AzureAD · Avery-Dunn · Aug 23, 2024 · Aug 6, 2024 · Aug 10, 2024 · Aug 10, 2024
@@ -242,14 +242,11 @@ private static String getInstanceDiscoveryEndpoint(URL authorityUrl) {
      static AadInstanceDiscoveryResponse sendInstanceDiscoveryRequest(URL authorityUrl,
                                                                              MsalRequest msalRequest,
                                                                              ServiceBundle serviceBundle) {
-        IHttpResponse httpResponse;
 
-        if (msalRequest.application().authenticationAuthority.authorityType == AuthorityType.OIDC) {
-            httpResponse = executeRequest(authorityUrl.toString(), msalRequest.headers().getReadonlyHeaderMap(), msalRequest, serviceBundle);
-        } else {
-            String instanceDiscoveryRequestUrl = getInstanceDiscoveryEndpoint(authorityUrl) + formInstanceDiscoveryParameters(authorityUrl);
-            httpResponse = executeRequest(instanceDiscoveryRequestUrl, msalRequest.headers().getReadonlyHeaderMap(), msalRequest, serviceBundle);
-        }
+        String instanceDiscoveryRequestUrl = getInstanceDiscoveryEndpoint(authorityUrl) +
+                formInstanceDiscoveryParameters(authorityUrl);
+
+        IHttpResponse httpResponse = executeRequest(instanceDiscoveryRequestUrl, msalRequest.headers().getReadonlyHeaderMap(), msalRequest, serviceBundle);
 
         AadInstanceDiscoveryResponse response = JsonHelper.convertJsonToObject(httpResponse.body(), AadInstanceDiscoveryResponse.class);
 
@@ -370,25 +367,9 @@ private static void doInstanceDiscoveryAndCache(URL authorityUrl,
         cacheInstanceDiscoveryResponse(authorityUrl.getHost(), aadInstanceDiscoveryResponse);
     }
 
-    static AadInstanceDiscoveryResponse doOidcInstanceDiscoveryAndCache(OidcAuthority authority, AbstractClientApplicationBase clientApplication, ServiceBundle serviceBundle) {
-        //This class was originally made under the assumption of only dealing with Azure AD/Entra style endpoints,
-        //  and the expectation that the instance discovery would be done during the first token request.
-        //Newer features, such as CIAM custom authorities, allow any authority that follows OIDC's standard for an
-        //  instance metadata endpoint, and that endpoint contains data we may need before the first token request.
-        //Rather than rewrite method signatures in multiple public and private classes or add a lot of duplicate code,
-        //  as a quick and dirty workaround here we just pretend to be in the middle of a token request
-        RequestContext context = new RequestContext(clientApplication, null, null);
-        MsalRequest msalRequest = new MsalRequest(clientApplication, null, context) {};
-
-        AadInstanceDiscoveryResponse aadInstanceDiscoveryResponse = sendInstanceDiscoveryRequest(authority.canonicalAuthorityUrl, msalRequest, serviceBundle);
-        cacheInstanceDiscoveryResponse(authority.canonicalAuthorityUrl.getHost(), aadInstanceDiscoveryResponse);
-
-        return aadInstanceDiscoveryResponse;
-    }
-
     private static void validate(AadInstanceDiscoveryResponse aadInstanceDiscoveryResponse) {
         if (StringHelper.isBlank(aadInstanceDiscoveryResponse.tenantDiscoveryEndpoint())) {
             throw new MsalServiceException(aadInstanceDiscoveryResponse);
         }
     }
-}
+}
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscoveryResponse.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscoveryResponse.java
@@ -29,13 +29,4 @@ class AadInstanceDiscoveryResponse {
 
     @JsonProperty("correlation_id")
     private String correlationId;
-
-    @JsonProperty("authorization_endpoint")
-    private String authorizationEndpoint;
-
-    @JsonProperty("token_endpoint")
-    private String tokenEndpoint;
-
-    @JsonProperty("device_authorization_endpoint")
-    private String deviceCodeEndpoint;
 }
@@ -558,21 +558,16 @@ public T correlationId(String val) {
                         builder.httpClient)
         );
 
-        //In most cases we will retrieve various auth/token/etc. via instance discovery during a token request,
-        //  the format is well known enough to be stored in the codebase itself, or the instance discovery result is
-        //  provided at app creation so we can cache it and skip discovery.
-        //However, if the authority being set is a generic OIDC authority (rather than Azure AD-style) then we need to perform
-        //  instance discovery when the client app is created, as there are some app-level methods that require the endpoints from
-        //  the instance discovery metadata.
         if (aadAadInstanceDiscoveryResponse != null) {
             AadInstanceDiscoveryProvider.cacheInstanceDiscoveryResponse(
                     authenticationAuthority.host,
                     aadAadInstanceDiscoveryResponse);
-        } else if (authenticationAuthority.authorityType == AuthorityType.OIDC) {
-            AadInstanceDiscoveryProvider.doOidcInstanceDiscoveryAndCache((OidcAuthority) authenticationAuthority, this, serviceBundle);
+        }
+
+        if (authenticationAuthority.authorityType == AuthorityType.OIDC) {
             ((OidcAuthority) authenticationAuthority).setAuthorityProperties(
-                    AadInstanceDiscoveryProvider.doOidcInstanceDiscoveryAndCache(
-                            (OidcAuthority) authenticationAuthority, this, serviceBundle));
+                    OidcDiscoveryProvider.performOidcDiscovery(
+                            (OidcAuthority) authenticationAuthority, this));
         }
     }
 }
@@ -105,6 +105,22 @@ IHttpResponse executeHttpRequest(HttpRequest httpRequest,
         return httpResponse;
     }
 
+    IHttpResponse executeHttpRequest(HttpRequest httpRequest) {
+        IHttpResponse httpResponse;
+
+        try {
+            httpResponse = executeHttpRequestWithRetries(httpRequest, httpClient);
+        } catch (Exception e) {
+            throw new MsalClientException(e);
+        }
+
+        if (httpResponse.headers() != null) {
+            HttpHelper.verifyReturnedCorrelationId(httpRequest, httpResponse);
+        }
+
+        return httpResponse;
+    }
+
     private String getRequestThumbprint(RequestContext requestContext) {
         StringBuilder sb = new StringBuilder();
         sb.append(requestContext.clientId() + POINT_DELIMITER);

@@ -12,19 +12,19 @@ public class OidcAuthority extends Authority {
     private static final String AUTHORITY_FORMAT = "https://%s/%s/";
 
     OidcAuthority(URL authorityUrl) throws MalformedURLException {
-        super(transformAuthority(authorityUrl), AuthorityType.OIDC);
+        super(createOidcDiscoveryUrl(authorityUrl), AuthorityType.OIDC);
 
         this.authority = String.format(AUTHORITY_FORMAT, host, tenant);
     }
 
-    private static URL transformAuthority(URL originalAuthority) throws MalformedURLException {
-        String transformedAuthority = originalAuthority.toString();
-        transformedAuthority += WELL_KNOWN_OPENID_CONFIGURATION;
+    private static URL createOidcDiscoveryUrl(URL originalAuthority) throws MalformedURLException {
+        String authority = originalAuthority.toString();
+        authority += WELL_KNOWN_OPENID_CONFIGURATION;
 
-        return new URL(transformedAuthority);
+        return new URL(authority);
     }
 
-    void setAuthorityProperties(AadInstanceDiscoveryResponse instanceDiscoveryResponse) {
+    void setAuthorityProperties(OidcDiscoveryResponse instanceDiscoveryResponse) {
         this.authorizationEndpoint = instanceDiscoveryResponse.authorizationEndpoint();
         this.tokenEndpoint = instanceDiscoveryResponse.tokenEndpoint();
         this.deviceCodeEndpoint = instanceDiscoveryResponse.deviceCodeEndpoint();

@@ -0,0 +1,23 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+class OidcDiscoveryProvider {
+
+    static OidcDiscoveryResponse performOidcDiscovery(OidcAuthority authority, AbstractClientApplicationBase clientApplication) {
+        HttpRequest httpRequest = new HttpRequest(
+                HttpMethod.GET,
+                authority.canonicalAuthorityUrl.toString());
+
+        IHttpResponse httpResponse = ((HttpHelper)clientApplication.serviceBundle.getHttpHelper()).executeHttpRequest(httpRequest);
+
+        OidcDiscoveryResponse response = JsonHelper.convertJsonToObject(httpResponse.body(), OidcDiscoveryResponse.class);
+
+        if (httpResponse.statusCode() != HttpHelper.HTTP_STATUS_200) {
+            throw MsalServiceExceptionFactory.fromHttpResponse(httpResponse);
+        }
+
+        return response;
+    }
+}
@@ -0,0 +1,23 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.aad.msal4j;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import lombok.AccessLevel;
+import lombok.Getter;
+import lombok.experimental.Accessors;
+
+@Accessors(fluent = true)
+@Getter(AccessLevel.PACKAGE)
+class OidcDiscoveryResponse {
+
+    @JsonProperty("authorization_endpoint")
+    private String authorizationEndpoint;
+
+    @JsonProperty("token_endpoint")
+    private String tokenEndpoint;
+
+    @JsonProperty("device_authorization_endpoint")
+    private String deviceCodeEndpoint;
+}