AI generated code with spec and prompt shared

Author: neha-bhargava

msal4j-sdk/pom.xml

@@ -157,6 +157,12 @@
             <version>2.14.0</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>jakarta.xml.bind</groupId>
+            <artifactId>jakarta.xml.bind-api</artifactId>
+            <version>2.3.2</version>
+            <scope>compile</scope>
+        </dependency>
     </dependencies>
 
     <!-- force https -->

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthenticationErrorCode.java

@@ -147,4 +147,10 @@ public class AuthenticationErrorCode {
      * For more information on managed identity see https://aka.ms/msal4j-managed-identity.
      */
     public static final String MANAGED_IDENTITY_REQUEST_FAILED = "managed_identity_request_failed";
+
+    /**
+     * Indicates a cryptographic operation error occurred, such as when generating hash values
+     * or performing other cryptographic functions.
+     */
+    public static final String CRYPTO_ERROR = "crypto_error";
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/Constants.java

@@ -23,4 +23,15 @@ final class Constants {
     public static final String MSI_ENDPOINT = "MSI_ENDPOINT";
     public static final String IDENTITY_SERVER_THUMBPRINT = "IDENTITY_SERVER_THUMBPRINT";
 
+    // Constants for token revocation and client capabilities
+    public static final String CLIENT_CAPABILITY_CP1 = "cp1";
+    public static final String TOKEN_REVOCATION_REQUEST_PARAM = "x-ms-revoke-token";
+    public static final String TOKEN_HASH_CLAIM = "x-ms-token-hash";
+    
+    // Only Service Fabric and App Service managed identity environments support token revocation
+    public static final ManagedIdentitySourceType[] TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS = {
+            ManagedIdentitySourceType.APP_SERVICE,
+            ManagedIdentitySourceType.SERVICE_FABRIC
+    };
+
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityApplication.java

@@ -17,6 +17,7 @@
 public class ManagedIdentityApplication extends AbstractApplicationBase implements IManagedIdentityApplication {
 
     private final ManagedIdentityId managedIdentityId;
+    private List<String> clientCapabilities;
     static TokenCache sharedTokenCache = new TokenCache();
 
     //Deprecated the field in favor of the static getManagedIdentitySource method
@@ -44,6 +45,7 @@ private ManagedIdentityApplication(Builder builder) {
 
         this.managedIdentityId = builder.managedIdentityId;
         this.tenant = Constants.MANAGED_IDENTITY_DEFAULT_TENTANT;
+        this.clientCapabilities = builder.clientCapabilities;
     }
 
     public static TokenCache getSharedTokenCache() {
@@ -57,6 +59,8 @@ static IEnvironmentVariables getEnvironmentVariables() {
     public ManagedIdentityId getManagedIdentityId() {
         return this.managedIdentityId;
     }
+
+    public List<String> getClientCapabilities() { return this.clientCapabilities; }
 
     @Override
     public CompletableFuture<IAuthenticationResult> acquireTokenForManagedIdentity(ManagedIdentityParameters managedIdentityParameters)
@@ -105,7 +109,7 @@ public Builder resource(String resource) {
         /**
          * Informs the token issuer that the application is able to perform complex authentication actions.
          * For example, "cp1" means that the application is able to perform conditional access evaluation,
-         * because the application has been setup to parse WWW-Authenticate headers associated with a 401 response from the protected APIs,
+         * because the application has been set up to parse WWW-Authenticate headers associated with a 401 response from the protected APIs,
          * and to retry the request with claims API.
          * 
          * @param clientCapabilities a list of capabilities (e.g., ["cp1"]) recognized by the token service.

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityParameters.java

@@ -15,11 +15,12 @@ public class ManagedIdentityParameters implements IAcquireTokenParameters {
     String resource;
     boolean forceRefresh;
     String claims;
-
-    private ManagedIdentityParameters(String resource, boolean forceRefresh, String claims) {
+    private String tokenToRevoke;    
+    private ManagedIdentityParameters(String resource, boolean forceRefresh, String claims, String tokenToRevoke) {
         this.resource = resource;
         this.forceRefresh = forceRefresh;
         this.claims = claims;
+        this.tokenToRevoke = tokenToRevoke;
     }
 
     @Override
@@ -78,10 +79,19 @@ public String resource() {
         return this.resource;
     }
 
+    /**
+     * Gets the token to be revoked in supported Managed Identity environments.
+     * @return the token to be revoked
+     */
+    public String getTokenToRevoke() {
+        return this.tokenToRevoke;
+    }
+
     public static class ManagedIdentityParametersBuilder {
         private String resource;
         private boolean forceRefresh;
         private String claims;
+        private String tokenToRevoke;
 
         ManagedIdentityParametersBuilder() {
         }
@@ -112,9 +122,23 @@ public ManagedIdentityParametersBuilder claims(String claims) {
             this.claims = claims;
             return this;
         }
+        
+        /**
+         * Specifies a token to be revoked in supported Managed Identity environments (App Service, Service Fabric).
+         * The token will be converted to a SHA256 hash for revocation to avoid transmitting the original token.
+         * 
+         * @param tokenToRevoke The access token to revoke
+         * @return this builder instance
+         */
+        public ManagedIdentityParametersBuilder tokenToRevoke(String tokenToRevoke) {
+            ParameterValidationUtils.validateNotBlank("tokenToRevoke", tokenToRevoke);
+            
+            this.tokenToRevoke = tokenToRevoke;
+            return this;
+        }
 
         public ManagedIdentityParameters build() {
-            return new ManagedIdentityParameters(this.resource, this.forceRefresh, this.claims);
+            return new ManagedIdentityParameters(this.resource, this.forceRefresh, this.claims, this.tokenToRevoke);
         }
 
         public String toString() {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ManagedIdentityRequest.java

@@ -12,6 +12,7 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -31,6 +32,36 @@ class ManagedIdentityRequest extends MsalRequest {
 
     public ManagedIdentityRequest(ManagedIdentityApplication managedIdentityApplication, RequestContext requestContext) {
         super(managedIdentityApplication, requestContext);
+        
+        // Check if the environment supports token revocation
+        ManagedIdentitySourceType sourceType = ManagedIdentityClient.getManagedIdentitySource();
+        boolean supportsTokenRevocation = false;
+        
+        for (ManagedIdentitySourceType type : Constants.TOKEN_REVOCATION_SUPPORTED_ENVIRONMENTS) {
+            if (type == sourceType) {
+                supportsTokenRevocation = true;
+                break;
+            }
+        }
+        
+        // If client capabilities include CP1 (token revocation) and the source type supports it,
+        // add the token revocation parameter to query parameters
+        if (supportsTokenRevocation && 
+            managedIdentityApplication.getClientCapabilities() != null &&
+            managedIdentityApplication.getClientCapabilities().contains(Constants.CLIENT_CAPABILITY_CP1)) {
+            
+            if (requestContext.apiParameters() instanceof ManagedIdentityParameters) {
+                ManagedIdentityParameters parameters = (ManagedIdentityParameters) requestContext.apiParameters();
+                if (parameters.getTokenToRevoke() != null && !parameters.getTokenToRevoke().isEmpty()) {
+                    LOG.info("[Managed Identity] Adding token revocation parameter to request");
+                    if (queryParameters == null) {
+                        queryParameters = new HashMap<>();
+                    }
+                    String tokenHash = TokenRevocationUtil.convertTokenToSHA256HashString(parameters.getTokenToRevoke());
+                    queryParameters.put(Constants.TOKEN_REVOCATION_REQUEST_PARAM, Collections.singletonList(tokenHash));
+                }
+            }
+        }
     }
 
     public String getBodyAsString() {

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/TokenRevocationUtil.java

@@ -0,0 +1,42 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import javax.xml.bind.DatatypeConverter;
+
+/**
+ * Utility class for token revocation operations
+ */
+public final class TokenRevocationUtil {
+
+    private TokenRevocationUtil() {
+        // Private constructor to prevent instantiation
+    }
+
+    /**
+     * Converts a token to its SHA256 hash string representation.
+     * This is used in token revocation scenarios to identify tokens without transmitting the original token.
+     *
+     * @param token The token to hash
+     * @return The SHA256 hash of the token as a lowercase hex string
+     * @throws MsalClientException If the SHA-256 algorithm is not available
+     */
+    public static String convertTokenToSHA256HashString(String token) {
+        if (token == null || token.isEmpty()) {
+            throw new IllegalArgumentException("Token cannot be null or empty");
+        }
+
+        try {
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] hash = digest.digest(token.getBytes(StandardCharsets.UTF_8));
+            return DatatypeConverter.printHexBinary(hash).toLowerCase();
+        } catch (NoSuchAlgorithmException e) {
+            throw new MsalClientException("Failed to create SHA-256 hash: " + e.getMessage(),
+                    AuthenticationErrorCode.CRYPTO_ERROR);
+        }
+    }
+}

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/TokenRevocationTest.java

@@ -0,0 +1,64 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.BeforeEach;
+import static org.junit.jupiter.api.Assertions.*;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+
+public class TokenRevocationTest {
+
+    private static final String TEST_TOKEN = "test_token";
+    private static final String EXPECTED_TOKEN_HASH = "cc0af97287543b65da2c7e1476426021826cab166f1e063ed012b855ff819656";
+    private static final String TEST_RESOURCE = "https://management.azure.com";
+    
+    @Test
+    public void testConvertTokenToSHA256Hash() {
+        String hash = TokenRevocationUtil.convertTokenToSHA256HashString(TEST_TOKEN);
+        assertEquals(EXPECTED_TOKEN_HASH, hash);
+    }
+    
+    @Test
+    public void testTokenToRevokeValidation() {
+        // Should throw exception when null
+        assertThrows(IllegalArgumentException.class, () -> {
+            TokenRevocationUtil.convertTokenToSHA256HashString(null);
+        });
+        
+        // Should throw exception when empty
+        assertThrows(IllegalArgumentException.class, () -> {
+            TokenRevocationUtil.convertTokenToSHA256HashString("");
+        });
+    }
+    
+    @Test
+    public void testManagedIdentityParametersBuilder() {
+        ManagedIdentityParameters params = ManagedIdentityParameters.builder(TEST_RESOURCE)
+                .tokenToRevoke(TEST_TOKEN)
+                .build();
+        
+        assertEquals(TEST_RESOURCE, params.resource());
+        assertEquals(TEST_TOKEN, params.getTokenToRevoke());
+    }
+    
+    @Test
+    public void testManagedIdentityParametersBuilderValidation() {
+        // Should throw exception when tokenToRevoke is null or empty
+        assertThrows(IllegalArgumentException.class, () -> {
+            ManagedIdentityParameters.builder(TEST_RESOURCE)
+                .tokenToRevoke(null)
+                .build();
+        });
+        
+        assertThrows(IllegalArgumentException.class, () -> {
+            ManagedIdentityParameters.builder(TEST_RESOURCE)
+                .tokenToRevoke("")
+                .build();
+        });
+    }
+}