Contributor

@Avery-Dunn Avery-Dunn commented Mar 27, 2025

This PR removes the com.nimbusds.oauth2 dependency from various classes that deal with different grant types, as per #909

The dependency was mainly used by these classes to create maps of different parameters needed for each OAuth grant type, so the changes are mostly the same for each file:

  • Remove com.nimbusds.oauth2.sdk.AuthorizationGrant and various similar imports
  • Replace usages of Nimbus's AuthorizationGrant subclasses with our existing OAuthAuthorizationGrant class
  • Replace Nimbus's AuthorizationGrant.toParameters() method with our own Map<String, List<String>> creation
  • Add a new GrantConstants file for standardized OAuth parameter names and values
  • Refactor older code and remove unused code

@Avery-Dunn Avery-Dunn requested a review from a team as a code owner March 27, 2025 00:17
@Avery-Dunn Avery-Dunn changed the base branch from dev to avdunn/nimbus-removal March 27, 2025 00:19
Member

@bgavrilMS bgavrilMS left a comment

See comments marked with issue

@Avery-Dunn Avery-Dunn requested a review from bgavrilMS March 31, 2025 20:48
…tion-library-for-java into avdunn/nimbus-grants

# Conflicts:
#	msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/OnBehalfOfRequest.java
params.putAll(authGrant.toParameters());

authGrant = new OAuthAuthorizationGrant(updatedGrant, authGrant.getParameters());
authGrant = new OAuthAuthorizationGrant(params, null, null);

Maybe some constructor overloads if null, null is a commonish case.

Contributor Author

This spot and one other in a test were the only places that used a double null, however another also had a null for the third parameter (claims) but not the second (scopes).

In the latest commit I added a constructor that omits the claims parameter, as that's the one that's most likely to be null in a flow.

@billwert billwert left a comment

High level looks good. Two themes:

  1. Replace Map<String, List<String>> as the representation of params with some type with good helpers.
  2. OAuthAuthorizationGrant seems immutable, so it doesn't need to recreate the params and add claims etc every time. Just do it at construction.

} else {
authorizationGrant = new AuthorizationCodeGrant(
new AuthorizationCode(parameters.authorizationCode()), parameters.redirectUri());
params.put("code_verifier", Collections.singletonList(parameters.codeVerifier()));
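
Review bot: on the params.put("code_verifier", ...) line the parameter name is a string literal, while the PR description says a GrantConstants file was added for standardized OAuth parameter names; take the key from that file so the PKCE parameter name is defined in one place. The same line wraps parameters.codeVerifier() with no null check visible in this snippet, so confirm a null verifier cannot reach this put, otherwise the map would carry a list containing null.
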
Member

I am not sure how much of PKCE was handled by nimbus, so please make sure we have enough tests that validate that auth_code uses PKCE. Both desktop and web app scenarios.
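
A sketch of the kind of check the comment above asks for, added here as an example and not code from msal4j or this PR. The class PkceGrantParamsExample and the helpers authCodeParams and carriesValidPkce are hypothetical stand-ins for the library's parameter-building step; the verifier/challenge pair is the test vector from RFC 7636 Appendix B.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class PkceGrantParamsExample {
    // RFC 7636 section 4.2: S256 challenge = BASE64URL(SHA-256(ASCII(code_verifier)))
    static String s256Challenge(String verifier) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    // Hypothetical stand-in for the step that turns a grant into token-request parameters
    static Map<String, List<String>> authCodeParams(String code, String redirectUri, String verifier) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        params.put("grant_type", Collections.singletonList("authorization_code"));
        params.put("code", Collections.singletonList(code));
        params.put("redirect_uri", Collections.singletonList(redirectUri));
        if (verifier != null) {
            params.put("code_verifier", Collections.singletonList(verifier));
        }
        return params;
    }

    // What a test should assert: exactly one well-formed verifier that hashes
    // to the challenge sent earlier in the authorization request
    static boolean carriesValidPkce(Map<String, List<String>> params, String sentChallenge) throws Exception {
        List<String> v = params.get("code_verifier");
        if (v == null || v.size() != 1 || v.get(0) == null) return false;
        // RFC 7636 section 4.1: 43-128 characters from the unreserved set
        if (!v.get(0).matches("[A-Za-z0-9._~-]{43,128}")) return false;
        return MessageDigest.isEqual(
                s256Challenge(v.get(0)).getBytes(StandardCharsets.US_ASCII),
                sentChallenge.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Verifier/challenge pair from RFC 7636 Appendix B; code and redirect URI are constructed
        String verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        Map<String, List<String>> withPkce = authCodeParams("sample-code", "http://localhost", verifier);
        Map<String, List<String>> noPkce = authCodeParams("sample-code", "http://localhost", null);
        System.out.println("with verifier:    " + carriesValidPkce(withPkce, challenge));
        System.out.println("without verifier: " + carriesValidPkce(noPkce, challenge));
    }
}
```

The same assertion applies to both the desktop and web app flows mentioned in the comment: capture the parameters of the outgoing token request and run the check against the challenge that was placed in the authorization URL.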

@Avery-Dunn Avery-Dunn requested a review from billwert April 10, 2025 21:29

if (msalRequest.application().authenticationAuthority.authorityType != AuthorityType.AAD) {
return authGrant;
//Additional processing is only needed if it's a password grant with a non-AAD authority
Member

User Realm discovery needs to be done only for AAD authority. For non-AAD authority, perform the basic grant only.

Member

I think you got the condition correct, but the comment wrong?

Contributor Author

Yep, the if statement correctly exits the method if it's not-AAD, however when writing the comment I just said "non-AAD" because of the != AuthorityType.AAD part

Comment fixed in the latest commit

…tion-library-for-java into avdunn/nimbus-grants

# Conflicts:
#	msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/TokenRequestExecutor.java
@Avery-Dunn Avery-Dunn merged commit 700a850 into avdunn/nimbus-removal Apr 25, 2025
2 of 3 checks passed
@Avery-Dunn Avery-Dunn deleted the avdunn/nimbus-grants branch June 3, 2025 17:05