Add .WithForceRefresh support for silent broker flows (#4458)

* update

* ForceRefresh + WAM test (#4459)

ForceRefresh + WAM test (#4459)

---------

Co-authored-by: Bogdan Gavril <[email protected]>

src/client/Microsoft.Identity.Client/Platforms/Features/RuntimeBroker/RuntimeBroker.cs

@@ -312,6 +312,21 @@ public async Task<MsalTokenResponse> AcquireTokenSilentAsync(
                         var errorMessage = "Could not acquire token silently.";
                         msalTokenResponse = WamAdapters.HandleResponse(result, authenticationRequestParameters, _logger, errorMessage);
                     }
+
+                    if (acquireTokenSilentParameters.ForceRefresh && !string.IsNullOrEmpty(msalTokenResponse.AccessToken))
+                    {
+                        authParams.AccessTokenToRenew = msalTokenResponse.AccessToken;
+
+                        using (NativeInterop.AuthResult result = await s_lazyCore.Value.AcquireTokenSilentlyAsync(
+                        authParams,
+                        authenticationRequestParameters.CorrelationId.ToString("D"),
+                        readAccountResult.Account,
+                        cancellationToken).ConfigureAwait(false))
+                        {
+                            var errorMessage = "Could not acquire token silently with AccessTokenToRenew option.";
+                            msalTokenResponse = WamAdapters.HandleResponse(result, authenticationRequestParameters, _logger, errorMessage);
+                        }
+                    }
                 }
             }
 
@@ -343,6 +358,21 @@ public async Task<MsalTokenResponse> AcquireTokenSilentDefaultUserAsync(
                     var errorMessage = "Could not acquire token silently for the default user.";
                     msalTokenResponse = WamAdapters.HandleResponse(result, authenticationRequestParameters, _logger, errorMessage);
                 }
+
+                if (acquireTokenSilentParameters.ForceRefresh && !string.IsNullOrEmpty(msalTokenResponse.AccessToken))
+                {
+                    authParams.AccessTokenToRenew = msalTokenResponse.AccessToken;
+
+                    using (NativeInterop.AuthResult result = await s_lazyCore.Value.SignInSilentlyAsync(
+                       authParams,
+                       authenticationRequestParameters.CorrelationId.ToString("D"),
+                       cancellationToken).ConfigureAwait(false))
+                    {
+                        var errorMessage = "Could not acquire token silently for the default user.";
+                        msalTokenResponse = WamAdapters.HandleResponse(result, authenticationRequestParameters, _logger, errorMessage);
+                    }
+                }
+
             }
 
             return msalTokenResponse;

tests/Microsoft.Identity.Test.Integration.netfx/HeadlessTests/RuntimeBrokerTests.cs

@@ -169,8 +169,7 @@ public async Task WamSilentAuthLoginHintNoAccontInCacheAsync()
             }
         }
 
-        [RunOn(TargetFrameworks.NetCore)]
-        [ExpectedException(typeof(MsalUiRequiredException))]
+        [RunOn(TargetFrameworks.NetCore)]        
         public async Task WamUsernamePasswordRequestAsync()
         {
             var labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
@@ -215,8 +214,59 @@ public async Task WamUsernamePasswordRequestAsync()
 
             Assert.IsNotNull(accounts);
 
-            // this should throw MsalUiRequiredException
-            result = await pca.AcquireTokenSilent(scopes, account).ExecuteAsync().ConfigureAwait(false);
+            await AssertException.TaskThrowsAsync<MsalUiRequiredException>(
+               () => pca.AcquireTokenSilent(scopes, account).ExecuteAsync())
+                .ConfigureAwait(false);
+        }
+
+        [TestMethod]
+        public async Task WamUsernamePasswordWithForceRefreshAsync()
+        {
+            var labResponse = await LabUserHelper.GetDefaultUserAsync().ConfigureAwait(false);
+            string[] scopes = { "User.Read" };
+            string[] expectedScopes = { "email", "offline_access", "openid", "profile", "User.Read" };
+
+            IntPtr intPtr = GetForegroundWindow();
+            Func<IntPtr> windowHandleProvider = () => intPtr;
+
+            IPublicClientApplication pca = PublicClientApplicationBuilder
+               .Create(labResponse.App.AppId)
+               .WithParentActivityOrWindow(windowHandleProvider)
+               .WithAuthority(labResponse.Lab.Authority, "organizations")
+               .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
+               .Build();
+
+            // Acquire token using username password
+            var result = await pca.AcquireTokenByUsernamePassword(
+                scopes, 
+                labResponse.User.Upn, 
+                labResponse.User.GetOrFetchPassword())
+                .ExecuteAsync()
+                .ConfigureAwait(false);
+
+            DateTimeOffset ropcTokenExpiration = result.ExpiresOn;
+            string ropcToken = result.AccessToken;
+
+            MsalAssert.AssertAuthResult(result, TokenSource.Broker, labResponse.Lab.TenantId, expectedScopes);
+            Assert.IsNotNull(result.AuthenticationResultMetadata.Telemetry);
+
+            // Get Accounts
+            var accounts = await pca.GetAccountsAsync().ConfigureAwait(false);            
+            var account = accounts.FirstOrDefault();
+            Assert.IsNotNull(account);
+
+            result = await pca.AcquireTokenSilent(scopes, account)
+                .ExecuteAsync().ConfigureAwait(false);
+
+            // This proves the token is from the cache
+            Assert.AreEqual(ropcToken, result.AccessToken);
+
+            result = await pca.AcquireTokenSilent(scopes, account)
+                .WithForceRefresh(true)
+               .ExecuteAsync().ConfigureAwait(false);
+
+            // This proves the token is not from the cache
+            Assert.AreNotEqual(ropcToken, result.AccessToken);
         }
 
         [RunOn(TargetFrameworks.NetCore)]