From 92fd2b8aaf4512724f8a0ce71e2d05c8f39c474a Mon Sep 17 00:00:00 2001
From: Bogdan Gavril
Date: Tue, 27 Sep 2022 13:10:59 +0100
Subject: [PATCH 1/2] Add more logging around client creds and claims

---
 .../KerberosSupplementalTicketManager.cs | 32 +------
 .../OAuth2/TokenClient.cs | 45 ++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 45 insertions(+), 32 deletions(-)

diff --git a/src/client/Microsoft.Identity.Client/Kerberos/KerberosSupplementalTicketManager.cs b/src/client/Microsoft.Identity.Client/Kerberos/KerberosSupplementalTicketManager.cs
index 91193758b6..82b651784a 100644
--- a/src/client/Microsoft.Identity.Client/Kerberos/KerberosSupplementalTicketManager.cs
+++ b/src/client/Microsoft.Identity.Client/Kerberos/KerberosSupplementalTicketManager.cs
@@ -176,37 +176,7 @@ public static byte[] GetKrbCred(KerberosSupplementalTicket ticket)
 return null;
 }
-
- ///
- /// Add Claims to body parameter for POST request.
- ///
- /// object for Token request.
- /// containing request parameters.
- internal static void AddKerberosTicketClaim(
- OAuth2Client oAuth2Client,
- AuthenticationRequestParameters requestParams)
- {
- string kerberosClaim = GetKerberosTicketClaim(
- requestParams.RequestContext.ServiceBundle.Config.KerberosServicePrincipalName,
- requestParams.RequestContext.ServiceBundle.Config.TicketContainer);
-
- if (string.IsNullOrEmpty(kerberosClaim))
- {
- oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, requestParams.ClaimsAndClientCapabilities);
- }
- else if (string.IsNullOrEmpty(requestParams.ClaimsAndClientCapabilities))
- {
- oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, kerberosClaim);
- }
- else
- {
- var existingClaims = JsonHelper.ParseIntoJsonObject(requestParams.ClaimsAndClientCapabilities);
- var mergedClaims = ClaimsHelper.MergeClaimsIntoCapabilityJson(kerberosClaim, existingClaims);
-
- oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, JsonHelper.JsonObjectToString(mergedClaims));
- }
- }
-
+
 ///
 /// Generate a Kerberos Ticket Claim string.
 ///
diff --git a/src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs b/src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs
index 5d98b3dbc1..14971f0b6b 100644
--- a/src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs
+++ b/src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs
@@ -130,6 +130,9 @@ private async Task AddBodyParamsAndHeadersAsync(
 
 if (_serviceBundle.Config.ClientCredential != null)
 {
+ _requestParams.RequestContext.Logger.Verbose(
+ "Before adding the client assertion / secret");
+
 await _serviceBundle.Config.ClientCredential.AddConfidentialClientParametersAsync(
 _oAuth2Client,
 _requestParams.RequestContext.Logger,
@@ -138,6 +141,9 @@ await _serviceBundle.Config.ClientCredential.AddConfidentialClientParametersAsyn
 _requestParams.Authority.GetTokenEndpoint(),
 _requestParams.SendX5C,
 cancellationToken).ConfigureAwait(false);
+
+ _requestParams.RequestContext.Logger.Verbose(
+ "After adding the client assertion / secret");
 }
 
 _oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
@@ -145,7 +151,7 @@ await _serviceBundle.Config.ClientCredential.AddConfidentialClientParametersAsyn
 // Add Kerberos Ticket claims if there's valid service principal name in Configuration.
 // Kerberos Ticket claim is only allowed at token request due to security issue.
 // It should not be included for authorize request.
- KerberosSupplementalTicketManager.AddKerberosTicketClaim(_oAuth2Client, _requestParams);
+ AddClaims();
 
 foreach (var kvp in additionalBodyParameters)
 {
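Review bot: The three comment lines above the replaced call still describe only the Kerberos ticket claim, while the new `AddClaims()` (per its summary in the later hunk) also forwards the caller's `ClaimsAndClientCapabilities`, so the comment now undersells what the call does. The first line could read `// Add claims/client capabilities to the request, plus a Kerberos ticket claim if a valid service principal name is configured.`; the two lines about token-request-only still apply and can stay. AddBodyParamsAndHeadersAsync starts and ends outside this hunk.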
@@ -180,6 +186,43 @@ await _serviceBundle.Config.ClientCredential.AddConfidentialClientParametersAsyn
 AddExtraHttpHeaders();
 }
 
+ ///
+ /// Add Claims, including ClientCapabilities, to body parameter for POST request.
+ ///
+ private void AddClaims()
+ {
+ string kerberosClaim = KerberosSupplementalTicketManager.GetKerberosTicketClaim(
+ _requestParams.RequestContext.ServiceBundle.Config.KerberosServicePrincipalName,
+ _requestParams.RequestContext.ServiceBundle.Config.TicketContainer);
+ string resolvedClaims;
+ if (string.IsNullOrEmpty(kerberosClaim))
+ {
+ resolvedClaims = _requestParams.ClaimsAndClientCapabilities;
+ }
+ else
+ {
+ if (!string.IsNullOrEmpty(_requestParams.ClaimsAndClientCapabilities))
+ {
+ var existingClaims = JsonHelper.ParseIntoJsonObject(_requestParams.ClaimsAndClientCapabilities);
+ var mergedClaims = ClaimsHelper.MergeClaimsIntoCapabilityJson(kerberosClaim, existingClaims);
+
+ resolvedClaims = JsonHelper.JsonObjectToString(mergedClaims);
+ _requestParams.RequestContext.Logger.Verbose(
+ $"Adding kerberos claim + Claims/ClientCapabilities to request: {resolvedClaims}");
+ }
+ else
+ {
+ resolvedClaims = kerberosClaim;
+ _requestParams.RequestContext.Logger.Verbose(
+ $"Adding kerberos claim to request: {resolvedClaims}");
+ }
+ }
+
+ // no-op if resolvedClaims is null
+ _oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, resolvedClaims);
+ }
+
+
 private void AddExtraHttpHeaders()
 {
 if (_requestParams.ExtraHttpHeaders != null)
From 5875704f4b7045d5d24b6f22417c6b7f13dae7ba Mon Sep 17 00:00:00 2001
From: Bogdan Gavril
Date: Fri, 30 Sep 2022 16:36:21 +0100
Subject: [PATCH 2/2] Update TokenClient.cs

---
 src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs b/src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs
index 14971f0b6b..2b1941c78c 100644
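Review bot: The two new `Logger.Verbose(...)` calls in AddClaims write the fully resolved claims payload (`{resolvedClaims}`) into the plain, non-PII log stream; that payload embeds the Kerberos claim built from the configured `KerberosServicePrincipalName` and, in the merged branch, the caller-supplied `ClaimsAndClientCapabilities` JSON, which can carry tenant- or user-identifying values. Logging it only through the logger's PII-aware overload (e.g. `_requestParams.RequestContext.Logger.VerbosePii($"Adding kerberos claim + Claims/ClientCapabilities to request: {resolvedClaims}", "Adding kerberos claim + Claims/ClientCapabilities to request");`) keeps the detail available when PII logging is opted in without exposing it by default, and the same applies to the `Adding kerberos claim to request` message. The branch where `kerberosClaim` is empty logs nothing at all, so a matching scrubbed line there (`"Adding Claims/ClientCapabilities to request"`) would make the three paths symmetric for diagnostics.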
--- a/src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs
+++ b/src/client/Microsoft.Identity.Client/OAuth2/TokenClient.cs
@@ -131,7 +131,7 @@ private async Task AddBodyParamsAndHeadersAsync(
 if (_serviceBundle.Config.ClientCredential != null)
 {
 _requestParams.RequestContext.Logger.Verbose(
- "Before adding the client assertion / secret");
+ "[TokenClient] Before adding the client assertion / secret");
 
 await _serviceBundle.Config.ClientCredential.AddConfidentialClientParametersAsync(
 _oAuth2Client,
@@ -143,7 +143,7 @@ await _serviceBundle.Config.ClientCredential.AddConfidentialClientParametersAsyn
 cancellationToken).ConfigureAwait(false);
 
 _requestParams.RequestContext.Logger.Verbose(
- "After adding the client assertion / secret");
+ "[TokenClient] After adding the client assertion / secret");
 }
 
 _oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);