Minor cleanup

Avery-Dunn · Avery-Dunn · commit b0db0ee1f1f3 · 2026-05-08T12:14:44.000-07:00
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenForAgentSupplier.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AcquireTokenForAgentSupplier.java
@@ -103,20 +103,8 @@ AuthenticationResult execute() throws Exception {
         // Leg 3: Exchange the assertion for a user-scoped token via UserFIC.
         // The result is written to the Agent CCA's user token cache for future silent retrieval.
         LOG.debug("Executing Leg 3 (user FIC token) for agent app ID: {}", agentAppId);
-        UserFederatedIdentityCredentialParameters ficParams;
-        if (agentIdentity.userObjectId() != null) {
-            ficParams = propagateToUserFicParams(
-                    UserFederatedIdentityCredentialParameters
-                            .builder(callerScopes, agentIdentity.userObjectId(), assertion)
-                            .forceRefresh(true)) // always fetch from network (we already checked the cache above)
-                    .build();
-        } else {
-            ficParams = propagateToUserFicParams(
-                    UserFederatedIdentityCredentialParameters
-                            .builder(callerScopes, agentIdentity.username(), assertion)
-                            .forceRefresh(true))
-                    .build();
-        }
+        UserFederatedIdentityCredentialParameters ficParams = buildLeg3FicParams(
+                callerScopes, agentIdentity, assertion);
 
         return (AuthenticationResult) joinAndUnwrap(agentCca.acquireToken(ficParams));
     }
@@ -181,6 +169,27 @@ private static String extractOid(String homeAccountId) {
         return dotIndex >= 0 ? homeAccountId.substring(0, dotIndex) : homeAccountId;
     }
 
+    /**
+     * Builds the Leg 3 (UserFIC) parameters, selecting the OID or UPN overload as
+     * appropriate. ForceRefresh is always set because the caller-level silent check
+     * (tryAcquireTokenSilent) has already run; if we reach Leg 3 the token must be
+     * fetched from the network.
+     */
+    private UserFederatedIdentityCredentialParameters buildLeg3FicParams(
+            Set<String> callerScopes,
+            AgentIdentity agentIdentity,
+            String assertion) {
+        UserFederatedIdentityCredentialParameters.UserFederatedIdentityCredentialParametersBuilder builder;
+        if (agentIdentity.userObjectId() != null) {
+            builder = UserFederatedIdentityCredentialParameters
+                    .builder(callerScopes, agentIdentity.userObjectId(), assertion);
+        } else {
+            builder = UserFederatedIdentityCredentialParameters
+                    .builder(callerScopes, agentIdentity.username(), assertion);
+        }
+        return propagateToUserFicParams(builder.forceRefresh(true)).build();
+    }
+
     // ========================================================================
     // Outer Request Parameter Propagation
     // ========================================================================
diff --git a/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/AcquireTokenForAgentTest.java b/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/AcquireTokenForAgentTest.java
@@ -267,7 +267,7 @@ void acquireTokenForAgent_withOid_acquiresUserToken() throws Exception {
     // ========================================================================
 
     @Test
-    void acquireTokenForAgent_samAgentId_reusesCca() throws Exception {
+    void acquireTokenForAgent_sameAgentId_reusesCca() throws Exception {
         // Arrange
         DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
 
@@ -827,165 +827,4 @@ void acquireTokenForAgent_leg2CacheIsolation_credentialFmiPathPreventsCollision(
         assertEquals(3, agentCca.tokenCache.accessTokens.size(),
                 "Agent CCA should have 3 tokens: 1 Leg 2 assertion + 2 user tokens");
     }
-
-    // ========================================================================
-    // Scope collision test: caller uses api://AzureADTokenExchange/.default
-    // which is the same scope used internally for Leg 2 assertion tokens.
-    // This probes whether the flat cache can distinguish between an app-level
-    // assertion token and a user-level FIC token when both share the same scope.
-    // ========================================================================
-
-    @Test
-    void acquireTokenForAgent_callerScopeMatchesInternalAssertionScope_noCollision() throws Exception {
-        // The internal Leg 2 uses api://AzureADTokenExchange/.default for the assertion token.
-        // If an external caller also requests that scope for a user token, the agent CCA's
-        // flat cache will contain both an app token and a user token with the same scope.
-        Set<String> tokenExchangeScope = Collections.singleton("api://AzureADTokenExchange/.default");
-
-        String user3Upn = "charlie@contoso.com";
-        String user3Oid = "33333333-3333-3333-3333-333333333333";
-
-        DefaultHttpClient httpClientMock = mock(DefaultHttpClient.class);
-
-        when(httpClientMock.send(any(HttpRequest.class)))
-                .thenReturn(
-                        // --- Alice: normal scopes (Legs 1+2+3 = 3 HTTP calls) ---
-                        createAppTokenResponse("fmi-credential-token"),
-                        createAppTokenResponse("assertion-token-leg2"),
-                        createUserTokenResponse("alice-graph-token", USER1_UPN, USER1_OID),
-
-                        // --- Bob: api://AzureADTokenExchange scope (Leg 3 only = 1 HTTP call) ---
-                        // Legs 1+2 are cached from Alice's flow.
-                        // Leg 3 creates a USER token with the same scope as the Leg 2 app token.
-                        createUserTokenResponse("bob-exchange-token", USER2_UPN, USER2_OID),
-
-                        // --- Charlie: non-agent client_credentials with same exchange scope ---
-                        // This goes through the BLUEPRINT CCA (not the agent CCA).
-                        createAppTokenResponse("charlie-exchange-app-token"));
-
-        ConfidentialClientApplication blueprintCca = createBlueprintCca(httpClientMock);
-
-        AgentIdentity aliceAgent = AgentIdentity.withUsername(AGENT_APP_ID, USER1_UPN);
-        AgentIdentity bobAgent = AgentIdentity.withUsername(AGENT_APP_ID, USER2_UPN);
-
-        // ---- Step 1: Alice with normal Graph scopes ----
-        IAuthenticationResult aliceResult = blueprintCca.acquireTokenForAgent(
-                AcquireTokenForAgentParameters.builder(CALLER_SCOPES, aliceAgent).build()
-        ).get();
-
-        assertEquals("alice-graph-token", aliceResult.accessToken());
-        verify(httpClientMock, times(3)).send(any(HttpRequest.class));
-
-        // ---- Step 2: Bob with api://AzureADTokenExchange/.default ----
-        // This is the dangerous scenario: the agent CCA already has an app token
-        // (assertion-token-leg2) for this exact scope from Leg 2. Now we're asking
-        // for a USER token with the same scope. If the cache lookup for Leg 2 on
-        // future calls uses findAny() without filtering by homeAccountId, it could
-        // return Bob's user token instead of the assertion token.
-        IAuthenticationResult bobResult = blueprintCca.acquireTokenForAgent(
-                AcquireTokenForAgentParameters.builder(tokenExchangeScope, bobAgent).build()
-        ).get();
-
-        assertEquals("bob-exchange-token", bobResult.accessToken());
-        verify(httpClientMock, times(4)).send(any(HttpRequest.class)); // +1 for Bob's Leg 3
-
-        // ---- Step 3: Verify agent CCA cache state ----
-        ConfidentialClientApplication agentCca =
-                blueprintCca.agentCcaCache.get("agent_" + AGENT_APP_ID);
-        assertNotNull(agentCca);
-
-        // Agent CCA should have:
-        //   - 1 Leg 2 assertion token (app token, scope=api://AzureADTokenExchange/.default, homeAccountId="")
-        //   - 1 Alice user token (scope=graph.microsoft.com/.default, homeAccountId=alice-oid.tenant)
-        //   - 1 Bob user token (scope=api://AzureADTokenExchange/.default, homeAccountId=bob-oid.tenant)
-        assertEquals(3, agentCca.tokenCache.accessTokens.size(),
-                "Agent CCA cache should have 3 tokens (1 assertion + 2 user)");
-
-        // Count how many tokens have api://AzureADTokenExchange scope in the agent CCA.
-        // There should be 2: the Leg 2 assertion token (app) and Bob's user token.
-        long exchangeScopeTokenCount = agentCca.tokenCache.accessTokens.values().stream()
-                .filter(at -> at.target() != null &&
-                        at.target().toLowerCase().contains("azureadtokenexchange"))
-                .count();
-        assertEquals(2, exchangeScopeTokenCount,
-                "Agent CCA should have 2 tokens with the exchange scope (1 app + 1 user)");
-
-        // ---- Step 4: Alice again — should still return from cache (no collision) ----
-        IAuthenticationResult aliceAgain = blueprintCca.acquireTokenForAgent(
-                AcquireTokenForAgentParameters.builder(CALLER_SCOPES, aliceAgent).build()
-        ).get();
-
-        assertEquals("alice-graph-token", aliceAgain.accessToken());
-        verify(httpClientMock, times(4)).send(any(HttpRequest.class)); // still 4
-
-        // ---- Step 5: Bob again — this is the critical test ----
-        // When we request Bob's token again, the silent lookup should find Bob's
-        // USER token (not the Leg 2 assertion token) even though both share the same scope.
-        IAuthenticationResult bobAgain = blueprintCca.acquireTokenForAgent(
-                AcquireTokenForAgentParameters.builder(tokenExchangeScope, bobAgent).build()
-        ).get();
-
-        assertEquals("bob-exchange-token", bobAgain.accessToken(),
-                "Bob's silent retrieval should return the user token, not the assertion token");
-        verify(httpClientMock, times(4)).send(any(HttpRequest.class)); // still 4
-
-        // ---- Step 6: Now trigger a NEW agent flow for a different user ----
-        // This is where the Leg 2 collision matters most. A new user triggers Leg 2
-        // (acquireToken(ClientCredentialParameters)) which uses getApplicationAccessTokenCacheEntity.
-        // If that lookup returns Bob's USER token instead of the app assertion token,
-        // Leg 3 will use the wrong assertion and fail or return incorrect results.
-        //
-        // We queue a Leg 3 response for a hypothetical third user to test this.
-        // If Leg 2 correctly returns the cached assertion token, only 1 HTTP call (Leg 3) fires.
-        // If Leg 2 gets a collision and returns Bob's user token as the assertion, the behavior
-        // will be unpredictable (wrong assertion value, possibly an error, or 2+ HTTP calls).
-
-        String user3_upn = "charlie@contoso.com";
-        String user3_oid = "33333333-3333-3333-3333-333333333333";
-
-        // Clear invocation history so we can count only Charlie's HTTP calls
-        clearInvocations(httpClientMock);
-
-        // Reset mock for the next sequence: only Leg 3 should fire (1 call).
-        // If Leg 2 has a cache collision, it may re-fetch (2+ calls), or if
-        // the wrong token is used as the assertion, it may error out.
-        when(httpClientMock.send(any(HttpRequest.class)))
-                .thenReturn(
-                        createUserTokenResponse("charlie-exchange-token", user3_upn, user3_oid));
-
-        AgentIdentity charlieAgent = AgentIdentity.withUsername(AGENT_APP_ID, user3_upn);
-        IAuthenticationResult charlieResult = blueprintCca.acquireTokenForAgent(
-                AcquireTokenForAgentParameters.builder(tokenExchangeScope, charlieAgent).build()
-        ).get();
-
-        // If this assertion fails, it means Leg 2 returned Bob's user token instead of the
-        // cached assertion token, causing downstream problems.
-        assertEquals("charlie-exchange-token", charlieResult.accessToken(),
-                "Charlie should get a fresh Leg 3 token using the cached Leg 2 assertion");
-
-        // Verify only 1 new HTTP call was made (Leg 3 for Charlie).
-        // If 2+ new calls were made, Leg 2 had to re-fetch because of a cache collision.
-        verify(httpClientMock, times(1)).send(any(HttpRequest.class));
-
-        // ---- Step 7: Final cache state verification ----
-        assertEquals(4, agentCca.tokenCache.accessTokens.size(),
-                "Agent CCA should now have 4 tokens: 1 assertion + 3 user tokens");
-
-        // ---- Step 8: Non-agent client_credentials with exchange scope on BLUEPRINT ----
-        // This tests that the blueprint's own cache doesn't collide with the FMI token
-        // (which also targets api://AzureADTokenExchange/.default but has an extCacheKeyHash).
-        clearInvocations(httpClientMock);
-        when(httpClientMock.send(any(HttpRequest.class)))
-                .thenReturn(createAppTokenResponse("blueprint-exchange-app-token"));
-
-        IAuthenticationResult blueprintExchangeResult = blueprintCca.acquireToken(
-                ClientCredentialParameters.builder(tokenExchangeScope).build()
-        ).get();
-
-        // The FMI token has extCacheKeyHash set (from fmi_path), so a plain
-        // client_credentials call without fmi_path should NOT match it.
-        // It should trigger a new HTTP call and store a separate cache entry.
-        assertEquals("blueprint-exchange-app-token", blueprintExchangeResult.accessToken(),
-                "Blueprint's non-FMI exchange token should not collide with the FMI token");
-    }
 }
