String mClientDataInfoRaw;
         private boolean mSuccess;
         private String mNegotiatedBrokerProtocolVersion;
         private List<ICacheRecord> mTenantProfileData;
@@ -631,6 +646,11 @@ public Builder refreshTokenAge(final String refreshTokenAge) {
             return this;
         }
 
+        public Builder clientDataInfoRaw(@Nullable final String clientDataInfoRaw) {
+            this.mClientDataInfoRaw = clientDataInfoRaw;
+            return this;
+        }
+
         public Builder success(boolean success) {
             this.mSuccess = success;
             return this;

common/src/main/java/com/microsoft/identity/common/internal/controllers/LocalMSALController.java

@@ -62,6 +62,7 @@
 import com.microsoft.identity.common.java.providers.RawAuthorizationResult;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationRequest;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationResponse;
+import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationResult;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsTokenRequest;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationRequest;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationResult;
@@ -168,6 +169,13 @@ public AcquireTokenResult acquireToken(
         );
         acquireTokenResult.setAuthorizationResult(result);
 
+        // Wire ClientDataInfo from the authorization result (authorize endpoint).
+        if (result instanceof MicrosoftStsAuthorizationResult) {
+            acquireTokenResult.setClientDataInfo(
+                    ((MicrosoftStsAuthorizationResult) result).getClientDataInfo()
+            );
+        }
+
         ResultUtil.logResult(TAG, result);
 
         if (result.getAuthorizationStatus().equals(AuthorizationStatus.SUCCESS)) {
@@ -181,6 +189,11 @@ public AcquireTokenResult acquireToken(
 
             acquireTokenResult.setTokenResult(tokenResult);
 
+            // Prefer ClientDataInfo from the token endpoint (later, more authoritative call).
+            if (tokenResult != null && tokenResult.getClientDataInfo() != null) {
+                acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
+
             if (tokenResult != null && tokenResult.getSuccess()) {
                 //4) Save tokens in token cache
                 final List<ICacheRecord> records = saveTokens(
@@ -205,6 +218,11 @@ public AcquireTokenResult acquireToken(
                                 false
                         )
                 );
+
+                // Set ClientDataInfo on the LocalAuthenticationResult for IPC propagation
+                final LocalAuthenticationResult localResult =
+                        (LocalAuthenticationResult) acquireTokenResult.getLocalAuthenticationResult();
+                localResult.setClientDataInfo(acquireTokenResult.getClientDataInfo());
             }
         }
 
@@ -742,6 +760,9 @@ public AcquireTokenResult acquireDeviceCodeFlowToken(
 
             // Assign token result
             acquireTokenResult.setTokenResult(tokenResult);
+            if (tokenResult != null) {
+                acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
 
             // If the token is valid, save it into token cache
             final List<ICacheRecord> records = saveTokens(
@@ -764,6 +785,13 @@ public AcquireTokenResult acquireDeviceCodeFlowToken(
                             false
                     )
             );
+
+            // Set ClientDataInfo on the LocalAuthenticationResult for IPC propagation
+            if (tokenResult != null) {
+                final LocalAuthenticationResult localResult =
+                        (LocalAuthenticationResult) acquireTokenResult.getLocalAuthenticationResult();
+                localResult.setClientDataInfo(tokenResult.getClientDataInfo());
+            }
         } catch (Exception error) {
             Telemetry.emit(
                     new ApiEndEvent()

common/src/main/java/com/microsoft/identity/common/internal/result/MsalBrokerResultAdapter.java

@@ -98,6 +98,7 @@
 import com.microsoft.identity.common.java.result.GenerateShrResult;
 import com.microsoft.identity.common.java.result.ILocalAuthenticationResult;
 import com.microsoft.identity.common.java.result.LocalAuthenticationResult;
+import com.microsoft.identity.common.java.telemetry.ClientDataInfo;
 import com.microsoft.identity.common.java.ui.PreferredAuthMethod;
 import com.microsoft.identity.common.java.util.BrokerProtocolVersionUtil;
 import com.microsoft.identity.common.java.util.HeaderSerializationUtil;
@@ -284,6 +285,17 @@ public Bundle bundleFromAuthenticationResultForWebApps(@NonNull final ILocalAuth
                 .success(true)
                 .servicedFromCache(authenticationResult.isServicedFromCache());
 
+        // Serialize ClientDataInfo as raw pipe-delimited string for IPC transfer.
+        // The raw field is populated by ClientDataInfo.fromPipeDelimited(), the only
+        // path that populates the parsed fields, so it is safe to ship as-is.
+        if (authenticationResult instanceof LocalAuthenticationResult) {
+            final ClientDataInfo clientDataInfo =
+                    ((LocalAuthenticationResult) authenticationResult).getClientDataInfo();
+            if (clientDataInfo != null) {
+                brokerResultBuilder.clientDataInfoRaw(clientDataInfo.getRaw());
+            }
+        }
+
         if (shouldRemoveRefreshTokenFromResult(authenticationResult, negotiatedBrokerProtocolVersion)){
             brokerResultBuilder.tenantProfileRecords(
                     removeRefreshTokenFromCacheRecords(
@@ -411,6 +423,12 @@ public Bundle bundleFromBaseException(@NonNull final BaseException exception,
                 .speRing(exception.getSpeRing())
                 .refreshTokenAge(exception.getRefreshTokenAge());
 
+        // Serialize ClientDataInfo (server telemetry from x-ms-clientdata) so it
+        // survives the broker IPC boundary on error paths.
+        if (exception.getClientDataInfo() != null) {
+            builder.clientDataInfoRaw(exception.getClientDataInfo().getRaw());
+        }
+
         if (exception instanceof ServiceException) {
             final ServiceException serviceException = (ServiceException) exception;
             builder.subErrorCode(serviceException.getSubErrorCode())
@@ -476,12 +494,21 @@ public ILocalAuthenticationResult authenticationResultFromBundle(@NonNull final
             throw new ClientException(INVALID_BROKER_BUNDLE, "getTenantProfileData is null.");
         }
 
-        return new LocalAuthenticationResult(
+        final LocalAuthenticationResult localAuthResult = new LocalAuthenticationResult(
                 tenantProfileCacheRecords.get(0),
                 tenantProfileCacheRecords,
                 SdkType.MSAL,
                 brokerResult.isServicedFromCache()
         );
+
+        // Deserialize ClientDataInfo from the broker result if available
+        final ClientDataInfo clientDataInfo =
+                ClientDataInfo.fromPipeDelimited(brokerResult.getClientDataInfoRaw());
+        if (clientDataInfo != null) {
+            localAuthResult.setClientDataInfo(clientDataInfo);
+        }
+
+        return localAuthResult;
     }
 
     @NonNull
@@ -516,6 +543,14 @@ public BaseException getBaseExceptionFromBundle(@NonNull final Bundle resultBund
             baseException.setBrokerPerformanceMetrics(metrics);
         }
 
+        // Restore ClientDataInfo (server telemetry) from the broker result so callers
+        // catching the exception can inspect server-side error context.
+        if (!StringUtil.isNullOrEmpty(brokerResult.getClientDataInfoRaw())) {
+            baseException.setClientDataInfo(
+                    ClientDataInfo.fromPipeDelimited(brokerResult.getClientDataInfoRaw())
+            );
+        }
+
         // Set broker app info if available
         if (resultBundle.containsKey(AuthenticationConstants.Broker.BROKER_VERSION)) {
             baseException.setBrokerAppVersion(
@@ -994,7 +1029,16 @@ public AcquireTokenResult getDeviceCodeFlowTokenResultFromResultBundle(@NonNull
 
             if (resultBundle.getBoolean(AuthenticationConstants.Broker.BROKER_REQUEST_V2_SUCCESS)) {
                 final AcquireTokenResult acquireTokenResult = new AcquireTokenResult();
-                acquireTokenResult.setLocalAuthenticationResult(authenticationResultFromBundle(resultBundle));
+                final ILocalAuthenticationResult authResult = authenticationResultFromBundle(resultBundle);
+                acquireTokenResult.setLocalAuthenticationResult(authResult);
+
+                // Propagate ClientDataInfo from LocalAuthenticationResult to AcquireTokenResult
+                if (authResult instanceof LocalAuthenticationResult) {
+                    acquireTokenResult.setClientDataInfo(
+                            ((LocalAuthenticationResult) authResult).getClientDataInfo()
+                    );
+                }
+
                 span.setStatus(StatusCode.OK);
                 return acquireTokenResult;
             } else if (brokerResult.getErrorCode().equals(ErrorStrings.DEVICE_CODE_FLOW_AUTHORIZATION_PENDING_ERROR_CODE)) {
@@ -1018,9 +1062,16 @@ AcquireTokenResult getAcquireTokenResultFromResultBundle(@NonNull final Bundle r
         final MsalBrokerResultAdapter resultAdapter = new MsalBrokerResultAdapter();
         if (resultBundle.getBoolean(AuthenticationConstants.Broker.BROKER_REQUEST_V2_SUCCESS)) {
             final AcquireTokenResult acquireTokenResult = new AcquireTokenResult();
-            acquireTokenResult.setLocalAuthenticationResult(
-                    resultAdapter.authenticationResultFromBundle(resultBundle)
-            );
+            final ILocalAuthenticationResult authResult =
+                    resultAdapter.authenticationResultFromBundle(resultBundle);
+            acquireTokenResult.setLocalAuthenticationResult(authResult);
+
+            // Propagate ClientDataInfo from LocalAuthenticationResult to AcquireTokenResult
+            if (authResult instanceof LocalAuthenticationResult) {
+                acquireTokenResult.setClientDataInfo(
+                        ((LocalAuthenticationResult) authResult).getClientDataInfo()
+                );
+            }
             // Set broker performance metrics if available
             final BrokerPerformanceMetrics metrics = resultAdapter.getBrokerPerformanceMetricsFromBundle(resultBundle);
             if (metrics != null) {

common4j/src/main/com/microsoft/identity/common/java/controllers/BaseController.java

@@ -219,6 +219,9 @@ public AcquireTokenResult acquireTokenWithPassword(@NonNull final RopcTokenComma
         final TokenResult tokenResult = oAuth2Strategy.requestToken(ropcTokenRequest);
 
         acquireTokenResult.setTokenResult(tokenResult);
+        if (tokenResult != null) {
+            acquireTokenResult.setClientDataInfo(tokenResult.getClientDataInfo());
+        }
 
         @SuppressWarnings(WarningType.rawtype_warning) final OAuth2TokenCache tokenCache = parameters.getOAuth2TokenCache();
 
@@ -251,6 +254,9 @@ public AcquireTokenResult acquireTokenWithPassword(@NonNull final RopcTokenComma
                 Telemetry.emit(new CacheEndEvent());
             }
 
+            // Set server client data info on the authentication result for IPC propagation
+            authenticationResult.setClientDataInfo(tokenResult.getClientDataInfo());
+
             // Set the AuthenticationResult on the final result object
             acquireTokenResult.setLocalAuthenticationResult(authenticationResult);
         }
@@ -484,6 +490,7 @@ protected void renewAccessToken(@NonNull final SilentTokenCommandParameters para
         );
 
         acquireTokenSilentResult.setTokenResult(tokenResult);
+        acquireTokenSilentResult.setClientDataInfo(tokenResult.getClientDataInfo());
 
         ResultUtil.logResult(methodTag, tokenResult);
 
@@ -528,6 +535,9 @@ protected void renewAccessToken(@NonNull final SilentTokenCommandParameters para
                 Telemetry.emit(new CacheEndEvent());
             }
 
+            // Set server client data info on the authentication result for IPC propagation
+            authenticationResult.setClientDataInfo(tokenResult.getClientDataInfo());
+
             // Set the AuthenticationResult on the final result object
             acquireTokenSilentResult.setLocalAuthenticationResult(authenticationResult);
         } else {

common4j/src/main/com/microsoft/identity/common/java/controllers/ExceptionAdapter.java

@@ -44,6 +44,7 @@
 import com.microsoft.identity.common.java.opentelemetry.AttributeName;
 import com.microsoft.identity.common.java.opentelemetry.SpanExtension;
 import com.microsoft.identity.common.java.providers.microsoft.MicrosoftAuthorizationErrorResponse;
+import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationResult;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationErrorResponse;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationResult;
 import com.microsoft.identity.common.java.providers.oauth2.TokenErrorResponse;
@@ -84,7 +85,15 @@ public static BaseException exceptionFromAcquireTokenResult(final AcquireTokenRe
 
         if (null != authorizationResult) {
             if (!authorizationResult.getSuccess()) {
-                return exceptionFromAuthorizationResult(authorizationResult, commandParameters);
+                final BaseException authException = exceptionFromAuthorizationResult(authorizationResult, commandParameters);
+                // Attach ClientDataInfo from the authorize redirect (clientdata query param)
+                // so callers can inspect server-side error context on auth failures.
+                if (authorizationResult instanceof MicrosoftStsAuthorizationResult) {
+                    authException.setClientDataInfo(
+                            ((MicrosoftStsAuthorizationResult) authorizationResult).getClientDataInfo()
+                    );
+                }
+                return authException;
             }
         } else {
             Logger.warn(
@@ -183,6 +192,7 @@ public static ServiceException exceptionFromTokenResult(final TokenResult tokenR
 
             outErr = getExceptionFromTokenErrorResponse(commandParameters, tokenResult.getErrorResponse());
             applyCliTelemInfo(tokenResult.getCliTelemInfo(), outErr);
+            outErr.setClientDataInfo(tokenResult.getClientDataInfo());
         } else {
             Logger.warn(
                     TAG + methodName,

common4j/src/main/com/microsoft/identity/common/java/exception/BaseException.java

@@ -23,6 +23,7 @@
 package com.microsoft.identity.common.java.exception;
 
 import com.microsoft.identity.common.java.broker.IBrokerInfoProvider;
+import com.microsoft.identity.common.java.telemetry.ClientDataInfo;
 import com.microsoft.identity.common.java.telemetry.ITelemetryAccessor;
 import com.microsoft.identity.common.java.telemetry.Telemetry;
 import com.microsoft.identity.common.java.telemetry.events.ErrorEvent;
@@ -70,6 +71,14 @@ public class BaseException extends Exception implements IErrorInformation, ITele
     @Nullable
     private String mCliTelemSubErrorCode;
 
+    /**
+     * Server-side telemetry from the x-ms-clientdata response header (/token error responses)
+     * or the clientdata query parameter (/authorize error redirects). Useful for diagnosing
+     * server-driven failures (account_type, error, sub_error, caller_data_boundary, cloud_instance).
+     */
+    @Nullable
+    private ClientDataInfo mClientDataInfo;
+
     private String mErrorCode;
 
     private String mSubErrorCode;
@@ -213,6 +222,15 @@ public void setCliTelemSubErrorCode(@Nullable final String cliTelemSubErrorCode)
         this.mCliTelemSubErrorCode = cliTelemSubErrorCode;
     }
 
+    @Nullable
+    public ClientDataInfo getClientDataInfo() {
+        return mClientDataInfo;
+    }
+
+    public void setClientDataInfo(@Nullable final ClientDataInfo clientDataInfo) {
+        this.mClientDataInfo = clientDataInfo;
+    }
+
     @Nullable
     public String getCorrelationId() {
         return mCorrelationId;

common4j/src/main/com/microsoft/identity/common/java/providers/microsoft/microsoftsts/AbstractMicrosoftStsTokenResponseHandler.java

@@ -113,6 +113,7 @@ public TokenResult handleTokenResponse(@NonNull final HttpResponse response) thr
                 final ClientDataInfo clientDataInfo = ClientDataInfo.fromPipeDelimited(clientDataHeader);
                 if (null != clientDataInfo) {
                     clientDataInfo.emitToSpan();
+                    result.setClientDataInfo(clientDataInfo);
                 }
             }