Skip to content

Fix panic in AcquireTokenSilent for public clients due to nil Credential #581

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Nov 4, 2025
Merged

Fix panic in AcquireTokenSilent for public clients due to nil Credential #581

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
191432a
Added a guard for public client refreshing through credential
4gust Sep 9, 2025
4d33507
refreshing token when refresh_on is present and added test
4gust Sep 9, 2025
fd4970d
Updated test name
4gust Sep 9, 2025
a91bfd2
Added test for authcode for confidential client
4gust Oct 29, 2025
93e748b
updated code based on comment
4gust Nov 3, 2025
776d345
Update apps/internal/base/base.go
4gust Nov 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 71 additions & 0 deletions apps/confidential/confidential_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -432,6 +432,77 @@ func TestAcquireTokenByAuthCode(t *testing.T) {
}
}

func TestAcquireTokenByAuthCodeTokenExpiry(t *testing.T) {
accessToken := "initial-access-token"
newAccessToken := "new-access-token"
homeTenant := "home-tenant"
clientInfo := base64.RawStdEncoding.EncodeToString([]byte(
fmt.Sprintf(`{"uid":"uid","utid":"%s"}`, homeTenant),
))
lmo := "login.microsoftonline.com"

originalTime := base.Now
defer func() {
base.Now = originalTime
}()

cred, err := NewCredFromSecret(fakeSecret)
if err != nil {
t.Fatal(err)
}

mockClient := mock.NewClient()
mockClient.AppendResponse(mock.WithBody(mock.GetTenantDiscoveryBody(lmo, "common")))
mockClient.AppendResponse(mock.WithBody(mock.GetAccessTokenBody(accessToken, mock.GetIDToken(homeTenant, fmt.Sprintf(authorityFmt, lmo, homeTenant)), "rt", clientInfo, 36000, 1000)))
mockClient.AppendResponse(mock.WithBody(mock.GetAccessTokenBody(newAccessToken, mock.GetIDToken(homeTenant, fmt.Sprintf(authorityFmt, lmo, homeTenant)), "rt", clientInfo, 36000, 1000)))

client, err := New(fmt.Sprintf(authorityFmt, lmo, "common"), fakeClientID, cred, WithHTTPClient(mockClient), WithInstanceDiscovery(false))
if err != nil {
t.Fatal(err)
}

// Acquire token using auth code
ar, err := client.AcquireTokenByAuthCode(context.Background(), "code", "https://localhost", tokenScope)
if err != nil {
t.Fatal(err)
}
if ar.AccessToken != accessToken {
t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
}

account := ar.Account

// First silent call should return cached token
ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
if err != nil {
t.Fatal(err)
}
if ar.AccessToken != accessToken {
t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
}
if ar.Metadata.TokenSource != base.TokenSourceCache {
t.Fatalf("expected token source %v, got %v", base.TokenSourceCache, ar.Metadata.TokenSource)
}

// Move time forward past RefreshOn (1001 seconds)
fixedTime := time.Now().Add(time.Duration(1001) * time.Second)
base.Now = func() time.Time {
return fixedTime
}

// Second silent call should automatically refresh and return new token
ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
if err != nil {
t.Fatal(err)
}
if ar.AccessToken != newAccessToken {
t.Fatalf("expected %q, got %q", newAccessToken, ar.AccessToken)
}
// Verify the token came from the identity provider (refresh), not cache
if ar.Metadata.TokenSource != base.TokenSourceIdentityProvider {
t.Fatalf("expected token source %v, got %v", base.TokenSourceIdentityProvider, ar.Metadata.TokenSource)
}
}
func TestInvalidJsonErrFromResponse(t *testing.T) {
cred, err := NewCredFromSecret(fakeSecret)
if err != nil {
Expand Down
15 changes: 13 additions & 2 deletions apps/internal/base/base.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -367,8 +367,19 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen
// If the token is not same, we don't need to refresh it.
// Which means it refreshed.
if str, err := m.Read(ctx, authParams); err == nil && str.AccessToken.Secret == ar.AccessToken {
if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {
return b.AuthResultFromToken(ctx, authParams, tr)
switch silent.RequestType {
case accesstokens.ATConfidential:
if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {
return b.AuthResultFromToken(ctx, authParams, tr)
}
case accesstokens.ATPublic:
token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, silent.Credential, storageTokenResponse.RefreshToken)
if err != nil {
return ar, err
}
return b.AuthResultFromToken(ctx, authParams, token)
case accesstokens.ATUnknown:
return ar, errors.New("silent request type cannot be ATUnknown")
}
}
}
Expand Down
56 changes: 56 additions & 0 deletions apps/public/public_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import (
"time"

"github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base"
internalTime "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/json/types/time"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/mock"
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/fake"
Expand Down Expand Up @@ -1046,3 +1047,58 @@ func getNewClientWithMockedResponses(

return client, nil
}

func TestAcquireTokenSilentWithRefreshOnIsExpired(t *testing.T) {
accessToken := "*"
homeTenant := "home-tenant"
clientInfo := base64.RawStdEncoding.EncodeToString([]byte(
fmt.Sprintf(`{"uid":"uid","utid":"%s"}`, homeTenant),
))
lmo := "login.microsoftonline.com"
originalTime := base.Now
defer func() {
base.Now = originalTime
}()
mockClient := mock.NewClient()
mockClient.AppendResponse(mock.WithBody(mock.GetTenantDiscoveryBody(lmo, "common")))
mockClient.AppendResponse(mock.WithBody(mock.GetAccessTokenBody(accessToken, mock.GetIDToken(homeTenant, fmt.Sprintf(authorityFmt, lmo, homeTenant)), "rt", clientInfo, 36000, 1000)))
mockClient.AppendResponse(mock.WithBody(mock.GetAccessTokenBody("new-"+accessToken, mock.GetIDToken(homeTenant, fmt.Sprintf(authorityFmt, lmo, homeTenant)), "rt", clientInfo, 36000, 1000)))

client, err := New("common",
WithAuthority(fmt.Sprintf(authorityFmt, lmo, "common")),
WithHTTPClient(mockClient),
WithInstanceDiscovery(false))
if err != nil {
t.Fatal(err)
}
// the auth flow isn't important, we just need to populate the cache
ar, err := client.AcquireTokenByAuthCode(context.Background(), "code", "https://localhost", tokenScope)
if err != nil {
t.Fatal(err)
}
if ar.AccessToken != accessToken {
t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
}
account := ar.Account
ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
if err != nil {
t.Fatal(err)
}
if ar.AccessToken != accessToken {
t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
}
// moving time forward to expire the current token
fixedTime := time.Now().Add(time.Duration(36001) * time.Second)
base.Now = func() time.Time {
return fixedTime
}
// calling the acquire token again
ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
if err != nil {
t.Fatal(err)
}
if ar.AccessToken != "new-"+accessToken {
t.Fatalf("expected %q, got %q", "new-"+accessToken, ar.AccessToken)
}

}
Loading