
Use single FRT #1470


Merged
merged 27 commits into from
Apr 23, 2025

juan-arias
Member

Proposed changes

Update the use of family refresh tokens, and instead use a single family refresh token.

Type of change

  • Feature work
  • Bug fix
  • Documentation
  • Engineering change
  • Test
  • Logging/Telemetry

Risk

  • High – Errors could cause MAJOR regression of many scenarios. (Example: new large features or high level infrastructure changes)
  • Medium – Errors could cause regression of 1 or more scenarios. (Example: somewhat complex bug fixes, small new features)
  • Small – No issues are expected. (Example: Very small bug fixes, string changes, or configuration settings changes)

Additional information

@juan-arias juan-arias marked this pull request as ready for review March 20, 2025 21:20
@juan-arias juan-arias requested a review from a team as a code owner March 20, 2025 21:20
@@ -60,6 +62,11 @@
NSString *const MSID_THROTTLING_METADATA_KEYCHAIN = @"com.microsoft.identity.throttling.metadata";
NSString *const MSID_THROTTLING_METADATA_KEYCHAIN_VERSION = @"Ver1";

NSString *const MSID_USE_SINGLE_FRT_KEYCHAIN = @"useSingleFRT";
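
Review bot: The key string on the `MSID_USE_SINGLE_FRT_KEYCHAIN` line, `@"useSingleFRT"`, is not namespaced the way the neighbouring `com.microsoft.identity.throttling.metadata` key is, and it has no version constant beside it. If it identifies a stored item in the same way, consider a `com.microsoft.identity.`-style prefix plus a short comment stating what value is stored under it and which components are expected to read it, so the flag cannot collide with another entry and its format can be changed later.
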
Contributor

nit: can we also update "buttler" app to read this new keychain?

Member Author

Yes, I will update it

@@ -241,7 +275,21 @@ - (MSIDRefreshToken *)getRefreshableTokenWithAccount:(MSIDAccountIdentifier *)ac

if (refreshToken)
{
MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, context, @"(Default accessor) Found %@refresh token by home account id", credentialType == MSIDPrimaryRefreshTokenType ? @"primary " : @"");
NSString *credentialTypeString = nil;
if (credentialType == MSIDPrimaryRefreshTokenType)
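
Review bot: `credentialTypeString` is initialised to `nil` and the visible lines show a branch only for `MSIDPrimaryRefreshTokenType`, so any credential type that no branch assigns would be logged as `(null)`. Consider producing the string from a single helper that covers every credential type instead of branching at the call site, and keep this log statement limited to the type name.
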
Contributor

can we read this directly from refreshToken? i.e:

[refreshToken credentialTypeString]

We will be able to reuse it in other places too.

Member Author

Updated with existing method [MSIDCredentialTypeHelpers credentialTypeAsString:credentialType]

Contributor

@kaisong1990 kaisong1990 left a comment

Hi @juan-arias, is there a rollout plan and can we make sure the single FRT is on when running MSAL and Broker automations?

@kaisong1990
Contributor

Please double check by having this feature on and running against the automation pipeline

… use method from MSIDAccountCredentialCache instead. Update usage and tests.
@juan-arias
Member Author

MSAL C++ errors are happening because of the new enum MSIDFamilyRefreshTokenType, I've let them know about this.

@juan-arias juan-arias merged commit 4e4b19a into dev Apr 23, 2025
16 of 18 checks passed
3 participants