Remove tests that rely on agent identity flow behavior

Avery-Dunn · Avery-Dunn · commit 4bf9dff2349d · 2026-05-06T10:13:51.000-07:00
diff --git a/msal4j-sdk/src/integrationtest/java/com/microsoft/aad/msal4j/AgenticIT.java b/msal4j-sdk/src/integrationtest/java/com/microsoft/aad/msal4j/AgenticIT.java
@@ -20,36 +20,31 @@
 
 /**
  * Integration tests for agentic (agent identity) scenarios using MSAL Java APIs.
- * Tests the MSAL-level APIs for the agent identity flow
- * (specifically the FMI portions that are available on this branch).
+ * Tests FMI credential acquisition via assertion callbacks and cache isolation.
  *
  * <p>These tests use MSAL token acquisition APIs (unlike AgenticRawHttpIT which uses raw HTTP).
  *
  * <p>Test configuration:
  * <ul>
- *   <li>Blueprint app: {@link #BLUEPRINT_CLIENT_ID}</li>
+ *   <li>RMA app: {@link #RMA_CLIENT_ID}</li>
  *   <li>Agent app: {@link #AGENT_APP_ID}</li>
  *   <li>Tenant: {@link #TENANT_ID}</li>
  * </ul>
  *
  * <p>Flows tested (FMI-only, no FIC/user_fic on this branch):
  * <ul>
- *   <li>Agent gets app token using FMI-sourced assertion (Leg 2 of agent identity)</li>
  *   <li>Assertion callback receives correct context (AssertionRequestOptions)</li>
- *   <li>Cache isolation between different assertion-based flows</li>
+ *   <li>Cache isolation between different fmi_path values</li>
  * </ul>
  */
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class AgenticIT {
 
     // Lab test configuration
-    private static final String BLUEPRINT_CLIENT_ID = "aab5089d-e764-47e3-9f28-cc11c2513821";
     private static final String RMA_CLIENT_ID = "3bf56293-fbb5-42bd-a407-248ba7431a8c";
     private static final String TENANT_ID = "10c419d4-4a50-45b2-aa4e-919fb84df24f";
     private static final String AGENT_APP_ID = "ab18ca07-d139-4840-8b3b-4be9610c6ed5";
-    private static final String TOKEN_EXCHANGE_SCOPE = "api://AzureADTokenExchange/.default";
     private static final String FMI_EXCHANGE_SCOPE = "api://AzureFMITokenExchange/.default";
-    private static final String GRAPH_SCOPE = "https://graph.microsoft.com/.default";
     private static final String AZURE_REGION = "westus3";
 
     private static final String AUTHORITY = "https://login.microsoftonline.com/" + TENANT_ID + "/";
@@ -71,40 +66,6 @@ void init() throws KeyStoreException, NoSuchProviderException,
         assertNotNull(certificate, "Lab certificate not found. Ensure the lab cert is installed.");
     }
 
-    /**
-     * Agent gets an app-only token for Graph using an FMI-sourced client assertion.
-     * This tests Leg 2 of the agent identity flow:
-     * 1. Blueprint CCA acquires FMI credential (fmi_path = agentAppId)
-     * 2. Agent CCA uses that credential as client_assertion to get Graph token
-     */
-    @Test
-    void agentGetsAppToken_UsingFmiAssertion() throws Exception {
-        // The assertion callback simulates what an SDK or middleware would do:
-        // it calls the blueprint app to get an FMI credential for the agent
-        Function<AssertionRequestOptions, String> assertionProvider = options -> {
-            try {
-                return acquireFmiCredentialForAgent(AGENT_APP_ID);
-            } catch (Exception e) {
-                throw new RuntimeException("Failed to acquire FMI credential", e);
-            }
-        };
-
-        IClientCredential credential = ClientCredentialFactory.createFromCallback(assertionProvider);
-
-        ConfidentialClientApplication agentCca = ConfidentialClientApplication.builder(AGENT_APP_ID, credential)
-                .authority(AUTHORITY)
-                .build();
-
-        IAuthenticationResult result = agentCca.acquireToken(ClientCredentialParameters
-                        .builder(Collections.singleton(GRAPH_SCOPE))
-                        .build())
-                .get();
-
-        assertNotNull(result, "Auth result should not be null");
-        assertNotNull(result.accessToken(), "Access token should not be null");
-        assertFalse(result.accessToken().isEmpty(), "Access token should not be empty");
-    }
-
     /**
      * Verifies that the context-aware assertion callback receives the correct fmiPath
      * when the ClientCredentialParameters include an fmiPath.
@@ -154,40 +115,6 @@ void assertionCallback_ReceivesFmiPathContext() throws Exception {
         assertNotNull(result.accessToken(), "Access token should not be null");
     }
 
-    /**
-     * Verifies that the agent CCA can acquire a token and it gets cached,
-     * then the second request is a cache hit.
-     */
-    @Test
-    void agentAppToken_CacheHit() throws Exception {
-        Function<AssertionRequestOptions, String> assertionProvider = options -> {
-            try {
-                return acquireFmiCredentialForAgent(AGENT_APP_ID);
-            } catch (Exception e) {
-                throw new RuntimeException("Failed to acquire FMI credential", e);
-            }
-        };
-
-        IClientCredential credential = ClientCredentialFactory.createFromCallback(assertionProvider);
-
-        ConfidentialClientApplication agentCca = ConfidentialClientApplication.builder(AGENT_APP_ID, credential)
-                .authority(AUTHORITY)
-                .build();
-
-        ClientCredentialParameters params = ClientCredentialParameters
-                .builder(Collections.singleton(GRAPH_SCOPE))
-                .build();
-
-        IAuthenticationResult result1 = agentCca.acquireToken(params).get();
-        IAuthenticationResult result2 = agentCca.acquireToken(params).get();
-
-        // Second call should be a cache hit
-        assertEquals(result1.accessToken(), result2.accessToken(),
-                "Second request should be a cache hit returning the same token");
-        assertEquals(1, agentCca.tokenCache.accessTokens.size(),
-                "Should have only one cache entry");
-    }
-
     /**
      * Verifies that tokens acquired with different fmi_paths are isolated in cache
      * even when using the same agent CCA.
@@ -231,29 +158,6 @@ void agentFmiToken_CacheIsolation_DifferentFmiPaths() throws Exception {
                 "Tokens for different fmi_paths should be different");
     }
 
-    /**
-     * Helper: acquires an FMI credential from the blueprint app for the given agent app ID.
-     * Uses the agent token exchange scope (api://AzureADTokenExchange).
-     */
-    private String acquireFmiCredentialForAgent(String agentAppId) throws Exception {
-        IClientCertificate clientCert = ClientCredentialFactory.createFromCertificate(privateKey, certificate);
-
-        ConfidentialClientApplication blueprintCca = ConfidentialClientApplication.builder(
-                        BLUEPRINT_CLIENT_ID, clientCert)
-                .authority(AUTHORITY)
-                .sendX5c(true)
-                .azureRegion(AZURE_REGION)
-                .build();
-
-        ClientCredentialParameters params = ClientCredentialParameters
-                .builder(Collections.singleton(TOKEN_EXCHANGE_SCOPE))
-                .fmiPath(agentAppId)
-                .build();
-
-        IAuthenticationResult result = blueprintCca.acquireToken(params).get();
-        return result.accessToken();
-    }
-
     /**
      * Helper: acquires an FMI credential from the RMA using a certificate.
      * Uses the FMI-specific exchange scope (api://AzureFMITokenExchange).
