Caching behavior fixes and improved test coverage

Author: Avery-Dunn

msal4j-sdk/src/integrationtest/java/com/microsoft/aad/msal4j/AgenticIT.java

@@ -298,6 +298,203 @@ void agentCca_AppAndUserTokens_CacheIsolation() throws Exception {
                 "Cache should have at least 2 entries (app + user)");
     }
 
+    // ========================================================================
+    // High-level AcquireTokenForAgent tests (composite API)
+    // ========================================================================
+
+    /**
+     * Tests the high-level acquireTokenForAgent API with a UPN-based AgentIdentity.
+     * Exercises the full 3-leg flow orchestrated internally by AcquireTokenForAgentSupplier.
+     */
+    @Test
+    void acquireTokenForAgent_withUpn_fullFlow() throws Exception {
+        IClientCertificate clientCert = ClientCredentialFactory.createFromCertificate(privateKey, certificate);
+
+        ConfidentialClientApplication blueprintCca = ConfidentialClientApplication.builder(
+                        BLUEPRINT_CLIENT_ID, clientCert)
+                .authority(AUTHORITY)
+                .sendX5c(true)
+                .azureRegion(AZURE_REGION)
+                .build();
+
+        AgentIdentity agentId = AgentIdentity.withUsername(AGENT_APP_ID, USER_UPN);
+
+        IAuthenticationResult result = blueprintCca.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), agentId).build()
+        ).get();
+
+        assertNotNull(result, "Result should not be null");
+        assertNotNull(result.accessToken(), "Access token should not be null");
+        assertFalse(result.accessToken().isEmpty(), "Access token should not be empty");
+        assertNotNull(result.account(), "Account should not be null for user token");
+    }
+
+    /**
+     * Tests the high-level acquireTokenForAgent API for app-only (no user) scenarios.
+     * Only Legs 1-2 are performed.
+     */
+    @Test
+    void acquireTokenForAgent_appOnly() throws Exception {
+        IClientCertificate clientCert = ClientCredentialFactory.createFromCertificate(privateKey, certificate);
+
+        ConfidentialClientApplication blueprintCca = ConfidentialClientApplication.builder(
+                        BLUEPRINT_CLIENT_ID, clientCert)
+                .authority(AUTHORITY)
+                .sendX5c(true)
+                .azureRegion(AZURE_REGION)
+                .build();
+
+        AgentIdentity agentId = AgentIdentity.appOnly(AGENT_APP_ID);
+
+        IAuthenticationResult result = blueprintCca.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), agentId).build()
+        ).get();
+
+        assertNotNull(result, "Result should not be null");
+        assertNotNull(result.accessToken(), "Access token should not be null");
+        assertFalse(result.accessToken().isEmpty(), "Access token should not be empty");
+    }
+
+    /**
+     * Tests the high-level acquireTokenForAgent API with ForceRefresh.
+     * First call populates cache, second call (forceRefresh) bypasses it.
+     */
+    @Test
+    void acquireTokenForAgent_forceRefresh() throws Exception {
+        IClientCertificate clientCert = ClientCredentialFactory.createFromCertificate(privateKey, certificate);
+
+        ConfidentialClientApplication blueprintCca = ConfidentialClientApplication.builder(
+                        BLUEPRINT_CLIENT_ID, clientCert)
+                .authority(AUTHORITY)
+                .sendX5c(true)
+                .azureRegion(AZURE_REGION)
+                .build();
+
+        AgentIdentity agentId = AgentIdentity.withUsername(AGENT_APP_ID, USER_UPN);
+
+        // First call — populates cache
+        IAuthenticationResult result1 = blueprintCca.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), agentId).build()
+        ).get();
+        assertNotNull(result1.accessToken());
+
+        // Second call without forceRefresh — should return cached token
+        IAuthenticationResult result2 = blueprintCca.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), agentId).build()
+        ).get();
+        assertEquals(result1.accessToken(), result2.accessToken(),
+                "Second call should return cached token");
+
+        // Third call with forceRefresh — should get a fresh token
+        IAuthenticationResult result3 = blueprintCca.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), agentId)
+                        .forceRefresh(true).build()
+        ).get();
+        assertNotNull(result3.accessToken());
+        // The fresh token may be the same string (if not expired) but the flow exercised network
+    }
+
+    /**
+     * Tests cache isolation between two blueprint CCA instances.
+     * Each blueprint should have its own agent CCA cache.
+     */
+    @Test
+    void acquireTokenForAgent_cacheIsolation_twoBlueprintCcas() throws Exception {
+        IClientCertificate clientCert = ClientCredentialFactory.createFromCertificate(privateKey, certificate);
+
+        ConfidentialClientApplication blueprint1 = ConfidentialClientApplication.builder(
+                        BLUEPRINT_CLIENT_ID, clientCert)
+                .authority(AUTHORITY)
+                .sendX5c(true)
+                .azureRegion(AZURE_REGION)
+                .build();
+
+        ConfidentialClientApplication blueprint2 = ConfidentialClientApplication.builder(
+                        BLUEPRINT_CLIENT_ID, clientCert)
+                .authority(AUTHORITY)
+                .sendX5c(true)
+                .azureRegion(AZURE_REGION)
+                .build();
+
+        AgentIdentity agentId = AgentIdentity.withUsername(AGENT_APP_ID, USER_UPN);
+
+        // Acquire via blueprint1
+        IAuthenticationResult result1 = blueprint1.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), agentId).build()
+        ).get();
+        assertNotNull(result1.accessToken());
+
+        // Blueprint1 should have agent CCA cached, blueprint2 should not
+        assertEquals(1, blueprint1.agentCcaCache.size(),
+                "Blueprint1 should have one cached agent CCA");
+        assertTrue(blueprint2.agentCcaCache.isEmpty(),
+                "Blueprint2 should have no cached agent CCAs (no bleed)");
+
+        // Acquire via blueprint2
+        IAuthenticationResult result2 = blueprint2.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), agentId).build()
+        ).get();
+        assertNotNull(result2.accessToken());
+
+        // Both should now have their own cache entries
+        assertEquals(1, blueprint1.agentCcaCache.size());
+        assertEquals(1, blueprint2.agentCcaCache.size());
+    }
+
+    /**
+     * Tests that a UPN-based token can be found by OID lookup on the same blueprint.
+     * Discovers the OID via the UPN flow, then verifies OID-based call returns cached token.
+     */
+    @Test
+    void acquireTokenForAgent_upnThenOid_sharesCache() throws Exception {
+        IClientCertificate clientCert = ClientCredentialFactory.createFromCertificate(privateKey, certificate);
+
+        ConfidentialClientApplication blueprintCca = ConfidentialClientApplication.builder(
+                        BLUEPRINT_CLIENT_ID, clientCert)
+                .authority(AUTHORITY)
+                .sendX5c(true)
+                .azureRegion(AZURE_REGION)
+                .build();
+
+        // Step 1: Acquire via UPN
+        AgentIdentity upnIdentity = AgentIdentity.withUsername(AGENT_APP_ID, USER_UPN);
+        IAuthenticationResult upnResult = blueprintCca.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), upnIdentity).build()
+        ).get();
+        assertNotNull(upnResult.account(), "Account should not be null");
+
+        // Extract OID from account's homeAccountId (format: oid.tid)
+        String homeAccountId = upnResult.account().homeAccountId();
+        assertNotNull(homeAccountId);
+        String oidString = homeAccountId.contains(".")
+                ? homeAccountId.substring(0, homeAccountId.indexOf('.'))
+                : homeAccountId;
+        java.util.UUID userOid = java.util.UUID.fromString(oidString);
+
+        // Step 2: Acquire via OID — should come from cache
+        AgentIdentity oidIdentity = new AgentIdentity(AGENT_APP_ID, userOid);
+        IAuthenticationResult oidResult = blueprintCca.acquireTokenForAgent(
+                AcquireTokenForAgentParameters.builder(
+                        Collections.singleton(GRAPH_SCOPE), oidIdentity).build()
+        ).get();
+
+        // Should return the same cached token
+        assertEquals(upnResult.accessToken(), oidResult.accessToken(),
+                "OID-based call should return the same cached token as UPN-based call");
+    }
+
+    // ========================================================================
+    // Helpers
+    // ========================================================================
+
     /**
      * Helper: acquires an FMI credential from the RMA (Resource Management Application).
      * Uses FMI_EXCHANGE_SCOPE, matching FmiIT's Flow3 pattern.

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenByClientCredentialSupplier.java

@@ -40,7 +40,7 @@ AuthenticationResult execute() throws Exception {
                         context,
                         null);
 
-                // Propagate ext_cache_key_hash for fmi_path-based cache isolation
+                // Propagate ext_cache_key_hash for fmi_path/credential_fmi_path-based cache isolation
                 String extCacheKeyHash = this.clientCredentialRequest.parameters.computeFmiCacheKeyHash();
                 if (!StringHelper.isBlank(extCacheKeyHash)) {
                     silentRequest.extCacheKeyHash(extCacheKeyHash);

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenForAgentSupplier.java

@@ -8,6 +8,7 @@
 
 import java.net.MalformedURLException;
 import java.util.Collections;
+import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
@@ -69,7 +70,8 @@ AuthenticationResult execute() throws Exception {
             LOG.debug("App-only agent flow for agent app ID: {}", agentAppId);
             return (AuthenticationResult) joinAndUnwrap(
                     agentCca.acquireToken(
-                            ClientCredentialParameters.builder(callerScopes).build()));
+                            propagateToClientCredentialParams(
+                                    ClientCredentialParameters.builder(callerScopes)).build()));
         }
 
         // --- User identity flow ---
@@ -92,7 +94,9 @@ AuthenticationResult execute() throws Exception {
         LOG.debug("Executing Leg 2 (assertion token) for agent app ID: {}", agentAppId);
         IAuthenticationResult assertionResult = joinAndUnwrap(
                 agentCca.acquireToken(
-                        ClientCredentialParameters.builder(TOKEN_EXCHANGE_SCOPE).build()));
+                        propagateToClientCredentialParams(
+                                ClientCredentialParameters.builder(TOKEN_EXCHANGE_SCOPE)
+                                        .credentialFmiPath(agentAppId)).build()));
 
         String assertion = assertionResult.accessToken();
 
@@ -101,14 +105,16 @@ AuthenticationResult execute() throws Exception {
         LOG.debug("Executing Leg 3 (user FIC token) for agent app ID: {}", agentAppId);
         UserFederatedIdentityCredentialParameters ficParams;
         if (agentIdentity.userObjectId() != null) {
-            ficParams = UserFederatedIdentityCredentialParameters
-                    .builder(callerScopes, agentIdentity.userObjectId(), assertion)
-                    .forceRefresh(true) // always fetch from network (we already checked the cache above)
+            ficParams = propagateToUserFicParams(
+                    UserFederatedIdentityCredentialParameters
+                            .builder(callerScopes, agentIdentity.userObjectId(), assertion)
+                            .forceRefresh(true)) // always fetch from network (we already checked the cache above)
                     .build();
         } else {
-            ficParams = UserFederatedIdentityCredentialParameters
-                    .builder(callerScopes, agentIdentity.username(), assertion)
-                    .forceRefresh(true)
+            ficParams = propagateToUserFicParams(
+                    UserFederatedIdentityCredentialParameters
+                            .builder(callerScopes, agentIdentity.username(), assertion)
+                            .forceRefresh(true))
                     .build();
         }
 
@@ -131,12 +137,14 @@ private AuthenticationResult tryAcquireTokenSilent(
                 return null;
             }
 
-            SilentParameters silentParams = SilentParameters
-                    .builder(scopes, matchedAccount)
-                    .build();
+            SilentParameters.SilentParametersBuilder silentBuilder = SilentParameters
+                    .builder(scopes, matchedAccount);
+
+            // Propagate outer request parameters so that claims challenges cause cache bypass
+            propagateToSilentParams(silentBuilder);
 
             return (AuthenticationResult) joinAndUnwrap(
-                    agentCca.acquireTokenSilently(silentParams));
+                    agentCca.acquireTokenSilently(silentBuilder.build()));
         } catch (Exception ex) {
             // Token expired or requires interaction — fall through to full Leg 2 + Leg 3 flow
             LOG.debug("Silent token acquisition failed for agent: {}", ex.getMessage());
@@ -173,6 +181,81 @@ private static String extractOid(String homeAccountId) {
         return dotIndex >= 0 ? homeAccountId.substring(0, dotIndex) : homeAccountId;
     }
 
+    // ========================================================================
+    // Outer Request Parameter Propagation
+    // ========================================================================
+
+    /**
+     * Propagates per-request parameters from the outer AcquireTokenForAgent call to a
+     * ClientCredentialParameters builder (used for Legs 1-2 and app-only).
+     * This ensures caller-specified claims, tenant overrides, extra query parameters,
+     * and extra HTTP headers flow through to inner network calls.
+     */
+    private ClientCredentialParameters.ClientCredentialParametersBuilder propagateToClientCredentialParams(
+            ClientCredentialParameters.ClientCredentialParametersBuilder builder) {
+        AcquireTokenForAgentParameters outerParams = agentRequest.parameters;
+
+        if (outerParams.claims() != null) {
+            builder.claims(outerParams.claims());
+        }
+        if (!StringHelper.isBlank(outerParams.tenant())) {
+            builder.tenant(outerParams.tenant());
+        }
+        if (outerParams.extraQueryParameters() != null && !outerParams.extraQueryParameters().isEmpty()) {
+            builder.extraQueryParameters(outerParams.extraQueryParameters());
+        }
+        if (outerParams.extraHttpHeaders() != null && !outerParams.extraHttpHeaders().isEmpty()) {
+            builder.extraHttpHeaders(outerParams.extraHttpHeaders());
+        }
+        return builder;
+    }
+
+    /**
+     * Propagates per-request parameters from the outer AcquireTokenForAgent call to a
+     * UserFederatedIdentityCredentialParameters builder (used for Leg 3).
+     */
+    private UserFederatedIdentityCredentialParameters.UserFederatedIdentityCredentialParametersBuilder propagateToUserFicParams(
+            UserFederatedIdentityCredentialParameters.UserFederatedIdentityCredentialParametersBuilder builder) {
+        AcquireTokenForAgentParameters outerParams = agentRequest.parameters;
+
+        if (outerParams.claims() != null) {
+            builder.claims(outerParams.claims());
+        }
+        if (!StringHelper.isBlank(outerParams.tenant())) {
+            builder.tenant(outerParams.tenant());
+        }
+        if (outerParams.extraQueryParameters() != null && !outerParams.extraQueryParameters().isEmpty()) {
+            builder.extraQueryParameters(outerParams.extraQueryParameters());
+        }
+        if (outerParams.extraHttpHeaders() != null && !outerParams.extraHttpHeaders().isEmpty()) {
+            builder.extraHttpHeaders(outerParams.extraHttpHeaders());
+        }
+        return builder;
+    }
+
+    /**
+     * Propagates per-request parameters from the outer AcquireTokenForAgent call to a
+     * SilentParameters builder (used for the cache-first silent check).
+     * Claims propagation is important here: if a claims challenge is present, the silent
+     * check should recognize the cached token as insufficient and force a refresh.
+     */
+    private void propagateToSilentParams(SilentParameters.SilentParametersBuilder builder) {
+        AcquireTokenForAgentParameters outerParams = agentRequest.parameters;
+
+        if (outerParams.claims() != null) {
+            builder.claims(outerParams.claims());
+        }
+        if (!StringHelper.isBlank(outerParams.tenant())) {
+            builder.tenant(outerParams.tenant());
+        }
+        if (outerParams.extraQueryParameters() != null && !outerParams.extraQueryParameters().isEmpty()) {
+            builder.extraQueryParameters(outerParams.extraQueryParameters());
+        }
+        if (outerParams.extraHttpHeaders() != null && !outerParams.extraHttpHeaders().isEmpty()) {
+            builder.extraHttpHeaders(outerParams.extraHttpHeaders());
+        }
+    }
+
     // ========================================================================
     // Agent CCA Construction and Configuration
     // ========================================================================