Merge pull request #98 from microsoft/fix/delegated-token-caching

Fix caching access tokens for delegated permissions

src/Oauth/ApplicationPermissionTrait.php

@@ -32,7 +32,7 @@ abstract public function getTenantId(): string;
 
     /**
      * Set the identity of the user/application. This is used as the unique cache key
-     * For delegated permissions the key is {tenantId}-{clientId}-{userId}
+     * For delegated permissions the key is {tenantId}-{clientId}-{accessTokenHash}
      * For application permissions, they key is {tenantId}-{clientId}
      * @param AccessToken|null $accessToken
      * @return void
@@ -44,7 +44,7 @@ public function setCacheKey(?AccessToken $accessToken = null): void
 
     /**
      * Return the identity of the user/application. This is used as the unique cache key
-     * For delegated permissions the key is {tenantId}-{clientId}-{userId}
+     * For delegated permissions the key is {tenantId}-{clientId}-{accessTokenHash}
      * For application permissions, they key is {tenantId}-{clientId}
      * @return string|null
      */

src/Oauth/DelegatedPermissionTrait.php

@@ -11,7 +11,6 @@
 
 use League\OAuth2\Client\Token\AccessToken;
 
-
 trait DelegatedPermissionTrait
 {
     use CAEConfigurationTrait;
@@ -33,28 +32,22 @@ abstract public function getTenantId(): string;
 
     /**
      * Set the identity of the user/application. This is used as the unique cache key
-     * For delegated permissions the key is {tenantId}-{clientId}-{userId}
+     * For delegated permissions the key is {tenantId}-{clientId}-{accessTokenHash}
      * For application permissions, they key is {tenantId}-{clientId}
      * @param AccessToken|null $accessToken
      * @return void
      */
     public function setCacheKey(?AccessToken $accessToken = null): void
     {
         if ($accessToken && $accessToken->getToken()) {
-            $tokenParts = explode('.', $accessToken->getToken());
-            if (count($tokenParts) == 3) {
-                $payload = json_decode(base64_decode($tokenParts[1]), true);
-                if (is_array($payload) && array_key_exists('sub', $payload)) {
-                    $subject = $payload['sub'];
-                    $this->cacheKey = ($subject) ? "{$this->getTenantId()}-{$this->getClientId()}-{$subject}" : null;
-                }
-            }
+            $uniqueIdentifier = password_hash($accessToken->getToken(), PASSWORD_DEFAULT);
+            $this->cacheKey = "{$this->getTenantId()}-{$this->getClientId()}-{$uniqueIdentifier}";
         }
     }
 
     /**
      * Return the identity of the user/application. This is used as the unique cache key
-     * For delegated permissions the key is {tenantId}-{clientId}-{userId}
+     * For delegated permissions the key is {tenantId}-{clientId}-{accessTokenHash}
      * For application permissions, they key is {tenantId}-{clientId}
      * @return string|null
      */

src/Oauth/TokenRequestContext.php

@@ -48,7 +48,7 @@ public function getTenantId(): string;
 
     /**
      * Set the identity of the user/application. This is used as the unique cache key
-     * For delegated permissions the key is {tenantId}-{clientId}-{userId}
+     * For delegated permissions the key is {tenantId}-{clientId}-{accessTokenHash}
      * For application permissions, they key is {tenantId}-{clientId}
      * @param AccessToken|null $accessToken
      * @return void
@@ -57,7 +57,7 @@ public function setCacheKey(?AccessToken $accessToken = null): void;
 
     /**
      * Return the identity of the user/application. This is used as the unique cache key
-     * For delegated permissions the key is {tenantId}-{clientId}-{userId}
+     * For delegated permissions the key is {tenantId}-{clientId}-{accessTokenHash}
      * For application permissions, they key is {tenantId}-{clientId}
      *
      * @return string|null

tests/Cache/InMemoryAccessTokenCacheTest.php

@@ -4,6 +4,7 @@
 
 use League\OAuth2\Client\Token\AccessToken;
 use Microsoft\Kiota\Authentication\Cache\InMemoryAccessTokenCache;
+use Microsoft\Kiota\Authentication\Oauth\AuthorizationCodeContext;
 use Microsoft\Kiota\Authentication\Oauth\ClientCredentialContext;
 use Microsoft\Kiota\Authentication\Oauth\TokenRequestContext;
 use PHPUnit\Framework\TestCase;
@@ -58,4 +59,15 @@ public function testWithTokenAddsMultipleTokensToCache() {
         $this->assertInstanceOf(AccessToken::class, $cache->getTokenWithContext($this->testTokenRequestContext));
         $this->assertInstanceOf(AccessToken::class, $cache->getTokenWithContext($secondContext));
     }
+
+    public function testCacheKeyIsSetForNonJWTToken() {
+        $accessToken = $this->createMock(AccessToken::class);
+        $accessToken->method('getToken')->willReturn('token');
+
+        $cache = new InMemoryAccessTokenCache();
+        $delegatedTokenRequestContext = new AuthorizationCodeContext("tenantId", "clientId", "clientSecret", "redirectUri", "code");
+        $cache->withToken($delegatedTokenRequestContext, $accessToken);
+
+        $this->assertNotEmpty($delegatedTokenRequestContext->getCacheKey());
+    }
 }