Migrate OBO tests from AppWebApi/client secret to AppOBOService/certificate

- Replace APP_WEBAPI with APP_OBO_SERVICE (MSAL-APP-TodoListService-JSON) for the CCA
- Replace APP_WEBAPI PCA with APP_OBO_CLIENT (MSAL-APP-TodoListClient-JSON)
- Switch from client secret credential to LabAuth certificate
- Add defaultScopes field to AppConfig for OBO scope resolution
- Add APP_OBO_SERVICE and APP_OBO_CLIENT constants to KeyVaultSecrets

This mirrors the migration done in MSAL.NET PR #6021, moving from
old lab4 apps to ID4SLAB1 tenant apps with certificate-based auth.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: RyAuld

msal4j-sdk/src/integrationtest/java/com/microsoft/aad/msal4j/OnBehalfOfIT.java

@@ -5,6 +5,7 @@
 
 import com.microsoft.aad.msal4j.labapi.*;
 import static com.microsoft.aad.msal4j.labapi.KeyVaultSecrets.*;
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestInstance;
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -16,16 +17,21 @@
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
 class OnBehalfOfIT {
 
+    private IClientCertificate certificate;
+
+    @BeforeAll
+    void init() throws Exception {
+        certificate = CertificateHelper.getClientCertificate();
+    }
+
     @Test
     void acquireTokenWithOBO_Managed() throws Exception {
         String accessToken = this.getAccessToken();
-        AppConfig app = LabResponseHelper.getAppConfig(APP_WEBAPI);
+        AppConfig oboService = LabResponseHelper.getAppConfig(APP_OBO_SERVICE);
         UserConfig user = LabResponseHelper.getUserConfig(USER_PUBLIC_CLOUD);
 
-        String password = KeyVaultRegistry.getMsalTeamProvider().getSecretByName(app.getClientSecret()).getValue();
-
         ConfidentialClientApplication cca =
-                ConfidentialClientApplication.builder(app.getAppId(), ClientCredentialFactory.createFromSecret(password)).
+                ConfidentialClientApplication.builder(oboService.getAppId(), certificate).
                         authority(TestConstants.MICROSOFT_AUTHORITY_HOST + user.getTenantId()).
                         build();
 
@@ -42,13 +48,11 @@ void acquireTokenWithOBO_Managed() throws Exception {
     void acquireTokenWithOBO_testCache() throws Exception {
         String accessToken = this.getAccessToken();
 
-        AppConfig app = LabResponseHelper.getAppConfig(APP_WEBAPI);
+        AppConfig oboService = LabResponseHelper.getAppConfig(APP_OBO_SERVICE);
         UserConfig user = LabResponseHelper.getUserConfig(USER_PUBLIC_CLOUD);
 
-        String password = KeyVaultRegistry.getMsalTeamProvider().getSecretByName(app.getClientSecret()).getValue();
-
         ConfidentialClientApplication cca =
-                ConfidentialClientApplication.builder(app.getAppId(), ClientCredentialFactory.createFromSecret(password)).
+                ConfidentialClientApplication.builder(oboService.getAppId(), certificate).
                         authority(TestConstants.MICROSOFT_AUTHORITY_HOST + user.getTenantId()).
                         build();
 
@@ -125,13 +129,15 @@ private void assertResultNotNull(IAuthenticationResult result) {
     }
 
     private String getAccessToken() throws Exception {
-
-        AppConfig app = LabResponseHelper.getAppConfig(APP_WEBAPI);
+        AppConfig oboService = LabResponseHelper.getAppConfig(APP_OBO_SERVICE);
+        AppConfig oboClient = LabResponseHelper.getAppConfig(APP_OBO_CLIENT);
         UserConfig user = LabResponseHelper.getUserConfig(USER_PUBLIC_CLOUD);
 
-        String apiReadScope = "api://" + app.getAppId() + "/access_as_user";
+        String apiReadScope = oboService.getDefaultScopes() != null
+                ? oboService.getDefaultScopes()
+                : "api://" + oboService.getAppId() + "/access_as_user";
 
-        PublicClientApplication pca = PublicClientApplication.builder(app.getAppId()).
+        PublicClientApplication pca = PublicClientApplication.builder(oboClient.getAppId()).
                 authority("https://login.microsoftonline.com/organizations").
                 build();
 

msal4j-sdk/src/integrationtest/java/com/microsoft/aad/msal4j/labapi/AppConfig.java

@@ -23,6 +23,7 @@ public class AppConfig implements JsonSerializable<AppConfig> {
     private String labName;
     private String clientSecret;
     private String secretName;
+    private String defaultScopes;
 
     static AppConfig fromJson(JsonReader jsonReader) throws IOException {
         AppConfig app = new AppConfig();
@@ -57,6 +58,10 @@ static AppConfig fromJson(JsonReader jsonReader) throws IOException {
                     case "secretName":
                         app.secretName = reader.getString();
                         break;
+                    case "defaultscopes":
+                    case "defaultScopes":
+                        app.defaultScopes = reader.getString();
+                        break;
                     default:
                         reader.skipChildren();
                         break;
@@ -98,4 +103,8 @@ public String getClientSecret() {
     public String getSecretName() {
         return secretName;
     }
+
+    public String getDefaultScopes() {
+        return defaultScopes;
+    }
 }

msal4j-sdk/src/integrationtest/java/com/microsoft/aad/msal4j/labapi/KeyVaultSecrets.java

@@ -26,6 +26,10 @@ private KeyVaultSecrets() {
     public static final String APP_WEBAPI = "App-WebAPI-Config";
     public static final String APP_S2S = "App-S2S-Config";
 
+    // OBO App Configuration Secrets (ID4SLAB1 tenant, certificate-based auth)
+    public static final String APP_OBO_SERVICE = "MSAL-APP-TodoListService-JSON";
+    public static final String APP_OBO_CLIENT = "MSAL-APP-TodoListClient-JSON";
+
     // TODO: Consolidate with others or following naming convention in key vault
     public static final String APP_B2C = "MSAL-App-B2C-JSON";
     public static final String APP_ARLINGTON = "MSAL-App-Arlington-JSON";