Added a guard for public client refreshing through credential

Author: 4gust

apps/internal/base/base.go

@@ -367,8 +367,10 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen
 					// If the token is not same, we don't need to refresh it.
 					// Which means it refreshed.
 					if str, err := m.Read(ctx, authParams); err == nil && str.AccessToken.Secret == ar.AccessToken {
-						if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {
-							return b.AuthResultFromToken(ctx, authParams, tr)
+						if silent.RequestType == accesstokens.ATConfidential {
+							if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {
+								return b.AuthResultFromToken(ctx, authParams, tr)
+							}
 						}
 					}
 				}

apps/public/public_test.go

@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache"
+	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/base"
 	internalTime "github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/json/types/time"
 	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/mock"
 	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/internal/oauth/fake"
@@ -1046,3 +1047,56 @@ func getNewClientWithMockedResponses(
 
 	return client, nil
 }
+
+func TestAcquireTokenSilentHomeTenantAliases1(t *testing.T) {
+	accessToken := "*"
+	homeTenant := "home-tenant"
+	clientInfo := base64.RawStdEncoding.EncodeToString([]byte(
+		fmt.Sprintf(`{"uid":"uid","utid":"%s"}`, homeTenant),
+	))
+	lmo := "login.microsoftonline.com"
+	originalTime := base.Now
+	defer func() {
+		base.Now = originalTime
+	}()
+	for _, alias := range []string{"common", "organizations"} {
+		mockClient := mock.NewClient()
+		mockClient.AppendResponse(mock.WithBody(mock.GetTenantDiscoveryBody(lmo, alias)))
+		mockClient.AppendResponse(mock.WithBody(mock.GetAccessTokenBody(accessToken, mock.GetIDToken(homeTenant, fmt.Sprintf(authorityFmt, lmo, homeTenant)), "rt", clientInfo, 36000, 100)))
+		mockClient.AppendResponse(mock.WithBody(mock.GetInstanceDiscoveryBody(lmo, homeTenant)))
+
+		client, err := New("client-id", WithAuthority(fmt.Sprintf(authorityFmt, lmo, alias)), WithHTTPClient(mockClient))
+		if err != nil {
+			t.Fatal(err)
+		}
+		// the auth flow isn't important, we just need to populate the cache
+		ar, err := client.AcquireTokenByAuthCode(context.Background(), "code", "https://localhost", tokenScope)
+		if err != nil {
+			t.Fatal(err)
+		}
+		if ar.AccessToken != accessToken {
+			t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
+		}
+		account := ar.Account
+		ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
+		if err != nil {
+			t.Fatal(err)
+		}
+		if ar.AccessToken != accessToken {
+			t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
+		}
+		// moving time forward to expire the current token
+		fixedTime := time.Now().Add(time.Duration(36001) * time.Second)
+		base.Now = func() time.Time {
+			return fixedTime
+		}
+		// calling the acquire token again
+		ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
+		if err != nil {
+			t.Fatal(err)
+		}
+		if ar.AccessToken != accessToken {
+			t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
+		}
+	}
+}