Merge Hotfix/1.7.44 (#1456)

antrix1989 · web-flow · commit f6048060f96b · 2024-12-19T16:56:26.000-08:00
* Add support of "lookup" mode in broker (#1450) * Add support of "lookup" mode in broker. * Fix tests. * modified: changelog.txt * Support web_page_uri. * modified: changelog.txt * Update changelog. * modified: changelog.txt
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
@@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) MSIDProviderType providerType;
 @property (nonatomic, nullable) NSString *oidcScope;
 @property (nonatomic, nullable) NSDictionary *extraQueryParameters;
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) BOOL instanceAware;
 @property (nonatomic, nullable) NSDictionary *enrollmentIds;
 @property (nonatomic, nullable) NSDictionary *mamResources;
@@ -48,6 +49,8 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
+@property (nonatomic) BOOL ignoreScopeValidation;
+
 
 + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
      withParameters:(MSIDRequestParameters *)parameters
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
@@ -66,6 +66,8 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
     request.skipValidateResultAccount = parameters.skipValidateResultAccount;
     request.forceRefresh = parameters.forceRefresh;
     request.platformSequence = parameters.platformSequence;
+    request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;
+    request.ignoreScopeValidation = parameters.ignoreScopeValidation;
     return YES;
 }
 
@@ -153,6 +155,7 @@ - (NSDictionary *)jsonDictionary
     json[MSID_CLIENT_SKU_KEY] = self.clientSku;
     json[MSID_SKIP_VALIDATE_RESULT_ACCOUNT_KEY] = [@(self.skipValidateResultAccount) stringValue];
     json[MSID_FORCE_REFRESH_KEY] = [@(self.forceRefresh) stringValue];
+    
     return json;
 }
 
diff --git a/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m b/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m
@@ -71,15 +71,15 @@ - (NSDictionary *)jsonDictionary
     }
     
     __auto_type accountJson = [NSMutableDictionary new];
-    accountJson[@"userName"] = tokenResponse.idTokenObj.username;
+    accountJson[@"userName"] = tokenResponse.accountUpn;
     accountJson[@"id"] = tokenResponse.accountIdentifier;
     
     response[@"account"] = accountJson;
     response[@"state"] = self.state;
     
     __auto_type propertiesJson = [NSMutableDictionary new];
     // TODO: once ests follow the latest protocol, this should be removed. Account ID should be read from accountJson.
-    propertiesJson[@"UPN"] = tokenResponse.idTokenObj.username;
+    propertiesJson[@"UPN"] = accountJson[@"userName"];
     response[@"properties"] = propertiesJson;
     
     return response;
diff --git a/IdentityCore/src/oauth2/MSIDOauth2Factory.m b/IdentityCore/src/oauth2/MSIDOauth2Factory.m
@@ -375,7 +375,7 @@ - (BOOL)fillAccount:(MSIDAccount *)account
        fromResponse:(MSIDTokenResponse *)response
       configuration:(MSIDConfiguration *)configuration
 {
-    NSString *homeAccountId = response.idTokenObj.userId;
+    NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier];
 
     if (!homeAccountId)
     {
diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.h b/IdentityCore/src/oauth2/MSIDTokenResponse.h
@@ -91,6 +91,8 @@
 
 @property (nonatomic, readonly, nullable) NSString *accountIdentifier;
 
+@property (nonatomic, readonly, nullable) NSString *accountUpn;
+
 - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json
                                    refreshToken:(nullable MSIDBaseToken<MSIDRefreshableToken> *)token
                                           error:(NSError * _Nullable __autoreleasing *_Nullable)error;
diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.m b/IdentityCore/src/oauth2/MSIDTokenResponse.m
@@ -131,6 +131,11 @@ - (NSString *)accountIdentifier
     return self.idTokenObj.uniqueId;
 }
 
+- (NSString *)accountUpn
+{
+    return self.idTokenObj.username;
+}
+
 #pragma mark - Protected
 
 - (MSIDIdTokenClaims *)tokenClaimsFromRawIdToken:(NSString *)rawIdToken error:(NSError *__autoreleasing*)error
diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h
@@ -37,6 +37,7 @@
 @property (nonatomic, nullable) MSIDClientInfo *clientInfo;
 @property (nonatomic, nullable) NSString *familyId;
 @property (nonatomic, nullable) NSString *suberror;
+/// UPN of the user.
 @property (nonatomic, nullable) NSString *additionalUserId;
 
 // Custom properties that ADAL/MSAL handles
diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m
@@ -79,6 +79,11 @@ - (NSString *)accountIdentifier
     return self.clientInfo.accountIdentifier;
 }
 
+- (NSString *)accountUpn
+{
+    return [super accountUpn] ?: self.additionalUserId;
+}
+
 #pragma mark - MSIDJsonSerializable
 
 - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing*)error
diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h
@@ -54,6 +54,7 @@
 @property (nonatomic) NSString *oidcScope;
 @property (nonatomic) MSIDAccountIdentifier *accountIdentifier;
 @property (nonatomic) BOOL validateAuthority;
+@property (nonatomic) BOOL ignoreScopeValidation;
 @property (nonatomic) NSString *nonce;
 @property (nonatomic) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
@@ -67,6 +68,8 @@
 @property (nonatomic) NSDictionary *extraTokenRequestParameters;
 // Additional URL query parameters that will be added to both token and authorize requests
 @property (nonatomic) NSDictionary *extraURLQueryParameters;
+// Currently used only in broker to enable/disable EQP filtering.
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) NSUInteger tokenExpirationBuffer;
 @property (nonatomic) BOOL extendedLifetimeEnabled;
 @property (nonatomic) BOOL instanceAware;
diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h
@@ -68,6 +68,7 @@
 - (BOOL)validateTokenResult:(nonnull MSIDTokenResult *)tokenResult
               configuration:(nonnull MSIDConfiguration *)configuration
                   oidcScope:(nullable NSString *)oidcScope
+             validateScopes:(BOOL)validateScopes
               correlationID:(nonnull NSUUID *)correlationID
                       error:(NSError * _Nullable __autoreleasing * _Nullable)error;
 
diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m
@@ -124,6 +124,7 @@ - (MSIDTokenResult *)createTokenResultFromResponse:(MSIDTokenResponse *)tokenRes
 - (BOOL)validateTokenResult:(__unused MSIDTokenResult *)tokenResult
               configuration:(__unused MSIDConfiguration *)configuration
                   oidcScope:(__unused NSString *)oidcScope
+             validateScopes:(__unused BOOL)validateScopes
               correlationID:(__unused NSUUID *)correlationID
                       error:(__unused NSError *__autoreleasing*)error
 {
@@ -224,6 +225,7 @@ - (MSIDTokenResult *)validateAndSaveBrokerResponse:(MSIDBrokerResponse *)brokerR
     BOOL resultValid = [self validateTokenResult:tokenResult
                                    configuration:configuration
                                        oidcScope:oidcScope
+                                  validateScopes:YES
                                    correlationID:correlationID
                                            error:error];
 
@@ -289,6 +291,7 @@ - (MSIDTokenResult *)validateAndSaveTokenResponse:(MSIDTokenResponse *)tokenResp
     BOOL resultValid = [self validateTokenResult:tokenResult
                                    configuration:parameters.msidConfiguration
                                        oidcScope:parameters.oidcScope
+                                  validateScopes:!parameters.ignoreScopeValidation
                                    correlationID:parameters.correlationId
                                            error:error];
 
diff --git a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m
@@ -37,6 +37,7 @@ @implementation MSIDLegacyTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
               configuration:(__unused MSIDConfiguration *)configuration
                   oidcScope:(__unused NSString *)oidcScope
+             validateScopes:(__unused BOOL)validateScopes
               correlationID:(NSUUID *)correlationID
                       error:(NSError *__autoreleasing*)error
 {
diff --git a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m
@@ -35,6 +35,7 @@ @implementation MSIDDefaultTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
               configuration:(MSIDConfiguration *)configuration
                   oidcScope:(NSString *)oidcScope
+             validateScopes:(BOOL)validateScopes
               correlationID:(NSUUID *)correlationID
                       error:(NSError *__autoreleasing*)error
 {
@@ -47,6 +48,8 @@ - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
     {
         return YES;
     }
+    
+    if (!validateScopes) return YES;
 
     NSOrderedSet *grantedScopes = tokenResult.accessToken.scopes;
     NSOrderedSet *normalizedGrantedScopes = grantedScopes.normalizedScopeSet;
diff --git a/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m
@@ -87,6 +87,7 @@ - (void)testValidateTokenResult_whenSomeScopesRejectedByServer_shouldReturnError
     [self.validator validateTokenResult:result
                           configuration:configuration
                               oidcScope:defaultOidcScope
+                         validateScopes:YES
                           correlationID:correlationID
                                   error:&error];
     
@@ -131,6 +132,7 @@ - (void)testValidateTokenResult_whenEmailScopesNotIncludedByServer_shouldReturnV
     BOOL validated = [self.validator validateTokenResult:result
                                            configuration:configuration
                                                oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                            correlationID:correlationID
                                                    error:&error];
     
@@ -171,6 +173,7 @@ - (void)testValidateTokenResult_whenEmailScopesIncludedByServer_shouldReturnVali
     BOOL validated = [self.validator validateTokenResult:result
                                            configuration:configuration
                                                oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                            correlationID:correlationID
                                                    error:&error];
     
@@ -206,6 +209,7 @@ - (void)testValidateTokenResult_whenWithValidResponse_shouldReturnValidResult
     BOOL validated = [self.validator validateTokenResult:result
                                         configuration:configuration
                                             oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                         correlationID:correlationID
                                                 error:&error];
     
diff --git a/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m
@@ -207,6 +207,7 @@ - (void)testValidateTokenResult_whenResultContainsAccount_shouldReturnNoError
     BOOL result = [self.validator validateTokenResult:testResult
                                         configuration:[MSIDConfiguration new]
                                             oidcScope:nil
+                                       validateScopes:YES
                                         correlationID:[NSUUID new]
                                                 error:&error];
     
diff --git a/changelog.txt b/changelog.txt
@@ -1,9 +1,16 @@
+Version 1.7.44
+* Merge 1.7.42-hotfix
+
 Version 1.7.43
 * Support web_page_uri #1440
 * Save error received from ESTS, and return it to the client on silent broker calls (#1438)
 * XPC CommonCore Minor change to support broker XPC changes (#1436)
 * Assign completion block before perform request (#1434)
 
+Version 1.7.42-hotfix
+* Add support of "lookup" mode in broker #1450
+* Support web_page_uri #1440
+
 Version 1.7.42
 * Support extra query parameters on signout (#1243)
 * Wrap ASAuthorizationProviderExtensionAuthorizationRequest methods (#1427)

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,8 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request`
`66`	`66`	`request.skipValidateResultAccount = parameters.skipValidateResultAccount;`
`67`	`67`	`request.forceRefresh = parameters.forceRefresh;`
`68`	`68`	`request.platformSequence = parameters.platformSequence;`
	`69`	`+ request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;`
	`70`	`+ request.ignoreScopeValidation = parameters.ignoreScopeValidation;`
`69`	`71`	`return YES;`
`70`	`72`	`}`
`71`	`73`
`@@ -153,6 +155,7 @@ - (NSDictionary *)jsonDictionary`
`153`	`155`	`json[MSID_CLIENT_SKU_KEY] = self.clientSku;`
`154`	`156`	`json[MSID_SKIP_VALIDATE_RESULT_ACCOUNT_KEY] = [@(self.skipValidateResultAccount) stringValue];`
`155`	`157`	`json[MSID_FORCE_REFRESH_KEY] = [@(self.forceRefresh) stringValue];`
	`158`	`+`
`156`	`159`	`return json;`
`157`	`160`	`}`
`158`	`161`
Original file line number	Diff line number	Diff line change
`@@ -375,7 +375,7 @@ - (BOOL)fillAccount:(MSIDAccount *)account`
`375`	`375`	`fromResponse:(MSIDTokenResponse *)response`
`376`	`376`	`configuration:(MSIDConfiguration *)configuration`
`377`	`377`	`{`
`378`		`- NSString *homeAccountId = response.idTokenObj.userId;`
	`378`	`+ NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier];`
`379`	`379`
`380`	`380`	`if (!homeAccountId)`
`381`	`381`	`{`
Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ @implementation MSIDLegacyTokenResponseValidator`
`37`	`37`	`- (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult`
`38`	`38`	`configuration:(__unused MSIDConfiguration *)configuration`
`39`	`39`	`oidcScope:(__unused NSString *)oidcScope`
	`40`	`+ validateScopes:(__unused BOOL)validateScopes`
`40`	`41`	`correlationID:(NSUUID *)correlationID`
`41`	`42`	`error:(NSError __autoreleasing)error`
`42`	`43`	`{`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ @implementation MSIDDefaultTokenResponseValidator`
`35`	`35`	`- (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult`
`36`	`36`	`configuration:(MSIDConfiguration *)configuration`
`37`	`37`	`oidcScope:(NSString *)oidcScope`
	`38`	`+ validateScopes:(BOOL)validateScopes`
`38`	`39`	`correlationID:(NSUUID *)correlationID`
`39`	`40`	`error:(NSError __autoreleasing)error`
`40`	`41`	`{`
`@@ -47,6 +48,8 @@ - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult`
`47`	`48`	`{`
`48`	`49`	`return YES;`
`49`	`50`	`}`
	`51`	`+`
	`52`	`+ if (!validateScopes) return YES;`
`50`	`53`
`51`	`54`	`NSOrderedSet *grantedScopes = tokenResult.accessToken.scopes;`
`52`	`55`	`NSOrderedSet *normalizedGrantedScopes = grantedScopes.normalizedScopeSet;`