concurrent token refresh fix for managed identity and app token provider (cc) (#4309)

* mi

* app token

* Apply suggestions from code review

Co-authored-by: Peter <[email protected]>

* pr comments

* pr comments

* pr comments

* verbose logging

* pr comments

* Update src/client/Microsoft.Identity.Client/Internal/Requests/ManagedIdentityAuthRequest.cs

Co-authored-by: Peter <[email protected]>

* mi fix

* few more edits

* app token provider

* edits

* Apply suggestions from code review

Co-authored-by: Peter <[email protected]>

* pr comments

* pr comments

* ProactivelyRefreshed

* move around

---------

Co-authored-by: Gladwin Johnson <[email protected]>
Co-authored-by: Peter <[email protected]>

Author: 3 people

LibsAndSamples.sln

@@ -241,6 +241,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "WAMMauiApp", "tests\devapps
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Test.Integration.NetCore", "tests\Microsoft.Identity.Test.Integration.netcore\Microsoft.Identity.Test.Integration.NetCore.csproj", "{C5902FA4-CC11-43E8-B7E3-192B5FFA1C40}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "NetCoreTestApp", "tests\devapps\NetCoreTestApp\NetCoreTestApp.csproj", "{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}"
+EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.Identity.Client.Extensions", "src\client\Microsoft.Identity.Client.Extensions\Microsoft.Identity.Client.Extensions.csproj", "{870F5BB7-68E4-44D5-B50A-71F41B1E726E}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "src", "src", "{1A37FD75-94E9-4D6F-953A-0DABBD7B49E9}"
@@ -2649,6 +2651,48 @@ Global
 		{C5902FA4-CC11-43E8-B7E3-192B5FFA1C40}.Release|x64.Build.0 = Release|Any CPU
 		{C5902FA4-CC11-43E8-B7E3-192B5FFA1C40}.Release|x86.ActiveCfg = Release|Any CPU
 		{C5902FA4-CC11-43E8-B7E3-192B5FFA1C40}.Release|x86.Build.0 = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|Any CPU.ActiveCfg = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|Any CPU.Build.0 = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|ARM.ActiveCfg = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|ARM.Build.0 = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|ARM64.ActiveCfg = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|ARM64.Build.0 = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|iPhone.ActiveCfg = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|iPhone.Build.0 = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|iPhoneSimulator.ActiveCfg = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|iPhoneSimulator.Build.0 = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|x64.ActiveCfg = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|x64.Build.0 = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|x86.ActiveCfg = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug + MobileApps|x86.Build.0 = Debug + MobileApps|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|ARM.ActiveCfg = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|ARM.Build.0 = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|ARM64.ActiveCfg = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|ARM64.Build.0 = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|iPhone.ActiveCfg = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|iPhone.Build.0 = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|iPhoneSimulator.ActiveCfg = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|iPhoneSimulator.Build.0 = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|x64.Build.0 = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Debug|x86.Build.0 = Debug|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|Any CPU.Build.0 = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|ARM.ActiveCfg = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|ARM.Build.0 = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|ARM64.ActiveCfg = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|ARM64.Build.0 = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|iPhone.ActiveCfg = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|iPhone.Build.0 = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|iPhoneSimulator.ActiveCfg = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|iPhoneSimulator.Build.0 = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|x64.ActiveCfg = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|x64.Build.0 = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|x86.ActiveCfg = Release|Any CPU
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572}.Release|x86.Build.0 = Release|Any CPU
 		{870F5BB7-68E4-44D5-B50A-71F41B1E726E}.Debug + MobileApps|Any CPU.ActiveCfg = Debug|Any CPU
 		{870F5BB7-68E4-44D5-B50A-71F41B1E726E}.Debug + MobileApps|Any CPU.Build.0 = Debug|Any CPU
 		{870F5BB7-68E4-44D5-B50A-71F41B1E726E}.Debug + MobileApps|ARM.ActiveCfg = Debug|Any CPU
@@ -2808,6 +2852,7 @@ Global
 		{4EA542D2-D4C9-403C-B615-0047D0A62790} = {5FAAD966-36B8-4C19-A5FA-5410DD53063D}
 		{1B047736-9325-4F59-906B-89A3E12AC8FB} = {5FAAD966-36B8-4C19-A5FA-5410DD53063D}
 		{C5902FA4-CC11-43E8-B7E3-192B5FFA1C40} = {9B0B5396-4D95-4C15-82ED-DC22B5A3123F}
+		{4BEDCC7F-C027-4326-BAE4-AD62C1CD5572} = {384BA371-F17F-4A70-9423-D54F71BB3FCB}
 		{870F5BB7-68E4-44D5-B50A-71F41B1E726E} = {1A37FD75-94E9-4D6F-953A-0DABBD7B49E9}
 		{74805FE3-2E0D-4EAB-8CFE-A9D46F8D5972} = {34BE693E-3496-45A4-B1D2-D3A0E068EEDB}
 		{92064C48-0136-48CD-AE8D-C6FEDBC7B639} = {74805FE3-2E0D-4EAB-8CFE-A9D46F8D5972}

src/client/Microsoft.Identity.Client/Internal/Requests/ClientCredentialRequest.cs

@@ -17,6 +17,7 @@ namespace Microsoft.Identity.Client.Internal.Requests
     internal class ClientCredentialRequest : RequestBase
     {
         private readonly AcquireTokenForClientParameters _clientParameters;
+        private static readonly SemaphoreSlim s_semaphoreSlim = new SemaphoreSlim(1, 1);
 
         public ClientCredentialRequest(
             IServiceBundle serviceBundle,
@@ -36,106 +37,128 @@ protected override async Task<AuthenticationResult> ExecuteAsync(CancellationTok
                     MsalErrorMessage.ScopesRequired);
             }
 
-            MsalAccessTokenCacheItem cachedAccessTokenItem = null;
-            var logger = AuthenticationRequestParameters.RequestContext.Logger;
-            CacheRefreshReason cacheInfoTelemetry = CacheRefreshReason.NotApplicable;
-
-            AuthenticationResult authResult = null;
+            ILoggerAdapter logger = AuthenticationRequestParameters.RequestContext.Logger;
 
             if (AuthenticationRequestParameters.Authority is AadAuthority aadAuthority &&
                 aadAuthority.IsCommonOrOrganizationsTenant())
             {
                 logger.Error(MsalErrorMessage.ClientCredentialWrongAuthority);
             }
 
-            if (!_clientParameters.ForceRefresh &&
-                string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
+            AuthenticationResult authResult = null;
+
+            //skip checking cache for force refresh or when claims are present
+            if (_clientParameters.ForceRefresh || !string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
             {
-                cachedAccessTokenItem = await CacheManager.FindAccessTokenAsync().ConfigureAwait(false);
+                AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ForceRefreshOrClaims;
+                logger.Info("[ClientCredentialRequest] Skipped looking for an Access Token in the cache because ForceRefresh was set.");
+                authResult = await GetAccessTokenAsync(cancellationToken, logger).ConfigureAwait(false);
+                return authResult;
+            }
 
-                if (cachedAccessTokenItem != null)
-                {
-                    AuthenticationRequestParameters.RequestContext.ApiEvent.IsAccessTokenCacheHit = true;
+            //check cache for AT
+            MsalAccessTokenCacheItem cachedAccessTokenItem = await GetCachedAccessTokenAsync().ConfigureAwait(false);
 
-                    Metrics.IncrementTotalAccessTokensFromCache();
-                    authResult = new AuthenticationResult(
-                                                            cachedAccessTokenItem,
-                                                            null,
-                                                            AuthenticationRequestParameters.AuthenticationScheme,
-                                                            AuthenticationRequestParameters.RequestContext.CorrelationId,
-                                                            TokenSource.Cache,
-                                                            AuthenticationRequestParameters.RequestContext.ApiEvent,
-                                                            account: null,
-                                                            spaAuthCode: null,
-                                                            additionalResponseParameters: null);
-                }
-                else
+            if (cachedAccessTokenItem != null)
+            {
+                //return the token in the cache and check if it needs to be proactively refreshed
+                authResult = CreateAuthenticationResultFromCache(cachedAccessTokenItem);
+
+                try
                 {
-                    if (AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo != CacheRefreshReason.Expired)
+                    var proactivelyRefresh = SilentRequestHelper.NeedsRefresh(cachedAccessTokenItem);
+
+                    // may fire a request to get a new token in the background when AT needs to be refreshed
+                    if (proactivelyRefresh)
                     {
-                        cacheInfoTelemetry = CacheRefreshReason.NoCachedAccessToken;
+                        AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ProactivelyRefreshed;
+
+                        SilentRequestHelper.ProcessFetchInBackground(
+                        cachedAccessTokenItem,
+                        () => GetAccessTokenAsync(cancellationToken, logger), logger);
                     }
                 }
+                catch (MsalServiceException e)
+                {
+                    return await HandleTokenRefreshErrorAsync(e, cachedAccessTokenItem).ConfigureAwait(false);
+                }
             }
             else
             {
-                cacheInfoTelemetry = CacheRefreshReason.ForceRefreshOrClaims;
-                logger.Info("Skipped looking for an Access Token in the cache because ForceRefresh or Claims were set. ");
+                //  No AT in the cache 
+                if (AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo != CacheRefreshReason.Expired)
+                {
+                    AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.NoCachedAccessToken;
+                }
+
+                authResult = await GetAccessTokenAsync(cancellationToken, logger).ConfigureAwait(false);
             }
 
-            if (AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo == CacheRefreshReason.NotApplicable)
+            return authResult;
+        }
+
+        private async Task<AuthenticationResult> GetAccessTokenAsync(
+            CancellationToken cancellationToken, 
+            ILoggerAdapter logger)
+        {
+            await ResolveAuthorityAsync().ConfigureAwait(false);
+
+            //calls sent to AAD
+            if (ServiceBundle.Config.AppTokenProvider == null)
             {
-                AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = cacheInfoTelemetry;
+                MsalTokenResponse msalTokenResponse = await SendTokenRequestAsync(GetBodyParameters(), cancellationToken).ConfigureAwait(false);
+                return await CacheTokenResponseAndCreateAuthenticationResultAsync(msalTokenResponse).ConfigureAwait(false);
             }
 
-            // No AT in the cache or AT needs to be refreshed
+            //calls sent to app token provider
+            AuthenticationResult authResult;
+            MsalAccessTokenCacheItem cachedAccessTokenItem = null;
+
             try
             {
-                if (cachedAccessTokenItem == null)
+                //allow only one call to the provider 
+                logger.Verbose(() => "[ClientCredentialRequest] Entering token acquire for client credential request semaphore.");
+                await s_semaphoreSlim.WaitAsync(cancellationToken).ConfigureAwait(false);
+                logger.Verbose(() => "[ClientCredentialRequest] Entered token acquire for client credential request semaphore.");
+                
+                // Bypass cache and send request to token endpoint, when 
+                // 1. Force refresh is requested, or
+                // 2. Claims are passed, or 
+                // 3. If the AT needs to be refreshed pro-actively 
+                if (_clientParameters.ForceRefresh ||
+                    AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo == CacheRefreshReason.ProactivelyRefreshed ||
+                    !string.IsNullOrEmpty(AuthenticationRequestParameters.Claims))
                 {
-                    authResult = await FetchNewAccessTokenAsync(cancellationToken).ConfigureAwait(false);
+                    authResult = await SendTokenRequestToAppTokenProviderAsync(logger, cancellationToken).ConfigureAwait(false);
                 }
                 else
                 {
-                    var shouldRefresh = SilentRequestHelper.NeedsRefresh(cachedAccessTokenItem);
+                    cachedAccessTokenItem = await GetCachedAccessTokenAsync().ConfigureAwait(false);
 
-                    // may fire a request to get a new token in the background
-                    if (shouldRefresh)
+                    if (cachedAccessTokenItem == null)
                     {
-                        AuthenticationRequestParameters.RequestContext.ApiEvent.CacheInfo = CacheRefreshReason.ProactivelyRefreshed;
-
-                        SilentRequestHelper.ProcessFetchInBackground(
-                        cachedAccessTokenItem,
-                        () => FetchNewAccessTokenAsync(cancellationToken), logger);
+                        authResult = await SendTokenRequestToAppTokenProviderAsync(logger, cancellationToken).ConfigureAwait(false);
+                    }
+                    else
+                    {
+                        logger.Verbose(() => "[ClientCredentialRequest] Getting Access token from cache ...");
+                        authResult = CreateAuthenticationResultFromCache(cachedAccessTokenItem);
                     }
                 }
-
+                
                 return authResult;
             }
-            catch (MsalServiceException e)
+            finally
             {
-                return await HandleTokenRefreshErrorAsync(e, cachedAccessTokenItem).ConfigureAwait(false);
+                s_semaphoreSlim.Release();
+                logger.Verbose(() => "[ClientCredentialRequest] Released token acquire for client credential request semaphore.");
             }
         }
 
-        private async Task<AuthenticationResult> FetchNewAccessTokenAsync(CancellationToken cancellationToken)
-        {
-            await ResolveAuthorityAsync().ConfigureAwait(false);
-            MsalTokenResponse msalTokenResponse;
-            if (ServiceBundle.Config.AppTokenProvider != null)
-            {
-                msalTokenResponse = await SendTokenRequestToProviderAsync(cancellationToken).ConfigureAwait(false);
-            }
-            else
-            {
-                msalTokenResponse = await SendTokenRequestAsync(GetBodyParameters(), cancellationToken).ConfigureAwait(false);
-            }
-
-            return await CacheTokenResponseAndCreateAuthenticationResultAsync(msalTokenResponse).ConfigureAwait(false);
-        }
-
-        private async Task<MsalTokenResponse> SendTokenRequestToProviderAsync(CancellationToken cancellationToken)
+        private async Task<AuthenticationResult> SendTokenRequestToAppTokenProviderAsync(ILoggerAdapter logger, 
+            CancellationToken cancellationToken)
         {
+            logger.Info("[ClientCredentialRequest] Sending Token response to client credential request endpoint ...");
             AppTokenProviderParameters appTokenProviderParameters = new AppTokenProviderParameters
             {
                 Scopes = GetOverriddenScopes(AuthenticationRequestParameters.Scope),
@@ -150,7 +173,40 @@ private async Task<MsalTokenResponse> SendTokenRequestToProviderAsync(Cancellati
             var tokenResponse = MsalTokenResponse.CreateFromAppProviderResponse(externalToken);
             tokenResponse.Scope = appTokenProviderParameters.Scopes.AsSingleString();
             tokenResponse.CorrelationId = appTokenProviderParameters.CorrelationId;
-            return tokenResponse;
+
+            AuthenticationResult authResult = await CacheTokenResponseAndCreateAuthenticationResultAsync(tokenResponse)
+                .ConfigureAwait(false);
+
+            return authResult;
+        }
+
+        private async Task<MsalAccessTokenCacheItem> GetCachedAccessTokenAsync()
+        {
+            MsalAccessTokenCacheItem cachedAccessTokenItem = await CacheManager.FindAccessTokenAsync().ConfigureAwait(false);
+
+            if (cachedAccessTokenItem != null && !_clientParameters.ForceRefresh)
+            {
+                AuthenticationRequestParameters.RequestContext.ApiEvent.IsAccessTokenCacheHit = true;
+                Metrics.IncrementTotalAccessTokensFromCache();
+                return cachedAccessTokenItem;
+            }
+
+            return null;
+        }
+
+        private AuthenticationResult CreateAuthenticationResultFromCache(MsalAccessTokenCacheItem cachedAccessTokenItem)
+        {
+            AuthenticationResult authResult = new AuthenticationResult(
+                                                            cachedAccessTokenItem,
+                                                            null,
+                                                            AuthenticationRequestParameters.AuthenticationScheme,
+                                                            AuthenticationRequestParameters.RequestContext.CorrelationId,
+                                                            TokenSource.Cache,
+                                                            AuthenticationRequestParameters.RequestContext.ApiEvent,
+                                                            account: null,
+                                                            spaAuthCode: null,
+                                                            additionalResponseParameters: null);
+            return authResult;
         }
 
         protected override SortedSet<string> GetOverriddenScopes(ISet<string> inputScopes)