[Bug fix] Use hub app's FRT to get nested app's AT

changelog.txt

@@ -6,6 +6,8 @@ V.Next
 - [PATCH] Return status code in errorResponse when server response is not in expected Json format. (#2321)
 - [PATCH] Reduce the amount of setAccountVisibility() call. (#2355)
 - [MINOR] Added telemetry for cross cloud and MSA passthrough requests (#2367)
+- [MINOR] [Bug fix] Use hub app's FRT to get nested app's AT (#2379)
+
 
 V.17.2.0
 ---------

common4j/src/main/com/microsoft/identity/common/java/controllers/BaseController.java

@@ -58,13 +58,15 @@
 import com.microsoft.identity.common.java.exception.ClientException;
 import com.microsoft.identity.common.java.exception.ErrorStrings;
 import com.microsoft.identity.common.java.exception.ServiceException;
+import com.microsoft.identity.common.java.exception.UiRequiredException;
 import com.microsoft.identity.common.java.foci.FociQueryUtilities;
 import com.microsoft.identity.common.java.logging.DiagnosticContext;
 import com.microsoft.identity.common.java.logging.Logger;
 import com.microsoft.identity.common.java.providers.microsoft.MicrosoftAuthorizationRequest;
 import com.microsoft.identity.common.java.providers.microsoft.MicrosoftTokenRequest;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationRequest;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsOAuth2Strategy;
+import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsTokenRequest;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsTokenResponse;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationRequest;
 import com.microsoft.identity.common.java.providers.oauth2.AuthorizationResponse;
@@ -460,6 +462,70 @@ protected TokenResult performTokenRequest(@SuppressWarnings(WarningType.rawtype_
         return tokenResult;
     }
 
+    /**
+     * Renewing AT of nested app.
+     */
+    protected synchronized void renewAccessTokenForNestedApp(@NonNull final SilentTokenCommandParameters parameters,
+                                    @NonNull final AcquireTokenResult acquireTokenSilentResult,
+                                    @SuppressWarnings(WarningType.rawtype_warning) @NonNull final OAuth2TokenCache tokenCache,
+                                    @SuppressWarnings(WarningType.rawtype_warning) @NonNull final OAuth2Strategy strategy,
+                                    @NonNull final ICacheRecord cacheRecord)
+            throws IOException, ClientException, ServiceException {
+        final String methodTag = TAG + ":renewAccessTokenForNestedApp";
+        Logger.info(
+                methodTag,
+                "Renewing access token for nested app..."
+        );
+
+        RefreshTokenRecord refreshTokenRecord = cacheRecord.getRefreshToken();
+
+        logParameters(methodTag, parameters);
+
+        // 1. First get RT of hub app using FRT. Only a hub app's RT can be used to renew AT of nested app
+        // Create a correlation_id for the request
+        final UUID correlationId = UUID.randomUUID();
+        Logger.verbose(methodTag,
+                "Create the token request with correlationId ["
+                        + correlationId
+                        + "]");
+        final MicrosoftStsTokenRequest tokenRequest = FociQueryUtilities.createTokenRequest(parameters.getClientId(), getDelimitedDefaultScopeString(),
+                refreshTokenRecord.getSecret(), parameters.getRedirectUri(), (MicrosoftStsOAuth2Strategy) strategy, correlationId, "2");
+        final TokenResult tokenResult = strategy.requestToken(tokenRequest);
+
+        if (tokenResult.getSuccess()) {
+            final MicrosoftStsTokenResponse tokenResponse = (MicrosoftStsTokenResponse) tokenResult.getTokenResponse();
+            Logger.info(
+                    methodTag,
+                    "Token request was successful"
+            );
+            List<ICacheRecord> acquireTokenResultRecords = getAcquireTokenResultRecords(tokenResponse, (MicrosoftStsOAuth2Strategy) strategy,
+                    (MicrosoftStsAuthorizationRequest) getAuthorizationRequest(strategy, parameters));
+
+            // 2. Using above cache record with hub app's FRT, we will renew AT for nested app.
+            if (!acquireTokenResultRecords.isEmpty()) {
+                renewAccessToken(
+                        parameters,
+                        acquireTokenSilentResult,
+                        tokenCache,
+                        strategy,
+                        acquireTokenResultRecords.get(0)
+                );
+            }
+        } else {
+            if (tokenResult.getErrorResponse() != null) {
+                final String errorCode = tokenResult.getErrorResponse().getError();
+                Logger.info(methodTag, "Fetching Hub app RT with FRT failed with Error: " + errorCode + " SubError: " + tokenResult.getErrorResponse().getSubError());
+                if (SERVICE_NOT_AVAILABLE.equals(errorCode)) {
+                    throw new ServiceException(SERVICE_NOT_AVAILABLE, "AAD is not available.", tokenResult.getErrorResponse().getStatusCode(), null);
+                } else {
+                    throw new ClientException(ErrorStrings.NO_TOKENS_FOUND, "No valid RT found for hub app");
+                }
+            } else {
+                Logger.warn(methodTag, "Invalid state, No token success or error response on the token result");
+            }
+        }
+    }
+
     protected void renewAccessToken(@NonNull final SilentTokenCommandParameters parameters,
                                     @NonNull final AcquireTokenResult acquireTokenSilentResult,
                                     @SuppressWarnings(WarningType.rawtype_warning) @NonNull final OAuth2TokenCache tokenCache,