AzureAD · nilo-ms · Apr 17, 2025 · Apr 10, 2025 · Apr 11, 2025 · Apr 11, 2025
diff --git a/...com/microsoft/identity/common/nativeauth/internal/controllers/NativeAuthMsalController.kt b/...com/microsoft/identity/common/nativeauth/internal/controllers/NativeAuthMsalController.kt
@@ -223,10 +223,11 @@ class NativeAuthMsalController : BaseNativeAuthController() {
                         tokenApiResult = tokenApiResult
                     )
                 }
+                // TODO: this will need to change in JIT business logic PR
                 is SignInTokenApiResult.InvalidAuthenticationType,
                 is SignInTokenApiResult.MFARequired, is SignInTokenApiResult.CodeIncorrect,
                 is SignInTokenApiResult.UserNotFound, is SignInTokenApiResult.InvalidCredentials,
-                is SignInTokenApiResult.UnknownError -> {
+                is SignInTokenApiResult.UnknownError, is SignInTokenApiResult.JITRequired -> {
                     Logger.warnWithObject(
                         TAG,
                         tokenApiResult.correlationId,
@@ -298,10 +299,10 @@ class NativeAuthMsalController : BaseNativeAuthController() {
                         correlationId = tokenApiResult.correlationId
                     )
                 }
-
+                // TODO: this will need to change in JIT business logic PR
                 is SignInTokenApiResult.UnknownError, is SignInTokenApiResult.InvalidAuthenticationType,
                 is SignInTokenApiResult.MFARequired, is SignInTokenApiResult.InvalidCredentials,
-                is SignInTokenApiResult.UserNotFound -> {
+                is SignInTokenApiResult.UserNotFound, is SignInTokenApiResult.JITRequired -> {
                     Logger.warnWithObject(
                         TAG,
                         tokenApiResult.correlationId,
@@ -351,6 +352,7 @@ class NativeAuthMsalController : BaseNativeAuthController() {
                 oAuth2Strategy = oAuth2Strategy,
                 parameters = parametersWithScopes
             )
+            // TODO: this will need to change in JIT business logic PR
             return when (tokenApiResult) {
                 is SignInTokenApiResult.Success -> {
                     saveAndReturnTokens(
@@ -370,7 +372,7 @@ class NativeAuthMsalController : BaseNativeAuthController() {
                 }
                 is SignInTokenApiResult.UnknownError, is SignInTokenApiResult.InvalidAuthenticationType,
                 is SignInTokenApiResult.InvalidCredentials, is SignInTokenApiResult.UserNotFound,
-                is SignInTokenApiResult.MFARequired -> {
+                is SignInTokenApiResult.MFARequired, is SignInTokenApiResult.JITRequired -> {
                     Logger.warnWithObject(
                         TAG,
                         tokenApiResult.correlationId,
@@ -2117,6 +2119,7 @@ class NativeAuthMsalController : BaseNativeAuthController() {
         oAuth2Strategy: NativeAuthOAuth2Strategy,
         parametersWithScopes: SignInStartCommandParameters,
     ): SignInStartCommandResult {
+        // TODO: this will need to change in JIT business logic PR
         return when (this) {
             is SignInTokenApiResult.InvalidCredentials -> {
                 SignInCommandResult.InvalidCredentials(
@@ -2145,7 +2148,7 @@ class NativeAuthMsalController : BaseNativeAuthController() {
             }
             is SignInTokenApiResult.CodeIncorrect,
             is SignInTokenApiResult.InvalidAuthenticationType, is SignInTokenApiResult.UserNotFound,
-            is SignInTokenApiResult.UnknownError -> {
+            is SignInTokenApiResult.UnknownError, is SignInTokenApiResult.JITRequired -> {
                 Logger.warnWithObject(
                     TAG,
                     this.correlationId,
@@ -2167,6 +2170,7 @@ class NativeAuthMsalController : BaseNativeAuthController() {
         oAuth2Strategy: NativeAuthOAuth2Strategy,
         parametersWithScopes: SignInSubmitPasswordCommandParameters,
     ): SignInSubmitPasswordCommandResult {
+        // TODO: this will need to change in JIT business logic PR
         return when (this) {
             is SignInTokenApiResult.InvalidCredentials -> {
                 SignInCommandResult.InvalidCredentials(
@@ -2194,7 +2198,8 @@ class NativeAuthMsalController : BaseNativeAuthController() {
                 )
             }
             is SignInTokenApiResult.UserNotFound, is SignInTokenApiResult.CodeIncorrect,
-            is SignInTokenApiResult.InvalidAuthenticationType, is SignInTokenApiResult.UnknownError -> {
+            is SignInTokenApiResult.InvalidAuthenticationType, is SignInTokenApiResult.UnknownError,
+            is SignInTokenApiResult.JITRequired -> {
                 Logger.warnWithObject(
                     TAG,
                     this.correlationId,

diff --git a/...on/internal/providers/microsoft/nativeauth/integration/ResetPasswordOAuth2StrategyTest.kt b/...on/internal/providers/microsoft/nativeauth/integration/ResetPasswordOAuth2StrategyTest.kt
@@ -114,6 +114,9 @@ class ResetPasswordOAuth2StrategyTest {
         whenever(mockConfig.getResetPasswordContinueEndpoint()).thenReturn(ApiConstants.MockApi.ssprContinueRequestUrl)
         whenever(mockConfig.getResetPasswordSubmitEndpoint()).thenReturn(ApiConstants.MockApi.ssprSubmitRequestUrl)
         whenever(mockConfig.getResetPasswordPollCompletionEndpoint()).thenReturn(ApiConstants.MockApi.ssprPollCompletionRequestUrl)
+        whenever(mockConfig.getJITIntrospectEndpoint()).thenReturn(ApiConstants.MockApi.jitIntrospectRequestUrl)
+        whenever(mockConfig.getJITChallengeEndpoint()).thenReturn(ApiConstants.MockApi.jitChallengeRequestUrl)
+        whenever(mockConfig.getJITContinueEndpoint()).thenReturn(ApiConstants.MockApi.jitContinueRequestUrl)
         whenever(mockConfig.challengeType).thenReturn(CHALLENGE_TYPE)
 
         nativeAuthOAuth2Strategy = NativeAuthOAuth2Strategy(

diff --git a/...ity/common/internal/providers/microsoft/nativeauth/integration/SignInOAuthStrategyTest.kt b/...ity/common/internal/providers/microsoft/nativeauth/integration/SignInOAuthStrategyTest.kt
@@ -102,6 +102,9 @@ class SignInOAuthStrategyTest {
         whenever(mockConfig.getResetPasswordContinueEndpoint()).thenReturn(ApiConstants.MockApi.ssprContinueRequestUrl)
         whenever(mockConfig.getResetPasswordSubmitEndpoint()).thenReturn(ApiConstants.MockApi.ssprSubmitRequestUrl)
         whenever(mockConfig.getResetPasswordPollCompletionEndpoint()).thenReturn(ApiConstants.MockApi.ssprPollCompletionRequestUrl)
+        whenever(mockConfig.getJITIntrospectEndpoint()).thenReturn(ApiConstants.MockApi.jitIntrospectRequestUrl)
+        whenever(mockConfig.getJITChallengeEndpoint()).thenReturn(ApiConstants.MockApi.jitChallengeRequestUrl)
+        whenever(mockConfig.getJITContinueEndpoint()).thenReturn(ApiConstants.MockApi.jitContinueRequestUrl)
         whenever(mockConfig.challengeType).thenReturn(CHALLENGE_TYPE)
 
         nativeAuthOAuth2Strategy = NativeAuthOAuth2Strategy(

diff --git a/...ty/common/internal/providers/microsoft/nativeauth/integration/SignUpOAuth2StrategyTest.kt b/...ty/common/internal/providers/microsoft/nativeauth/integration/SignUpOAuth2StrategyTest.kt
@@ -101,6 +101,9 @@ class SignUpOAuth2StrategyTest {
         whenever(mockConfig.getResetPasswordContinueEndpoint()).thenReturn(ApiConstants.MockApi.ssprContinueRequestUrl)
         whenever(mockConfig.getResetPasswordSubmitEndpoint()).thenReturn(ApiConstants.MockApi.ssprSubmitRequestUrl)
         whenever(mockConfig.getResetPasswordPollCompletionEndpoint()).thenReturn(ApiConstants.MockApi.ssprPollCompletionRequestUrl)
+        whenever(mockConfig.getJITIntrospectEndpoint()).thenReturn(ApiConstants.MockApi.jitIntrospectRequestUrl)
+        whenever(mockConfig.getJITChallengeEndpoint()).thenReturn(ApiConstants.MockApi.jitChallengeRequestUrl)
+        whenever(mockConfig.getJITContinueEndpoint()).thenReturn(ApiConstants.MockApi.jitContinueRequestUrl)
         whenever(mockConfig.challengeType).thenReturn(CHALLENGE_TYPE)
 
         nativeAuthOAuth2Strategy = NativeAuthOAuth2Strategy(

diff --git a/...internal/providers/microsoft/nativeauth/integration/scenario/ResetPasswordScenarioTest.kt b/...internal/providers/microsoft/nativeauth/integration/scenario/ResetPasswordScenarioTest.kt
@@ -84,6 +84,9 @@ class ResetPasswordScenarioTest {
         whenever(mockConfig.getResetPasswordContinueEndpoint()).thenReturn(ApiConstants.MockApi.ssprContinueRequestUrl)
         whenever(mockConfig.getResetPasswordSubmitEndpoint()).thenReturn(ApiConstants.MockApi.ssprSubmitRequestUrl)
         whenever(mockConfig.getResetPasswordPollCompletionEndpoint()).thenReturn(ApiConstants.MockApi.ssprPollCompletionRequestUrl)
+        whenever(mockConfig.getJITIntrospectEndpoint()).thenReturn(ApiConstants.MockApi.jitIntrospectRequestUrl)
+        whenever(mockConfig.getJITChallengeEndpoint()).thenReturn(ApiConstants.MockApi.jitChallengeRequestUrl)
+        whenever(mockConfig.getJITContinueEndpoint()).thenReturn(ApiConstants.MockApi.jitContinueRequestUrl)
         whenever(mockConfig.challengeType).thenReturn(challengeType)
 
         nativeAuthOAuth2Strategy = NativeAuthOAuth2Strategy(

diff --git a/...common/internal/providers/microsoft/nativeauth/integration/scenario/SignUpScenarioTest.kt b/...common/internal/providers/microsoft/nativeauth/integration/scenario/SignUpScenarioTest.kt
@@ -78,6 +78,9 @@ class SignUpScenarioTest {
         whenever(mockConfig.getResetPasswordContinueEndpoint()).thenReturn(ApiConstants.MockApi.ssprContinueRequestUrl)
         whenever(mockConfig.getResetPasswordSubmitEndpoint()).thenReturn(ApiConstants.MockApi.ssprSubmitRequestUrl)
         whenever(mockConfig.getResetPasswordPollCompletionEndpoint()).thenReturn(ApiConstants.MockApi.ssprPollCompletionRequestUrl)
+        whenever(mockConfig.getJITIntrospectEndpoint()).thenReturn(ApiConstants.MockApi.jitIntrospectRequestUrl)
+        whenever(mockConfig.getJITChallengeEndpoint()).thenReturn(ApiConstants.MockApi.jitChallengeRequestUrl)
+        whenever(mockConfig.getJITContinueEndpoint()).thenReturn(ApiConstants.MockApi.jitContinueRequestUrl)
         whenever(mockConfig.challengeType).thenReturn(CHALLENGE_TYPE)
 
         nativeAuthOAuth2Strategy = NativeAuthOAuth2Strategy(

diff --git a/.../com/microsoft/identity/common/java/nativeauth/providers/NativeAuthOAuth2Configuration.kt b/.../com/microsoft/identity/common/java/nativeauth/providers/NativeAuthOAuth2Configuration.kt
@@ -63,6 +63,9 @@ class NativeAuthOAuth2Configuration(
         private const val SIGN_IN_INTROSPECT_ENDPOINT_SUFFIX = "/oauth2/v2.0/introspect"
         private const val SIGN_IN_CHALLENGE_ENDPOINT_SUFFIX = "/oauth2/v2.0/challenge"
         private const val SIGN_IN_TOKEN_ENDPOINT_SUFFIX = "/oauth2/v2.0/token"
+        private const val JIT_INTROSPECT_ENDPOINT_SUFFIX = "/register/v1.0/introspect"
+        private const val JIT_CHALLENGE_ENDPOINT_SUFFIX = "/register/v1.0/challenge"
+        private const val JIT_CONTINUE_ENDPOINT_SUFFIX = "/register/v1.0/continue"
     }
 
     override fun getAuthorityUrl(): URL {
@@ -217,6 +220,42 @@ class NativeAuthOAuth2Configuration(
         )
     }
 
+    /**
+     * Get the endpoint to be used for making a register/v1.0/introspect request.
+     *
+     * @return URL the endpoint
+     */
+    fun getJITIntrospectEndpoint(): URL {
+        return getEndpointUrlFromRootAndTenantAndSuffix(
+            root = getAuthorityUrl(),
+            endpointSuffix = JIT_INTROSPECT_ENDPOINT_SUFFIX
+        )
+    }
+
+    /**
+     * Get the endpoint to be used for making a register/v1.0/challenge request.
+     *
+     * @return URL the endpoint
+     */
+    fun getJITChallengeEndpoint(): URL {
+        return getEndpointUrlFromRootAndTenantAndSuffix(
+            root = getAuthorityUrl(),
+            endpointSuffix = JIT_CHALLENGE_ENDPOINT_SUFFIX
+        )
+    }
+
+    /**
+     * Get the endpoint to be used for making a register/v1.0/continue request.
+     *
+     * @return URL the endpoint
+     */
+    fun getJITContinueEndpoint(): URL {
+        return getEndpointUrlFromRootAndTenantAndSuffix(
+            root = getAuthorityUrl(),
+            endpointSuffix = JIT_CONTINUE_ENDPOINT_SUFFIX
+        )
+    }
+
     private fun getEndpointUrlFromRootAndTenantAndSuffix(root: URL, endpointSuffix: String): URL {
         return try {
             if (BuildValues.getDC().isNotEmpty()) {

diff --git a/...main/com/microsoft/identity/common/java/nativeauth/providers/NativeAuthRequestProvider.kt b/...main/com/microsoft/identity/common/java/nativeauth/providers/NativeAuthRequestProvider.kt
@@ -36,6 +36,9 @@ import com.microsoft.identity.common.java.nativeauth.commands.parameters.SignUpS
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.SignUpSubmitPasswordCommandParameters
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.SignUpSubmitUserAttributesCommandParameters
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.SignInStartCommandParameters
+import com.microsoft.identity.common.java.nativeauth.providers.requests.jit.JITChallengeRequest
+import com.microsoft.identity.common.java.nativeauth.providers.requests.jit.JITContinueRequest
+import com.microsoft.identity.common.java.nativeauth.providers.requests.jit.JITIntrospectRequest
 import com.microsoft.identity.common.java.net.HttpConstants
 import com.microsoft.identity.common.java.nativeauth.providers.requests.resetpassword.ResetPasswordChallengeRequest
 import com.microsoft.identity.common.java.nativeauth.providers.requests.resetpassword.ResetPasswordContinueRequest
@@ -71,6 +74,9 @@ class NativeAuthRequestProvider(private val config: NativeAuthOAuth2Configuratio
     private val resetPasswordContinueEndpoint = config.getResetPasswordContinueEndpoint().toString()
     private val resetPasswordSubmitEndpoint = config.getResetPasswordSubmitEndpoint().toString()
     private val resetPasswordPollCompletionEndpoint = config.getResetPasswordPollCompletionEndpoint().toString()
+    private val jitIntrospectEndpoint = config.getJITIntrospectEndpoint().toString()
+    private val jitChallengeEndpoint = config.getJITChallengeEndpoint().toString()
+    private val jitContinueEndpoint = config.getJITContinueEndpoint().toString()
 
     //region /oauth/v2.0/initiate
     /**
@@ -348,6 +354,58 @@ class NativeAuthRequestProvider(private val config: NativeAuthOAuth2Configuratio
     }
     //endregion
 
+    //region /register/introspect
+    internal fun createJITIntrospectRequest(
+        continuationToken: String,
+        correlationId: String
+    ): JITIntrospectRequest {
+        return JITIntrospectRequest.create(
+            continuationToken = continuationToken,
+            clientId = config.clientId,
+            requestUrl = jitIntrospectEndpoint,
+            headers = getRequestHeaders(correlationId)
+        )
+    }
+    //endregion
+
+    //region /register/challenge
+    internal fun createJITChallengeRequest(
+        continuationToken: String,
+        challengeType: String,
+        challengeTarget: String,
+        challengeChannel: String,
+        correlationId: String
+    ): JITChallengeRequest {
+        return JITChallengeRequest.create(
+            continuationToken = continuationToken,
+            challengeType = challengeType,
+            challengeTarget = challengeTarget,
+            challengeChannel = challengeChannel,
+            clientId = config.clientId,
+            requestUrl = jitChallengeEndpoint,
+            headers = getRequestHeaders(correlationId)
+        )
+    }
+    //endregion
+
+    //region /register/continue
+    internal fun createJITContinueRequest(
+        continuationToken: String,
+        grantType: String,
+        code: String,
+        correlationId: String
+    ): JITContinueRequest {
+        return JITContinueRequest.create(
+            continuationToken = continuationToken,
+            grantType = grantType,
+            oob = code,
+            clientId = config.clientId,
+            requestUrl = jitContinueEndpoint,
+            headers = getRequestHeaders(correlationId)
+        )
+    }
+    //endregion
+
     //region helpers
     private fun getRequestHeaders(correlationId: String): Map<String, String?> {
         val headers: MutableMap<String, String?> = TreeMap()