Added withAttribute for AcquireTokenByCredential

Author: 4gust

apps/confidential/confidential.go

@@ -550,11 +550,9 @@ func WithTenantID(tenantID string) interface {
 // acquireTokenSilentOptions are all the optional settings to an AcquireTokenSilent() call.
 // These are set by using various AcquireTokenSilentOption functions.
 type acquireTokenSilentOptions struct {
-	account             Account
-	claims, tenantID    string
-	authnScheme         AuthenticationScheme
-	extraBodyParameters map[string]string
-	cacheKeyComponents  map[string]string
+	account          Account
+	claims, tenantID string
+	authnScheme      AuthenticationScheme
 }
 
 // AcquireSilentOption is implemented by options for AcquireTokenSilent
@@ -587,7 +585,7 @@ func WithSilentAccount(account Account) interface {
 
 // AcquireTokenSilent acquires a token from either the cache or using a refresh token.
 //
-// Options: [WithClaims], [WithSilentAccount], [WithTenantID], [WithFMIPath]
+// Options: [WithClaims], [WithSilentAccount], [WithTenantID]
 func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts ...AcquireSilentOption) (AuthResult, error) {
 	o := acquireTokenSilentOptions{}
 	if err := options.ApplyOptions(&o, opts); err != nil {
@@ -604,16 +602,14 @@ func (cca Client) AcquireTokenSilent(ctx context.Context, scopes []string, opts
 	}
 
 	silentParameters := base.AcquireTokenSilentParameters{
-		Scopes:              scopes,
-		Account:             o.account,
-		RequestType:         accesstokens.ATConfidential,
-		Credential:          cca.cred,
-		IsAppCache:          o.account.IsZero(),
-		TenantID:            o.tenantID,
-		AuthnScheme:         o.authnScheme,
-		Claims:              o.claims,
-		ExtraBodyParameters: o.extraBodyParameters,
-		CacheKeyComponents:  o.cacheKeyComponents,
+		Scopes:      scopes,
+		Account:     o.account,
+		RequestType: accesstokens.ATConfidential,
+		Credential:  cca.cred,
+		IsAppCache:  o.account.IsZero(),
+		TenantID:    o.tenantID,
+		AuthnScheme: o.authnScheme,
+		Claims:      o.claims,
 	}
 
 	return cca.acquireTokenSilentInternal(ctx, silentParameters)
@@ -737,7 +733,7 @@ type AcquireByCredentialOption interface {
 
 // AcquireTokenByCredential acquires a security token from the authority, using the client credentials grant.
 //
-// Options: [WithClaims], [WithTenantID], [WithFMIPath]]
+// Options: [WithClaims], [WithTenantID], [WithFMIPath], [WithAttribute]
 func (cca Client) AcquireTokenByCredential(ctx context.Context, scopes []string, opts ...AcquireByCredentialOption) (AuthResult, error) {
 	o := acquireTokenByCredentialOptions{}
 	err := options.ApplyOptions(&o, opts)
@@ -829,7 +825,7 @@ func (cca Client) RemoveAccount(ctx context.Context, account Account) error {
 //
 // Example:
 //
-//	result, err := client.AcquireTokenByCredential(ctx, scopes, confidential.WithFMIPath("fmit/path"))
+//	result, err := client.AcquireTokenByCredential(ctx, scopes, confidential.WithFMIPath("fmi/path"))
 func WithFMIPath(path string) interface {
 	AcquireByCredentialOption
 	options.CallOption
@@ -842,8 +838,47 @@ func WithFMIPath(path string) interface {
 			func(a any) error {
 				switch t := a.(type) {
 				case *acquireTokenByCredentialOptions:
-					t.cacheKeyComponents = map[string]string{"fmi_path": path}
-					t.extraBodyParameters = map[string]string{"fmi_path": path}
+					if t.extraBodyParameters == nil {
+						t.extraBodyParameters = make(map[string]string)
+					}
+					if t.cacheKeyComponents == nil {
+						t.cacheKeyComponents = make(map[string]string)
+					}
+					t.cacheKeyComponents["fmi_path"] = path
+					t.extraBodyParameters["fmi_path"] = path
+				default:
+					return fmt.Errorf("unexpected options type %T", a)
+				}
+				return nil
+			},
+		),
+	}
+}
+
+// WithAttribute provies the attribute which is passed on as "xmc_attr" in the token request body.
+// This is used in conjunction with federated managed identities to specify the identity attribute
+//
+// Example:
+//
+// Using raw string literal (backticks) for easier formatting
+// attrs := `{"FavoriteColor": "Blue", "file:/c/users/foobar/documents/info.txt": "{\"permissions\":[\"read\",\"write\"]}"}`
+// result, err := client.AcquireTokenByCredential(ctx, scopes, confidential.WithAttribute(attrs))
+func WithAttribute(attrValue string) interface {
+	AcquireByCredentialOption
+	options.CallOption
+} {
+	return struct {
+		AcquireByCredentialOption
+		options.CallOption
+	}{
+		CallOption: options.NewCallOption(
+			func(a any) error {
+				switch t := a.(type) {
+				case *acquireTokenByCredentialOptions:
+					if t.extraBodyParameters == nil {
+						t.extraBodyParameters = make(map[string]string)
+					}
+					t.extraBodyParameters["attributes"] = attrValue
 				default:
 					return fmt.Errorf("unexpected options type %T", a)
 				}

apps/confidential/confidential_test.go

@@ -2065,3 +2065,160 @@ func TestFMICacheIsolation(t *testing.T) {
 		t.Fatalf("Expected 2 cache entries (1 regular + 1 FMI), got %d", len(cache))
 	}
 }
+
+// TestWithAttribute validates that the WithAttribute option correctly passes
+// the attribute value to extraBodyParameters in the token request
+func TestWithAttribute(t *testing.T) {
+	tests := []struct {
+		name          string
+		attrValue     string
+		expectInBody  bool
+		expectedValue string
+	}{
+		{
+			name:          "simple attribute",
+			attrValue:     `{"FavoriteColor":"Blue"}`,
+			expectInBody:  true,
+			expectedValue: `{"FavoriteColor":"Blue"}`,
+		},
+		{
+			name:          "nested JSON attribute",
+			attrValue:     `{"FavoriteColor": "Blue", "file:/c/users/foobar/documents/info.txt": "{\"permissions\":[\"read\",\"write\"]}"}`,
+			expectInBody:  true,
+			expectedValue: `{"FavoriteColor": "Blue", "file:/c/users/foobar/documents/info.txt": "{\"permissions\":[\"read\",\"write\"]}"}`,
+		},
+		{
+			name:          "empty attribute",
+			attrValue:     "",
+			expectInBody:  false,
+			expectedValue: "",
+		},
+		{
+			name:          "complex nested structure",
+			attrValue:     `{"user":"admin","config":"{\"level\":5,\"permissions\":[\"read\",\"write\",\"execute\"]}"}`,
+			expectInBody:  true,
+			expectedValue: `{"user":"admin","config":"{\"level\":5,\"permissions\":[\"read\",\"write\",\"execute\"]}"}`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cred, err := NewCredFromSecret(fakeSecret)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			lmo := "login.microsoftonline.com"
+			tenant := "test-tenant"
+			accessToken := "test-access-token"
+			authority := fmt.Sprintf(authorityFmt, lmo, tenant)
+
+			mockClient := mock.NewClient()
+			mockClient.AppendResponse(mock.WithBody(mock.GetTenantDiscoveryBody(lmo, tenant)))
+			mockClient.AppendResponse(
+				mock.WithBody(mock.GetAccessTokenBody(accessToken, mock.GetIDToken(tenant, authority), "", "", 3600, 0)),
+				mock.WithCallback(func(r *http.Request) {
+					// Parse the request body
+					if err := r.ParseForm(); err != nil {
+						t.Fatal(err)
+					}
+
+					// Check if "attributes" parameter is present in the request body
+					if tt.expectInBody {
+						if !r.Form.Has("attributes") {
+							t.Fatal("Expected 'attributes' parameter in request body, but it was not found")
+						}
+
+						actualValue := r.Form.Get("attributes")
+						if actualValue != tt.expectedValue {
+							t.Fatalf("Expected attributes value %q, got %q", tt.expectedValue, actualValue)
+						}
+					} else {
+						if r.Form.Has("attributes") {
+							t.Fatalf("Did not expect 'attributes' parameter in request body, but found: %q", r.Form.Get("attributes"))
+						}
+					}
+				}),
+			)
+
+			client, err := New(authority, fakeClientID, cred, WithHTTPClient(mockClient), WithInstanceDiscovery(false))
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			ctx := context.Background()
+			var ar AuthResult
+			if tt.attrValue != "" {
+				ar, err = client.AcquireTokenByCredential(ctx, tokenScope, WithAttribute(tt.attrValue))
+			} else {
+				ar, err = client.AcquireTokenByCredential(ctx, tokenScope, WithAttribute(tt.attrValue))
+			}
+
+			if err != nil {
+				t.Fatalf("AcquireTokenByCredential failed: %v", err)
+			}
+
+			if ar.AccessToken != accessToken {
+				t.Fatalf("Expected access token %q, got %q", accessToken, ar.AccessToken)
+			}
+		})
+	}
+}
+
+// TestWithAttributeAndFMIPath validates that WithAttribute and WithFMIPath can be used together
+// and both values are correctly passed to extraBodyParameters
+func TestWithAttributeAndFMIPath(t *testing.T) {
+	cred, err := NewCredFromSecret(fakeSecret)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	lmo := "login.microsoftonline.com"
+	tenant := "test-tenant"
+	accessToken := "test-access-token"
+	authority := fmt.Sprintf(authorityFmt, lmo, tenant)
+	fmiPath := "test/fmi/path"
+	attrValue := `{"color":"blue","size":"large"}`
+
+	mockClient := mock.NewClient()
+	mockClient.AppendResponse(mock.WithBody(mock.GetTenantDiscoveryBody(lmo, tenant)))
+	mockClient.AppendResponse(
+		mock.WithBody(mock.GetAccessTokenBody(accessToken, mock.GetIDToken(tenant, authority), "", "", 3600, 0)),
+		mock.WithCallback(func(r *http.Request) {
+			if err := r.ParseForm(); err != nil {
+				t.Fatal(err)
+			}
+
+			// Verify both parameters are present
+			if !r.Form.Has("fmi_path") {
+				t.Fatal("Expected 'fmi_path' parameter in request body")
+			}
+			if !r.Form.Has("attributes") {
+				t.Fatal("Expected 'attributes' parameter in request body")
+			}
+
+			// Verify values
+			if actualFMI := r.Form.Get("fmi_path"); actualFMI != fmiPath {
+				t.Fatalf("Expected fmi_path %q, got %q", fmiPath, actualFMI)
+			}
+			if actualAttr := r.Form.Get("attributes"); actualAttr != attrValue {
+				t.Fatalf("Expected attributes %q, got %q", attrValue, actualAttr)
+			}
+		}),
+	)
+
+	client, err := New(authority, fakeClientID, cred, WithHTTPClient(mockClient), WithInstanceDiscovery(false))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ctx := context.Background()
+	ar, err := client.AcquireTokenByCredential(ctx, tokenScope, WithFMIPath(fmiPath), WithAttribute(attrValue))
+	if err != nil {
+		t.Fatalf("AcquireTokenByCredential failed: %v", err)
+	}
+
+	if ar.AccessToken != accessToken {
+		t.Fatalf("Expected access token %q, got %q", accessToken, ar.AccessToken)
+	}
+}

apps/internal/oauth/ops/authority/authority_ext_cachekey_test.go

@@ -136,6 +136,32 @@ func TestAppKeyWithCacheKeyComponent(t *testing.T) {
 			},
 			wantedExtraCacheKey: "3-rg6_wyjx5bcy0c3cqq7gajtzgsqy3oxqpwj4y8k4u",
 		},
+		{
+			name:     "with extra 5 params",
+			clientID: "client1",
+			tenant:   "tenant1",
+			params: map[string]string{
+				"key3": "value3",
+				"key4": "value4",
+				"key5": "value5",
+				"key6": "value6",
+				"key7": "value7",
+			},
+			wantedExtraCacheKey: "gkpxxkkqjxcqnvnmr2duvxg66xanvkz6qfqpwp2e",
+		},
+		{
+			name:     "with extra 5 params different order ",
+			clientID: "client1",
+			tenant:   "tenant1",
+			params: map[string]string{
+				"key7": "value7",
+				"key4": "value4",
+				"key6": "value6",
+				"key5": "value5",
+				"key3": "value3",
+			},
+			wantedExtraCacheKey: "gkpxxkkqjxcqnvnmr2duvxg66xanvkz6qfqpwp2e",
+		},
 	}
 
 	for _, tt := range tests {