Expand Up @@ -113,23 +113,11 @@ protected List<AccountRecord> getAccountsFilteredByInternal(@Nullable final Stri
final List<AccountRecord> matchingAccounts = new ArrayList<>();

for (final AccountRecord account : allAccounts) {
boolean matches = true;
if (mustMatchOnHomeAccountId && !StringUtil.equalsIgnoreCaseTrimBoth(homeAccountId, account.getHomeAccountId())) continue;
if (mustMatchOnEnvironment && !StringUtil.equalsIgnoreCaseTrimBoth(environment, account.getEnvironment())) continue;
if (mustMatchOnRealm && !StringUtil.equalsIgnoreCaseTrimBoth(realm, account.getRealm())) continue;

if (mustMatchOnHomeAccountId) {
matches = StringUtil.equalsIgnoreCaseTrimBoth(homeAccountId, account.getHomeAccountId());
}

if (mustMatchOnEnvironment) {
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(environment, account.getEnvironment());
}

if (mustMatchOnRealm) {
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(realm, account.getRealm());
}

if (matches) {
matchingAccounts.add(account);
}
matchingAccounts.add(account);
}

Logger.verbose(
Expand Down Expand Up @@ -191,28 +179,18 @@ protected List<Credential> getCredentialsFilteredByInternal(@NonNull final List<
final List<Credential> matchingCredentials = new ArrayList<>();

for (final Credential credential : allCredentials) {
boolean matches = true;

if (mustMatchOnHomeAccountId) {
matches = StringUtil.equalsIgnoreCaseTrimBoth(homeAccountId, credential.getHomeAccountId());
}
if (mustMatchOnHomeAccountId && !StringUtil.equalsIgnoreCaseTrimBoth(homeAccountId, credential.getHomeAccountId())) continue;

if (mustMatchOnEnvironment) {
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(environment, credential.getEnvironment());
}
if (mustMatchOnEnvironment && !StringUtil.equalsIgnoreCaseTrimBoth(environment, credential.getEnvironment())) continue;

if (mustMatchOnCredentialType) {
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(credentialType.name(), credential.getCredentialType());
}
if (mustMatchOnCredentialType && !StringUtil.equalsIgnoreCaseTrimBoth(credentialType.name(), credential.getCredentialType())) continue;

if (mustMatchOnClientId) {
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(clientId, credential.getClientId());
}
if (mustMatchOnClientId && !StringUtil.equalsIgnoreCaseTrimBoth(clientId, credential.getClientId())) continue;

if (mustMatchOnApplicationIdentifier) {
if (credential instanceof AccessTokenRecord) {
final AccessTokenRecord accessToken = (AccessTokenRecord) credential;
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(applicationIdentifier, accessToken.getApplicationIdentifier());
if(!StringUtil.equalsIgnoreCaseTrimBoth(applicationIdentifier, accessToken.getApplicationIdentifier())) continue;
} else {
Logger.verbose(TAG, "Query specified applicationIdentifier match, but credential type does not have application identifier");
}
Expand All @@ -221,29 +199,31 @@ protected List<Credential> getCredentialsFilteredByInternal(@NonNull final List<
if (mustMatchOnMamEnrollmentIdentifier) {
if (credential instanceof AccessTokenRecord) {
final AccessTokenRecord accessToken = (AccessTokenRecord) credential;
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(mamEnrollmentIdentifier, accessToken.getMamEnrollmentIdentifier());
if(!StringUtil.equalsIgnoreCaseTrimBoth(mamEnrollmentIdentifier, accessToken.getMamEnrollmentIdentifier())) continue;
} else {
Logger.verbose(TAG, "Query specified mamEnrollmentIdentifier match, but credential type does not have MAM enrollment identifier");
}
}

if (mustMatchOnRealm && credential instanceof AccessTokenRecord) {
final AccessTokenRecord accessToken = (AccessTokenRecord) credential;
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(realm, accessToken.getRealm());
}

if (mustMatchOnRealm && credential instanceof IdTokenRecord) {
final IdTokenRecord idToken = (IdTokenRecord) credential;
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(realm, idToken.getRealm());
if (mustMatchOnRealm) {
String tokenRecordRealm = "";
if (credential instanceof AccessTokenRecord) {
final AccessTokenRecord accessToken = (AccessTokenRecord) credential;
tokenRecordRealm = accessToken.getRealm();
} else if (credential instanceof IdTokenRecord) {
final IdTokenRecord idToken = (IdTokenRecord) credential;
tokenRecordRealm = idToken.getRealm();
}
if(!StringUtil.equalsIgnoreCaseTrimBoth(realm, tokenRecordRealm)) continue;
}

if (mustMatchOnTarget) {
if (credential instanceof AccessTokenRecord) {
final AccessTokenRecord accessToken = (AccessTokenRecord) credential;
matches = matches && targetsIntersect(target, accessToken.getTarget(), true);
if(!targetsIntersect(target, accessToken.getTarget(), true)) continue;
} else if (credential instanceof RefreshTokenRecord) {
final RefreshTokenRecord refreshToken = (RefreshTokenRecord) credential;
matches = matches && targetsIntersect(target, refreshToken.getTarget(), true);
if(!targetsIntersect(target, refreshToken.getTarget(), true)) continue;
} else {
Logger.verbose(TAG, "Query specified target-match, but no target to match.");
}
Expand All @@ -252,40 +232,35 @@ protected List<Credential> getCredentialsFilteredByInternal(@NonNull final List<
if (mustMatchOnAuthScheme && credential instanceof AccessTokenRecord) {
final AccessTokenRecord accessToken = (AccessTokenRecord) credential;
String atType = accessToken.getAccessTokenType();

if (null != atType) {
atType = atType.trim();
}

if (TokenRequest.TokenType.POP.equalsIgnoreCase(atType)) {
matches = matches && (
authScheme.equalsIgnoreCase(PopAuthenticationSchemeWithClientKeyInternal.SCHEME_POP_WITH_CLIENT_KEY)
|| authScheme.equalsIgnoreCase(PopAuthenticationSchemeInternal.SCHEME_POP)
);
} else {
matches = matches && authScheme.equalsIgnoreCase(atType);
}
if (!(authScheme.equalsIgnoreCase(PopAuthenticationSchemeWithClientKeyInternal.SCHEME_POP_WITH_CLIENT_KEY)
|| authScheme.equalsIgnoreCase(PopAuthenticationSchemeInternal.SCHEME_POP))) {
continue;
}
} else if (!authScheme.equalsIgnoreCase(atType)) continue;
}

if(mustMatchOnKid && credential instanceof AccessTokenRecord) {
final AccessTokenRecord accessToken = (AccessTokenRecord) credential;
matches = matches && kid.equalsIgnoreCase(accessToken.getKid());
if (!kid.equalsIgnoreCase(accessToken.getKid())) continue;
}

if (mustMatchOnRequestedClaims || mustMatchExactClaims) {
if (credential instanceof AccessTokenRecord) {
final AccessTokenRecord accessToken = (AccessTokenRecord) credential;
if(!(mustMatchExactClaims && StringUtil.isNullOrEmpty(requestedClaims) && StringUtil.isNullOrEmpty(accessToken.getRequestedClaims()))) {
matches = matches && StringUtil.equalsIgnoreCaseTrimBoth(requestedClaims, accessToken.getRequestedClaims());
if(!StringUtil.equalsIgnoreCaseTrimBoth(requestedClaims, accessToken.getRequestedClaims())) continue;
}
} else {
Logger.verbose(TAG, "Query specified requested_claims-match, but attempted to match with non-AT credential type.");
}
}

if (matches) {
matchingCredentials.add(credential);
}
matchingCredentials.add(credential);
}

return matchingCredentials;
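Review bot: In the rewritten `mustMatchOnRealm` block, a credential that is neither an `AccessTokenRecord` nor an `IdTokenRecord` keeps `tokenRecordRealm = ""` and is then compared with the requested realm, so it is skipped whenever the query names a realm (assuming `equalsIgnoreCaseTrimBoth` treats a non-empty realm and `""` as unequal, which is not visible here). As far as the old and new lines can be told apart on this page, the removed code applied the realm test only to access-token and ID-token records and let other types such as `RefreshTokenRecord` through, so this looks like a behaviour change inside a refactor. If it is unintended, do the comparison inside each branch, e.g. `if (!StringUtil.equalsIgnoreCaseTrimBoth(realm, accessToken.getRealm())) continue;`, and leave record types without a realm alone. If it is intended, a comment and a test for a realm-qualified refresh-token query would pin it down. The method body starts and ends outside the visible hunks.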
Expand Up @@ -66,7 +66,6 @@
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import edu.umd.cs.findbugs.annotations.Nullable;
import lombok.NonNull;
Expand Down Expand Up @@ -1092,16 +1091,45 @@ public AccountRecord getAccountByLocalAccountId(@Nullable final String environme
@NonNull final String clientId,
@NonNull final String localAccountId) {
final String methodName = ":getAccountByLocalAccountId";

final List<AccountRecord> accounts = getAccounts(environment, clientId);

Logger.verbosePII(
TAG + methodName,
"LocalAccountId: [" + localAccountId + "]"
);

for (final AccountRecord account : accounts) {
if (localAccountId.equals(account.getLocalAccountId())) {
List<AccountRecord> accountsFilteredByEnvAndLocalAccountId = new ArrayList<>();
List<AccountRecord> accountRecordList = mAccountCredentialCache.getAccounts();
for (AccountRecord accountRecord: accountRecordList) {
if (accountRecord.getLocalAccountId().equals(localAccountId)
&& accountRecord.getEnvironment().equals(environment)) {
accountsFilteredByEnvAndLocalAccountId.add(accountRecord);
}
}

Logger.verbose(
TAG + methodName,
"Found " + accountsFilteredByEnvAndLocalAccountId.size() + " accounts for this environment" +
" and localAccountId"
);

final Set<CredentialType> credentialTypes = new HashSet<>(
Arrays.asList(IdToken, V1IdToken, RefreshToken)
);

final List<Credential> appCredentials = mAccountCredentialCache.getCredentialsFilteredBy(
null, // homeAccountId
environment,
credentialTypes,
clientId,
null,
null,
null,
null,
null,
null
);

for (final AccountRecord account : accountsFilteredByEnvAndLocalAccountId) {
if (accountHasCredential(account, appCredentials)) {
return account;
}
}
Expand Down Expand Up @@ -1355,20 +1383,17 @@ private CredentialType getAccessTokenCredentialTypeForAuthenticationScheme(
private boolean accountHasCredential(@NonNull final AccountRecord account,
@NonNull final List<Credential> appCredentials) {
final String methodName = ":accountHasCredential";

final String accountHomeId = account.getHomeAccountId();
final String accountEnvironment = account.getEnvironment();

Logger.verbosePII(
TAG + methodName,
"HomeAccountId: [" + accountHomeId + "]"
+ "\n"
+ "Environment: [" + accountEnvironment + "]"
);

// Since we already filtered accounts and credentials by environment, there is no need to check
// environment again
for (final Credential credential : appCredentials) {
if (accountHomeId.equals(credential.getHomeAccountId())
&& accountEnvironment.equals(credential.getEnvironment())) {
if (accountHomeId.equals(credential.getHomeAccountId())) {
Logger.verbose(
TAG + methodName,
"Credentials located for account."
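Review bot: The new loop in `getAccountByLocalAccountId` calls `accountRecord.getLocalAccountId().equals(localAccountId)` and `accountRecord.getEnvironment().equals(environment)`, which throws a NullPointerException if a cached record has a null field and never matches when `environment` is null, although that parameter is declared `@Nullable`. The removed code used the `@NonNull` argument as the receiver and passed `environment` to `getAccounts(environment, clientId)`, which presumably handled a null environment. Keep the argument as the receiver, `localAccountId.equals(accountRecord.getLocalAccountId())`, and handle a null `environment` explicitly. The exact `equals` on environment is also stricter than the `equalsIgnoreCaseTrimBoth` comparison the cache filter uses. Related: `accountHasCredential` now matches on `homeAccountId` alone, so it is only correct if every caller has already filtered both lists by environment, and the other callers are outside these hunks.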