Clean up comments

Author: Avery-Dunn

msal4j-sdk/src/integrationtest/java/com/microsoft/aad/msal4j/AgenticIT.java

@@ -21,8 +21,8 @@
 
 /**
  * Integration tests for agentic (agent identity) scenarios using MSAL Java APIs.
- * Tests FMI credential acquisition via assertion callbacks and cache isolation,
- * plus FIC user_fic flows for the full 3-leg agent identity protocol.
+ * Corresponds to .NET's Agentic.cs — tests the MSAL-level APIs for the agent identity flow
+ * (specifically the FMI portions that are available on this branch, plus FIC user_fic flows).
  *
  * <p>These tests use MSAL token acquisition APIs (unlike AgenticRawHttpIT which uses raw HTTP).
  *
@@ -74,6 +74,42 @@ void init() throws KeyStoreException, NoSuchProviderException,
         assertNotNull(certificate, "Lab certificate not found. Ensure the lab cert is installed.");
     }
 
+    /**
+     * Agent gets an app-only token for Graph using an FMI-sourced client assertion.
+     * This tests Leg 2 of the agent identity flow:
+     * 1. Blueprint CCA acquires FMI credential (fmi_path = agentAppId)
+     * 2. Agent CCA uses that credential as client_assertion to get Graph token
+     *
+     * Corresponds to .NET's AgentGetsAppTokenForGraphTest.
+     */
+    @Test
+    void agentGetsAppToken_UsingFmiAssertion() throws Exception {
+        // The assertion callback simulates what an SDK or middleware would do:
+        // it calls the blueprint app to get an FMI credential for the agent
+        Function<AssertionRequestOptions, String> assertionProvider = options -> {
+            try {
+                return acquireFmiCredentialForAgent(AGENT_APP_ID);
+            } catch (Exception e) {
+                throw new RuntimeException("Failed to acquire FMI credential", e);
+            }
+        };
+
+        IClientCredential credential = ClientCredentialFactory.createFromCallback(assertionProvider);
+
+        ConfidentialClientApplication agentCca = ConfidentialClientApplication.builder(AGENT_APP_ID, credential)
+                .authority(AUTHORITY)
+                .build();
+
+        IAuthenticationResult result = agentCca.acquireToken(ClientCredentialParameters
+                        .builder(Collections.singleton(GRAPH_SCOPE))
+                        .build())
+                .get();
+
+        assertNotNull(result, "Auth result should not be null");
+        assertNotNull(result.accessToken(), "Access token should not be null");
+        assertFalse(result.accessToken().isEmpty(), "Access token should not be empty");
+    }
+
     /**
      * Verifies that the context-aware assertion callback receives the correct fmiPath
      * when the ClientCredentialParameters include an fmiPath.
@@ -263,8 +299,9 @@ void agentCca_AppAndUserTokens_CacheIsolation() throws Exception {
     }
 
     /**
-     * Helper: acquires an FMI credential from the RMA using a certificate.
-     * Uses the FMI-specific exchange scope (api://AzureFMITokenExchange).
+     * Helper: acquires an FMI credential from the RMA (Resource Management Application).
+     * Uses FMI_EXCHANGE_SCOPE, matching FmiIT's Flow3 pattern.
+     * Suitable for use as client_assertion when client_id = "urn:microsoft:identity:fmi".
      */
     private String acquireFmiCredentialFromRma() throws Exception {
         IClientCertificate clientCert = ClientCredentialFactory.createFromCertificate(privateKey, certificate);

msal4j-sdk/src/integrationtest/java/com/microsoft/aad/msal4j/FicIT.java

@@ -21,12 +21,11 @@
 
 /**
  * Integration tests for FIC (Federated Identity Credential) / user_fic grant support.
- * Corresponds to .NET's Agentic.cs UserFIC-related tests.
  *
- * <p>Tests the low-level UserFIC primitive: acquires an FMI-sourced assertion,
+ * <p>Tests the user_fic primitive: acquires an FMI-sourced assertion,
  * then exchanges it for a user-scoped token using the user_fic grant type.
  *
- * <p>Test configuration (same as .NET Agentic.cs):
+ * <p>Test configuration:
  * <ul>
  *   <li>Blueprint app: {@link #BLUEPRINT_CLIENT_ID}</li>
  *   <li>Agent app: {@link #AGENT_APP_ID}</li>
@@ -37,15 +36,15 @@
  * <p>Flows tested:
  * <ul>
  *   <li>Full 3-leg: FMI → assertion → user_fic → user token (UPN-based)</li>
- *   <li>OID-based user_fic (Guid overload)</li>
+ *   <li>OID-based user_fic (UUID overload)</li>
  *   <li>Cache hit: second call returns cached user token</li>
  *   <li>Force refresh: bypasses cache</li>
  * </ul>
  */
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class FicIT {
 
-    // Same config as .NET Agentic.cs
+    // Same config as AgenticIT
     private static final String BLUEPRINT_CLIENT_ID = "aab5089d-e764-47e3-9f28-cc11c2513821";
     private static final String TENANT_ID = "10c419d4-4a50-45b2-aa4e-919fb84df24f";
     private static final String AGENT_APP_ID = "ab18ca07-d139-4840-8b3b-4be9610c6ed5";
@@ -76,7 +75,6 @@ void init() throws KeyStoreException, NoSuchProviderException,
     /**
      * Full 3-leg flow using UPN: FMI credential → assertion → user_fic → user-scoped Graph token.
      * Then verifies the token is cached and can be retrieved silently.
-     * Corresponds to .NET's AgentUserIdentityGetsTokenForGraphTest.
      */
     @Test
     void userFic_FullFlow_WithUpn_GetsUserToken() throws Exception {
@@ -114,7 +112,6 @@ void userFic_FullFlow_WithUpn_GetsUserToken() throws Exception {
 
     /**
      * OID-based user_fic: discovers user's OID via UPN flow, then uses UUID overload.
-     * Corresponds to .NET's UserFic_WithGuidObjectId_Test.
      */
     @Test
     void userFic_WithGuidObjectId_GetsUserToken() throws Exception {
@@ -222,7 +219,6 @@ void userFic_ForceRefresh_BypassesCache() throws Exception {
 
     /**
      * Leg 1: Blueprint CCA acquires FMI credential (T1) for the agent app.
-     * Equivalent to .NET's GetAppCredentialAsync(fmiPath).
      * T1 is used as client_assertion to authenticate the agent CCA.
      */
     private String acquireFmiCredential(String fmiPath) throws Exception {
@@ -272,8 +268,7 @@ private String acquireInstanceToken() throws Exception {
 
     /**
      * Builds an agent CCA whose credential callback produces T1 (FMI credential).
-     * This matches .NET's pattern: the CCA authenticates with T1 as client_assertion.
-     * Equivalent to .NET's WithClientAssertion(_ => GetAppCredentialAsync(AgentIdentity)).
+     * The CCA authenticates with T1 as client_assertion for Leg 2 and Leg 3 requests.
      */
     private ConfidentialClientApplication buildAgentCca() throws Exception {
         Function<AssertionRequestOptions, String> assertionProvider = options -> {

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/UserFederatedIdentityCredentialTest.java

@@ -21,8 +21,6 @@
 
 /**
  * Tests for the User Federated Identity Credential (user_fic) flow.
- * Covers §6 (user_fic grant type), §7 (user_federated_identity_credential body param),
- * §8 (user_id/username body params), and §11 (primitive API) from AgentIDs_ComponentsReference.
  */
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class UserFederatedIdentityCredentialTest {
@@ -59,7 +57,7 @@ private HttpResponse createSuccessResponseWithIdToken() {
     }
 
     // ========================================================================
-    // §6: user_fic grant type
+    // Grant type and body parameters
     // ========================================================================
 
     @Test
@@ -86,7 +84,7 @@ void userFic_SendsCorrectGrantType() throws Exception {
     }
 
     // ========================================================================
-    // §7: user_federated_identity_credential body parameter
+    // user_federated_identity_credential body parameter
     // ========================================================================
 
     @Test
@@ -113,7 +111,7 @@ void userFic_SendsAssertionInBody() throws Exception {
     }
 
     // ========================================================================
-    // §8: user_id / username body parameters — mutual exclusion
+    // user_id / username body parameters — mutual exclusion
     // ========================================================================
 
     @Test
@@ -165,7 +163,7 @@ void userFic_WithOid_SendsUserIdNotUsername() throws Exception {
     }
 
     // ========================================================================
-    // §6+§7+§8 combined: all parameters sent together
+    // All parameters sent together
     // ========================================================================
 
     @Test
@@ -224,7 +222,7 @@ void userFic_ScopeIncludesOidcScopes() throws Exception {
     }
 
     // ========================================================================
-    // §11: Token stored in user cache
+    // Token stored in user cache
     // ========================================================================
 
     @Test
@@ -251,7 +249,7 @@ void userFic_TokenStoredInUserCache() throws Exception {
     }
 
     // ========================================================================
-    // §11: Force refresh bypasses cache
+    // Force refresh bypasses cache
     // ========================================================================
 
     @Test
@@ -285,7 +283,7 @@ void userFic_ForceRefresh_BypassesCache() throws Exception {
     }
 
     // ========================================================================
-    // §11: Cache hit when not force-refreshing
+    // Cache hit when not force-refreshing
     // ========================================================================
 
     @Test
@@ -391,7 +389,7 @@ void userFic_Parameters_OidBuilder_SetsFieldsCorrectly() {
     }
 
     // ========================================================================
-    // Multi-user cache isolation (matches .NET TwoUpns/TwoOids tests)
+    // Multi-user cache isolation
     // ========================================================================
 
     /**
@@ -422,9 +420,8 @@ private HttpResponse createUserResponse(String oid, String preferredUsername, St
     }
 
     /**
-     * Verifies that two different users (by UPN) acquire tokens via UserFIC on the same CCA,
+     * Verifies that two different users (by UPN) acquire tokens via user_fic on the same CCA,
      * and AcquireTokenSilent returns the correct cached token for each user.
-     * Matches .NET's AcquireTokenByUserFic_TwoUpns_SilentReturnsCorrectToken_Async.
      */
     @Test
     void userFic_TwoUpns_SilentReturnsCorrectToken() throws Exception {
@@ -492,9 +489,8 @@ void userFic_TwoUpns_SilentReturnsCorrectToken() throws Exception {
     }
 
     /**
-     * Verifies that two different users (by OID) acquire tokens via UserFIC on the same CCA,
+     * Verifies that two different users (by OID) acquire tokens via user_fic on the same CCA,
      * and AcquireTokenSilent resolves the correct account by OID.
-     * Matches .NET's AcquireTokenByUserFic_TwoOids_SilentReturnsCorrectToken_Async.
      */
     @Test
     void userFic_TwoOids_SilentReturnsCorrectToken() throws Exception {