Make extra cache key hash more generic

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByClientCredentialSupplier.java

@@ -40,8 +40,8 @@ AuthenticationResult execute() throws Exception {
                         context,
                         null);
 
-                // Propagate ext_cache_key_hash for fmi_path-based cache isolation
-                String extCacheKeyHash = this.clientCredentialRequest.parameters.computeFmiCacheKeyHash();
+                // Propagate ext_cache_key_hash for cache isolation (e.g., fmi_path, credential_fmi_path)
+                String extCacheKeyHash = this.clientCredentialRequest.parameters.computeExtCacheKeyHash();
                 if (!StringHelper.isBlank(extCacheKeyHash)) {
                     silentRequest.extCacheKeyHash(extCacheKeyHash);
                 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ClientCredentialParameters.java

@@ -5,6 +5,7 @@
 
 import java.util.Map;
 import java.util.Set;
+import java.util.SortedMap;
 import java.util.TreeMap;
 
 import static com.microsoft.aad.msal4j.ParameterValidationUtils.validateNotNull;
@@ -31,6 +32,15 @@ public class ClientCredentialParameters implements IAcquireTokenParameters {
 
     private String fmiPath;
 
+    // Generic extended cache key components. Any parameter that should influence token cache
+    // isolation adds an entry here (e.g., fmi_path, credential_fmi_path). The hash of these
+    // components is used as part of the cache key for AccessToken_Extended entries.
+    // Matches MSAL .NET's AdditionalCacheKeyComponents / CacheKeyComponents pattern.
+    private SortedMap<String, String> cacheKeyComponents;
+
+    // Memoized hash of cacheKeyComponents (computed once since parameters are immutable).
+    private String extCacheKeyHashCache;
+
     private ClientCredentialParameters(Set<String> scopes, Boolean skipCache, ClaimsRequest claims, Map<String, String> extraHttpHeaders, Map<String, String> extraQueryParameters, String tenant, IClientCredential clientCredential, String fmiPath) {
         this.scopes = scopes;
         this.skipCache = skipCache;
@@ -40,6 +50,9 @@ private ClientCredentialParameters(Set<String> scopes, Boolean skipCache, Claims
         this.tenant = tenant;
         this.clientCredential = clientCredential;
         this.fmiPath = fmiPath;
+
+        // Build cache key components from any parameters that require cache isolation.
+        this.cacheKeyComponents = buildCacheKeyComponents();
     }
 
     private static ClientCredentialParametersBuilder builder() {
@@ -103,26 +116,43 @@ public String fmiPath() {
     }
 
     /**
-     * Computes the extended cache key hash for this request's fmi_path, if set.
-     * Returns an empty string if fmiPath is not set.
-     * This is the single source of truth for the fmi_path cache key hash computation,
-     * used by both cache writes (TokenCache) and cache reads (silent lookup).
-     * The result is memoized since ClientCredentialParameters is immutable after construction.
+     * Builds the sorted map of cache key components from the parameters that require
+     * cache isolation. Returns null if no components are present.
+     * <p>
+     * This is the single place where parameters contribute to the extended cache key.
+     * To add a new cache key component, add an entry here — the hash computation and
+     * cache read/write logic are fully generic and require no changes.
      */
-    private String fmiCacheKeyHashCache;
-
-    String computeFmiCacheKeyHash() {
-        if (fmiCacheKeyHashCache != null) {
-            return fmiCacheKeyHashCache;
-        }
+    private SortedMap<String, String> buildCacheKeyComponents() {
+        TreeMap<String, String> components = null;
         if (!StringHelper.isBlank(fmiPath)) {
-            TreeMap<String, String> components = new TreeMap<>();
+            components = new TreeMap<>();
             components.put("fmi_path", fmiPath);
-            fmiCacheKeyHashCache = StringHelper.computeExtCacheKeyHash(components);
-        } else {
-            fmiCacheKeyHashCache = "";
         }
-        return fmiCacheKeyHashCache;
+        return components;
+    }
+
+    /**
+     * Returns the extended cache key components for this request, if any.
+     * Used by {@link TokenCache} for both cache writes and reads.
+     */
+    SortedMap<String, String> cacheKeyComponents() {
+        return this.cacheKeyComponents;
+    }
+
+    /**
+     * Computes the extended cache key hash from all cache key components.
+     * Returns an empty string if no components are present.
+     * <p>
+     * The result is memoized since ClientCredentialParameters is immutable after construction.
+     * Used by both cache writes ({@link TokenCache}) and cache reads (silent lookup).
+     */
+    String computeExtCacheKeyHash() {
+        if (extCacheKeyHashCache != null) {
+            return extCacheKeyHashCache;
+        }
+        extCacheKeyHashCache = StringHelper.computeExtCacheKeyHash(cacheKeyComponents);
+        return extCacheKeyHashCache;
     }
 
     public static class ClientCredentialParametersBuilder {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/TokenCache.java

@@ -339,12 +339,12 @@ private static AccessTokenCacheEntity createAccessTokenCacheEntity(TokenRequestE
 
     /**
      * Computes the extended cache key hash for a request, if applicable.
-     * Currently, this is used for client credential requests with an fmi_path parameter.
+     * Delegates to the generic cache key components on the parameters object.
      * The algorithm uses sorted key-value concatenation → SHA-256 → Base64URL (cross-SDK compatible).
      */
     private static String computeExtCacheKeyHashForRequest(MsalRequest msalRequest) {
         if (msalRequest instanceof ClientCredentialRequest) {
-            return ((ClientCredentialRequest) msalRequest).parameters.computeFmiCacheKeyHash();
+            return ((ClientCredentialRequest) msalRequest).parameters.computeExtCacheKeyHash();
         }
         return "";
     }