Cache key extensibility for MSAL (#5107)

* Adding cache logic for additional components

* Adding logging.
Adding tests.

* Resolving test

* Clean Up

* Resolving cache key issues.
Adding test cases.

* Updating public api

* Remove unused using directive

* Adding credential type test

* Updating public api files

* Apply suggestions from code review

Co-authored-by: Gladwin Johnson <[email protected]>

* Update tests/Microsoft.Identity.Test.Unit/PublicApiTests/CacheKeyExtensionTests.cs

Co-authored-by: Gladwin Johnson <[email protected]>

* Addressing feedback.
clean up.
refactoring

* Adding pop test
Refactoring
Clean up

* Adding additional test

* Updating validation checks
Adding tests

---------

Co-authored-by: trwalke <[email protected]>
Co-authored-by: Gladwin Johnson <[email protected]>

Author: 3 people

src/client/Microsoft.Identity.Client/ApiConfig/AbstractConfidentialClientAcquireTokenParameterBuilder.cs

@@ -92,7 +92,7 @@ public T WithProofOfPossession(PoPAuthenticationConfiguration popAuthenticationC
         /// <summary>
         /// Modifies the request to acquire a Signed HTTP Request (SHR) Proof-of-Possession (PoP) token, rather than a Bearer.
         /// SHR PoP tokens are bound to the HTTP request and to a cryptographic key, which MSAL manages on Windows.
-       /// SHR PoP tokens are different from mTLS PoP tokens, which are used for Mutual TLS (mTLS) authentication. See <see href="https://aka.ms/mtls-pop"/> for details.
+        /// SHR PoP tokens are different from mTLS PoP tokens, which are used for Mutual TLS (mTLS) authentication. See <see href="https://aka.ms/mtls-pop"/> for details.
         /// </summary>
         /// <param name="popAuthenticationConfiguration">Configuration properties used to construct a Proof-of-Possession request.</param>
         /// <returns>The builder.</returns>

src/client/Microsoft.Identity.Client/ApiConfig/AcquireTokenForClientParameterBuilder.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
 using System;

src/client/Microsoft.Identity.Client/ApiConfig/Parameters/AcquireTokenCommonParameters.cs

@@ -30,5 +30,6 @@ internal class AcquireTokenCommonParameters
         public Func<OnBeforeTokenRequestData, Task> OnBeforeTokenRequestHandler { get; internal set; }
         public X509Certificate2 MtlsCertificate { get; internal set; }
         public List<string> AdditionalCacheParameters { get; set; }
+        public SortedList<string, string> CacheKeyComponents { get; internal set; }
     }
 }

src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs

@@ -160,6 +160,8 @@ public X509Certificate2 ClientCredentialCertificate
                 return null;
             }
         }
+
+        public SortedList<string, string> CacheKeyComponents { get; internal set; }
 #endregion
 
 #region Region

src/client/Microsoft.Identity.Client/Cache/CacheKeyFactory.cs

@@ -1,10 +1,12 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
-using System.Globalization;
+using System.Collections.Generic;
+using System.Linq;
 using Microsoft.Identity.Client.Cache.Items;
 using Microsoft.Identity.Client.Internal.Requests;
 using Microsoft.Identity.Client.TelemetryCore.Internal.Events;
+using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Cache
 {
@@ -48,12 +50,15 @@ public static string GetExternalCacheKeyFromResponse(
                 return key;
             }
 
-            if (requestParameters.AppConfig.IsConfidentialClient ||
-                requestParameters.ApiId == ApiEvent.ApiIds.AcquireTokenSilent)
+            if (requestParameters.AppConfig.IsConfidentialClient)
             {
                 return homeAccountIdFromResponse;
             }
-
+            if (requestParameters.ApiId == ApiEvent.ApiIds.AcquireTokenSilent)
+            {
+                return homeAccountIdFromResponse;
+            }
+            
             return null;
         }
 
@@ -78,17 +83,25 @@ private static bool GetOboOrAppKey(AuthenticationRequestParameters requestParame
                 requestParameters.ApiId == ApiEvent.ApiIds.AcquireTokenForUserAssignedManagedIdentity)
             {
                 string tenantId = requestParameters.Authority.TenantId ?? "";
-                key = GetClientCredentialKey(requestParameters.AppConfig.ClientId, tenantId, requestParameters.AuthenticationScheme?.KeyId);
-
+                key = GetAppTokenCacheItemKey(requestParameters.AppConfig.ClientId, tenantId, requestParameters.AuthenticationScheme?.KeyId, requestParameters.CacheKeyComponents);
                 return true;
             }
 
             key = null;
             return false;
         }
 
-        public static string GetClientCredentialKey(string clientId, string tenantId, string popKid)
+        public static string GetAppTokenCacheItemKey(
+            string clientId,
+            string tenantId,
+            string popKid,
+            SortedList<string, string> cacheKeyComponents = null)
         {
+            if (cacheKeyComponents != null && cacheKeyComponents.Any())
+            {
+                return $"{popKid}{clientId}_{tenantId}_{CoreHelpers.ComputeAccessTokenExtCacheKey(cacheKeyComponents)}_AppTokenCache";
+            }
+
             return $"{popKid}{clientId}_{tenantId}_AppTokenCache";
         }
 

src/client/Microsoft.Identity.Client/Cache/Items/MsalAccessTokenCacheItem.cs

@@ -2,14 +2,19 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
 using Microsoft.Identity.Client.AuthScheme;
 using Microsoft.Identity.Client.Cache.Keys;
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.Utils;
+
 #if SUPPORTS_SYSTEM_TEXT_JSON
+using System.Text.Json.Nodes;
 using System.Text.Json;
 using JObject = System.Text.Json.Nodes.JsonObject;
 #else
@@ -31,7 +36,8 @@ internal MsalAccessTokenCacheItem(
             string homeAccountId,
             string keyId = null,
             string oboCacheKey = null,
-            IEnumerable<string> persistedCacheParameters = null)
+            IEnumerable<string> persistedCacheParameters = null,
+            SortedList<string, string> cacheKeyComponents = null)
             : this(
                 scopes: ScopeHelper.OrderScopesAlphabetically(response.Scope), // order scopes to avoid cache duplication. This is not in the hot path.
                 cachedAt: DateTimeOffset.UtcNow,
@@ -48,6 +54,8 @@ internal MsalAccessTokenCacheItem(
             RawClientInfo = response.ClientInfo;
             HomeAccountId = homeAccountId;
             OboCacheKey = oboCacheKey;
+
+            InitializeAdditionalCacheKeyComponents(cacheKeyComponents);
 #if !MOBILE
             PersistedCacheParameters = AcquireCacheParametersFromResponse(persistedCacheParameters, response.ExtensionData);
 #endif
@@ -95,7 +103,8 @@ private IDictionary<string, string> AcquireCacheParametersFromResponse(
             string keyId = null,
             DateTimeOffset? refreshOn = null,
             string tokenType = StorageJsonValues.TokenTypeBearer,
-            string oboCacheKey = null)
+            string oboCacheKey = null,
+            SortedList<string, string> cacheKeyComponents = null)
             : this(scopes, cachedAt, expiresOn, extendedExpiresOn, refreshOn, tenantId, keyId, tokenType)
         {
             Environment = preferredCacheEnv;
@@ -105,6 +114,8 @@ private IDictionary<string, string> AcquireCacheParametersFromResponse(
             HomeAccountId = homeAccountId;
             OboCacheKey = oboCacheKey;
 
+            InitializeAdditionalCacheKeyComponents(cacheKeyComponents);
+
             InitCacheKey();
         }
 
@@ -153,11 +164,21 @@ internal MsalAccessTokenCacheItem WithExpiresOn(DateTimeOffset expiresOn)
                KeyId,
                RefreshOn,
                TokenType,
-               OboCacheKey);
+               OboCacheKey,
+               AdditionalCacheKeyComponents);
 
             return newAtItem;
         }
 
+        private void InitializeAdditionalCacheKeyComponents(SortedList<string, string> cacheKeyComponents)
+        {
+            if (cacheKeyComponents != null && cacheKeyComponents.Any())
+            {
+                AdditionalCacheKeyComponents = cacheKeyComponents;
+                CredentialType = StorageJsonValues.CredentialTypeAccessTokenExtended;
+            }
+        }
+
         //internal for test
         internal void InitCacheKey()
         {
@@ -170,6 +191,19 @@ internal void InitCacheKey()
                 _credentialDescriptor = StorageJsonValues.CredentialTypeAccessTokenWithAuthScheme;
             }
 
+            if (AdditionalCacheKeyComponents != null)
+            {
+                _credentialDescriptor = StorageJsonValues.CredentialTypeAccessTokenExtended;
+                if (_extraKeyParts != null)
+                {
+                    _extraKeyParts = _extraKeyParts.Concat(new[] { CoreHelpers.ComputeAccessTokenExtCacheKey(AdditionalCacheKeyComponents) }).ToArray();
+                }
+                else
+                {
+                    _extraKeyParts = new[] { CoreHelpers.ComputeAccessTokenExtCacheKey(AdditionalCacheKeyComponents) };
+                }
+            }
+
             CacheKey = MsalCacheKeys.GetCredentialKey(
                 HomeAccountId,
                 Environment,
@@ -246,6 +280,8 @@ internal string TenantId
 
         internal string CacheKey { get; private set; }
 
+        internal SortedList<string, string> AdditionalCacheKeyComponents { get; private set; }
+
         /// <summary>
         /// Additional parameters that were requested in the token request and are stored in the cache.
         /// These are acquired from the response and are stored in the cache for later use.
@@ -284,6 +320,7 @@ internal static MsalAccessTokenCacheItem FromJObject(JObject j)
             string keyId = JsonHelper.ExtractExistingOrDefault<string>(j, StorageJsonKeys.KeyId);
             string tokenType = JsonHelper.ExtractExistingOrDefault<string>(j, StorageJsonKeys.TokenType) ?? StorageJsonValues.TokenTypeBearer;
             string scopes = JsonHelper.ExtractExistingOrEmptyString(j, StorageJsonKeys.Target);
+            var additionalCacheKeyComponents = JsonHelper.ExtractInnerJsonAsDictionary(j, StorageJsonKeys.CacheExtensions);
 
             var item = new MsalAccessTokenCacheItem(
                 scopes: scopes,
@@ -295,6 +332,12 @@ internal static MsalAccessTokenCacheItem FromJObject(JObject j)
                 keyId: keyId,
                 tokenType: tokenType);
 
+            if (additionalCacheKeyComponents != null)
+            {
+                item.AdditionalCacheKeyComponents = new SortedList<string, string>(additionalCacheKeyComponents);
+                item.CredentialType = StorageJsonValues.CredentialTypeAccessTokenExtended;
+            }
+
             item.OboCacheKey = oboCacheKey;
             item.PopulateFieldsFromJObject(j);
 
@@ -324,7 +367,21 @@ internal override JObject ToJObject()
             // previous versions of MSAL used "ext_expires_on" instead of the correct "extended_expires_on".
             // this is here for back compatibility
             SetItemIfValueNotNull(json, StorageJsonKeys.ExtendedExpiresOn_MsalCompat, extExpiresUnixTimestamp);
+            if (AdditionalCacheKeyComponents != null)
+            {
+#if SUPPORTS_SYSTEM_TEXT_JSON
+                var obj = new JsonObject();
+
+                foreach (KeyValuePair<string, string> accId in AdditionalCacheKeyComponents)
+                {
+                    obj[accId.Key] = accId.Value;
+                }
 
+                json[StorageJsonKeys.CacheExtensions] = obj;
+#else
+                SetItemIfValueNotNull(json, StorageJsonKeys.CacheExtensions, JObject.FromObject(AdditionalCacheKeyComponents));
+#endif
+            }
             return json;
         }
 

src/client/Microsoft.Identity.Client/Cache/StorageJsonKeys.cs

@@ -1,6 +1,8 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+using System.Collections.Generic;
+
 namespace Microsoft.Identity.Client.Cache
 {
     internal static class StorageJsonKeys
@@ -39,5 +41,47 @@ internal static class StorageJsonKeys
         // previous versions of MSAL used "ext_expires_on" instead of the correct "extended_expires_on".
         // this is here for back compatibility
         public const string ExtendedExpiresOn_MsalCompat = "ext_expires_on";
+
+        public const string CacheExtensions = "ext";
+
+        //Known storeage keys need to be added here
+        public static readonly HashSet<string> s_knownStorageJsonKeys = new HashSet<string>
+        {
+            HomeAccountId, 
+            Environment, 
+            Realm, 
+            LocalAccountId, 
+            Username, 
+            AuthorityType, 
+            AlternativeAccountId,
+            GivenName, 
+            FamilyName, 
+            MiddleName,
+            Name, 
+            AvatarUrl, 
+            CredentialType,
+            ClientId,
+            Secret,
+            Target,
+            CachedAt, 
+            ExpiresOn, 
+            RefreshOn, 
+            ExtendedExpiresOn, 
+            ClientInfo,
+            FamilyId,
+            AppMetadata, 
+            KeyId,
+            TokenType, 
+            WamAccountIds, 
+            AccountSource,
+            UserAssertionHash,
+            ExtendedExpiresOn_MsalCompat, 
+            CacheExtensions
+        };
+
+        public static bool IsKnownStorageJsonKey(string key)
+        {
+            return s_knownStorageJsonKeys.Contains(key);
+        }
     }
 }

src/client/Microsoft.Identity.Client/Cache/StorageJsonValues.cs

@@ -12,6 +12,7 @@ internal static class StorageJsonValues
         public const string TokenTypeBearer = "Bearer";
         public const string CredentialTypeRefreshToken = "RefreshToken";
         public const string CredentialTypeAccessToken = "AccessToken";
+        public const string CredentialTypeAccessTokenExtended = "ATExt";
         public const string CredentialTypeAccessTokenWithAuthScheme = "AccessToken_With_AuthScheme";
         public const string CredentialTypeIdToken = "IdToken";
         public const string AccountRootKey = "Account";

src/client/Microsoft.Identity.Client/Extensibility/AcquireTokenForClientBuilderExtensions.cs

@@ -2,7 +2,11 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
 using System.ComponentModel;
+using System.Diagnostics.CodeAnalysis;
+using System.Text;
+using Microsoft.Identity.Client.Cache;
 
 namespace Microsoft.Identity.Client.Extensibility
 {
@@ -11,6 +15,60 @@ namespace Microsoft.Identity.Client.Extensibility
     /// </summary>
     public static class AcquireTokenForClientBuilderExtensions
     {
+        /// <summary>
+        /// Specifies additional cache key components to use when caching and retrieving tokens.
+        /// </summary>
+        /// <param name="cacheKeyComponents">The list of additional cache key components.</param>
+        /// <param name="builder"></param>
+        /// <returns>The builder.</returns>
+        /// <remarks>
+        /// <list type="bullet">
+        /// <item><description>This api can be used to associate certificate key identifiers along with other keys with a particular token.</description></item>
+        /// <item><description>In order for the tokens to be successfully retrieved from the cache, all components used to cache the token must be provided.</description></item>
+        /// </list>
+        /// </remarks>
+        internal static AcquireTokenForClientParameterBuilder WithAdditionalCacheKeyComponents(this AcquireTokenForClientParameterBuilder builder,
+            IDictionary<string, string> cacheKeyComponents)
+        {
+            builder.ValidateUseOfExperimentalFeature();
+
+            if (cacheKeyComponents == null || cacheKeyComponents.Count == 0)
+            {
+                //no-op
+                return builder;
+            }
+
+            StringBuilder offendingKeys = new();
+
+            //Ensure known JSON keys are not added to cache key components
+            foreach (var kvp in cacheKeyComponents)
+            {
+                if (StorageJsonKeys.IsKnownStorageJsonKey(kvp.Key))
+                {
+                    offendingKeys.AppendLine(kvp.Key);
+                }
+            }
+
+            if (offendingKeys.Length != 0)
+            {
+                throw new ArgumentException($"Keys added to {nameof(cacheKeyComponents)} are invalid. Offending keys are: {offendingKeys.ToString()}");
+            }
+
+            if (builder.CommonParameters.CacheKeyComponents == null)
+            {
+                builder.CommonParameters.CacheKeyComponents = new SortedList<string, string>(cacheKeyComponents);
+            }
+            else
+            {
+                foreach (var kvp in cacheKeyComponents)
+                {
+                    builder.CommonParameters.CacheKeyComponents.Add(kvp.Key, kvp.Value);
+                }
+            }
+            
+            return builder;
+        }
+
         /// <summary>
         /// Binds the token to a key in the cache. L2 cache keys contain the key id.
         /// No cryptographic operations is performed on the token.

src/client/Microsoft.Identity.Client/Internal/Requests/AuthenticationRequestParameters.cs

@@ -127,6 +127,8 @@ public string Claims
 
         public IEnumerable<string> PersistedCacheParameters => _commonParameters.AdditionalCacheParameters;
 
+        public SortedList<string, string> CacheKeyComponents => _commonParameters.CacheKeyComponents;
+
         #region TODO REMOVE FROM HERE AND USE FROM SPECIFIC REQUEST PARAMETERS
         // TODO: ideally, these can come from the particular request instance and not be in RequestBase since it's not valid for all requests.