public void BrokerSilentRequestTest()
{
string CanonicalizedAuthority = AuthorityInfo.CanonicalizeAuthorityUri(CoreHelpers.UrlDecode(TestConstants.AuthorityTestTenant));
using (var harness = CreateBrokerHelper())
{
IBroker broker = harness.ServiceBundle.PlatformProxy.CreateBroker(null);
_brokerSilentAuthStrategy =
new SilentBrokerAuthStrategy(
new SilentRequest(harness.ServiceBundle, _parameters, _acquireTokenSilentParameters),
harness.ServiceBundle,
_parameters,
_acquireTokenSilentParameters,
broker);
Assert.AreEqual(false, _brokerSilentAuthStrategy.Broker.IsBrokerInstalledAndInvokable());
AssertException.TaskThrowsAsync <PlatformNotSupportedException>(() => _brokerSilentAuthStrategy.Broker.AcquireTokenSilentAsync(_parameters, _acquireTokenSilentParameters)).ConfigureAwait(false);
}
}
public async Task MexEndpointFailsToResolveTestAsync()
{
using (var httpManager = new MockHttpManager())
{
httpManager.AddInstanceDiscoveryMockHandler();
httpManager.AddMockHandlerForTenantEndpointDiscovery(TestConstants.AuthorityOrganizationsTenant);
AddMockHandlerDefaultUserRealmDiscovery(httpManager);
// MEX
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedUrl = "https://msft.sts.microsoft.com/adfs/services/trust/mex",
ExpectedMethod = HttpMethod.Get,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(
File.ReadAllText(ResourceHelper.GetTestResourceRelativePath("TestMex.xml"))
.Replace("<wsp:All>", " "))
}
});
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
.WithHttpManager(httpManager)
.WithTelemetry(new TraceTelemetryConfig())
.BuildConcrete();
// Call acquire token, Mex parser fails
MsalClientException result = await AssertException.TaskThrowsAsync <MsalClientException>(
async() => await app.AcquireTokenByUsernamePassword(
TestConstants.s_scope,
TestConstants.s_user.Username,
_secureString).ExecuteAsync(CancellationToken.None).ConfigureAwait(false)).ConfigureAwait(false);
// Check exception message
Assert.AreEqual("Parsing WS metadata exchange failed", result.Message);
Assert.AreEqual("parsing_ws_metadata_exchange_failed", result.ErrorCode);
// There should be no cached entries.
Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
}
}
public async Task AcquireTokenByIntegratedWindowsAuthInvalidClientTestAsync()
{
IDictionary <string, string> extraQueryParamsAndClaims =
TestConstants.s_extraQueryParams.ToDictionary(e => e.Key, e => e.Value);
extraQueryParamsAndClaims.Add(OAuth2Parameter.Claims, TestConstants.Claims);
using (var httpManager = new MockHttpManager())
{
httpManager.AddInstanceDiscoveryMockHandler();
httpManager.AddMockHandlerForTenantEndpointDiscovery(TestConstants.AuthorityCommonTenant);
MockHttpMessageHandler realmDiscoveryHandler = AddMockHandlerDefaultUserRealmDiscovery(httpManager);
AddMockHandlerMex(httpManager);
AddMockHandlerWsTrustWindowsTransport(httpManager);
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/token",
ExpectedMethod = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateInvalidClientResponseMessage()
});
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithAuthority(new Uri(ClientApplicationBase.DefaultAuthority), true)
.WithHttpManager(httpManager)
.WithExtraQueryParameters(TestConstants.s_extraQueryParams)
.WithTelemetry(new TraceTelemetryConfig())
.BuildConcrete();
MsalServiceException result = await AssertException.TaskThrowsAsync <MsalServiceException>(
async() => await app.AcquireTokenByIntegratedWindowsAuth(TestConstants.s_scope)
.WithClaims(TestConstants.Claims)
.WithUsername(TestConstants.s_user.Username)
.ExecuteAsync().ConfigureAwait(false)).ConfigureAwait(false);
// Check inner exception
Assert.AreEqual(MsalError.InvalidClient, result.ErrorCode);
// There should be no cached entries.
Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
}
}
public async Task PopWhenBrokerIsNotAvailableTest_Async()
{
//MSAL should not fall back to using the browser if the broker is not available when using POP
// Arrange
using (var harness = CreateTestHarness())
{
harness.HttpManager.AddInstanceDiscoveryMockHandler();
var mockBroker = Substitute.For <IBroker>();
mockBroker.IsBrokerInstalledAndInvokable(AuthorityType.Aad).Returns(false);
mockBroker.IsPopSupported.Returns(true);
var pca = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithExperimentalFeatures(true)
.WithBrokerPreview()
.WithTestBroker(mockBroker)
.WithHttpManager(harness.HttpManager)
.BuildConcrete();
pca.ServiceBundle.Config.BrokerCreatorFunc = (x, y, z) => mockBroker;
pca.ServiceBundle.ConfigureMockWebUI();
harness.HttpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedMethod = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateSuccessTokenResponseMessage(
"user.read",
MockHelpers.CreateIdToken(TestConstants.UniqueId, TestConstants.DisplayableId),
MockHelpers.CreateClientInfo(TestConstants.Uid, TestConstants.Utid))
});
// Act
var exception = await AssertException.TaskThrowsAsync <MsalClientException>(async() => { await pca.AcquireTokenInteractive(TestConstants.s_graphScopes)
.WithProofOfPossession(TestConstants.Nonce, HttpMethod.Get, new Uri(TestConstants.AuthorityCommonTenant))
.ExecuteAsync()
.ConfigureAwait(false); }).ConfigureAwait(false);
Assert.AreEqual(MsalError.BrokerApplicationRequired, exception.ErrorCode);
Assert.AreEqual(MsalErrorMessage.CannotInvokeBrokerForPop, exception.Message);
}
}
public async Task ROPC_MSA_Async()
{
var labResponse = await LabUserHelper.GetMsaUserAsync().ConfigureAwait(false);
SecureString securePassword = new NetworkCredential("", labResponse.User.GetOrFetchPassword()).SecurePassword;
var msalPublicClient = PublicClientApplicationBuilder
.Create(labResponse.App.AppId)
.WithAuthority(Authority)
.Build();
var result = await AssertException.TaskThrowsAsync <MsalClientException>(() =>
msalPublicClient
.AcquireTokenByUsernamePassword(s_scopes, labResponse.User.Upn, securePassword)
.ExecuteAsync(CancellationToken.None))
.ConfigureAwait(false);
Assert.AreEqual(MsalError.RopcDoesNotSupportMsaAccounts, result.ErrorCode);
Assert.AreEqual(MsalErrorMessage.RopcDoesNotSupportMsaAccounts, result.Message);
}
public async Task HttpRequestExceptionIsNotSuppressedAsync()
{
using (var httpManager = new MockHttpManager())
{
httpManager.AddInstanceDiscoveryMockHandler();
var app = ConfidentialClientApplicationBuilder.Create(MsalTestConstants.ClientId)
.WithAuthority(new Uri(ClientApplicationBase.DefaultAuthority), true)
.WithRedirectUri(MsalTestConstants.RedirectUri)
.WithClientSecret(MsalTestConstants.ClientSecret)
.WithHttpManager(httpManager)
.BuildConcrete();
// add mock response bigger than 1MB for Http Client
httpManager.AddFailingRequest(new InvalidOperationException());
await AssertException.TaskThrowsAsync <InvalidOperationException>(
() => app.AcquireTokenForClient(MsalTestConstants.Scope.ToArray()).ExecuteAsync(CancellationToken.None)).ConfigureAwait(false);
}
}
public async Task AcquireTokenSilent_LoginHint_NoAccountAsync()
{
using (var httpManager = new MockHttpManager())
{
PublicClientApplication app = PublicClientApplicationBuilder.Create(MsalTestConstants.ClientId)
.WithAuthority(new Uri(MsalTestConstants.AuthorityTestTenant), true)
.WithHttpManager(httpManager)
.WithTelemetry(new TraceTelemetryConfig())
.BuildConcrete();
_tokenCacheHelper.PopulateCache(app.UserTokenCacheInternal.Accessor);
var exception = await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() => app.AcquireTokenSilent(
MsalTestConstants.Scope.ToArray(),
"*****@*****.**")
.WithAuthority(app.Authority, false)
.ExecuteAsync()).ConfigureAwait(false);
Assert.AreEqual(MsalError.NoAccountForLoginHint, exception.ErrorCode);
}
}
public async Task AcquireTokenSilent_Account_NoHomeAccountIDAsync()
{
using (var httpManager = new MockHttpManager())
{
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithAuthority(new Uri(TestConstants.AuthorityTestTenant), true)
.WithHttpManager(httpManager)
.BuildConcrete();
TokenCacheHelper.PopulateCache(app.UserTokenCacheInternal.Accessor);
var exception = await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() => app.AcquireTokenSilent(
TestConstants.s_scope.ToArray(),
new Account(null, null, null))
.ExecuteAsync()).ConfigureAwait(false);
Assert.AreEqual(MsalError.NoTokensFoundError, exception.ErrorCode);
Assert.AreEqual(UiRequiredExceptionClassification.AcquireTokenSilentFailed, exception.Classification);
}
}
public async Task PopWhenBrokerIsNotEnabledForATS_Async()
{
// Arrange
var pca = PublicClientApplicationBuilder
.Create(TestConstants.ClientId)
.WithExperimentalFeatures()
.BuildConcrete();
// Act
MsalClientException ex = await AssertException.TaskThrowsAsync <MsalClientException>(async() =>
await pca.AcquireTokenSilent(TestConstants.s_graphScopes, TestConstants.LocalAccountId)
.WithProofOfPossession(TestConstants.Nonce, HttpMethod.Get, new Uri(TestConstants.AuthorityCommonTenant))
.ExecuteAsync()
.ConfigureAwait(false))
.ConfigureAwait(false);
Assert.AreEqual(MsalError.BrokerRequiredForPop, ex.ErrorCode);
Assert.AreEqual(MsalErrorMessage.BrokerRequiredForPop, ex.Message);
}
public void BrokerInteractiveRequestTest()
{
string CanonicalizedAuthority = AuthorityInfo.CanonicalizeAuthorityUri(CoreHelpers.UrlDecode(MsalTestConstants.AuthorityTestTenant));
using (var harness = CreateTestHarness())
{
// Arrange
var parameters = harness.CreateAuthenticationRequestParameters(
MsalTestConstants.AuthorityTestTenant,
null,
null,
null,
MsalTestConstants.ExtraQueryParams);
// Act
BrokerFactory brokerFactory = new BrokerFactory();
BrokerInteractiveRequest brokerInteractiveRequest = new BrokerInteractiveRequest(parameters, null, null, null, brokerFactory.Create(harness.ServiceBundle));
Assert.AreEqual(false, brokerInteractiveRequest.Broker.CanInvokeBroker(null));
AssertException.TaskThrowsAsync <PlatformNotSupportedException>(() => brokerInteractiveRequest.Broker.AcquireTokenUsingBrokerAsync(new Dictionary <string, string>())).ConfigureAwait(false);
}
}
private static async Task RunAfterAccessFailureAsync(
IPublicClientApplication pca,
Func <Task> operationThatTouchesCache)
{
bool beforeAccessCalled = false;
bool afterAccessCalled = false;
pca.UserTokenCache.SetBeforeAccess(args =>
{
beforeAccessCalled = true;
throw new InvalidOperationException();
});
pca.UserTokenCache.SetAfterAccess(args => { afterAccessCalled = true; });
await AssertException.TaskThrowsAsync <InvalidOperationException>(
operationThatTouchesCache).ConfigureAwait(false);
Assert.IsTrue(beforeAccessCalled);
Assert.IsTrue(afterAccessCalled);
}
private async Task <PublicClientApplication> SetupAndAcquireOnceAsync(
MockHttpAndServiceBundle httpManagerAndBundle,
int httpStatusCode,
int?retryAfterInSeconds,
TokenResponseType tokenResponseType)
{
Trace.WriteLine("1. Setup test");
var httpManager = httpManagerAndBundle.HttpManager;
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithHttpManager(httpManager)
.BuildConcrete();
new TokenCacheHelper().PopulateCache(app.UserTokenCacheInternal.Accessor, expiredAccessTokens: true);
var tokenResponse = httpManager.AddAllMocks(tokenResponseType);
UpdateStatusCodeAndHeaders(tokenResponse.ResponseMessage, httpStatusCode, retryAfterInSeconds);
if (httpStatusCode >= 500 && httpStatusCode < 600 && !retryAfterInSeconds.HasValue)
{
var response2 = httpManager.AddTokenResponse(
tokenResponseType, s_throttlingHeader);
UpdateStatusCodeAndHeaders(response2.ResponseMessage, httpStatusCode, retryAfterInSeconds);
}
var account = (await app.GetAccountsAsync().ConfigureAwait(false)).Single();
Trace.WriteLine("2. First failing call ");
var ex = await AssertException.TaskThrowsAsync <MsalServiceException>(
() => app.AcquireTokenSilent(TestConstants.s_scope, account).ExecuteAsync(),
allowDerived : true)
.ConfigureAwait(false);
Assert.AreEqual(0, httpManager.QueueSize, "No more requests expected");
Assert.AreEqual(httpStatusCode, ex.StatusCode);
Assert.AreEqual(tokenResponseType == TokenResponseType.InvalidGrant, ex is MsalUiRequiredException);
return(app);
}
public async Task AcquireTokenByIntegratedWindowsAuthTest_ManagedUser_DiscoveryFailed_ThrowsExceptionAsync()
{
// Arrange
using (var httpManager = new MockHttpManager())
{
httpManager.AddInstanceDiscoveryMockHandler();
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedMethod = HttpMethod.Get,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.NotFound)
{
Content = new StringContent(
"{\"ver\":\"1.0\"," +
"\"account_type\":\"Managed\"," +
"\"domain_name\":\"some_domain.onmicrosoft.com\"," +
"\"cloud_audience_urn\":\"urn:federation:MicrosoftOnline\"," +
"\"cloud_instance_name\":\"login.microsoftonline.com\"}")
}
});
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithAuthority(new Uri(ClientApplicationBase.DefaultAuthority), true)
.WithHttpManager(httpManager)
.BuildConcrete();
// Act
MsalServiceException exception = await AssertException.TaskThrowsAsync <MsalServiceException>(
async() => await app
.AcquireTokenByIntegratedWindowsAuth(TestConstants.s_scope)
.WithUsername(TestConstants.s_user.Username)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false)).ConfigureAwait(false);
// Assert
Assert.AreEqual(MsalError.UserRealmDiscoveryFailed, exception.ErrorCode);
Assert.AreEqual(HttpStatusCode.NotFound, (HttpStatusCode)exception.StatusCode);
}
}
public async Task AcquireTokenWithFederatedUsernameIncorrectPasswordAsync()
{
var labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
var user = labResponse.User;
SecureString incorrectSecurePassword = new SecureString();
incorrectSecurePassword.AppendChar('x');
incorrectSecurePassword.MakeReadOnly();
var msalPublicClient = PublicClientApplicationBuilder.Create(labResponse.App.AppId).WithAuthority(_authority).Build();
var result = await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() =>
msalPublicClient
.AcquireTokenByUsernamePassword(s_scopes, user.Upn, incorrectSecurePassword)
.ExecuteAsync(CancellationToken.None)
)
.ConfigureAwait(false);
Assert.AreEqual(result.ErrorCode, "invalid_grant");
}
public async Task AuthorityValidationTestWithFalseValidateAuthorityAsync()
{
LabResponse labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
LabUser user = labResponse.User;
IPublicClientApplication pca = PublicClientApplicationBuilder
.Create(labResponse.App.AppId)
.WithAuthority("https://bogus.microsoft.com/common", false)
.WithTestLogging()
.Build();
Trace.WriteLine("Acquire a token using a not so common authority alias");
HttpRequestException exception = await AssertException.TaskThrowsAsync <HttpRequestException>(() =>
pca.AcquireTokenByUsernamePassword(
s_scopes,
user.Upn,
new NetworkCredential("", user.GetOrFetchPassword()).SecurePassword)
.ExecuteAsync())
.ConfigureAwait(false);
}
public async Task FailingTest_SeleniumFailureAsync()
{
var pca = PublicClientApplicationBuilder
.Create("1d18b3b0-251b-4714-a02a-9956cec86c2d")
.WithRedirectUri(SeleniumWebUI.FindFreeLocalhostRedirectUri())
.Build();
// This should fail after a few seconds
var seleniumLogic = new SeleniumWebUI((driver) =>
{
Trace.WriteLine("Looking for an element that does not exist");
driver.FindElement(By.Id("i_hope_this_element_does_not_exist"));
}, TestContext);
// The exception propagated to the test should be Selenium exception,
// the test should not wait for the TCP listener to time out
await AssertException.TaskThrowsAsync <NoSuchElementException>(() => pca
.AcquireTokenInteractive(s_scopes)
.WithCustomWebUi(seleniumLogic)
.ExecuteAsync(CancellationToken.None))
.ConfigureAwait(false);
}
public async Task RetryAfter_ConfidentialClient_Async()
{
using (var httpManagerAndBundle = new MockHttpAndServiceBundle())
{
var httpManager = httpManagerAndBundle.HttpManager;
var app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
.WithClientSecret(TestConstants.ClientSecret)
.WithHttpManager(httpManager)
.BuildConcrete();
var throttlingManager = (httpManagerAndBundle.ServiceBundle.ThrottlingManager as SingletonThrottlingManager);
var(retryAfterProvider, _, _) = throttlingManager.GetTypedThrottlingProviders();
httpManager.AddInstanceDiscoveryMockHandler();
httpManager.AddMockHandlerForTenantEndpointDiscovery(app.Authority);
var tokenResponse = httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();
tokenResponse.ResponseMessage.StatusCode = (HttpStatusCode)429;
const int RetryAfterInSeconds = 10;
UpdateStatusCodeAndHeaders(tokenResponse.ResponseMessage, 429, RetryAfterInSeconds);
var ex = await AssertException.TaskThrowsAsync <MsalServiceException>(
() => app.AcquireTokenForClient(TestConstants.s_scope).ExecuteAsync())
.ConfigureAwait(false);
Assert.AreEqual(429, ex.StatusCode);
AssertThrottlingCacheEntryCount(throttlingManager, retryAfterEntryCount: 1);
var ex2 = await AssertException.TaskThrowsAsync <MsalThrottledServiceException>(
() => app.AcquireTokenForClient(TestConstants.s_scope).ExecuteAsync())
.ConfigureAwait(false);
Assert.AreEqual(429, ex2.StatusCode);
Assert.AreSame(ex, ex2.OriginalServiceException);
throttlingManager.SimulateTimePassing(TimeSpan.FromSeconds(RetryAfterInSeconds + 1));
httpManager.AddMockHandlerSuccessfulClientCredentialTokenResponseMessage();
await app.AcquireTokenForClient(TestConstants.s_scope).ExecuteAsync().ConfigureAwait(false);
}
}
public async Task SimilarRequests_AreThrottled_HttpStatus_Async()
{
using (var httpManagerAndBundle = new MockHttpAndServiceBundle())
{
var app = await SetupAndAquireOnceAsync(httpManagerAndBundle, 429, null).ConfigureAwait(false);
var account = (await app.GetAccountsAsync().ConfigureAwait(false)).Single();
var throttlingManager = (httpManagerAndBundle.ServiceBundle.ThrottlingManager as SingletonThrottlingManager);
AssertThrottlingCacheEntryCount(throttlingManager, httpStatusEntryCount: 1);
Trace.WriteLine("A similar request, e.g. with a claims challenge, will be throttled");
var ex = await AssertException.TaskThrowsAsync <MsalThrottledServiceException>(
() => app.AcquireTokenSilent(TestConstants.s_scope, account)
.WithClaims(TestConstants.Claims) // claims are not part of the strict thumbprint
.ExecuteAsync())
.ConfigureAwait(false);
Assert.AreEqual(429, ex.StatusCode);
AssertThrottlingCacheEntryCount(throttlingManager, httpStatusEntryCount: 1);
Trace.WriteLine("A different request, e.g. with other scopes, will not be throttled");
httpManagerAndBundle.HttpManager.AddTokenResponse(TokenResponseType.Valid);
await app.AcquireTokenSilent(new[] { "Other.Scopes" }, account).ExecuteAsync()
.ConfigureAwait(false);
Trace.WriteLine("Create a new PCA and try a different flow");
var pca2 = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithHttpManager(httpManagerAndBundle.HttpManager)
.BuildConcrete();
new TokenCacheHelper().PopulateCache(
pca2.UserTokenCacheInternal.Accessor,
expiredAccessTokens: true);
await AssertException.TaskThrowsAsync <MsalThrottledServiceException>(
() => pca2.AcquireTokenSilent(TestConstants.s_scope, account)
.ExecuteAsync())
.ConfigureAwait(false);
}
}
private async Task <(MockHttpMessageHandler MockHttpHandler, Guid Correlationid)> RunSilentFlowWithTokenErrorAsync(AcquireTokenSilentParameterBuilder request, string errorCode)
{
_app.UserTokenCacheInternal.Accessor.ClearAccessTokens();
var correlationId = Guid.NewGuid();
var tokenRequest = _harness.HttpManager.AddFailureTokenEndpointResponse(
errorCode,
TestConstants.AuthorityUtidTenant,
correlationId.ToString());
var ex = await AssertException.TaskThrowsAsync <MsalServiceException>(
() => request.WithCorrelationId(correlationId).ExecuteAsync(),
allowDerived : true)
.ConfigureAwait(false);
Assert.AreEqual(
correlationId,
Guid.Parse(ex.CorrelationId),
"Test error - Exception correlation ID does not match WithCorrelationId value");
return(tokenRequest, correlationId);
}
public async Task FederatedUsernamePasswordCommonAuthorityTestAsync()
{
using (var httpManager = new MockHttpManager())
{
httpManager.AddInstanceDiscoveryMockHandler();
httpManager.AddMockHandlerForTenantEndpointDiscovery(TestConstants.AuthorityCommonTenant);
AddMockHandlerDefaultUserRealmDiscovery(httpManager);
AddMockHandlerMex(httpManager);
AddMockHandlerWsTrustUserName(httpManager);
// AAD
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/token",
ExpectedMethod = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateInvalidRequestTokenResponseMessage()
});
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithAuthority(new Uri(ClientApplicationBase.DefaultAuthority), true)
.WithHttpManager(httpManager)
.WithTelemetry(new TraceTelemetryConfig())
.BuildConcrete();
// Call acquire token
MsalServiceException result = await AssertException.TaskThrowsAsync <MsalServiceException>(
async() => await app.AcquireTokenByUsernamePassword(
TestConstants.s_scope,
TestConstants.s_user.Username,
_secureString).ExecuteAsync(CancellationToken.None).ConfigureAwait(false)).ConfigureAwait(false);
// Check inner exception
Assert.AreEqual(MsalError.InvalidRequest, result.ErrorCode);
// There should be no cached entries.
Assert.AreEqual(0, app.UserTokenCacheInternal.Accessor.GetAllAccessTokens().Count());
}
}
public async Task AcquireTokenByIntegratedWindowsAuthTest_UnknownUserAsync()
{
// Arrange
using (var httpManager = new MockHttpManager())
{
httpManager.AddInstanceDiscoveryMockHandler();
httpManager.AddMockHandlerForTenantEndpointDiscovery(TestConstants.AuthorityCommonTenant);
// user realm discovery - unknown user type
httpManager.AddMockHandler(
new MockHttpMessageHandler
{
ExpectedMethod = HttpMethod.Get,
ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(
"{\"ver\":\"1.0\"," +
"\"account_type\":\"Bogus\"}")
}
});
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithAuthority(new Uri(ClientApplicationBase.DefaultAuthority), true)
.WithHttpManager(httpManager)
.WithTelemetry(new TraceTelemetryConfig())
.BuildConcrete();
// Act
MsalClientException exception = await AssertException.TaskThrowsAsync <MsalClientException>(
async() => await app
.AcquireTokenByIntegratedWindowsAuth(TestConstants.s_scope)
.WithUsername(TestConstants.s_user.Username)
.ExecuteAsync(CancellationToken.None)
.ConfigureAwait(false)).ConfigureAwait(false);
// Assert
Assert.AreEqual(MsalError.UnknownUserType, exception.ErrorCode);
}
}
// regression for #2837
public async Task AuthorityOverrideAndRegionalAsync()
{
const string region = "eastus";
Environment.SetEnvironmentVariable("REGION_NAME", region);
var app = ConfidentialClientApplicationBuilder
.Create(TestConstants.ClientId)
.WithAzureRegion(ConfidentialClientApplication.AttemptRegionDiscovery)
.WithClientSecret(TestConstants.ClientSecret)
.Build();
#pragma warning disable CS0618 // Type or member is obsolete
var ex = await AssertException.TaskThrowsAsync <MsalClientException>(() =>
app
.AcquireTokenForClient(TestConstants.s_scope)
.WithAuthority($"https://login.microsoft.com/17b189bc-2b81-4ec5-aa51-3e628cbc931b")
#pragma warning restore CS0618 // Type or member is obsolete
.ExecuteAsync())
.ConfigureAwait(false);
Assert.AreEqual(MsalError.RegionalAndAuthorityOverride, ex.ErrorCode);
}
public async Task RetryAfter_ConfidentialClient_ErrorMessage_Async()
{
using (var httpManagerAndBundle = new MockHttpAndServiceBundle())
{
var httpManager = httpManagerAndBundle.HttpManager;
var app = ConfidentialClientApplicationBuilder.Create(TestConstants.ClientId)
.WithClientSecret(TestConstants.ClientSecret)
.WithHttpManager(httpManager)
.BuildConcrete();
httpManager.AddInstanceDiscoveryMockHandler();
var tokenResponse = httpManager.AddMockHandlerForThrottledResponseMessage();
var serverEx = await AssertException.TaskThrowsAsync <MsalThrottledServiceException>(
() => app.AcquireTokenForClient(TestConstants.s_scope).ExecuteAsync())
.ConfigureAwait(false);
Assert.AreEqual(serverEx.StatusCode, 429);
Assert.AreEqual(serverEx.ErrorCode, MsalError.RequestThrottled);
Assert.AreEqual(serverEx.Message, MsalErrorMessage.AadThrottledError);
Assert.AreEqual(serverEx.ResponseBody, MockHelpers.TooManyRequestsContent);
}
}
public async Task AuthorityValidationFailure_IsRethrown_Async()
{
// Arrange
var validationException = new MsalServiceException(MsalError.InvalidInstance, "authority validation failed");
_networkCacheMetadataProvider = new NetworkCacheMetadataProvider();
// network fails with invalid_instance exception
_networkMetadataProvider
.When(x => x.GetMetadataAsync(Arg.Any <Uri>(), _testRequestContext))
.Do(x => throw validationException);
// Act
var actualException = await AssertException.TaskThrowsAsync <MsalServiceException>(() =>
_discoveryManager.GetMetadataEntryAsync(
AuthorityInfo.FromAuthorityUri("https://some_env.com/tid", true),
_testRequestContext))
.ConfigureAwait(false);
// Assert
Assert.AreSame(validationException, actualException);
_knownMetadataProvider.DidNotReceiveWithAnyArgs();
}
public async Task B2C_NoScopes_NoAccessToken_Async()
{
using (var httpManager = new MockHttpManager())
{
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithAuthority(new Uri(TestConstants.B2CLoginAuthority), true)
.WithHttpManager(httpManager)
.BuildConcrete();
MsalMockHelpers.ConfigureMockWebUI(
app.ServiceBundle.PlatformProxy,
AuthorizationResult.FromUri(app.AppConfig.RedirectUri + "?code=some-code"));
// Arrange 1 - interactive call with 0 scopes
httpManager.AddMockHandlerForTenantEndpointDiscovery(TestConstants.B2CLoginAuthority);
httpManager.AddSuccessTokenResponseMockHandlerForPost(
TestConstants.B2CLoginAuthority,
responseMessage: MockHelpers.CreateSuccessResponseMessage(MockHelpers.B2CTokenResponseWithoutAT));
// Act
AuthenticationResult result = await app
.AcquireTokenInteractive(null) // no scopes -> no Access Token!
.ExecuteAsync()
.ConfigureAwait(false);
// Assert
AssertNoAccessToken(result);
Assert.AreEqual(0, httpManager.QueueSize);
var ex = await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() =>
app.AcquireTokenSilent(null, result.Account).ExecuteAsync()
).ConfigureAwait(false);
Assert.AreEqual(MsalError.ScopesRequired, ex.ErrorCode);
Assert.AreEqual(UiRequiredExceptionClassification.AcquireTokenSilentFailed, ex.Classification);
}
}
public async Task BadTokenError_RemoveAccountFromCacheAsync()
{
// Arrange
using (MockHttpAndServiceBundle harness = base.CreateTestHarness())
{
Trace.WriteLine("1. Create PCA");
PublicClientApplication app = PublicClientApplicationBuilder.Create(TestConstants.ClientId)
.WithHttpManager(harness.HttpManager)
.BuildConcrete();
var tokenCacheHelper = new TokenCacheHelper();
tokenCacheHelper.PopulateCache(app.UserTokenCacheInternal.Accessor, addSecondAt: false);
Trace.WriteLine("2. Configure AAD to respond with the typical Invalid Grant error and Bad Token sub error");
AddHttpMocks_BadTokenError(harness.HttpManager);
var account = new Account(TestConstants.s_userIdentifier, TestConstants.DisplayableId, null);
// Act
var exception = await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() => app
.AcquireTokenSilent(
TestConstants.s_scope.ToArray(),
account)
.WithForceRefresh(true)
.ExecuteAsync())
.ConfigureAwait(false);
Assert.AreEqual(MsalError.BadToken, exception.SubError);
var accounts = await app.GetAccountsAsync().ConfigureAwait(false);
Assert.IsFalse(accounts.Any());
var refreshTokens = app.UserTokenCacheInternal.Accessor.GetAllRefreshTokens();
Assert.IsFalse(refreshTokens.Any());
}
}
public async Task FociAppLeavesFamilyAsync()
{
using (_harness = new MockHttpAndServiceBundle())
{
InitApps();
// A and B are part of the family
await InteractiveAsync(_appA, ServerTokenResponse.FociToken).ConfigureAwait(false);
await SilentAsync(_appB, ServerTokenResponse.FociToken).ConfigureAwait(false);
// B leaves the family -> STS will not refresh its token based on the FRT
await AssertException.TaskThrowsAsync <MsalUiRequiredException>(() => SilentAsync(_appB, ServerTokenResponse.ErrorClientMismatch)).ConfigureAwait(false);
// B can resume acquiring tokens silently via the normal RT, after an interactive flow
await InteractiveAsync(_appB, ServerTokenResponse.NonFociToken).ConfigureAwait(false);
await SilentAsync(_appB, ServerTokenResponse.NonFociToken).ConfigureAwait(false);
// Assert
await AssertAccountsAsync().ConfigureAwait(false);
AssertAppHasRT(_appB);
AssertFRTExists();
}
}
[WorkItem(1407)] // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/1407
public async Task DeviceCodeExceptionsOn200OKAsync()
{
using (var harness = CreateTestHarness())
{
TestCommon.MockInstanceDiscoveryAndOpenIdRequest(harness.HttpManager);
var handler = new MockHttpMessageHandler()
{
ExpectedMethod = HttpMethod.Post,
ResponseMessage = MockHelpers.CreateInvalidClientResponseMessage()
};
harness.HttpManager.AddMockHandler(handler);
var parameters = harness.CreateAuthenticationRequestParameters(
TestConstants.AuthorityHomeTenant,
TestConstants.s_scope,
new TokenCache(harness.ServiceBundle, false),
account: null);
DeviceCodeResult actualDeviceCodeResult = null;
var deviceCodeParameters = new AcquireTokenWithDeviceCodeParameters
{
DeviceCodeResultCallback = result =>
{
actualDeviceCodeResult = result;
return(Task.FromResult(0));
}
};
var request = new DeviceCodeRequest(harness.ServiceBundle, parameters, deviceCodeParameters);
var ex = await AssertException.TaskThrowsAsync <MsalServiceException>(
() => request.ExecuteAsync(CancellationToken.None)).ConfigureAwait(false);
}
}
public async Task RemoveAADAccountAsync()
{
string aadHomeAccId = $"{TestConstants.Uid}.{TestConstants.Utid}";
// Arrange
using (var harness = CreateTestHarness())
{
var wamAccountProvider = new WebAccountProvider("id", "*****@*****.**", null);
var requestParams = harness.CreateAuthenticationRequestParameters(TestConstants.AuthorityConsumerTidTenant); // MSA
requestParams.Account = new Account(
aadHomeAccId, // matching in on home acc id
"*****@*****.**", // matching is not on UPN
null); // account does not have wam_id, might be coming directly from WAM
var webAccount = new WebAccount(wamAccountProvider, "*****@*****.**", WebAccountState.Connected);
IReadOnlyList <WebAccount> webAccounts = new List <WebAccount>()
{
webAccount
};
_wamProxy.FindAllWebAccountsAsync(wamAccountProvider, TestConstants.ClientId).Returns(Task.FromResult(webAccounts));
// WAM can give MSAL the home account ID of a Wam account, which MSAL matches to a WAM account
_aadPlugin.GetHomeAccountIdOrNull(webAccount).Returns(aadHomeAccId);
var atsParams = new AcquireTokenSilentParameters();
_webAccountProviderFactory.GetAccountProviderAsync("organizations").ReturnsForAnyArgs(Task.FromResult(wamAccountProvider));
// Act Assert
await AssertException.TaskThrowsAsync <FileNotFoundException>( // Since WebAccount is a real object, it throws this exception
() => _wamBroker.RemoveAccountAsync(harness.ServiceBundle.Config, requestParams.Account))
.ConfigureAwait(false);
}
}
public async Task ATI_RequiresSyncContext_Async()
{
var wamBroker = new WamBroker(
new CoreUIParent(), // no sync context here
_logger,
_aadPlugin,
_msaPlugin,
_wamProxy,
_webAccountProviderFactory,
_accountPickerFactory);
using (var harness = CreateTestHarness())
{
var requestParams = harness.CreateAuthenticationRequestParameters(TestConstants.AuthorityHomeTenant); // AAD
var atiParams = new AcquireTokenInteractiveParameters();
// Act
var ex = await AssertException.TaskThrowsAsync <MsalClientException>(
() => wamBroker.AcquireTokenInteractiveAsync(requestParams, atiParams)).ConfigureAwait(false);
// Assert
Assert.AreEqual(MsalError.WamUiThread, ex.ErrorCode);
}
}
