pr comments

Author: GladwinJohnson

src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs

@@ -29,7 +29,7 @@ namespace Microsoft.Identity.Client
     public sealed class AcquireTokenForClientParameterBuilder :
         AbstractConfidentialClientAcquireTokenParameterBuilder<AcquireTokenForClientParameterBuilder>
     {
-        private AcquireTokenForClientParameters Parameters { get; } = new AcquireTokenForClientParameters();
+        internal AcquireTokenForClientParameters Parameters { get; } = new AcquireTokenForClientParameters();
 
         /// <inheritdoc/>
         internal AcquireTokenForClientParameterBuilder(IConfidentialClientApplicationExecutor confidentialClientApplicationExecutor)
@@ -158,26 +158,6 @@ public AcquireTokenForClientParameterBuilder WithFmiPath(string pathSuffix)
             return this;
         }
 
-        /// <summary>
-        /// Specifies that the token refresh should only occur if the specified SHA-256 hash
-        /// of the previously issued access token matches a cached token.
-        /// If the hash does not match, the existing cached token is returned without refresh.
-        /// </summary>
-        /// <param name="hash">The SHA-256 hash of the access token to refresh.</param>
-        /// <returns>The builder to chain the .With methods</returns>
-        public AcquireTokenForClientParameterBuilder WithAccessTokenSha256ToRefresh(string hash)
-        {
-            ValidateUseOfExperimentalFeature();
-
-            if (string.IsNullOrWhiteSpace(hash))
-            {
-                throw new ArgumentNullException(nameof(hash), "Access token hash cannot be null or empty.");
-            }
-
-            Parameters.AccessTokenHashToRefresh = hash;
-            return this;
-        }
-
         /// <inheritdoc/>
         internal override Task<AuthenticationResult> ExecuteInternalAsync(CancellationToken cancellationToken)
         {

src/client/Microsoft.Identity.Client/Extensibility/RP/AcquireTokenForClientParameterBuilderForResourceProviders.cs

@@ -0,0 +1,38 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.ApiConfig.Parameters;
+
+namespace Microsoft.Identity.Client.RP
+{
+    /// <summary>
+    /// Resource Provider extensibility methods for AcquireTokenForClientParameterBuilder
+    /// </summary>
+    public static class AcquireTokenForClientParameterBuilderForResourceProviders
+    {
+        /// <summary>
+        /// Configures the SDK to not retrieve a token from the cache if it matches the SHA256 hash 
+        /// of the token configured. Similar to WithForceRefresh(bool) API, but instead of bypassing 
+        /// the cache for all tokens, the cache bypass only occurs for 1 token
+        /// </summary>
+        /// <param name="builder">The existing AcquireTokenForClientParameterBuilder instance.</param>
+        /// <param name="hash">
+        /// A Base64-encoded SHA-256 hash of the token (UTF-8). For example:
+        /// <c>Convert.ToBase64String(SHA256(Encoding.UTF8.GetBytes(accessToken)))</c>.
+        /// </param>
+        /// <returns>The builder to chain the .With methods.</returns>
+        public static AcquireTokenForClientParameterBuilder WithAccessTokenSha256ToRefresh(
+            this AcquireTokenForClientParameterBuilder builder,
+            string hash)
+        {
+            if (!string.IsNullOrWhiteSpace(hash))
+            {
+                builder.Parameters.AccessTokenHashToRefresh = hash;
+            }
+
+            return builder;
+        }
+    }
+}

src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs

@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Security.Cryptography;
 using System.Text;
+using System.Text.RegularExpressions;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.ApiConfig.Parameters;
@@ -13,6 +14,7 @@
 using Microsoft.Identity.Client.Extensibility;
 using Microsoft.Identity.Client.Instance;
 using Microsoft.Identity.Client.OAuth2;
+using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
 using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Internal.Requests
@@ -21,6 +23,7 @@ internal class ClientCredentialRequest : RequestBase
     {
         private readonly AcquireTokenForClientParameters _clientParameters;
         private static readonly SemaphoreSlim s_semaphoreSlim = new SemaphoreSlim(1, 1);
+        private readonly ICryptographyManager _cryptoManager;
 
         public ClientCredentialRequest(
             IServiceBundle serviceBundle,
@@ -29,6 +32,7 @@ public ClientCredentialRequest(
             : base(serviceBundle, authenticationRequestParameters, clientParameters)
         {
             _clientParameters = clientParameters;
+            _cryptoManager = serviceBundle.PlatformProxy.CryptographyManager;
         }
 
         protected override async Task<AuthenticationResult> ExecuteAsync(CancellationToken cancellationToken)
@@ -47,14 +51,20 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
             {
                 logger.Error(MsalErrorMessage.ClientCredentialWrongAuthority);
             }
-
             AuthenticationResult authResult;
 
+            // Skip cache if either:
+            // 1) ForceRefresh is set, or
+            // 2) Claims are specified and there is no AccessTokenHashToRefresh.
+            // This ensures that when both claims and AccessTokenHashToRefresh are set,
+            // we do NOT skip the cache, allowing MSAL to attempt retrieving a matching
+            // cached token by the provided hash before requesting a new token.
             bool skipCache = _clientParameters.ForceRefresh || 
                 (!string.IsNullOrEmpty(AuthenticationRequestParameters.Claims) && 
                 string.IsNullOrEmpty(_clientParameters.AccessTokenHashToRefresh));
 
-            // Skip checking cache when force refresh or claims are specified
+            // Skip checking cache when either ForceRefresh is true
+            // or (Claims are present without a token hash).
             if (skipCache)
             {
                 AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ForceRefreshOrClaims;
@@ -196,42 +206,83 @@ private async Task<AuthenticationResult> SendTokenRequestToAppTokenProviderAsync
 
         private async Task<MsalAccessTokenCacheItem> GetCachedAccessTokenAsync()
         {
+            // 1) Get the cached item 
             MsalAccessTokenCacheItem cachedAccessTokenItem = await CacheManager.FindAccessTokenAsync().ConfigureAwait(false);
 
-            if (cachedAccessTokenItem != null && !_clientParameters.ForceRefresh)
+            // 2) If no cached item or force refresh is requested, return null
+            if (!IsValidCachedToken(cachedAccessTokenItem))
             {
-                if (!string.IsNullOrEmpty(_clientParameters.AccessTokenHashToRefresh))
-                {
-                    string cachedTokenHash = ComputeSHA256(cachedAccessTokenItem.Secret);
+                return null;
+            }
 
-                    if (string.Equals(cachedTokenHash, _clientParameters.AccessTokenHashToRefresh, StringComparison.Ordinal))
-                    {
-                        AuthenticationRequestParameters.RequestContext.Logger.Info(
-                            "[ClientCredentialRequest] A cached token was found, but it matches the AccessTokenHashToRefresh, so it is ignored");
-                        return null; // triggers a new token acquisition
-                    }
-                }
+            // 3) If there is a matching AccessTokenHashToRefresh, ignore this cached token
+            if (IsTokenIgnoredByMatchingHash(cachedAccessTokenItem))
+            {
+                return null;
+            }
+
+            // 4) Otherwise, record a cache hit and return the cached token
+            MarkAccessTokenAsCacheHit();
+            return cachedAccessTokenItem;
+        }
 
-                AuthenticationRequestParameters.RequestContext.ApiEvent.IsAccessTokenCacheHit = true;
-                Metrics.IncrementTotalAccessTokensFromCache();
-                return cachedAccessTokenItem;
+        /// <summary>
+        /// Checks if the cached access token can be used.
+        /// </summary>
+        private bool IsValidCachedToken(MsalAccessTokenCacheItem cachedAccessTokenItem)
+        {
+            // Return false if:
+            // - The cache is empty
+            // - ForceRefresh is enabled
+            if (cachedAccessTokenItem == null || _clientParameters.ForceRefresh)
+            {
+                return false;
             }
 
-            return null;
+            return true;
         }
 
-        private static string ComputeSHA256(string token)
+        /// <summary>
+        /// Determines whether the cached token should be ignored due to matching the AccessTokenHashToRefresh.
+        /// </summary>
+        private bool IsTokenIgnoredByMatchingHash(MsalAccessTokenCacheItem cachedAccessTokenItem)
         {
-#if NET6_0_OR_GREATER
-            byte[] hashBytes = SHA256.HashData(Encoding.UTF8.GetBytes(token));
-            return Convert.ToBase64String(hashBytes);
-#else
-            using (var sha256 = SHA256.Create())
+            if (string.IsNullOrEmpty(_clientParameters.AccessTokenHashToRefresh))
+            {
+                return false;
+            }
+
+            string cachedTokenHash = _cryptoManager.CreateSha256Hash(cachedAccessTokenItem.Secret);
+
+            // If the hash of the cached token matches the hash to refresh, ignore the cached token
+            bool matchesHash = string.Equals(
+                cachedTokenHash,
+                _clientParameters.AccessTokenHashToRefresh,
+                StringComparison.Ordinal);
+
+            if (matchesHash)
             {
-                byte[] hashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(token));
-                return Convert.ToBase64String(hashBytes);
+                AuthenticationRequestParameters.RequestContext.Logger.Info(
+                    "[ClientCredentialRequest] A cached token was found and its hash matches AccessTokenHashToRefresh, so it is ignored.");
+                return true;
             }
-#endif
+            else
+            {
+                AuthenticationRequestParameters.RequestContext.Logger.Info(
+                    "[ClientCredentialRequest] A cached token was found, but its hash does NOT match AccessTokenHashToRefresh. Using the cached token.");
+                return false;
+            }
+        }
+
+        /// <summary>
+        /// Marks the current access token retrieval as a successful cache hit, 
+        /// and increments any relevant telemetry or counters.
+        /// </summary>
+        private void MarkAccessTokenAsCacheHit()
+        {
+            // Mark the request as a cache hit
+            AuthenticationRequestParameters.RequestContext.ApiEvent.IsAccessTokenCacheHit = true;
+            Metrics.IncrementTotalAccessTokensFromCache();
         }
 
         private AuthenticationResult CreateAuthenticationResultFromCache(MsalAccessTokenCacheItem cachedAccessTokenItem)

src/client/Microsoft.Identity.Client/PublicApi/net462/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
-Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithAccessTokenSha256ToRefresh(string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net472/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
-Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithAccessTokenSha256ToRefresh(string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net8.0-android/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
-Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithAccessTokenSha256ToRefresh(string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net8.0-ios/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
-Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithAccessTokenSha256ToRefresh(string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/net8.0/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
-Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithAccessTokenSha256ToRefresh(string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

src/client/Microsoft.Identity.Client/PublicApi/netstandard2.0/PublicAPI.Unshipped.txt

@@ -1,2 +1,3 @@
 const Microsoft.Identity.Client.MsalError.ForceRefreshNotCompatibleWithTokenHash = "force_refresh_and_token_hash_not_compatible" -> string
-Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder.WithAccessTokenSha256ToRefresh(string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder
+Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders
+static Microsoft.Identity.Client.RP.AcquireTokenForClientParameterBuilderForResourceProviders.WithAccessTokenSha256ToRefresh(this Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder builder, string hash) -> Microsoft.Identity.Client.AcquireTokenForClientParameterBuilder

tests/Microsoft.Identity.Test.Unit/PublicApiTests/ConfidentialClientApplicationTests.cs

@@ -11,6 +11,7 @@
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.RP;
 using Microsoft.Identity.Client.Cache;
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.Internal.ClientCredential;
@@ -2338,6 +2339,7 @@ public async Task AcquireTokenForClient_WithClaims_And_MismatchedHash_UsesCache_
 
                 // First network call: populates the cache with "cache-token"
                 httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage(token: "cache-token");
+
                 var initialResult = await app.AcquireTokenForClient(TestConstants.s_scope)
                     .ExecuteAsync()
                     .ConfigureAwait(false);