Release 1.12.0 (#507)

* Initial commit

* fix: Correct scope for test dependency in POM

The `azure-security-keyvault-secrets` test dependency was include twice
and without the correct `test` scope.

* Updated keyvault secrets version

* Allow client assertion to be a callback and a per-request parameter (#482)

* Allow creating a client assertion from a callback

* Allow client credentials as a per-request parameter

* Minor changes to fix build issues

* Bump version numbers for 1.11.3 release (#484)

* Revert unintentional commit

* Add client_id to http request

* Retrigger the build

* Moving code to be executed for all client_Assertion requests

* Update README.md

* Update README.md

* Update README.md

* Update README.md

* Cause the User Principal to be Serializable when held in the HttpSession
as an attribute. This allows the J2EE web.xml "distributable" tag to
work.

https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/html/development_guide/clustering_in_web_applications

* Update oauth2-oidc-sdk dependency

* Changes in the relevant classes

* Update error message when Authority does not contain path

* Update IllegalArgumentExceptionMessages.java

fix typo

* Fix java.io.IOException: too many bytes written (#453)

Current implementation relies on system location for getting bytes, and if it is not "UTF-8" underlying outputstream will error with 
```java.io.IOException: too many bytes written```

Also fixed minor bug with wrong message being output

* Add trailing slash to authorities in silent calls (#431)

* Add trailing slash to authorities in silent calls

* Move trailing slash helper method to Authority class

* Silent calls now use cached environment info (#427)

* issue #428 resolution

* Fixed failing tests

* Updated vulnerable libraries' versions

* Revert some changes from the old PR

* Update regional endpoints (#504)

* Minor fixes/enhancements

* Update regional endpoint formatting

* Changelog and version changes for 1.12 release (#506)

Co-authored-by: siddhijain <[email protected]>
Co-authored-by: B. Schellhaas <[email protected]>
Co-authored-by: DidunAyodeji <[email protected]>
Co-authored-by: Dave Smith (Middleware Support) <[email protected]>
Co-authored-by: Matt Mazzola <[email protected]>
Co-authored-by: Marcelo Castro <[email protected]>

Author: 7 people

README.md

@@ -4,19 +4,19 @@
 --------------------|-----------------|---------------
 [![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/CI/Java/MSAL%20Java%20CI%20Build?branchName=main)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=762) | [![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/CI/Java/MSAL%20Java%20CI%20Build?branchName=dev)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=762)| [![Javadocs](http://javadoc.io/badge/com.microsoft.azure/msal4j.svg)](http://javadoc.io/doc/com.microsoft.azure/msal4j)
 
-The Microsoft Authentication Library for Java (MSAL4J) enables applications to integrate with the [Microsoft identity platform](https://aka.ms/aaddevv2). It allows you to sign in users or apps with Microsoft identities (Azure AD, Microsoft accounts and Azure AD B2C accounts) and obtain tokens to call Microsoft APIs such as [Microsoft Graph](https://graph.microsoft.io/) or your own APIs registered with the Microsoft identity platform. It is built using industry standard OAuth2 and OpenID Connect protocols.
+The Microsoft Authentication Library for Java (MSAL4J) enables applications to integrate with the [Microsoft identity platform](https://docs.microsoft.com/en-us/azure/active-directory/develop/). It allows you to sign in users or apps with Microsoft identities (Azure AD, Microsoft accounts and Azure AD B2C accounts) and obtain tokens to call Microsoft APIs such as [Microsoft Graph](https://graph.microsoft.io/) or your own APIs registered with the Microsoft identity platform. It is built using industry standard OAuth2 and OpenID Connect protocols.
 
 Quick links:
 
-| [Getting Started](https://docs.microsoft.com/azure/active-directory/develop/quickstart-v2-java-webapp) | [Docs](https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki) | [Samples](https://aka.ms/aaddevsamplesv2) | [Support](README.md#community-help-and-support) | [Feedback](https://forms.office.com/r/6AhHwQp3pe)
+| [Getting Started](https://docs.microsoft.com/en-us/azure/active-directory/develop/web-app-quickstart?pivots=devlang-java) | [Home](https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki) | [Samples](https://github.com/Azure-Samples/ms-identity-msal-java-samples) | [Support](README.md#community-help-and-support) | [Feedback](https://forms.office.com/r/6AhHwQp3pe)
 | --- | --- | --- | --- | --- |
 
 ## Install
 
 The library supports the following Java environments:
 - Java 8 (or higher)
 
-Current version - 1.11.3
+Current version - 1.12.0
 
 You can find the changes for each version in the [change log](https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/master/changelog.txt).
 
@@ -28,12 +28,12 @@ Find [the latest package in the Maven repository](https://mvnrepository.com/arti
 <dependency>
     <groupId>com.microsoft.azure</groupId>
     <artifactId>msal4j</artifactId>
-    <version>1.11.3</version>
+    <version>1.12.0</version>
 </dependency>
 ```
 ### Gradle
 
-compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.11.3'
+compile group: 'com.microsoft.azure', name: 'msal4j', version: '1.12.0'
 
 ## Usage
 
@@ -58,7 +58,7 @@ This project has adopted the Microsoft Open Source Code of Conduct. For more inf
 
 ## Samples and Documentation
 
-We provide a [full suite of sample applications](https://aka.ms/aaddevsamplesv2) and [documentation](https://aka.ms/aaddevv2) to help you get started with learning the Microsoft identity platform.
+We provide a [full suite of sample applications](https://aka.ms/aaddevsamplesv2) and [documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/) to help you get started with learning the Microsoft identity platform.
 
 ## Community Help and Support
 

changelog.txt

@@ -1,3 +1,9 @@
+Version 1.12.0
+=============
+- Updates several dependencies to avoid security vulnerabilities
+- Improves serialization of ID tokens and authentication results
+- Various bug fixes related to authority paths, regional endpoints, and unclear logs
+
 Version 1.11.3
 =============
 - Allow client assertions as callbacks and as per-request parameters

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.azure</groupId>
 	<artifactId>msal4j</artifactId>
-	<version>1.11.3</version>
+	<version>1.12.0</version>
 	<packaging>jar</packaging>
 	<name>msal4j</name>
 	<description>
@@ -36,12 +36,17 @@
         <dependency>
             <groupId>com.nimbusds</groupId>
             <artifactId>oauth2-oidc-sdk</artifactId>
-            <version>9.22.1</version>
+            <version>9.32</version>
+        </dependency>
+        <dependency>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+            <version>2.4.8</version>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
-            <version>1.7.28</version>
+            <version>1.7.36</version>
         </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
@@ -52,7 +57,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.12.1</version>
+            <version>2.13.2.1</version>
         </dependency>
 
         <!-- test dependencies -->

src/integrationtest/java/com.microsoft.aad.msal4j/AcquireTokenInteractiveIT.java

@@ -167,19 +167,35 @@ private void assertAcquireTokenInstanceAware(User user) {
         Assert.assertNotEquals(pca.authenticationAuthority.host, result.environment());
         Assert.assertEquals(result.account().environment(), result.environment());
         Assert.assertEquals(result.account().environment(), pca.getAccounts().join().iterator().next().environment());
+
+        IAuthenticationResult cachedResult;
+        try {
+            cachedResult = acquireTokenSilently(pca, result.account(), cfg.graphDefaultScope());
+        } catch (Exception ex) {
+            throw new RuntimeException(ex.getMessage());
+        }
+
+        //Ensure that the cached environment matches the original auth result environment (.us) instead of the client app's (.com)
+        Assert.assertEquals(result.account().environment(), cachedResult.environment());
     }
 
     @Test
     public void acquireTokensInHomeAndGuestClouds_ArlingtonAccount() throws MalformedURLException, ExecutionException, InterruptedException {
-        acquireTokensInHomeAndGuestClouds(AzureEnvironment.AZURE_US_GOVERNMENT, TestConstants.AUTHORITY_ARLINGTON);
+        acquireTokensInHomeAndGuestClouds(AzureEnvironment.AZURE_US_GOVERNMENT);
     }
 
     @Test
     public void acquireTokensInHomeAndGuestClouds_MooncakeAccount() throws MalformedURLException, ExecutionException, InterruptedException {
-        acquireTokensInHomeAndGuestClouds(AzureEnvironment.AZURE_CHINA, TestConstants.AUTHORITY_MOONCAKE);
+        acquireTokensInHomeAndGuestClouds(AzureEnvironment.AZURE_CHINA);
+    }
+
+    private IAuthenticationResult acquireTokenSilently(IPublicClientApplication pca, IAccount account, String scope) throws InterruptedException, ExecutionException, MalformedURLException {
+        return pca.acquireTokenSilently(SilentParameters.builder(Collections.singleton(scope), account)
+                .build())
+                .get();
     }
 
-    public void acquireTokensInHomeAndGuestClouds(String homeCloud, String homeCloudAuthority) throws MalformedURLException, ExecutionException, InterruptedException {
+    public void acquireTokensInHomeAndGuestClouds(String homeCloud) throws MalformedURLException {
 
         User user = labUserProvider.getUserByGuestHomeAzureEnvironments
                 (AzureEnvironment.AZURE, homeCloud);

src/integrationtest/java/com.microsoft.aad.msal4j/DeviceCodeIT.java

@@ -44,7 +44,7 @@ public void DeviceCodeFlowADTest(String environment) throws Exception {
                 build();
 
         Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
-            runAutomatedDeviceCodeFlow(deviceCode, user, environment);
+            runAutomatedDeviceCodeFlow(deviceCode, user);
         };
 
         IAuthenticationResult result = pca.acquireToken(DeviceCodeFlowParameters
@@ -57,8 +57,8 @@ public void DeviceCodeFlowADTest(String environment) throws Exception {
         Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
     }
 
-    @Test(dataProvider = "environments", dataProviderClass = EnvironmentsProvider.class)
-    public void DeviceCodeFlowADFSv2019Test(String environment) throws Exception {
+    @Test()
+    public void DeviceCodeFlowADFSv2019Test() throws Exception {
 
         User user = labUserProvider.getOnPremAdfsUser(FederationProvider.ADFS_2019);
 
@@ -68,7 +68,7 @@ public void DeviceCodeFlowADFSv2019Test(String environment) throws Exception {
                 build();
 
         Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
-            runAutomatedDeviceCodeFlow(deviceCode, user, environment);
+            runAutomatedDeviceCodeFlow(deviceCode, user);
         };
 
         IAuthenticationResult result = pca.acquireToken(DeviceCodeFlowParameters
@@ -81,7 +81,39 @@ public void DeviceCodeFlowADFSv2019Test(String environment) throws Exception {
         Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
     }
 
-    private void runAutomatedDeviceCodeFlow(DeviceCode deviceCode, User user, String environment) {
+    @Test()
+    public void DeviceCodeFlowMSATest() throws Exception {
+
+        User user = labUserProvider.getMSAUser();
+
+        PublicClientApplication pca = PublicClientApplication.builder(
+                user.getAppId()).
+                authority(TestConstants.CONSUMERS_AUTHORITY).
+                build();
+
+        Consumer<DeviceCode> deviceCodeConsumer = (DeviceCode deviceCode) -> {
+            runAutomatedDeviceCodeFlow(deviceCode, user);
+        };
+
+        IAuthenticationResult result = pca.acquireToken(DeviceCodeFlowParameters
+                .builder(Collections.singleton(""),
+                        deviceCodeConsumer)
+                .build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
+
+        result = pca.acquireTokenSilently(SilentParameters.
+                builder(Collections.singleton(""), result.account()).
+                build())
+                .get();
+
+        Assert.assertNotNull(result);
+        Assert.assertFalse(Strings.isNullOrEmpty(result.accessToken()));
+    }
+
+    private void runAutomatedDeviceCodeFlow(DeviceCode deviceCode, User user) {
         boolean isRunningLocally = true;//!Strings.isNullOrEmpty(
         //System.getenv(TestConstants.LOCAL_FLAG_ENV_VAR));
 

src/integrationtest/java/com.microsoft.aad.msal4j/OAuthRequestValidationUnitT.java

@@ -31,7 +31,7 @@ public void oAuthRequest_for_acquireTokenByClientCertificate() throws Exception
         }
 
         Map<String, String> queryParams = splitQuery(query);
-        Assert.assertEquals(queryParams.size(), 7);
+        Assert.assertEquals(queryParams.size(), 8);
 
         // validate Authorization Grants query params
         Assert.assertEquals(queryParams.get("grant_type"), GRANT_TYPE_JWT);
@@ -55,6 +55,8 @@ public void oAuthRequest_for_acquireTokenByClientCertificate() throws Exception
         Assert.assertEquals(queryParams.get("requested_token_use"), ON_BEHALF_OF_USE_JWT);
 
         Assert.assertEquals(queryParams.get("client_info"), CLIENT_INFO_VALUE);
+        Assert.assertEquals(queryParams.get("client_id"), CLIENT_ID);
+
     }
 
     @Test
@@ -83,7 +85,7 @@ public void oAuthRequest_for_acquireTokenByClientAssertion() throws Exception {
 
         Map<String, String> queryParams = splitQuery(query);
 
-        Assert.assertEquals(queryParams.size(), 5);
+        Assert.assertEquals(queryParams.size(), 6);
 
         // validate Authorization Grants query params
         Assert.assertEquals(queryParams.get("grant_type"), CLIENT_CREDENTIALS_GRANT_TYPE);
@@ -96,5 +98,6 @@ public void oAuthRequest_for_acquireTokenByClientAssertion() throws Exception {
         Assert.assertEquals(queryParams.get("scope"), "https://SomeResource.azure.net openid profile offline_access");
 
         Assert.assertEquals(queryParams.get("client_info"), CLIENT_INFO_VALUE);
+        Assert.assertEquals(queryParams.get("client_id"), CLIENT_ID);
     }
 }

src/integrationtest/java/com.microsoft.aad.msal4j/TestConstants.java

@@ -25,6 +25,7 @@ public class TestConstants {
 
     public final static String ORGANIZATIONS_AUTHORITY = MICROSOFT_AUTHORITY_HOST + "organizations/";
     public final static String COMMON_AUTHORITY = MICROSOFT_AUTHORITY_HOST + "common/";
+    public final static String CONSUMERS_AUTHORITY = MICROSOFT_AUTHORITY_HOST + "consumers/";
     public final static String COMMON_AUTHORITY_WITH_PORT = MICROSOFT_AUTHORITY_HOST_WITH_PORT + "msidlab4.onmicrosoft.com";
     public final static String MICROSOFT_AUTHORITY = MICROSOFT_AUTHORITY_HOST + "microsoft.onmicrosoft.com";
     public final static String TENANT_SPECIFIC_AUTHORITY = MICROSOFT_AUTHORITY_HOST + MICROSOFT_AUTHORITY_TENANT;

src/integrationtest/java/labapi/LabUserProvider.java

@@ -78,6 +78,13 @@ public User getB2cUser(String azureEnvironment, String b2cProvider) {
         return getLabUser(query);
     }
 
+    public User getMSAUser() {
+        UserQueryParameters query = new UserQueryParameters();
+        query.parameters.put(UserQueryParameters.USER_TYPE, UserType.MSA);
+
+        return getLabUser(query);
+    }
+
     public User getUserByAzureEnvironment(String azureEnvironment) {
 
         UserQueryParameters query = new UserQueryParameters();

src/main/java/com/microsoft/aad/msal4j/AadInstanceDiscoveryProvider.java

@@ -22,7 +22,8 @@ class AadInstanceDiscoveryProvider {
     private final static String DEFAULT_TRUSTED_HOST = "login.microsoftonline.com";
     private final static String AUTHORIZE_ENDPOINT_TEMPLATE = "https://{host}/{tenant}/oauth2/v2.0/authorize";
     private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE = "https://{host}:{port}/common/discovery/instance";
-    private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION = "https://{region}.{host}:{port}/common/discovery/instance";
+    private final static String INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION = "https://{region}.r.{host}:{port}/common/discovery/instance";
+    private final static String INSTANCE_DISCOVERY_SOVEREIGN_ENDPOINT_TEMPLATE_WITH_REGION = "https://{region}.{host}:{port}/common/discovery/instance";
     private final static String INSTANCE_DISCOVERY_REQUEST_PARAMETERS_TEMPLATE = "?api-version=1.1&authorization_endpoint={authorizeEndpoint}";
     private final static String REGION_NAME = "REGION_NAME";
     private final static int PORT_NOT_SET = -1;
@@ -31,19 +32,24 @@ class AadInstanceDiscoveryProvider {
     private final static String IMDS_ENDPOINT = "https://169.254.169.254/metadata/instance/compute/location?" + DEFAULT_API_VERSION + "&format=text";
 
     final static TreeSet<String> TRUSTED_HOSTS_SET = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
+    final static TreeSet<String> TRUSTED_SOVEREIGN_HOSTS_SET = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
 
     private final static Logger log = LoggerFactory.getLogger(HttpHelper.class);
 
     static ConcurrentHashMap<String, InstanceDiscoveryMetadataEntry> cache = new ConcurrentHashMap<>();
 
     static {
-        TRUSTED_HOSTS_SET.addAll(Arrays.asList(
-                "login.windows.net",
+        TRUSTED_SOVEREIGN_HOSTS_SET.addAll(Arrays.asList(
                 "login.chinacloudapi.cn",
                 "login-us.microsoftonline.com",
                 "login.microsoftonline.de",
-                "login.microsoftonline.com",
                 "login.microsoftonline.us"));
+
+        TRUSTED_HOSTS_SET.addAll(Arrays.asList(
+                "login.windows.net",
+                "login.microsoftonline.com"));
+
+        TRUSTED_HOSTS_SET.addAll(TRUSTED_SOVEREIGN_HOSTS_SET);
     }
 
     static InstanceDiscoveryMetadataEntry getMetadataEntry(URL authorityUrl,
@@ -133,10 +139,17 @@ private static String getInstanceDiscoveryEndpointWithRegion(URL authorityUrl, S
                 authorityUrl.getDefaultPort() :
                 authorityUrl.getPort();
 
-        return INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION.
-                replace("{region}", region).
-                replace("{host}", discoveryHost).
-                replace("{port}", String.valueOf(port));
+        if (TRUSTED_SOVEREIGN_HOSTS_SET.contains(authorityUrl.getHost())) {
+            return INSTANCE_DISCOVERY_SOVEREIGN_ENDPOINT_TEMPLATE_WITH_REGION.
+                    replace("{region}", region).
+                    replace("{host}", discoveryHost).
+                    replace("{port}", String.valueOf(port));
+        } else {
+            return INSTANCE_DISCOVERY_ENDPOINT_TEMPLATE_WITH_REGION.
+                    replace("{region}", region).
+                    replace("{host}", discoveryHost).
+                    replace("{port}", String.valueOf(port));
+        }
     }
 
 

src/main/java/com/microsoft/aad/msal4j/AbstractClientApplicationBase.java

@@ -28,7 +28,7 @@
  * Abstract class containing common methods and properties to both {@link PublicClientApplication}
  * and {@link ConfidentialClientApplication}.
  */
-abstract class AbstractClientApplicationBase implements IClientApplicationBase {
+public abstract class AbstractClientApplicationBase implements IClientApplicationBase {
 
     protected Logger log;
     protected Authority authenticationAuthority;
@@ -300,16 +300,7 @@ ServiceBundle getServiceBundle() {
         return serviceBundle;
     }
 
-    protected static String enforceTrailingSlash(String authority) {
-        authority = authority.toLowerCase();
-
-        if (!authority.endsWith("/")) {
-            authority += "/";
-        }
-        return authority;
-    }
-
-    abstract static class Builder<T extends Builder<T>> {
+    public abstract static class Builder<T extends Builder<T>> {
         // Required parameters
         private String clientId;
 
@@ -358,7 +349,7 @@ public Builder(String clientId) {
          * @throws MalformedURLException if val is malformed URL
          */
         public T authority(String val) throws MalformedURLException {
-            authority = enforceTrailingSlash(val);
+            authority = Authority.enforceTrailingSlash(val);
 
             URL authorityURL = new URL(authority);
             Authority.validateAuthority(authorityURL);
@@ -378,7 +369,7 @@ public T authority(String val) throws MalformedURLException {
         }
 
         public T b2cAuthority(String val) throws MalformedURLException {
-            authority = enforceTrailingSlash(val);
+            authority = Authority.enforceTrailingSlash(val);
 
             URL authorityURL = new URL(authority);
             Authority.validateAuthority(authorityURL);

src/main/java/com/microsoft/aad/msal4j/AcquireTokenSilentSupplier.java

@@ -3,6 +3,7 @@
 
 package com.microsoft.aad.msal4j;
 
+import java.net.URL;
 import java.util.Date;
 
 class AcquireTokenSilentSupplier extends AuthenticationResultSupplier {
@@ -69,6 +70,14 @@ AuthenticationResult execute() throws Exception {
                 }
 
                 if (!StringHelper.isBlank(res.refreshToken())) {
+                    //There are certain scenarios where the cached authority may differ from the client app's authority,
+                    // such as when a request is instance aware. Unless overridden by SilentParameters.authorityUrl, the
+                    // cached authority should be used in the token refresh request
+                    if (silentRequest.parameters().authorityUrl() == null && !res.account().environment().equals(requestAuthority.host)) {
+                        requestAuthority = Authority.createAuthority(new URL(requestAuthority.authority().replace(requestAuthority.host(),
+                                res.account().environment())));
+                    }
+
                     RefreshTokenRequest refreshTokenRequest = new RefreshTokenRequest(
                             RefreshTokenParameters.builder(silentRequest.parameters().scopes(), res.refreshToken()).build(),
                             silentRequest.application(),

src/main/java/com/microsoft/aad/msal4j/Authority.java

@@ -117,7 +117,7 @@ static void validateAuthority(URL authorityUrl) {
 
         if (segments.length == 0) {
             throw new IllegalArgumentException(
-                    IllegalArgumentExceptionMessages.AUTHORITY_URI_EMPTY_PATH_SEGMENT);
+                    IllegalArgumentExceptionMessages.AUTHORITY_URI_MISSING_PATH_SEGMENT);
         }
 
         for (String segment : segments) {
@@ -151,4 +151,13 @@ private static boolean isB2CAuthority(final String firstPath) {
     String deviceCodeEndpoint() {
         return deviceCodeEndpoint;
     }
+
+    protected static String enforceTrailingSlash(String authority) {
+        authority = authority.toLowerCase();
+
+        if (!authority.endsWith("/")) {
+            authority += "/";
+        }
+        return authority;
+    }
 }

src/main/java/com/microsoft/aad/msal4j/AuthorizationResponseHandler.java

@@ -102,7 +102,7 @@ private void send302Response(HttpExchange httpExchange, String redirectUri) thro
     private void send200Response(HttpExchange httpExchange, String response) throws IOException {
         httpExchange.sendResponseHeaders(200, response.length());
         OutputStream os = httpExchange.getResponseBody();
-        os.write(response.getBytes());
+        os.write(response.getBytes("UTF-8"));
         os.close();
     }
 
@@ -117,6 +117,6 @@ private String getErrorResponseMessage() {
         if (systemBrowserOptions == null || systemBrowserOptions.htmlMessageError() == null) {
             return DEFAULT_FAILURE_MESSAGE;
         }
-        return systemBrowserOptions().htmlMessageSuccess();
+        return systemBrowserOptions().htmlMessageError();
     }
 }

src/main/java/com/microsoft/aad/msal4j/ClientAuthenticationPost.java

@@ -3,10 +3,7 @@
 
 package com.microsoft.aad.msal4j;
 
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 import com.nimbusds.oauth2.sdk.SerializeException;
 import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
@@ -22,6 +19,11 @@ protected ClientAuthenticationPost(ClientAuthenticationMethod method,
         super(method, clientID);
     }
 
+    @Override
+    public Set<String> getFormParameterNames() {
+        return Collections.unmodifiableSet(new HashSet(Arrays.asList("client_assertion", "client_assertion_type", "client_id")));
+    }
+
     Map<String, List<String>> toParameters() {
 
         Map<String, List<String>> params = new HashMap<>();

src/main/java/com/microsoft/aad/msal4j/CustomJWTAuthentication.java

@@ -12,11 +12,7 @@
 import com.nimbusds.oauth2.sdk.id.ClientID;
 import com.nimbusds.oauth2.sdk.util.URLUtils;
 
-import java.net.URLEncoder;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 public class CustomJWTAuthentication extends ClientAuthentication {
     private ClientAssertion clientAssertion;
@@ -26,6 +22,12 @@ protected CustomJWTAuthentication(ClientAuthenticationMethod method, ClientAsser
         this.clientAssertion = clientAssertion;
     }
 
+    @Override
+    public Set<String> getFormParameterNames() {
+        return Collections.unmodifiableSet(new HashSet(Arrays.asList("client_assertion", "client_assertion_type", "client_id")));
+
+    }
+
     @Override
     public void applyTo(HTTPRequest httpRequest) {
         if (httpRequest.getMethod() != HTTPRequest.Method.POST) {

src/main/java/com/microsoft/aad/msal4j/IAuthenticationResult.java

@@ -3,10 +3,12 @@
 
 package com.microsoft.aad.msal4j;
 
+import java.io.Serializable;
+
 /**
  * Interface representing the results of token acquisition operation.
  */
-public interface IAuthenticationResult {
+public interface IAuthenticationResult extends Serializable {
 
     /**
      * @return access token

src/main/java/com/microsoft/aad/msal4j/IdToken.java

@@ -10,7 +10,9 @@
 import java.util.HashMap;
 import java.util.Map;
 
-class IdToken {
+import java.io.Serializable;
+
+class IdToken implements Serializable {
 
     static final String ISSUER = "iss";
     static final String SUBJECT = "sub";

src/main/java/com/microsoft/aad/msal4j/IllegalArgumentExceptionMessages.java

@@ -7,6 +7,8 @@ class IllegalArgumentExceptionMessages {
 
     final static String AUTHORITY_URI_EMPTY_PATH_SEGMENT = "Authority Uri should not have empty path segments";
 
+    final static String AUTHORITY_URI_MISSING_PATH_SEGMENT = "Authority Uri must have at least one path segment. This is usually 'common' or the application's tenant id.";
+
     final static String AUTHORITY_URI_EMPTY_PATH = "Authority Uri should have at least one segment in the path";
 
 }

src/main/java/com/microsoft/aad/msal4j/Prompt.java

@@ -36,7 +36,12 @@ public enum Prompt {
     /**
      * An administrator should be prompted to consent on behalf of all users in their organization.
      */
-    ADMIN_CONSENT("admin_consent");
+    ADMIN_CONSENT("admin_consent"),
+
+    /**
+     * User will not be shown an interactive prompt
+     */
+    NONE("none");
 
     private String prompt;
 

src/main/java/com/microsoft/aad/msal4j/SilentRequest.java

@@ -28,7 +28,7 @@ class SilentRequest extends MsalRequest {
         this.assertion = assertion;
         this.requestAuthority = StringHelper.isBlank(parameters.authorityUrl()) ?
                 application.authenticationAuthority :
-                Authority.createAuthority(new URL(parameters.authorityUrl()));
+                Authority.createAuthority(new URL(Authority.enforceTrailingSlash(parameters.authorityUrl())));
 
         if (parameters.forceRefresh()) {
             application.getServiceBundle().getServerSideTelemetry().getCurrentRequest().cacheInfo(

src/main/java/com/microsoft/aad/msal4j/TokenCache.java

@@ -584,7 +584,6 @@ AuthenticationResult getCachedAuthenticationResult(
             String clientId) {
 
         AuthenticationResult.AuthenticationResultBuilder builder = AuthenticationResult.builder();
-        builder.environment(authority.host());
 
         Set<String> environmentAliases = AadInstanceDiscoveryProvider.getAliases(account.environment());
 
@@ -622,11 +621,14 @@ AuthenticationResult getCachedAuthenticationResult(
 
                 if (atCacheEntity.isPresent()) {
                     builder.
+                            environment(atCacheEntity.get().environment).
                             accessToken(atCacheEntity.get().secret).
                             expiresOn(Long.parseLong(atCacheEntity.get().expiresOn()));
                     if (atCacheEntity.get().refreshOn() != null) {
                         builder.refreshOn(Long.parseLong(atCacheEntity.get().refreshOn()));
                     }
+                } else {
+                    builder.environment(authority.host());
                 }
                 idTokenCacheEntity.ifPresent(tokenCacheEntity -> builder.idToken(tokenCacheEntity.secret));
                 rtCacheEntity.ifPresent(refreshTokenCacheEntity ->

src/main/java/com/microsoft/aad/msal4j/TokenRequestExecutor.java

@@ -16,11 +16,7 @@
 
 import java.io.IOException;
 import java.net.MalformedURLException;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 
 @Getter(AccessLevel.PACKAGE)
 class TokenRequestExecutor {
@@ -71,8 +67,14 @@ OAuthHttpRequest createOauthHttpRequest() throws SerializeException, MalformedUR
         }
 
         oauthHttpRequest.setQuery(URLUtils.serializeParameters(params));
-
+      
         if (msalRequest.application().clientAuthentication() != null) {
+
+            Map<String, List<String>> queryParameters = oauthHttpRequest.getQueryParameters();
+            String clientID = msalRequest.application().clientId();
+            queryParameters.put("client_id", Arrays.asList(clientID));
+            oauthHttpRequest.setQuery(URLUtils.serializeParameters(queryParameters));
+
             // If the client application has a client assertion to apply to the request, check if a new client assertion
             //  was supplied as a request parameter. If so, use the request's assertion instead of the application's
             if (msalRequest instanceof ClientCredentialRequest && ((ClientCredentialRequest) msalRequest).parameters.clientCredential() != null) {

src/samples/msal-b2c-web-sample/pom.xml

@@ -23,7 +23,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>msal4j</artifactId>
-			<version>1.11.3</version>
+			<version>1.12.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>

src/samples/msal-obo-sample/pom.xml

@@ -23,7 +23,7 @@
         <dependency>
             <groupId>com.microsoft.azure</groupId>
             <artifactId>msal4j</artifactId>
-            <version>1.11.3</version>
+            <version>1.12.0</version>
         </dependency>
         <dependency>
             <groupId>com.nimbusds</groupId>

src/samples/msal-web-sample/pom.xml

@@ -23,7 +23,7 @@
 		<dependency>
 			<groupId>com.microsoft.azure</groupId>
 			<artifactId>msal4j</artifactId>
-			<version>1.11.3</version>
+			<version>1.12.0</version>
 		</dependency>
 		<dependency>
 			<groupId>com.nimbusds</groupId>

src/test/java/com/microsoft/aad/msal4j/AuthorityTest.java

@@ -158,7 +158,6 @@ public void testDoStaticInstanceDiscovery_ValidateFalse_TrustedAuthority()
     @DataProvider(name = "authoritiesWithEmptyPath")
     public static Object[][] createData() {
         return new Object[][]{{"https://login.microsoftonline.com/"},
-                {"https://login.microsoftonline.com//"},
                 {"https://login.microsoftonline.com//tenant"},
                 {"https://login.microsoftonline.com////tenant//path1"}};
     }