refreshing token when refresh_on is present and added test

4gust · 4gust · commit 4d33507cfa80 · 2025-09-09T17:32:00.000+01:00
diff --git a/apps/internal/base/base.go b/apps/internal/base/base.go
@@ -367,10 +367,17 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen
 					// If the token is not same, we don't need to refresh it.
 					// Which means it refreshed.
 					if str, err := m.Read(ctx, authParams); err == nil && str.AccessToken.Secret == ar.AccessToken {
-						if silent.RequestType == accesstokens.ATConfidential {
+						switch silent.RequestType {
+						case accesstokens.ATConfidential:
 							if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {
 								return b.AuthResultFromToken(ctx, authParams, tr)
 							}
+						case accesstokens.ATPublic:
+							token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, silent.Credential, storageTokenResponse.RefreshToken)
+							if err != nil {
+								return ar, err
+							}
+							return b.AuthResultFromToken(ctx, authParams, token)
 						}
 					}
 				}
diff --git a/apps/public/public_test.go b/apps/public/public_test.go
@@ -1059,44 +1059,44 @@ func TestAcquireTokenSilentHomeTenantAliases1(t *testing.T) {
 	defer func() {
 		base.Now = originalTime
 	}()
-	for _, alias := range []string{"common", "organizations"} {
-		mockClient := mock.NewClient()
-		mockClient.AppendResponse(mock.WithBody(mock.GetTenantDiscoveryBody(lmo, alias)))
-		mockClient.AppendResponse(mock.WithBody(mock.GetAccessTokenBody(accessToken, mock.GetIDToken(homeTenant, fmt.Sprintf(authorityFmt, lmo, homeTenant)), "rt", clientInfo, 36000, 100)))
-		mockClient.AppendResponse(mock.WithBody(mock.GetInstanceDiscoveryBody(lmo, homeTenant)))
+	mockClient := mock.NewClient()
+	mockClient.AppendResponse(mock.WithBody(mock.GetTenantDiscoveryBody(lmo, "common")))
+	mockClient.AppendResponse(mock.WithBody(mock.GetAccessTokenBody(accessToken, mock.GetIDToken(homeTenant, fmt.Sprintf(authorityFmt, lmo, homeTenant)), "rt", clientInfo, 36000, 1000)))
+	mockClient.AppendResponse(mock.WithBody(mock.GetInstanceDiscoveryBody(lmo, homeTenant)))
+	mockClient.AppendResponse(mock.WithBody(mock.GetAccessTokenBody("accessToken", mock.GetIDToken(homeTenant, fmt.Sprintf(authorityFmt, lmo, homeTenant)), "rt", clientInfo, 36000, 1000)))
 
-		client, err := New("client-id", WithAuthority(fmt.Sprintf(authorityFmt, lmo, alias)), WithHTTPClient(mockClient))
-		if err != nil {
-			t.Fatal(err)
-		}
-		// the auth flow isn't important, we just need to populate the cache
-		ar, err := client.AcquireTokenByAuthCode(context.Background(), "code", "https://localhost", tokenScope)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if ar.AccessToken != accessToken {
-			t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
-		}
-		account := ar.Account
-		ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
-		if err != nil {
-			t.Fatal(err)
-		}
-		if ar.AccessToken != accessToken {
-			t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
-		}
-		// moving time forward to expire the current token
-		fixedTime := time.Now().Add(time.Duration(36001) * time.Second)
-		base.Now = func() time.Time {
-			return fixedTime
-		}
-		// calling the acquire token again
-		ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
-		if err != nil {
-			t.Fatal(err)
-		}
-		if ar.AccessToken != accessToken {
-			t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
-		}
+	client, err := New("common", WithAuthority(fmt.Sprintf(authorityFmt, lmo, "common")), WithHTTPClient(mockClient))
+	if err != nil {
+		t.Fatal(err)
 	}
+	// the auth flow isn't important, we just need to populate the cache
+	ar, err := client.AcquireTokenByAuthCode(context.Background(), "code", "https://localhost", tokenScope)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if ar.AccessToken != accessToken {
+		t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
+	}
+	account := ar.Account
+	ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if ar.AccessToken != accessToken {
+		t.Fatalf("expected %q, got %q", accessToken, ar.AccessToken)
+	}
+	// moving time forward to expire the current token
+	fixedTime := time.Now().Add(time.Duration(36001) * time.Second)
+	base.Now = func() time.Time {
+		return fixedTime
+	}
+	// calling the acquire token again
+	ar, err = client.AcquireTokenSilent(context.Background(), tokenScope, WithSilentAccount(account))
+	if err != nil {
+		t.Fatal(err)
+	}
+	if ar.AccessToken != "accessToken" {
+		t.Fatalf("expected %q, got %q", "accessToken", ar.AccessToken)
+	}
+
 }

Original file line number	Diff line number	Diff line change
`@@ -367,10 +367,17 @@ func (b Client) AcquireTokenSilent(ctx context.Context, silent AcquireTokenSilen`
`367`	`367`	`// If the token is not same, we don't need to refresh it.`
`368`	`368`	`// Which means it refreshed.`
`369`	`369`	`if str, err := m.Read(ctx, authParams); err == nil && str.AccessToken.Secret == ar.AccessToken {`
`370`		`- if silent.RequestType == accesstokens.ATConfidential {`
	`370`	`+ switch silent.RequestType {`
	`371`	`+ case accesstokens.ATConfidential:`
`371`	`372`	`if tr, er := b.Token.Credential(ctx, authParams, silent.Credential); er == nil {`
`372`	`373`	`return b.AuthResultFromToken(ctx, authParams, tr)`
`373`	`374`	`}`
	`375`	`+ case accesstokens.ATPublic:`
	`376`	`+ token, err := b.Token.Refresh(ctx, silent.RequestType, authParams, silent.Credential, storageTokenResponse.RefreshToken)`
	`377`	`+ if err != nil {`
	`378`	`+ return ar, err`
	`379`	`+ }`
	`380`	`+ return b.AuthResultFromToken(ctx, authParams, token)`
`374`	`381`	`}`
`375`	`382`	`}`
`376`	`383`	`}`