Library version used
1.15.0
Java version
21.0.2
Scenario
ConfidentialClient - web site (AcquireTokenByAuthCode)
Is this a new or an existing app?
This is a new app or experiment
Issue description and reproduction steps
Supplying an SSLSocketFactory to the ConfidentialClientApplication builder has no effect.
I traced this down to the DefaultHttpClient's handling of SSL connections:
It currently checks if the connection is an instance of HttpURLConnection, but since HttpsURLConnection extends HttpURLConnection it's always true and the else is never executed.
```java
if (connection instanceof HttpURLConnection) {
    return (HttpURLConnection) connection;
} else {
    HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
    if (sslSocketFactory != null) {
        httpsConnection.setSSLSocketFactory(sslSocketFactory);
    }
    return httpsConnection;
}
```
https://github.com/AzureAD/microsoft-authentication-library-for-java/blob/dev/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/DefaultHttpClient.java#L93-L103
I suggest changing this to:
```java
if (connection instanceof HttpsURLConnection) {
    HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
    if (sslSocketFactory != null) {
        httpsConnection.setSSLSocketFactory(sslSocketFactory);
    }
    return httpsConnection;
} else {
    return (HttpURLConnection) connection;
}
```
Relevant code snippets
No response
Expected behavior
The supplied SSLSocketFactory should be set on the HttpsURLConnection (`httpsConnection.setSSLSocketFactory(sslSocketFactory);`) or setting the default SSL handling externally.
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
Currently the only workaround is to supply your own HTTP client, with the logic fixed.
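Added example, not part of the original issue and not MSAL4J's own code: a JDK-only check that runs the two branch orders quoted above against the same HTTPS connection object and reports whether the supplied factory ends up on it. The class and method names (`SslFactoryBranchCheck`, `reported`, `suggested`, `usesFactory`) and the URL `https://idp.example/` are assumptions made for illustration; a check like this is useful as a regression test wherever a custom factory carries certificate pinning or a private trust store, because the failure is otherwise silent.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class SslFactoryBranchCheck {

    // Branch order as reported in the issue: the first test also matches HTTPS connections.
    static HttpURLConnection reported(URLConnection c, SSLSocketFactory f) {
        if (c instanceof HttpURLConnection) {
            return (HttpURLConnection) c;
        } else {
            HttpsURLConnection https = (HttpsURLConnection) c;
            if (f != null) https.setSSLSocketFactory(f);
            return https;
        }
    }

    // Branch order suggested in the issue: test the subclass first.
    static HttpURLConnection suggested(URLConnection c, SSLSocketFactory f) {
        if (c instanceof HttpsURLConnection) {
            HttpsURLConnection https = (HttpsURLConnection) c;
            if (f != null) https.setSSLSocketFactory(f);
            return https;
        }
        return (HttpURLConnection) c;
    }

    // True only if the connection is HTTPS and holds exactly the supplied factory.
    static boolean usesFactory(HttpURLConnection c, SSLSocketFactory f) {
        return c instanceof HttpsURLConnection
                && ((HttpsURLConnection) c).getSSLSocketFactory() == f;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a fresh TLS context stands in for a pinned or private-CA factory.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLSocketFactory custom = ctx.getSocketFactory();

        // openConnection() only creates the connection object; nothing is sent on the network.
        URL url = URI.create("https://idp.example/").toURL();
        System.out.println("reported:  " + usesFactory(reported(url.openConnection(), custom), custom));
        System.out.println("suggested: " + usesFactory(suggested(url.openConnection(), custom), custom));
    }
}
```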