From 9e61b67b61350686fc789213a2a07b2932ffd9e2 Mon Sep 17 00:00:00 2001
From: Sergei Demchenko
Date: Wed, 11 Dec 2024 14:30:08 -0800
Subject: [PATCH 1/3] Add support of "lookup" mode in broker (#1450)
* Add support of "lookup" mode in broker.
* Fix tests.
* modified: changelog.txt
---
 .../request/token_request/MSIDBrokerOperationTokenRequest.h | 3 +++
 .../request/token_request/MSIDBrokerOperationTokenRequest.m | 3 +++
 .../MSIDBrowserNativeMessageGetTokenResponse.m | 4 ++--
 IdentityCore/src/oauth2/MSIDOauth2Factory.m | 2 +-
 IdentityCore/src/oauth2/MSIDTokenResponse.h | 2 ++
 IdentityCore/src/oauth2/MSIDTokenResponse.m | 5 +++++
 IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h | 1 +
 IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m | 5 +++++
 IdentityCore/src/parameters/MSIDRequestParameters.h | 3 +++
 IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h | 1 +
 IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m | 3 +++
 .../src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m | 1 +
 .../requests/sdk/msal/MSIDDefaultTokenResponseValidator.m | 3 +++
 IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m | 4 ++++
 IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m | 1 +
 changelog.txt | 3 +++
 16 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
index adaf19afb..dfb37597f 100644
--- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
+++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
@@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) MSIDProviderType providerType;
 @property (nonatomic, nullable) NSString *oidcScope;
 @property (nonatomic, nullable) NSDictionary *extraQueryParameters;
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) BOOL instanceAware;
 @property (nonatomic, nullable) NSDictionary *enrollmentIds;
 @property (nonatomic, nullable) NSDictionary *mamResources;
@@ -47,6 +48,8 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
+@property (nonatomic) BOOL ignoreScopeValidation;
+
 + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
 withParameters:(MSIDRequestParameters *)parameters
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
index cca25f497..dce4d24fe 100644
--- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
+++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
@@ -65,6 +65,8 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
 request.skipValidateResultAccount = parameters.skipValidateResultAccount;
 request.forceRefresh = parameters.forceRefresh;
 request.platformSequence = parameters.platformSequence;
+ request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;
+ request.ignoreScopeValidation = parameters.ignoreScopeValidation;
 return YES;
 }
@@ -149,6 +151,7 @@ - (NSDictionary *)jsonDictionary
 json[MSID_CLIENT_SKU_KEY] = self.clientSku;
 json[MSID_SKIP_VALIDATE_RESULT_ACCOUNT_KEY] = [@(self.skipValidateResultAccount) stringValue];
 json[MSID_FORCE_REFRESH_KEY] = [@(self.forceRefresh) stringValue];
+
 return json;
 }
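Review bot: `fillRequest:withParameters:` now copies `allowAnyExtraURLQueryParameters` and `ignoreScopeValidation` onto the request, but the `jsonDictionary` hunk in the same file only adds a blank line and writes neither key, and `initWithJSONDictionary:error:` is not touched, so the two flags do not survive serialization of the request. If they are meant to reach the broker through the JSON payload, both sides need a key next to `MSID_FORCE_REFRESH_KEY`, e.g. `json[MSID_IGNORE_SCOPE_VALIDATION_KEY] = [@(self.ignoreScopeValidation) stringValue];` (constant name is a placeholder). If they are intentionally local to the client process, a comment on the two properties saying so would stop the next reader from assuming they are transmitted. Both methods start outside their hunks.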
diff --git a/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m b/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m
index 6d6020154..11c230562 100644
--- a/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m
+++ b/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m
@@ -71,7 +71,7 @@ - (NSDictionary *)jsonDictionary
 }
 __auto_type accountJson = [NSMutableDictionary new];
- accountJson[@"userName"] = tokenResponse.idTokenObj.username;
+ accountJson[@"userName"] = tokenResponse.accountUpn;
 accountJson[@"id"] = tokenResponse.accountIdentifier;
 response[@"account"] = accountJson;
@@ -79,7 +79,7 @@ - (NSDictionary *)jsonDictionary
 __auto_type propertiesJson = [NSMutableDictionary new];
 // TODO: once ests follow the latest protocol, this should be removed. Account ID should be read from accountJson.
- propertiesJson[@"UPN"] = tokenResponse.idTokenObj.username;
+ propertiesJson[@"UPN"] = accountJson[@"userName"];
 response[@"properties"] = propertiesJson;
 return response;
diff --git a/IdentityCore/src/oauth2/MSIDOauth2Factory.m b/IdentityCore/src/oauth2/MSIDOauth2Factory.m
index c630f6036..5a87870e0 100644
--- a/IdentityCore/src/oauth2/MSIDOauth2Factory.m
+++ b/IdentityCore/src/oauth2/MSIDOauth2Factory.m
@@ -375,7 +375,7 @@ - (BOOL)fillAccount:(MSIDAccount *)account
 fromResponse:(MSIDTokenResponse *)response
 configuration:(MSIDConfiguration *)configuration
 {
- NSString *homeAccountId = response.idTokenObj.userId;
+ NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier];
 if (!homeAccountId)
 {
diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.h b/IdentityCore/src/oauth2/MSIDTokenResponse.h
index f229c49e6..a45f0ae9a 100644
--- a/IdentityCore/src/oauth2/MSIDTokenResponse.h
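Review bot: The fallback in `fillAccount:fromResponse:configuration:` mixes dot syntax and bracket syntax in a single expression, `response.idTokenObj.userId ?: [response accountIdentifier]`; `accountIdentifier` is a property, so `response.idTokenObj.userId ?: response.accountIdentifier` matches the rest of the line. The name `homeAccountId` is now slightly misleading: for the base `MSIDTokenResponse`, `accountIdentifier` returns `idTokenObj.uniqueId`, and for the AAD subclass `clientInfo.accountIdentifier`, so which value lands here depends on the response class. A one-line comment stating the intended precedence (ID-token user id first, response account identifier when there is no ID token) would make that explicit. The method continues outside the hunk.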
+++ b/IdentityCore/src/oauth2/MSIDTokenResponse.h
@@ -91,6 +91,8 @@
 @property (nonatomic, readonly, nullable) NSString *accountIdentifier;
+@property (nonatomic, readonly, nullable) NSString *accountUpn;
+
 - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json
 refreshToken:(nullable MSIDBaseToken *)token
 error:(NSError * _Nullable __autoreleasing *_Nullable)error;
diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.m b/IdentityCore/src/oauth2/MSIDTokenResponse.m
index 3c17270e7..52c4fe814 100644
--- a/IdentityCore/src/oauth2/MSIDTokenResponse.m
+++ b/IdentityCore/src/oauth2/MSIDTokenResponse.m
@@ -131,6 +131,11 @@ - (NSString *)accountIdentifier
 return self.idTokenObj.uniqueId;
 }
+- (NSString *)accountUpn
+{
+ return self.idTokenObj.username;
+}
+
 #pragma mark - Protected
 - (MSIDIdTokenClaims *)tokenClaimsFromRawIdToken:(NSString *)rawIdToken error:(NSError *__autoreleasing*)error
diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h
index 1e9463aa9..31ee60eb0 100644
--- a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h
+++ b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h
@@ -37,6 +37,7 @@
 @property (nonatomic, nullable) MSIDClientInfo *clientInfo;
 @property (nonatomic, nullable) NSString *familyId;
 @property (nonatomic, nullable) NSString *suberror;
+/// UPN of the user.
 @property (nonatomic, nullable) NSString *additionalUserId;
 // Custom properties that ADAL/MSAL handles
diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m
index 0f6af0008..69670aedc 100644
--- a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m
+++ b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m
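Review bot: The new `accountUpn` property in `MSIDTokenResponse.h` has no doc comment, although the property touched in the same patch (`additionalUserId` in `MSIDAADTokenResponse.h`) gets one, and for a readonly value that a subclass overrides with a fallback the contract is worth stating at the declaration. Suggested header comment: `/// User principal name taken from the ID token; subclasses may fall back to other response fields when the ID token carries none.`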
@@ -79,6 +79,11 @@ - (NSString *)accountIdentifier
 return self.clientInfo.accountIdentifier;
 }
+- (NSString *)accountUpn
+{
+ return [super accountUpn] ?: self.additionalUserId;
+}
+
 #pragma mark - MSIDJsonSerializable
 - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing*)error
diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h
index 5eb29a1f6..e4eb0b280 100644
--- a/IdentityCore/src/parameters/MSIDRequestParameters.h
+++ b/IdentityCore/src/parameters/MSIDRequestParameters.h
@@ -53,6 +53,7 @@
 @property (nonatomic) NSString *oidcScope;
 @property (nonatomic) MSIDAccountIdentifier *accountIdentifier;
 @property (nonatomic) BOOL validateAuthority;
+@property (nonatomic) BOOL ignoreScopeValidation;
 @property (nonatomic) NSString *nonce;
 @property (nonatomic) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
@@ -66,6 +67,8 @@
 @property (nonatomic) NSDictionary *extraTokenRequestParameters;
 // Additional URL query parameters that will be added to both token and authorize requests
 @property (nonatomic) NSDictionary *extraURLQueryParameters;
+// Currently used only in broker to enable/disable EQP filtering.
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) NSUInteger tokenExpirationBuffer;
 @property (nonatomic) BOOL extendedLifetimeEnabled;
 @property (nonatomic) BOOL instanceAware;
diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h
index 4c7c53c76..10f495607 100644
--- a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h
+++ b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h
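Review bot: The `accountUpn` override in `MSIDAADTokenResponse` changes where the reported user name comes from without recording the precedence: the ID-token username wins and `additionalUserId` is consulted only when that is nil, yet neither this method nor the `/// UPN of the user.` comment added on `additionalUserId` says so. Since `MSIDBrowserNativeMessageGetTokenResponse` now emits this value as `userName` and `UPN`, a comment above the override such as `// Prefer the ID-token username; additionalUserId is the fallback for responses that carry no ID token.` would make the source of the reported identity explicit.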
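Review bot: `ignoreScopeValidation` in `MSIDRequestParameters.h` is added without a comment, unlike `allowAnyExtraURLQueryParameters` in the next hunk, and it is the one flag in this patch that switches a check off: through `validateScopes:!parameters.ignoreScopeValidation` it makes `MSIDDefaultTokenResponseValidator` return YES before the granted scopes are compared with the requested ones. A comment on the property stating what is skipped and that the default keeps the check, e.g. `// When YES, the scopes granted in the token response are not checked against the requested scopes. Default NO.`, makes that trade-off visible where callers set it. The negative name also reads awkwardly next to `validateAuthority`; worth aligning while the API is still new.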
@@ -68,6 +68,7 @@
 - (BOOL)validateTokenResult:(nonnull MSIDTokenResult *)tokenResult
 configuration:(nonnull MSIDConfiguration *)configuration
 oidcScope:(nullable NSString *)oidcScope
+ validateScopes:(BOOL)validateScopes
 correlationID:(nonnull NSUUID *)correlationID
 error:(NSError * _Nullable __autoreleasing * _Nullable)error;
diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m
index 1c260e395..622aa6de8 100644
--- a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m
+++ b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m
@@ -124,6 +124,7 @@ - (MSIDTokenResult *)createTokenResultFromResponse:(MSIDTokenResponse *)tokenRes
 - (BOOL)validateTokenResult:(__unused MSIDTokenResult *)tokenResult
 configuration:(__unused MSIDConfiguration *)configuration
 oidcScope:(__unused NSString *)oidcScope
+ validateScopes:(__unused BOOL)validateScopes
 correlationID:(__unused NSUUID *)correlationID
 error:(__unused NSError *__autoreleasing*)error
 {
@@ -224,6 +225,7 @@ - (MSIDTokenResult *)validateAndSaveBrokerResponse:(MSIDBrokerResponse *)brokerR
 BOOL resultValid = [self validateTokenResult:tokenResult
 configuration:configuration
 oidcScope:oidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:error];
@@ -289,6 +291,7 @@ - (MSIDTokenResult *)validateAndSaveTokenResponse:(MSIDTokenResponse *)tokenResp
 BOOL resultValid = [self validateTokenResult:tokenResult
 configuration:parameters.msidConfiguration
 oidcScope:parameters.oidcScope
+ validateScopes:!parameters.ignoreScopeValidation
 correlationID:parameters.correlationId
 error:error];
diff --git a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m
index 9940c4f82..9c9b21088 100644
--- a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m
+++ b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m
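Review bot: The new `validateScopes:` argument on `validateTokenResult:…` is undocumented in `MSIDTokenResponseValidator.h`, and its effect differs by subclass: the base and legacy implementations mark it `__unused`, only `MSIDDefaultTokenResponseValidator` acts on it. A parameter note on the declaration such as `/// validateScopes: when NO, implementations that compare granted scopes with the request skip that comparison; other implementations ignore it.` would save readers a trip through three .m files.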
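Review bot: `validateAndSaveBrokerResponse:` passes a hard-coded `validateScopes:YES` while `validateAndSaveTokenResponse:` passes `!parameters.ignoreScopeValidation`, so a request that opted out of scope validation is still validated when its result comes back through the broker path. If that is intended (the broker applied the relaxed check on its own side), a comment at the `YES` such as `// Broker results are always scope-checked here; ignoreScopeValidation applies only to direct token responses.` would stop someone from "fixing" it later; if it is not intended, the broker path needs access to the same flag. Both enclosing methods start and end outside the hunks.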
@@ -37,6 +37,7 @@ @implementation MSIDLegacyTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
 configuration:(__unused MSIDConfiguration *)configuration
 oidcScope:(__unused NSString *)oidcScope
+ validateScopes:(__unused BOOL)validateScopes
 correlationID:(NSUUID *)correlationID
 error:(NSError *__autoreleasing*)error
 {
diff --git a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m
index 41ebca0cc..96a795b12 100644
--- a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m
+++ b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m
@@ -35,6 +35,7 @@ @implementation MSIDDefaultTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
 configuration:(MSIDConfiguration *)configuration
 oidcScope:(NSString *)oidcScope
+ validateScopes:(BOOL)validateScopes
 correlationID:(NSUUID *)correlationID
 error:(NSError *__autoreleasing*)error
 {
@@ -47,6 +48,8 @@ - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
 {
 return YES;
 }
+
+ if (!validateScopes) return YES;
 NSOrderedSet *grantedScopes = tokenResult.accessToken.scopes;
 NSOrderedSet *normalizedGrantedScopes = grantedScopes.normalizedScopeSet;
diff --git a/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m
index 995c1c67c..337ecb4a9 100644
--- a/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m
+++ b/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m
@@ -87,6 +87,7 @@ - (void)testValidateTokenResult_whenSomeScopesRejectedByServer_shouldReturnError
 [self.validator validateTokenResult:result
 configuration:configuration
 oidcScope:defaultOidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:&error];
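Review bot: The early return `if (!validateScopes) return YES;` in `MSIDDefaultTokenResponseValidator` is a one-liner while the block directly above it uses the braced form (`{ return YES; }`), and it carries no explanation of why the scope comparison may be skipped. Bracing it to match the file and preceding it with `// Caller opted out of scope validation (ignoreScopeValidation): the token is accepted with whatever scopes were granted.` keeps the style uniform and records the intent. The method continues outside the hunk, so anything placed after the scope comparison is bypassed as well; worth confirming that is meant.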
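Review bot: Every updated call site in `MSIDDefaultTokenResponseValidatorTests.m` passes `validateScopes:YES`, so the new `NO` branch of `MSIDDefaultTokenResponseValidator` (returning YES before the scope comparison) has no test, and neither does the `validateScopes:!parameters.ignoreScopeValidation` wiring in `validateAndSaveTokenResponse:`. A variant of `testValidateTokenResult_whenSomeScopesRejectedByServer_shouldReturnError` that passes `validateScopes:NO` and asserts a valid result with no error would pin the relaxed behaviour; the same applies to the three hunks of this file further down.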
@@ -131,6 +132,7 @@ - (void)testValidateTokenResult_whenEmailScopesNotIncludedByServer_shouldReturnV
 BOOL validated = [self.validator validateTokenResult:result
 configuration:configuration
 oidcScope:defaultOidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:&error];
@@ -171,6 +173,7 @@ - (void)testValidateTokenResult_whenEmailScopesIncludedByServer_shouldReturnVali
 BOOL validated = [self.validator validateTokenResult:result
 configuration:configuration
 oidcScope:defaultOidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:&error];
@@ -206,6 +209,7 @@ - (void)testValidateTokenResult_whenWithValidResponse_shouldReturnValidResult
 BOOL validated = [self.validator validateTokenResult:result
 configuration:configuration
 oidcScope:defaultOidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:&error];
diff --git a/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m
index c6ae18042..e1c15a710 100644
--- a/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m
+++ b/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m
@@ -207,6 +207,7 @@ - (void)testValidateTokenResult_whenResultContainsAccount_shouldReturnNoError
 BOOL result = [self.validator validateTokenResult:testResult
 configuration:[MSIDConfiguration new]
 oidcScope:nil
+ validateScopes:YES
 correlationID:[NSUUID new]
 error:&error];
diff --git a/changelog.txt b/changelog.txt
index 8e3e17bf9..c1f37bf26 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,3 +1,6 @@
+Version 1.7.42-hotfix
+* Add support of "lookup" mode in broker #1450
+
 Version 1.7.42
 * Support extra query parameters on signout (#1243)
 * Wrap ASAuthorizationProviderExtensionAuthorizationRequest methods (#1427)
From d0b8cf8c06e595fc125621b16883af9fb1882344 Mon Sep 17 00:00:00 2001
From: Sergey Demchenko
Date: Thu, 7 Nov 2024 15:51:58 -0800
Subject: [PATCH 2/3] Support web_page_uri.
---
 .../request/token_request/MSIDBrokerOperationTokenRequest.h | 1 +
 .../request/token_request/MSIDBrokerOperationTokenRequest.m | 4 ++++
 IdentityCore/src/parameters/MSIDRequestParameters.h | 1 +
 3 files changed, 6 insertions(+)
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
index dfb37597f..d4dc1198c 100644
--- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
+++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
@@ -44,6 +44,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) MSIDClaimsRequest *claimsRequest;
 @property (nonatomic) NSDate *requestSentDate;
 @property (nonatomic) NSString *nonce;
+@property (nonatomic) NSString *webPageUri;
 @property (nonatomic, nullable) NSString *accountHomeTenantId;
 @property (nonatomic, nullable) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
index dce4d24fe..ea0f98fe0 100644
--- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
+++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
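Review bot: `webPageUri` is declared inside the `NS_ASSUME_NONNULL_BEGIN` region without `nullable`, but the `.m` hunk in this patch fills it from `[json msidStringObjectForKey:@"web_page_uri"]`, which yields nil when the key is absent, and `fillRequest:withParameters:` copies it from a plain `MSIDRequestParameters` property that nothing shown guarantees is set. Unless the broker contract requires the value on every request, `@property (nonatomic, nullable) NSString *webPageUri;` reflects the field's actual lifetime and matches the neighbouring optional strings such as `accountHomeTenantId`.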
@@ -61,6 +61,7 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
 request.claimsRequest = parameters.claimsRequest;
 request.requestSentDate = requestSentDate;
 request.nonce = parameters.nonce;
+ request.webPageUri = parameters.webPageUri;
 request.clientSku = parameters.clientSku;
 request.skipValidateResultAccount = parameters.skipValidateResultAccount;
 request.forceRefresh = parameters.forceRefresh;
@@ -81,6 +82,8 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__au
 _configuration = [[MSIDConfiguration alloc] initWithJSONDictionary:json error:error];
 if (!_configuration) return nil;
+ _webPageUri = [json msidStringObjectForKey:@"web_page_uri"];
+
 _providerType = MSIDProviderTypeFromString([json msidStringObjectForKey:MSID_PROVIDER_TYPE_JSON_KEY]);
 _oidcScope = [json msidStringObjectForKey:MSID_BROKER_EXTRA_OIDC_SCOPES_KEY];
@@ -137,6 +140,7 @@ - (NSDictionary *)jsonDictionary
 }
 [json addEntriesFromDictionary:configurationJson];
+ json[@"web_page_uri"] = self.webPageUri;
 json[MSID_PROVIDER_TYPE_JSON_KEY] = MSIDProviderTypeToString(self.providerType);
 json[MSID_BROKER_EXTRA_OIDC_SCOPES_KEY] = self.oidcScope;
 json[MSID_BROKER_EXTRA_QUERY_PARAM_KEY] = [self.extraQueryParameters msidWWWFormURLEncode];
diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h
index e4eb0b280..93425a3a5 100644
--- a/IdentityCore/src/parameters/MSIDRequestParameters.h
+++ b/IdentityCore/src/parameters/MSIDRequestParameters.h
@@ -48,6 +48,7 @@
 @property (nonatomic) MSIDAuthority *providedAuthority;
 @property (nonatomic) MSIDAuthority *cloudAuthority;
 @property (nonatomic) NSString *redirectUri;
+@property (nonatomic) NSString *webPageUri;
 @property (nonatomic) NSString *clientId;
 @property (nonatomic) NSString *target;
 @property (nonatomic) NSString *oidcScope;
From b7df792acd1dbacac5bacb7edb5996eb30a25001 Mon Sep 17 00:00:00 2001
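Review bot: The JSON key `@"web_page_uri"` is spelled out as a string literal twice, once in `initWithJSONDictionary:error:` and once in `jsonDictionary`, while every neighbouring key in both hunks goes through a `MSID_*_KEY` constant; a single constant (name to be chosen to match the file's existing ones) keeps the reader and writer from drifting apart. The value is also taken from the incoming JSON as-is; if the receiving side uses it as a navigation target, a comment here noting that the consumer is expected to parse it with `NSURL` and reject unexpected schemes would record where that responsibility sits. `fillRequest:withParameters:`, the initializer and `jsonDictionary` all start and end outside the hunks.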
From: Sergey Demchenko
Date: Wed, 11 Dec 2024 15:28:16 -0800
Subject: [PATCH 3/3] modified: changelog.txt
---
 changelog.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/changelog.txt b/changelog.txt
index c1f37bf26..7c5e4e600 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,5 +1,6 @@
 Version 1.7.42-hotfix
 * Add support of "lookup" mode in broker #1450
+* Support web_page_uri #1440
 Version 1.7.42
 * Support extra query parameters on signout (#1243)