Address PR feedback

Author: Avery-Dunn

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java

@@ -575,14 +575,8 @@ public T correlationId(String val) {
                     aadAadInstanceDiscoveryResponse);
         }
 
-        if (authenticationAuthority.authorityType == AuthorityType.OIDC) {
-            ((OidcAuthority) authenticationAuthority).setAuthorityProperties(
-                    OidcDiscoveryProvider.performOidcDiscovery(
-                            (OidcAuthority) authenticationAuthority, this));
-
-            if (!((OidcAuthority) authenticationAuthority).isIssuerValid()) {
-                throw new MsalClientException(String.format("Invalid issuer from OIDC discovery: %s", ((OidcAuthority) authenticationAuthority).issuerFromOidcDiscovery), "issuer_validation");
-            }
-        }
+        ((OidcAuthority) authenticationAuthority).setAuthorityProperties(
+                OidcDiscoveryProvider.performOidcDiscovery(
+                        (OidcAuthority) authenticationAuthority, this));
     }
 }

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/OidcAuthority.java

@@ -8,11 +8,11 @@
 
 public class OidcAuthority extends Authority {
     //Part of the OpenIdConnect standard, this is appended to the authority to create the endpoint that has OIDC metadata
-    static final String WELL_KNOWN_OPENID_CONFIGURATION = ".well-known/openid-configuration";
+    private static final String WELL_KNOWN_OPENID_CONFIGURATION = ".well-known/openid-configuration";
     private static final String AUTHORITY_FORMAT = "https://%s/%s/";
     private static final String CIAM_AUTHORITY_FORMAT = "https://%s.ciamlogin.com/%s";
 
-    String issuerFromOidcDiscovery;
+    private String issuerFromOidcDiscovery;
 
     OidcAuthority(URL authorityUrl) throws MalformedURLException {
         super(createOidcDiscoveryUrl(authorityUrl), AuthorityType.OIDC);
@@ -33,6 +33,16 @@ void setAuthorityProperties(OidcDiscoveryResponse instanceDiscoveryResponse) {
         this.deviceCodeEndpoint = instanceDiscoveryResponse.deviceCodeEndpoint();
         this.selfSignedJwtAudience = this.tokenEndpoint;
         this.issuerFromOidcDiscovery = instanceDiscoveryResponse.issuer();
+
+        validateIssuer();
+    }
+
+    private void validateIssuer() {
+        if (!isIssuerValid()) {
+            throw new MsalClientException(
+                    String.format("Invalid issuer from OIDC discovery. Issuer %s does not match authority %s, or is in an unexpected format", issuerFromOidcDiscovery, canonicalAuthorityUrl),
+                    "issuer_validation");
+        }
     }
 
     /**
@@ -42,7 +52,7 @@ void setAuthorityProperties(OidcDiscoveryResponse instanceDiscoveryResponse) {
      *
      * @return true if the issuer is valid, false otherwise
      */
-    boolean isIssuerValid() {
+    private boolean isIssuerValid() {
         if (issuerFromOidcDiscovery == null) {
             return false;
         }

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/OidcAuthorityTest.java

@@ -0,0 +1,107 @@
+package com.microsoft.aad.msal4j;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.BeforeEach;
+import org.mockito.Mockito;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+class OidcAuthorityTest {
+
+    private OidcDiscoveryResponse mockDiscoveryResponse;
+
+    @BeforeEach
+    void setup() {
+        mockDiscoveryResponse = Mockito.mock(OidcDiscoveryResponse.class);
+        when(mockDiscoveryResponse.authorizationEndpoint()).thenReturn("https://login.example.com/authorize");
+        when(mockDiscoveryResponse.tokenEndpoint()).thenReturn("https://login.example.com/token");
+        when(mockDiscoveryResponse.deviceCodeEndpoint()).thenReturn("https://login.example.com/devicecode");
+    }
+
+    @Test
+    void testSetAuthorityProperties_IssuerMatchesAuthority() throws MalformedURLException {
+        // Arrange
+        URL authorityUrl = new URL("https://login.example.com/tenant1/");
+        OidcAuthority authority = new OidcAuthority(authorityUrl);
+
+        // Match the issuer to the authority URL (without the well-known segment)
+        when(mockDiscoveryResponse.issuer()).thenReturn("https://login.example.com/tenant1/");
+
+        // Act & Assert - Should not throw exception
+        assertDoesNotThrow(() -> authority.setAuthorityProperties(mockDiscoveryResponse));
+
+        // Verify properties were set
+        assertEquals("https://login.example.com/authorize", authority.authorizationEndpoint());
+        assertEquals("https://login.example.com/token", authority.tokenEndpoint());
+        assertEquals("https://login.example.com/devicecode", authority.deviceCodeEndpoint());
+        assertEquals("https://login.example.com/token", authority.selfSignedJwtAudience);
+    }
+
+    @Test
+    void testSetAuthorityProperties_IssuerFollowsCiamPattern() throws MalformedURLException {
+        // Arrange
+        String tenant = "contoso";
+        URL authorityUrl = new URL("https://" + tenant + ".ciamlogin.com/" + tenant + "/");
+        OidcAuthority authority = new OidcAuthority(authorityUrl);
+
+        // Set an issuer that follows CIAM pattern but doesn't exactly match the authority
+        String ciamIssuer = "https://" + tenant + ".ciamlogin.com/" + tenant + "/v2.0";
+        when(mockDiscoveryResponse.issuer()).thenReturn(ciamIssuer);
+
+        // Act & Assert - Should not throw exception
+        assertDoesNotThrow(() -> authority.setAuthorityProperties(mockDiscoveryResponse));
+    }
+
+    @Test
+    void testSetAuthorityProperties_IssuerInvalid() throws MalformedURLException {
+        // Arrange
+        URL authorityUrl = new URL("https://login.example.com/tenant1/");
+        OidcAuthority authority = new OidcAuthority(authorityUrl);
+
+        // Set an issuer that doesn't match the authority and doesn't follow CIAM pattern
+        when(mockDiscoveryResponse.issuer()).thenReturn("https://login.different.com/tenant1/");
+
+        // Act & Assert - Should throw MsalClientException
+        MsalClientException exception = assertThrows(MsalClientException.class,
+                () -> authority.setAuthorityProperties(mockDiscoveryResponse));
+
+        // Verify exception details
+        assertEquals("issuer_validation", exception.errorCode());
+        assertTrue(exception.getMessage().contains("Invalid issuer from OIDC discovery"));
+    }
+
+    @Test
+    void testSetAuthorityProperties_IssuerIsNull() throws MalformedURLException {
+        // Arrange
+        URL authorityUrl = new URL("https://login.example.com/tenant1/");
+        OidcAuthority authority = new OidcAuthority(authorityUrl);
+
+        // Set null issuer
+        when(mockDiscoveryResponse.issuer()).thenReturn(null);
+
+        // Act & Assert - Should throw MsalClientException
+        MsalClientException exception = assertThrows(MsalClientException.class,
+                () -> authority.setAuthorityProperties(mockDiscoveryResponse));
+
+        // Verify exception details
+        assertEquals("issuer_validation", exception.errorCode());
+        assertTrue(exception.getMessage().contains("Invalid issuer from OIDC discovery"));
+    }
+
+    @Test
+    void testSetAuthorityProperties_TrailingSlashNormalization() throws MalformedURLException {
+        // Arrange
+        URL authorityUrl = new URL("https://login.example.com/tenant1/");
+        OidcAuthority authority = new OidcAuthority(authorityUrl);
+
+        // Match the issuer to the authority but without trailing slash
+        when(mockDiscoveryResponse.issuer()).thenReturn("https://login.example.com/tenant1");
+
+        // Act & Assert - Should not throw exception because normalization happens
+        assertDoesNotThrow(() -> authority.setAuthorityProperties(mockDiscoveryResponse));
+    }
+}