updated the cache key ext

4gust · 4gust · commit 7a0b5a14423c · 2026-02-25T10:46:52.000Z
diff --git a/msal/token_cache.py b/msal/token_cache.py
@@ -39,6 +39,9 @@
     "scope",
     "username",
     "password",
+    "client_assertion",
+    "client_assertion_type",
+    "assertion",
 })
 
 
@@ -89,6 +92,7 @@ class TokenCache(object):
 
     class CredentialType:
         ACCESS_TOKEN = "AccessToken"
+        ACCESS_TOKEN_EXTENDED = "atext"  # Used when ext_cache_key is present (matches Go/dotnet)
         REFRESH_TOKEN = "RefreshToken"
         ACCOUNT = "Account"  # Not exactly a credential type, but we put it here
         ID_TOKEN = "IdToken"
@@ -125,7 +129,9 @@ def __init__(self):
                     "-".join([  # Note: Could use a hash here to shorten key length
                         home_account_id or "",
                         environment or "",
-                        self.CredentialType.ACCESS_TOKEN,
+                        # Use "atext" credential type when ext_cache_key is
+                        # present, matching MSAL Go and MSAL .NET behaviour.
+                        "atext" if ext_cache_key else "AccessToken",
                         client_id or "",
                         realm or "",
                         target or "",
diff --git a/tests/test_token_cache.py b/tests/test_token_cache.py
@@ -442,3 +442,121 @@ def test_non_fmi_tokens_not_affected_by_fmi_cache(self):
         self.assertEqual(1, len(at_entries))
         self.assertEqual("regular_token", at_entries[0]["secret"])
 
+
+class TestCrossMsalCacheKeyCompatibility(unittest.TestCase):
+    """Verify that _compute_ext_cache_key produces hashes identical to MSAL Go
+    (CacheExtKeyGenerator) and MSAL .NET (CoreHelpers.ComputeAccessTokenExtCacheKey).
+
+    All three libraries use the same algorithm:
+      1. Sort key-value pairs alphabetically by key (ordinal / case-sensitive)
+      2. Concatenate them: "key1value1key2value2…"
+      3. SHA-256 hash
+      4. Base64url encode (no padding), lowercased
+
+    The expected hashes below are copied from:
+      - MSAL Go:   authority_ext_cachekey_test.go  (TestAppKeyWithCacheKeyComponent)
+      - MSAL .NET: CacheKeyExtensionTests.cs       (RunHappyPathTest, CacheExtEnsurePopKeysFunctionAsync)
+    """
+
+    def test_two_params_hash_matches_go_and_dotnet(self):
+        """Go/dotnet expected: bns2ytmx5hxkh4fnfixridmezpbbayhnmuh6t4bbghi"""
+        result = _compute_ext_cache_key({"key1": "value1", "key2": "value2"})
+        self.assertEqual("bns2ytmx5hxkh4fnfixridmezpbbayhnmuh6t4bbghi", result)
+
+    def test_two_different_params_hash_matches_go_and_dotnet(self):
+        """Go/dotnet expected: 3-rg6_wyjx5bcy0c3cqq7gajtzgsqy3oxqpwj4y8k4u"""
+        result = _compute_ext_cache_key({"key3": "value3", "key4": "value4"})
+        self.assertEqual("3-rg6_wyjx5bcy0c3cqq7gajtzgsqy3oxqpwj4y8k4u", result)
+
+    def test_five_params_hash_matches_go_and_dotnet(self):
+        """Go/dotnet expected (full hash): rn_gkpxxkkqjxcqnvnmr2duvxg66xanvkz6qfqpwp2e
+        Go test uses substring match 'gkpxxkkqjxcqnvnmr2duvxg66xanvkz6qfqpwp2e'."""
+        result = _compute_ext_cache_key({
+            "key3": "value3", "key4": "value4",
+            "key5": "value5", "key6": "value6", "key7": "value7",
+        })
+        self.assertEqual("rn_gkpxxkkqjxcqnvnmr2duvxg66xanvkz6qfqpwp2e", result)
+
+    def test_order_independence_matches_go_and_dotnet(self):
+        """Same keys in different insertion order must produce the same hash
+        (mirrors TestCacheKeyComponentHashConsistency in Go)."""
+        h1 = _compute_ext_cache_key({"key3": "value3", "key4": "value4",
+                                      "key5": "value5", "key6": "value6", "key7": "value7"})
+        h2 = _compute_ext_cache_key({"key7": "value7", "key4": "value4",
+                                      "key6": "value6", "key5": "value5", "key3": "value3"})
+        self.assertEqual(h1, h2)
+
+    def test_at_cache_key_uses_atext_credential_type(self):
+        """When ext_cache_key is present the credential type segment of the
+        AT cache key must be 'atext' (not 'accesstoken'), matching Go/dotnet.
+
+        Go:    {hid}-{env}-atext-{clientID}-{realm}-{scopes}-{hash}
+        .NET:  {hid}-{env}-atext-{clientID}-{tenantId}-{scopes}-{hash}
+        """
+        cache = TokenCache()
+        key_maker = cache.key_makers[TokenCache.CredentialType.ACCESS_TOKEN]
+        key = key_maker(
+            home_account_id="hid", environment="env", client_id="cid",
+            realm="realm", target="scope",
+            ext_cache_key="bns2ytmx5hxkh4fnfixridmezpbbayhnmuh6t4bbghi")
+        self.assertEqual(
+            "hid-env-atext-cid-realm-scope-bns2ytmx5hxkh4fnfixridmezpbbayhnmuh6t4bbghi",
+            key)
+
+    def test_at_cache_key_without_ext_uses_accesstoken(self):
+        """Regular ATs (no ext_cache_key) must keep 'accesstoken' credential type."""
+        cache = TokenCache()
+        key_maker = cache.key_makers[TokenCache.CredentialType.ACCESS_TOKEN]
+        key = key_maker(
+            home_account_id="hid", environment="env", client_id="cid",
+            realm="realm", target="scope")
+        self.assertEqual("hid-env-accesstoken-cid-realm-scope", key)
+
+    def test_dotnet_style_full_at_cache_key(self):
+        """Reproduce the exact cache key from MSAL .NET CacheKeyExtensionTests:
+        expectedCacheKey1 = '-login.windows.net-atext-d3adb33f-c0de-ed0c-c0de-deadb33fc0d3-common-r1/scope1 r1/scope2-bns2ytmx5hxkh4fnfixridmezpbbayhnmuh6t4bbghi'
+        """
+        cache = TokenCache()
+        key_maker = cache.key_makers[TokenCache.CredentialType.ACCESS_TOKEN]
+        ext_hash = _compute_ext_cache_key({"key1": "value1", "key2": "value2"})
+        key = key_maker(
+            home_account_id="",
+            environment="login.windows.net",
+            client_id="d3adb33f-c0de-ed0c-c0de-deadb33fc0d3",
+            realm="common",
+            target="r1/scope1 r1/scope2",
+            ext_cache_key=ext_hash)
+        expected = "-login.windows.net-atext-d3adb33f-c0de-ed0c-c0de-deadb33fc0d3-common-r1/scope1 r1/scope2-bns2ytmx5hxkh4fnfixridmezpbbayhnmuh6t4bbghi"
+        self.assertEqual(expected, key)
+
+    def test_dotnet_style_second_cache_key(self):
+        """Reproduce CacheKeyExtensionTests expectedCacheKey2."""
+        cache = TokenCache()
+        key_maker = cache.key_makers[TokenCache.CredentialType.ACCESS_TOKEN]
+        ext_hash = _compute_ext_cache_key({"key3": "value3", "key4": "value4"})
+        key = key_maker(
+            home_account_id="",
+            environment="login.windows.net",
+            client_id="d3adb33f-c0de-ed0c-c0de-deadb33fc0d3",
+            realm="common",
+            target="r1/scope1 r1/scope2",
+            ext_cache_key=ext_hash)
+        expected = "-login.windows.net-atext-d3adb33f-c0de-ed0c-c0de-deadb33fc0d3-common-r1/scope1 r1/scope2-3-rg6_wyjx5bcy0c3cqq7gajtzgsqy3oxqpwj4y8k4u"
+        self.assertEqual(expected, key)
+
+    def test_go_style_at_cache_key(self):
+        """Reproduce the Go AccessToken.Key() format:
+        Go test: 'testhid-env-atext-clientid-realm-user.read-{hash}'
+        """
+        cache = TokenCache()
+        key_maker = cache.key_makers[TokenCache.CredentialType.ACCESS_TOKEN]
+        ext_hash = _compute_ext_cache_key({"key1": "value1", "key2": "value2"})
+        key = key_maker(
+            home_account_id="testhid",
+            environment="env",
+            client_id="clientid",
+            realm="realm",
+            target="user.read",
+            ext_cache_key=ext_hash)
+        expected = "testhid-env-atext-clientid-realm-user.read-bns2ytmx5hxkh4fnfixridmezpbbayhnmuh6t4bbghi"
+        self.assertEqual(expected, key)
