diff --git a/IdentityCore/IdentityCore.xcodeproj/project.pbxproj b/IdentityCore/IdentityCore.xcodeproj/project.pbxproj index 06478fc05..cc502b57f 100644 --- a/IdentityCore/IdentityCore.xcodeproj/project.pbxproj +++ b/IdentityCore/IdentityCore.xcodeproj/project.pbxproj @@ -1772,6 +1772,9 @@ B41163B929BAC9BF00E64619 /* MSIDWKNavigationActionMock.m in Sources */ = {isa = PBXBuildFile; fileRef = B41163B829BAC9BF00E64619 /* MSIDWKNavigationActionMock.m */; }; B41163BA29BAC9BF00E64619 /* MSIDWKNavigationActionMock.m in Sources */ = {isa = PBXBuildFile; fileRef = B41163B829BAC9BF00E64619 /* MSIDWKNavigationActionMock.m */; }; B41163BC29BAC9EE00E64619 /* MSIDWKNavigationActionMock.h in Headers */ = {isa = PBXBuildFile; fileRef = B41163BB29BAC9DE00E64619 /* MSIDWKNavigationActionMock.h */; }; + B42C16012CE7E54800553316 /* MSIDFamilyRefreshToken.h in Headers */ = {isa = PBXBuildFile; fileRef = B42C16002CE7E53800553316 /* MSIDFamilyRefreshToken.h */; }; + B42C16032CE7E55200553316 /* MSIDFamilyRefreshToken.m in Sources */ = {isa = PBXBuildFile; fileRef = B42C16022CE7E54C00553316 /* MSIDFamilyRefreshToken.m */; }; + B42C16042CE7E55200553316 /* MSIDFamilyRefreshToken.m in Sources */ = {isa = PBXBuildFile; fileRef = B42C16022CE7E54C00553316 /* MSIDFamilyRefreshToken.m */; }; B431B5232AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B431B5222AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m */; }; B431B5242AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B431B5222AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m */; }; B431B5262AF05B3F0020CD3D /* MSIDBrokerOperationPasskeyCredentialRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B431B5252AF05B3F0020CD3D /* MSIDBrokerOperationPasskeyCredentialRequestTests.m */; }; @@ -3236,6 +3239,8 @@ B41163B529BAC20000E64619 /* MSIDAADOAuthEmbeddedWebviewControllerTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDAADOAuthEmbeddedWebviewControllerTests.m; sourceTree = ""; }; B41163B829BAC9BF00E64619 /* MSIDWKNavigationActionMock.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDWKNavigationActionMock.m; sourceTree = ""; }; B41163BB29BAC9DE00E64619 /* MSIDWKNavigationActionMock.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDWKNavigationActionMock.h; sourceTree = ""; }; + B42C16002CE7E53800553316 /* MSIDFamilyRefreshToken.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDFamilyRefreshToken.h; sourceTree = ""; }; + B42C16022CE7E54C00553316 /* MSIDFamilyRefreshToken.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDFamilyRefreshToken.m; sourceTree = ""; }; B431B5222AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBrokerOperationPasskeyAssertionRequestTests.m; sourceTree = ""; }; B431B5252AF05B3F0020CD3D /* MSIDBrokerOperationPasskeyCredentialRequestTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBrokerOperationPasskeyCredentialRequestTests.m; sourceTree = ""; }; B431B5282AF05C890020CD3D /* MSIDBrokerOperationGetPasskeyAssertionResponseTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBrokerOperationGetPasskeyAssertionResponseTests.m; sourceTree = ""; }; @@ -4802,6 +4807,8 @@ B2DD4B2520A7D67C0047A66E /* MSIDLegacyRefreshToken.m */, 60F7BE8921DA4DFC00F1BBA1 /* MSIDPrimaryRefreshToken.h */, 60F7BE8A21DA4E2900F1BBA1 /* MSIDPrimaryRefreshToken.m */, + B42C16002CE7E53800553316 /* MSIDFamilyRefreshToken.h */, + B42C16022CE7E54C00553316 /* MSIDFamilyRefreshToken.m */, ); path = token; sourceTree = ""; @@ -6265,6 +6272,7 @@ B2C7089221991CED00D917B8 /* MSIDAADV1BrokerResponse.h in Headers */, 239E3BBE23E1004F00F7A50A /* MSIDClientSDKType.h in Headers */, B286B9822389DC13007833AD /* MSIDBrokerOperationInteractiveTokenRequest.h in Headers */, + B42C16012CE7E54800553316 /* MSIDFamilyRefreshToken.h in Headers */, B2C708B1219A615100D917B8 /* MSIDLegacyBrokerResponseHandler.h in Headers */, B286B9BC2389DDF3007833AD /* MSIDAADAuthorityValidationRequest.h in Headers */, B2936F8720AD17370050C585 /* MSIDOauth2Factory+Internal.h in Headers */, @@ -7160,6 +7168,7 @@ B214C3A51FE855290070C4F2 /* MSIDDefaultTokenCacheAccessor.m in Sources */, 60F7BEA321DA69A000F1BBA1 /* MSIDPrimaryRefreshToken.m in Sources */, D62600141FBD380500EE4487 /* NSString+MSIDExtensions.m in Sources */, + B42C16032CE7E55200553316 /* MSIDFamilyRefreshToken.m in Sources */, B210F4331FDDE7EB005A8F76 /* MSIDTokenResponse.m in Sources */, B2964BE3205103920000BC95 /* MSIDTokenFilteringHelper.m in Sources */, B210F4391FDDEA23005A8F76 /* MSIDAADV1TokenResponse.m in Sources */, @@ -8051,6 +8060,7 @@ 239222B5243D3791009736C4 /* MSIDCurrentRequestTelemetry.m in Sources */, B23ECEEB1FF2F56A0015FC1D /* MSIDAADTokenResponse.m in Sources */, B28D90AB218FD1F800E230D6 /* MSIDDefaultTokenResponseValidator.m in Sources */, + B42C16042CE7E55200553316 /* MSIDFamilyRefreshToken.m in Sources */, 23985AB42391BA1100942308 /* MSIDTokenResponseHandler.m in Sources */, B28BDA80217E964B003E5670 /* MSIDB2CTokenResponse.m in Sources */, 600D19BC20964D8C0004CD43 /* MSIDWorkPlaceJoinUtil.m in Sources */, diff --git a/IdentityCore/src/MSIDBasicContext.h b/IdentityCore/src/MSIDBasicContext.h index 3a50bfc8b..419a280fc 100644 --- a/IdentityCore/src/MSIDBasicContext.h +++ b/IdentityCore/src/MSIDBasicContext.h @@ -32,6 +32,7 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, nullable) NSString *logComponent; @property (nonatomic, nullable) NSString *telemetryRequestId; @property (nonatomic, nullable) NSDictionary *appRequestMetadata; +@property (nonatomic) BOOL disableFRT; @end diff --git a/IdentityCore/src/MSIDConstants.h b/IdentityCore/src/MSIDConstants.h index e8ece2b60..ab9630bd6 100644 --- a/IdentityCore/src/MSIDConstants.h +++ b/IdentityCore/src/MSIDConstants.h @@ -122,6 +122,8 @@ extern NSString * _Nonnull const MSID_DEVICE_MODEL_KEY;//E.g. iPhone 5S extern NSString * _Nonnull const MSID_APP_NAME_KEY; extern NSString * _Nonnull const MSID_APP_VER_KEY; extern NSString * _Nonnull const MSID_CCS_HINT_KEY; +extern NSString * _Nonnull const MSID_WEBAUTH_IGNORE_SSO_KEY; +extern NSString * _Nonnull const MSID_WEBAUTH_REFRESH_TOKEN_KEY; extern NSString * _Nonnull const MSID_DEFAULT_FAMILY_ID; extern NSString * _Nonnull const MSID_ADAL_SDK_NAME; @@ -149,6 +151,9 @@ extern NSString * _Nonnull const MSID_POP_TOKEN_KEY_LABEL; extern NSString * _Nonnull const MSID_THROTTLING_METADATA_KEYCHAIN; extern NSString * _Nonnull const MSID_THROTTLING_METADATA_KEYCHAIN_VERSION; +extern NSString * _Nonnull const MSID_USE_SINGLE_FRT_KEYCHAIN; +extern NSString * _Nonnull const MSID_USE_SINGLE_FRT_KEY; + extern NSString * _Nonnull const MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY; extern NSString * _Nonnull const MSID_PREFERRED_AUTH_METHOD_KEY; @@ -171,6 +176,30 @@ typedef NS_ENUM(NSInteger, MSIDPlatformSequenceIndex) MSIDPlatformSequenceIndexLast = MSIDPlatformSequenceIndexBrowserCore, }; +typedef NS_ENUM(NSInteger, MSIDIsFRTEnabledStatus) +{ + // FRT has not been explicitly enabled with keychain item + MSIDIsFRTEnabledStatusNotEnabled = 0, + + // FRT is enabled + MSIDIsFRTEnabledStatusEnabled, + + // Client app has disabled FRT through MSIDRequestParameters or was disabled previuosly by keychain item + MSIDIsFRTEnabledStatusDisabledByClientApp, + + // There was an error reading keychain item + MSIDIsFRTEnabledStatusDisabledByKeychainError, + + // There was an error deserializing keychain item + MSIDIsFRTEnabledStatusDisabledByDeserializationError, + + // FRT has been disabled with keychain item + MSIDIsFRTEnabledStatusDisabledByKeychainItem +}; + +extern NSString * _Nonnull const MSID_FRT_STATUS_ENABLED; +extern NSString * _Nonnull const MSID_FRT_STATUS_DISABLED; + extern NSString * _Nonnull const MSID_BROWSER_RESPONSE_SWITCH_BROWSER; extern NSString * _Nonnull const MSID_BROWSER_RESPONSE_SWITCH_BROWSER_RESUME; diff --git a/IdentityCore/src/MSIDConstants.m b/IdentityCore/src/MSIDConstants.m index 5564e4de0..f6ecd15a1 100644 --- a/IdentityCore/src/MSIDConstants.m +++ b/IdentityCore/src/MSIDConstants.m @@ -33,6 +33,8 @@ NSString *const MSID_APP_NAME_KEY = @"x-app-name"; NSString *const MSID_APP_VER_KEY = @"x-app-ver"; NSString *const MSID_CCS_HINT_KEY = @"X-AnchorMailbox"; +NSString *const MSID_WEBAUTH_IGNORE_SSO_KEY = @"x-ms-sso-Ignore-SSO"; +NSString *const MSID_WEBAUTH_REFRESH_TOKEN_KEY = @"x-ms-sso-RefreshToken"; NSString *const MSID_DEFAULT_FAMILY_ID = @"1"; NSString *const MSID_ADAL_SDK_NAME = @"adal-objc"; @@ -60,6 +62,11 @@ NSString *const MSID_THROTTLING_METADATA_KEYCHAIN = @"com.microsoft.identity.throttling.metadata"; NSString *const MSID_THROTTLING_METADATA_KEYCHAIN_VERSION = @"Ver1"; +NSString *const MSID_USE_SINGLE_FRT_KEYCHAIN = @"useSingleFRT"; +NSString *const MSID_USE_SINGLE_FRT_KEY = @"use_single_frt"; +NSString *const MSID_FRT_STATUS_ENABLED = @"on"; +NSString *const MSID_FRT_STATUS_DISABLED = @"off"; + NSString *const MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY = @"SHARED_MODE_CURRENT_ACCOUNT_CHANGED"; NSString *const MSID_PREFERRED_AUTH_METHOD_KEY = @"pc"; diff --git a/IdentityCore/src/MSIDOAuth2Constants.h b/IdentityCore/src/MSIDOAuth2Constants.h index 96717b047..78e0c4483 100644 --- a/IdentityCore/src/MSIDOAuth2Constants.h +++ b/IdentityCore/src/MSIDOAuth2Constants.h @@ -156,6 +156,7 @@ extern NSString *const MSID_LEGACY_TOKEN_CACHE_TYPE; extern NSString *const MSID_ID_TOKEN_CACHE_TYPE; extern NSString *const MSID_LEGACY_ID_TOKEN_CACHE_TYPE; extern NSString *const MSID_PRT_TOKEN_CACHE_TYPE; +extern NSString *const MSID_FRT_TOKEN_CACHE_TYPE; extern NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE; extern NSString *const MSID_GENERAL_CACHE_ITEM_TYPE; extern NSString *const MSID_APP_METADATA_CACHE_TYPE; diff --git a/IdentityCore/src/MSIDOAuth2Constants.m b/IdentityCore/src/MSIDOAuth2Constants.m index d33e8d95c..0204fdfe4 100644 --- a/IdentityCore/src/MSIDOAuth2Constants.m +++ b/IdentityCore/src/MSIDOAuth2Constants.m @@ -150,6 +150,7 @@ NSString *const MSID_ID_TOKEN_CACHE_TYPE = @"IdToken"; NSString *const MSID_LEGACY_ID_TOKEN_CACHE_TYPE = @"V1IdToken"; NSString *const MSID_PRT_TOKEN_CACHE_TYPE = @"PrimaryRefreshToken"; +NSString *const MSID_FRT_TOKEN_CACHE_TYPE = @"FamilyRefreshToken"; NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE = @"token"; NSString *const MSID_GENERAL_CACHE_ITEM_TYPE = @"general_cache_item"; NSString *const MSID_APP_METADATA_CACHE_TYPE = @"appmetadata"; diff --git a/IdentityCore/src/MSIDRequestContext.h b/IdentityCore/src/MSIDRequestContext.h index f10a19b10..15aec7be5 100644 --- a/IdentityCore/src/MSIDRequestContext.h +++ b/IdentityCore/src/MSIDRequestContext.h @@ -29,5 +29,10 @@ - (NSString *)logComponent; - (NSString *)telemetryRequestId; - (NSDictionary *)appRequestMetadata; +/** + Temporal property to disable Family Refresh Token. This will be removed in future, added to allow 1P apps to disable this feature themselves. + Enabled by default, also configured to be enabled/disabled remotely by Microsoft. + */ +@property (nonatomic, readwrite) BOOL disableFRT; @end diff --git a/IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.h b/IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.h index d7d55ffe6..81a310d18 100644 --- a/IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.h +++ b/IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.h @@ -25,6 +25,7 @@ #import "MSIDCredentialType.h" #import "MSIDAccountType.h" #import "MSIDExtendedTokenCacheDataSource.h" +#import "MSIDConstants.h" @class MSIDAccountCacheItem; @class MSIDAppMetadataCacheItem; @@ -34,6 +35,7 @@ @class MSIDDefaultAccountCacheQuery; @class MSIDDefaultCredentialCacheKey; @class MSIDDefaultCredentialCacheQuery; +@class MSIDConfiguration; @protocol MSIDRequestContext; @protocol MSIDExtendedTokenCacheDataSource; @@ -193,4 +195,10 @@ context:(nullable id)context error:(NSError * _Nullable __autoreleasing * _Nullable)error; +/* + Check if support FRT has been enabled + */ +- (MSIDIsFRTEnabledStatus)checkFRTEnabled:(nullable id)context + error:(NSError * _Nullable __autoreleasing * _Nullable)error; + @end diff --git a/IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.m b/IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.m index ed4e5a20f..8c9a605c3 100644 --- a/IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.m +++ b/IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.m @@ -36,6 +36,10 @@ #import "MSIDAppMetadataCacheKey.h" #import "MSIDAppMetadataCacheQuery.h" #import "MSIDExtendedTokenCacheDataSource.h" +#import "MSIDConfiguration.h" +#import "MSIDConstants.h" +#import "MSIDJsonObject.h" +#import "MSIDFlightManager.h" @interface MSIDAccountCredentialCache() { @@ -382,7 +386,7 @@ - (BOOL)removeCredential:(nonnull MSIDCredentialCacheItem *)credential BOOL result = [_dataSource removeTokensWithKey:key context:context error:error]; - if (result && credential.credentialType == MSIDRefreshTokenType) + if (result && (credential.credentialType == MSIDRefreshTokenType || credential.credentialType == MSIDFamilyRefreshTokenType)) { [_dataSource saveWipeInfoWithContext:context error:nil]; } @@ -556,4 +560,183 @@ - (BOOL)removeAppMetadata:(nonnull MSIDAppMetadataCacheItem *)appMetadata return cacheItems; } +- (MSIDIsFRTEnabledStatus)checkFRTEnabled:(nullable id)context + error:(NSError * _Nullable __autoreleasing * _Nullable)error +{ + // This block will be used to check feature flags and update FRT settings if needed, depending on the current status + // of the keychain item, avoiding an unnecessary read or update if status is the same + MSIDIsFRTEnabledStatus (^checkFeatureFlagsAndReturn)(MSIDIsFRTEnabledStatus) = ^MSIDIsFRTEnabledStatus(MSIDIsFRTEnabledStatus status) + { + + // Check if FRT is enabled by feature flight, possible values: + // - MSID_FRT_STATUS_ENABLED => "on": FRT will be enabled + // - MSID_FRT_STATUS_DISABLED => "off": FRT will be disabled + // - nil, empty or any other value: no change to FRT + MSIDFlightManager *flightManager = [MSIDFlightManager sharedInstance]; + NSString *flagEnableFRT = [flightManager stringForKey:MSID_FLIGHT_CLIENT_SFRT_STATUS]; + BOOL shouldEnableFRT = [MSID_FRT_STATUS_ENABLED isEqualToString:flagEnableFRT]; + BOOL shouldDisableFRT = [MSID_FRT_STATUS_DISABLED isEqualToString:flagEnableFRT]; + + if ([NSString msidIsStringNilOrBlank:flagEnableFRT] || (!shouldEnableFRT && !shouldDisableFRT)) + { + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"FRT flight set to keep current status: %ld", (long)status); + return status; + } + MSIDIsFRTEnabledStatus newStatus = status; + NSError *updateError = nil; + + switch (status) + { + // No entry in cache + case MSIDIsFRTEnabledStatusNotEnabled: + if (shouldEnableFRT) + { + [self updateFRTSettings:YES context:context error:&updateError]; + newStatus = MSIDIsFRTEnabledStatusEnabled; + } + break; + + // Deserialization error, try to enable/disable if needed + case MSIDIsFRTEnabledStatusDisabledByDeserializationError: + if (shouldEnableFRT) + { + [self updateFRTSettings:YES context:context error:&updateError]; + newStatus = MSIDIsFRTEnabledStatusEnabled; + } + else if (shouldDisableFRT) + { + [self updateFRTSettings:NO context:context error:&updateError]; + newStatus = MSIDIsFRTEnabledStatusDisabledByKeychainItem; + } + break; + + // FRT is currently enabled, check to see if should be disabled + case MSIDIsFRTEnabledStatusEnabled: + if (shouldDisableFRT) + { + [self updateFRTSettings:NO context:context error:&updateError]; + newStatus = MSIDIsFRTEnabledStatusDisabledByKeychainItem; + + if (updateError) + { + // Even if there was an error updating the item, we should still return Disabled so that the feature is not active. + status = MSIDIsFRTEnabledStatusDisabledByKeychainItem; + } + } + break; + + // FRT is disabled, check to see if should be enabled + case MSIDIsFRTEnabledStatusDisabledByKeychainItem: + if (shouldEnableFRT) + { + [self updateFRTSettings:YES context:context error:&updateError]; + newStatus = MSIDIsFRTEnabledStatusEnabled; + } + break; + + // Error reading keychain item, do not update settings + case MSIDIsFRTEnabledStatusDisabledByKeychainError: + break; + + // Feature is disabled by client app, do nothing with keychain item + case MSIDIsFRTEnabledStatusDisabledByClientApp: + break; + } + + if (updateError) + { + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error when trying to update FRT settings, error: %@", updateError); + newStatus = status; + } + + return newStatus; + }; + + // Check if FRT is disabled by client + if (context.disableFRT) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT disabled by MSAL client app, returning NO"); + return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusDisabledByClientApp); + } + + NSError *readError = nil; + NSArray *jsonObjects = [_dataSource jsonObjectsWithKey:[MSIDAccountCredentialCache checkFRTCacheKey] + serializer:[MSIDCacheItemJsonSerializer new] + context:context + error:&readError]; + + if (readError) + { + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to retrieve FRT cache entry, error: %@", readError); + if (error) + { + *error = readError; + } + return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusDisabledByKeychainError); + } + + if (![jsonObjects count]) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"No FRT cache entry found, returning NO"); + return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusNotEnabled); + } + + NSDictionary *dict = [jsonObjects[0] jsonDictionary]; + if (!dict || ![dict isKindOfClass:[NSDictionary class]] || [dict objectForKey:MSID_USE_SINGLE_FRT_KEY] == nil) + { + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to deserialize FRT cache entry, returning NO"); + return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusDisabledByDeserializationError); + } + + id useFRT = dict[MSID_USE_SINGLE_FRT_KEY]; + if(([useFRT isKindOfClass:[NSNumber class]] || [useFRT isKindOfClass:[NSString class]]) && [useFRT boolValue]) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT is enabled"); + return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusEnabled); + } + + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT is disabled"); + return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusDisabledByKeychainItem); +} + +- (void)updateFRTSettings:(BOOL)enableFRT + context:(nullable id)context + error:(NSError * _Nullable __autoreleasing * _Nullable)error +{ + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"Updating UseSingleFRT Item with enableFRT:%@", enableFRT ? @"YES" : @"NO"); + + NSDictionary *settings = @{MSID_USE_SINGLE_FRT_KEY: @(enableFRT)}; + + NSError *saveError = nil; + MSIDJsonObject *jsonObject = [[MSIDJsonObject alloc] initWithJSONDictionary:settings error:&saveError]; + + [_dataSource saveJsonObject:jsonObject + serializer:[MSIDCacheItemJsonSerializer new] + key:[MSIDAccountCredentialCache checkFRTCacheKey] + context:context + error:&saveError]; + + if (saveError) + { + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to save FRT cache entry, error: %@", saveError); + if (error) + { + *error = saveError; + } + } +} + ++ (MSIDCacheKey *)checkFRTCacheKey +{ + static MSIDCacheKey *cacheKey = nil; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + cacheKey = [[MSIDCacheKey alloc] initWithAccount:MSID_USE_SINGLE_FRT_KEYCHAIN + service:MSID_USE_SINGLE_FRT_KEYCHAIN + generic:nil + type:nil]; + }); + return cacheKey; +} + @end diff --git a/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m b/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m index 57919600c..529636257 100644 --- a/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m +++ b/IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m @@ -46,6 +46,8 @@ #import "MSIDIntuneEnrollmentIdsCache.h" #import "MSIDAccountMetadataCacheAccessor.h" #import "MSIDAuthenticationScheme.h" +#import "MSIDFamilyRefreshToken.h" +#import "MSIDAADTokenRequestServerTelemetry.h" @interface MSIDDefaultTokenCacheAccessor() { @@ -130,14 +132,46 @@ - (MSIDRefreshToken *)getRefreshTokenWithAccount:(MSIDAccountIdentifier *)accoun context:(id)context error:(NSError *__autoreleasing *)error { + NSError *frtError = nil; + MSIDIsFRTEnabledStatus frtStatus = [_accountCredentialCache checkFRTEnabled:context error:&frtError]; + BOOL frtEnabled = frtStatus == MSIDIsFRTEnabledStatusEnabled; + if (frtError) + { + if (error) *error = frtError; + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not using new FRT."); + } + + MSIDAADTokenRequestServerTelemetry *serverTelemetry = [MSIDAADTokenRequestServerTelemetry new]; + NSString *telemetryMessage = [NSString stringWithFormat:@"sfrt%ld", frtStatus]; + + [serverTelemetry handleError:[[NSError alloc] initWithDomain:telemetryMessage code:0 userInfo:nil] + errorString:telemetryMessage + context:context]; + + MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType; + MSIDRefreshToken *refreshToken = [self getRefreshableTokenWithAccount:accountIdentifier familyId:familyId - credentialType:MSIDRefreshTokenType + credentialType:credentialType configuration:configuration context:context error:error]; if (refreshToken) return refreshToken; + + // If did not find a family refresh token, try to find a regular refresh token. + // This will happen the first time the app starts using a single family refresh token. + if (credentialType == MSIDFamilyRefreshTokenType) + { + refreshToken = [self getRefreshableTokenWithAccount:accountIdentifier + familyId:familyId + credentialType:MSIDRefreshTokenType + configuration:configuration + context:context + error:error]; + + if (refreshToken) return refreshToken; + } for (id accessor in _otherAccessors) { @@ -218,7 +252,7 @@ - (MSIDRefreshToken *)getRefreshableTokenWithAccount:(MSIDAccountIdentifier *)ac context:(id)context error:(NSError *__autoreleasing *)error { - if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType) return nil; + if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType && credentialType != MSIDFamilyRefreshTokenType) return nil; // For nested auth, get the RT using the broker/hub's client id NSString *clientId = [configuration isNestedAuthProtocol] ? configuration.nestedAuthBrokerClientId : configuration.clientId; @@ -241,7 +275,21 @@ - (MSIDRefreshToken *)getRefreshableTokenWithAccount:(MSIDAccountIdentifier *)ac if (refreshToken) { - MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, context, @"(Default accessor) Found %@refresh token by home account id", credentialType == MSIDPrimaryRefreshTokenType ? @"primary " : @""); + NSString *credentialTypeString = nil; + if (credentialType == MSIDPrimaryRefreshTokenType) + { + credentialTypeString = @"primary "; + } + else if (credentialType == MSIDFamilyRefreshTokenType) + { + credentialTypeString = @"single family "; + } + else + { + credentialTypeString = @""; + } + + MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, context, @"(Default accessor) Found %@refresh token by home account id", credentialTypeString); return refreshToken; } } @@ -260,7 +308,21 @@ - (MSIDRefreshToken *)getRefreshableTokenWithAccount:(MSIDAccountIdentifier *)ac if (refreshToken) { - MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, context, @"(Default accessor) Found %@refresh token by legacy account id", credentialType == MSIDPrimaryRefreshTokenType ? @"primary " : @""); + NSString *credentialTypeString = nil; + if (credentialType == MSIDPrimaryRefreshTokenType) + { + credentialTypeString = @"primary "; + } + else if (credentialType == MSIDFamilyRefreshTokenType) + { + credentialTypeString = @"single family "; + } + else + { + credentialTypeString = @""; + } + + MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, context, @"(Default accessor) Found %@refresh token by legacy account id", credentialTypeString); return refreshToken; } } @@ -759,6 +821,27 @@ - (BOOL)validateAndRemoveRefreshToken:(MSIDRefreshToken *)token context:(id)context error:(NSError *__autoreleasing*)error { + NSError *frtError = nil; + BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:context error:&frtError] == MSIDIsFRTEnabledStatusEnabled; + if (frtError) + { + if (error) *error = frtError; + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not using new FRT."); + } + + MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType; + + BOOL result = [self validateAndRemoveRefreshableToken:token + credentialType:credentialType + context:context + error:error]; + + // If family refresh token is not enabled, return list of regular refresh tokens + if (!frtEnabled) + { + return result; + } + return [self validateAndRemoveRefreshableToken:token credentialType:MSIDRefreshTokenType context:context @@ -780,7 +863,10 @@ - (BOOL)validateAndRemoveRefreshableToken:(MSIDRefreshToken *)token context:(id)context error:(NSError *__autoreleasing*)error { - if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType) return NO; + if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType && credentialType != MSIDFamilyRefreshTokenType) + { + return NO; + } if (!token || [NSString msidIsStringNilOrBlank:token.refreshToken]) { @@ -921,6 +1007,28 @@ - (BOOL)saveRefreshTokenWithConfiguration:(MSIDConfiguration *)configuration if (![NSString msidIsStringNilOrBlank:refreshToken.familyId]) { + NSError *frtError = nil; + // Check if FRT is enabled, this will update the configuration object, and then use it to decide if + // we should save the token as FRT or legacy RT (with familyId, if it contains that value). + BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:context error:&frtError] == MSIDIsFRTEnabledStatusEnabled; + if (frtError) + { + if (error) *error = frtError; + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not saving as new FRT."); + } + + if (frtEnabled) + { + MSIDFamilyRefreshToken *frt = [[MSIDFamilyRefreshToken alloc] initWithRefreshToken:refreshToken]; + + MSID_LOG_WITH_CTX_PII(MSIDLogLevelVerbose, context, @"(Default accessor) Saving the new family refresh token %@", MSID_EUII_ONLY_LOG_MASKABLE(frt)); + + // Save FRT only once, with this model it is not necessary to have multiple copies of it. + return [self saveToken:frt + context:context + error:error]; + } + MSID_LOG_WITH_CTX_PII(MSIDLogLevelVerbose, context, @"(Default accessor) Saving family refresh token %@", MSID_EUII_ONLY_LOG_MASKABLE(refreshToken)); if (![self saveToken:refreshToken @@ -970,7 +1078,7 @@ - (BOOL)removeToken:(MSIDBaseToken *)token CONDITIONAL_START_CACHE_EVENT(event, MSID_TELEMETRY_EVENT_TOKEN_CACHE_DELETE, context); BOOL result = [_accountCredentialCache removeCredential:token.tokenCacheItem context:context error:error]; - if (result && token.credentialType == MSIDRefreshTokenType) + if (result && (token.credentialType == MSIDRefreshTokenType || token.credentialType == MSIDFamilyRefreshTokenType)) { [_accountCredentialCache saveWipeInfoWithContext:context error:nil]; } @@ -1035,7 +1143,7 @@ - (MSIDBaseToken *)getTokenWithEnvironment:(NSString *)environment return resultTokens[0]; } - if (cacheQuery.credentialType == MSIDRefreshTokenType) + if (cacheQuery.credentialType == MSIDRefreshTokenType || cacheQuery.credentialType == MSIDFamilyRefreshTokenType) { NSError *wipeError = nil; CONDITIONAL_STOP_FAILED_CACHE_EVENT(event, [_accountCredentialCache wipeInfoWithContext:context error:&wipeError], context); @@ -1182,10 +1290,53 @@ - (BOOL)saveAccount:(MSIDAccount *)account accountCredentialCache:(MSIDAccountCredentialCache *)accountCredentialCache context:(id)context error:(NSError *__autoreleasing*)error +{ + NSError *frtError = nil; + BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:context error:&frtError] == MSIDIsFRTEnabledStatusEnabled; + if (frtError) + { + if (error) *error = frtError; + MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not using new FRT."); + } + + MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType; + + NSSet *firstSet = [self homeAccountIdsFromRTsWithAuthority:authority + clientId:clientId + familyId:familyId + credentialType:credentialType + accountCredentialCache:accountCredentialCache + context:context + error:error]; + + // If family refresh token is not enabled, return list of regular refresh tokens + if (!frtEnabled) + { + return firstSet; + } + + NSSet *secondSet = [self homeAccountIdsFromRTsWithAuthority:authority + clientId:clientId + familyId:familyId + credentialType:MSIDRefreshTokenType + accountCredentialCache:accountCredentialCache + context:context + error:error]; + + return [firstSet setByAddingObjectsFromSet:secondSet]; +} + +- (NSSet *)homeAccountIdsFromRTsWithAuthority:(MSIDAuthority *)authority + clientId:(NSString *)clientId + familyId:(NSString *)familyId + credentialType:(MSIDCredentialType)credentialType + accountCredentialCache:(MSIDAccountCredentialCache *)accountCredentialCache + context:(id)context + error:(NSError *__autoreleasing*)error { // Retrieve refresh tokens in cache, and return account ids for those refresh tokens MSIDDefaultCredentialCacheQuery *refreshTokenQuery = [MSIDDefaultCredentialCacheQuery new]; - refreshTokenQuery.credentialType = MSIDRefreshTokenType; + refreshTokenQuery.credentialType = credentialType; refreshTokenQuery.clientId = clientId; refreshTokenQuery.familyId = familyId; refreshTokenQuery.environmentAliases = [authority defaultCacheEnvironmentAliases]; diff --git a/IdentityCore/src/cache/token/MSIDCredentialCacheItem+MSIDBaseToken.m b/IdentityCore/src/cache/token/MSIDCredentialCacheItem+MSIDBaseToken.m index e322b8908..af77eae36 100644 --- a/IdentityCore/src/cache/token/MSIDCredentialCacheItem+MSIDBaseToken.m +++ b/IdentityCore/src/cache/token/MSIDCredentialCacheItem+MSIDBaseToken.m @@ -31,6 +31,7 @@ #import "MSIDIdToken.h" #import "MSIDAADIdTokenClaimsFactory.h" #import "MSIDPrimaryRefreshToken.h" +#import "MSIDFamilyRefreshToken.h" #import "MSIDV1IdToken.h" #import "MSIDAccessTokenWithAuthScheme.h" @@ -68,6 +69,10 @@ - (MSIDBaseToken *)tokenWithType:(MSIDCredentialType)credentialType { return [[MSIDPrimaryRefreshToken alloc] initWithTokenCacheItem:self]; } + case MSIDFamilyRefreshTokenType: + { + return [[MSIDFamilyRefreshToken alloc] initWithTokenCacheItem:self]; + } default: return [[MSIDBaseToken alloc] initWithTokenCacheItem:self]; } diff --git a/IdentityCore/src/oauth2/token/MSIDCredentialType.h b/IdentityCore/src/oauth2/token/MSIDCredentialType.h index 4449832cb..1382bf9b6 100644 --- a/IdentityCore/src/oauth2/token/MSIDCredentialType.h +++ b/IdentityCore/src/oauth2/token/MSIDCredentialType.h @@ -33,6 +33,7 @@ typedef NS_ENUM(NSInteger, MSIDCredentialType) MSIDPrimaryRefreshTokenType = 5, MSIDLegacyIDTokenType = 6, MSIDAccessTokenWithAuthSchemeType = 7, + MSIDFamilyRefreshTokenType = 8, MSIDCredentialTypeLast }; diff --git a/IdentityCore/src/oauth2/token/MSIDCredentialType.m b/IdentityCore/src/oauth2/token/MSIDCredentialType.m index 4ce7b8886..420043737 100644 --- a/IdentityCore/src/oauth2/token/MSIDCredentialType.m +++ b/IdentityCore/src/oauth2/token/MSIDCredentialType.m @@ -46,6 +46,9 @@ + (NSString *)credentialTypeAsString:(MSIDCredentialType)type case MSIDPrimaryRefreshTokenType: return MSID_PRT_TOKEN_CACHE_TYPE; + case MSIDFamilyRefreshTokenType: + return MSID_FRT_TOKEN_CACHE_TYPE; + case MSIDLegacyIDTokenType: return MSID_LEGACY_ID_TOKEN_CACHE_TYPE; @@ -70,6 +73,7 @@ + (MSIDCredentialType)credentialTypeFromString:(NSString *)type [MSID_LEGACY_TOKEN_CACHE_TYPE lowercaseString]: @(MSIDLegacySingleResourceTokenType), [MSID_ID_TOKEN_CACHE_TYPE lowercaseString]: @(MSIDIDTokenType), [MSID_PRT_TOKEN_CACHE_TYPE lowercaseString]: @(MSIDPrimaryRefreshTokenType), + [MSID_FRT_TOKEN_CACHE_TYPE lowercaseString]: @(MSIDFamilyRefreshTokenType), [MSID_LEGACY_ID_TOKEN_CACHE_TYPE lowercaseString]: @(MSIDLegacyIDTokenType), [MSID_GENERAL_TOKEN_CACHE_TYPE lowercaseString]: @(MSIDCredentialTypeOther), [MSID_ACCESS_TOKEN_WITH_AUTH_SCHEME_CACHE_TYPE lowercaseString]: @(MSIDAccessTokenWithAuthSchemeType), diff --git a/IdentityCore/src/oauth2/token/MSIDFamilyRefreshToken.h b/IdentityCore/src/oauth2/token/MSIDFamilyRefreshToken.h new file mode 100644 index 000000000..77ef03a03 --- /dev/null +++ b/IdentityCore/src/oauth2/token/MSIDFamilyRefreshToken.h @@ -0,0 +1,32 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + + +#import "MSIDRefreshToken.h" + +@interface MSIDFamilyRefreshToken : MSIDRefreshToken + +- (instancetype)initWithRefreshToken:(MSIDRefreshToken *)refreshToken; + +@end diff --git a/IdentityCore/src/oauth2/token/MSIDFamilyRefreshToken.m b/IdentityCore/src/oauth2/token/MSIDFamilyRefreshToken.m new file mode 100644 index 000000000..40ace3607 --- /dev/null +++ b/IdentityCore/src/oauth2/token/MSIDFamilyRefreshToken.m @@ -0,0 +1,126 @@ +// +// Copyright (c) Microsoft Corporation. +// All rights reserved. +// +// This code is licensed under the MIT License. +// +// Permission is hereby granted, free of charge, to any person obtaining a copy +// of this software and associated documentation files(the "Software"), to deal +// in the Software without restriction, including without limitation the rights +// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell +// copies of the Software, and to permit persons to whom the Software is +// furnished to do so, subject to the following conditions : +// +// The above copyright notice and this permission notice shall be included in +// all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +// THE SOFTWARE. + +#import "MSIDFamilyRefreshToken.h" + +@implementation MSIDFamilyRefreshToken + +- (instancetype)initWithRefreshToken:(MSIDRefreshToken *)refreshToken +{ + if (refreshToken && [refreshToken isKindOfClass:[MSIDRefreshToken class]]) + { + MSIDFamilyRefreshToken *frt = [[MSIDFamilyRefreshToken alloc] init]; + + // MSIDRefreshToken properties + frt.refreshToken = refreshToken.refreshToken; + frt.familyId = refreshToken.familyId; + + // MSIDBaseToken properties + frt.storageEnvironment = refreshToken.storageEnvironment; + frt.environment = refreshToken.environment; + frt.realm = refreshToken.realm; + frt.clientId = refreshToken.clientId; + frt.additionalServerInfo = refreshToken.additionalServerInfo; + frt.accountIdentifier = refreshToken.accountIdentifier; + frt.speInfo = refreshToken.speInfo; + + self = frt; + } + + return self; +} + +#pragma mark - NSCopying + +- (id)copyWithZone:(NSZone *)zone +{ + MSIDFamilyRefreshToken *item = [super copyWithZone:zone]; + return item; +} + +#pragma mark - NSObject + +- (BOOL)isEqual:(id)object +{ + if (self == object) + { + return YES; + } + + if (![object isKindOfClass:MSIDFamilyRefreshToken.class]) + { + return NO; + } + + return [self isEqualToItem:(MSIDFamilyRefreshToken *)object]; +} + +- (NSUInteger)hash +{ + NSUInteger hash = [super hash]; + hash = hash * 31 + self.refreshToken.hash; + hash = hash * 31 + self.familyId.hash; + return hash; +} + +- (BOOL)isEqualToItem:(MSIDFamilyRefreshToken *)token +{ + if (!token) + { + return NO; + } + + BOOL result = [super isEqualToItem:token]; + result &= (!self.refreshToken && !token.refreshToken) || [self.refreshToken isEqualToString:token.refreshToken]; + result &= (!self.familyId && !token.familyId) || [self.familyId isEqualToString:token.familyId]; + return result; +} + +#pragma mark - Cache + +- (MSIDCredentialCacheItem *)tokenCacheItem +{ + MSIDCredentialCacheItem *cacheItem = [super tokenCacheItem]; + cacheItem.secret = self.refreshToken; + cacheItem.familyId = self.familyId; + cacheItem.realm = nil; + return cacheItem; +} + +#pragma mark - Token type + +- (MSIDCredentialType)credentialType +{ + return MSIDFamilyRefreshTokenType; +} + +#pragma mark - Description + +- (NSString *)description +{ + NSString *baseDescription = [super description]; + return [baseDescription stringByAppendingFormat:@"(family refresh token=%@, family ID=%@)", [_refreshToken msidSecretLoggingHash], _familyId]; +} + +@end diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h index 93425a3a5..b475291c4 100644 --- a/IdentityCore/src/parameters/MSIDRequestParameters.h +++ b/IdentityCore/src/parameters/MSIDRequestParameters.h @@ -91,6 +91,11 @@ @property (nonatomic) NSString *telemetryRequestId; @property (nonatomic) NSDictionary *appRequestMetadata; @property (nonatomic) NSString *telemetryApiId; +/** + Temporal property to disable Family Refresh Token. This will be removed in future, added to allow 1P apps to disable this feature themselves. + Enabled by default, also configured to be enabled/disabled remotely by Microsoft. + */ +@property (nonatomic, readwrite) BOOL disableFRT; #pragma mark Conditional access @property (nonatomic) MSIDClaimsRequest *claimsRequest; diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.m b/IdentityCore/src/parameters/MSIDRequestParameters.m index 1f644ab38..eac345834 100644 --- a/IdentityCore/src/parameters/MSIDRequestParameters.m +++ b/IdentityCore/src/parameters/MSIDRequestParameters.m @@ -365,6 +365,7 @@ - (instancetype)copyWithZone:(NSZone*)zone parameters->_clientId = [_clientId copyWithZone:zone]; parameters->_nestedAuthBrokerClientId = [_nestedAuthBrokerClientId copyWithZone:zone]; parameters->_nestedAuthBrokerRedirectUri = [_nestedAuthBrokerRedirectUri copyWithZone:zone]; + parameters->_disableFRT = _disableFRT; parameters->_target = [_target copyWithZone:zone]; parameters->_oidcScope = [_oidcScope copyWithZone:zone]; parameters->_accountIdentifier = [_accountIdentifier copyWithZone:zone]; diff --git a/IdentityCore/src/requests/MSIDInteractiveAuthorizationCodeRequest.h b/IdentityCore/src/requests/MSIDInteractiveAuthorizationCodeRequest.h index 2e8876c66..900b34732 100644 --- a/IdentityCore/src/requests/MSIDInteractiveAuthorizationCodeRequest.h +++ b/IdentityCore/src/requests/MSIDInteractiveAuthorizationCodeRequest.h @@ -44,6 +44,8 @@ NS_ASSUME_NONNULL_BEGIN - (void)getAuthCodeWithCompletion:(MSIDInteractiveAuthorizationCodeCompletionBlock)completionBlock; +- (void)updateCustomHeadersForFRTSupportIfNeeded; + @end NS_ASSUME_NONNULL_END diff --git a/IdentityCore/src/requests/MSIDInteractiveAuthorizationCodeRequest.m b/IdentityCore/src/requests/MSIDInteractiveAuthorizationCodeRequest.m index d1c4a4baf..814a4eb37 100644 --- a/IdentityCore/src/requests/MSIDInteractiveAuthorizationCodeRequest.m +++ b/IdentityCore/src/requests/MSIDInteractiveAuthorizationCodeRequest.m @@ -109,6 +109,8 @@ - (void)getAuthCodeWithCompletion:(MSIDInteractiveAuthorizationCodeCompletionBlo - (void)getAuthCodeWithCompletionImpl:(MSIDInteractiveAuthorizationCodeCompletionBlock)completionBlock { + [self updateCustomHeadersForFRTSupportIfNeeded]; + self.webViewConfiguration = [self.oauthFactory.webviewFactory authorizeWebRequestConfigurationWithRequestParameters:self.requestParameters]; __typeof__(self) __weak weakSelf = self; @@ -149,6 +151,13 @@ - (void)showWebComponentWithCompletion:(MSIDWebviewAuthCompletionHandler)complet } +- (void)updateCustomHeadersForFRTSupportIfNeeded +{ + // This is meant to be implemented by subclasses + NSAssert(NO, @"Abstract method."); + return; +} + #pragma mark - v2 code - (void)handleWebReponseV2:(MSIDWebviewResponse *)response error:(NSError *)error completionBlock:(MSIDInteractiveAuthorizationCodeCompletionBlock)completionBlock diff --git a/IdentityCore/src/requests/MSIDInteractiveTokenRequest.m b/IdentityCore/src/requests/MSIDInteractiveTokenRequest.m index e3e7e93e9..0590ae7ca 100644 --- a/IdentityCore/src/requests/MSIDInteractiveTokenRequest.m +++ b/IdentityCore/src/requests/MSIDInteractiveTokenRequest.m @@ -34,6 +34,8 @@ #import "MSIDAuthorizationCodeGrantRequest.h" #import "MSIDOauth2Factory.h" #import "MSIDAccountIdentifier.h" +#import "MSIDRefreshToken.h" +#import "MSIDConfiguration.h" #if TARGET_OS_IPHONE #import "MSIDAppExtensionUtil.h" @@ -132,6 +134,77 @@ - (void)acquireTokenWithCodeResult:(MSIDAuthorizationCodeResult *) __unused auth #endif } +- (void)updateCustomHeadersForFRTSupportIfNeeded +{ +#if !EXCLUDE_FROM_MSALCPP && !AD_BROKER + if (self.requestParameters.promptType != MSIDPromptTypeLogin && !self.requestParameters.disableFRT) + { + NSMutableDictionary *customHeaders = nil; + if (self.requestParameters.customWebviewHeaders) + { + customHeaders = [self.requestParameters.customWebviewHeaders mutableCopy]; + } + else + { + customHeaders = [NSMutableDictionary new]; + } + + NSString *refreshToken = nil; + refreshToken = [self getRefreshTokenForRequest]; + + if (![NSString msidIsStringNilOrBlank:refreshToken]) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Included refresh token to custom headers for webview"); + customHeaders[MSID_WEBAUTH_REFRESH_TOKEN_KEY] = refreshToken; + } + + // self.requestParameters.disableFRT could have been set to YES while checking the useSingleFRT keychain item, so we need to check again here + if (!self.requestParameters.disableFRT) + { + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Added ignore sso to custom headers for webview"); + customHeaders[MSID_WEBAUTH_IGNORE_SSO_KEY] = @"1"; + + self.requestParameters.customWebviewHeaders = customHeaders; + } + } +#endif +} + +- (NSString *)getRefreshTokenForRequest +{ +#if !EXCLUDE_FROM_MSALCPP + NSError *refreshTokenError = nil; + MSIDRefreshToken *refreshTokenItem = [self.tokenCache getRefreshTokenWithAccount:self.requestParameters.accountIdentifier + familyId:nil + configuration:self.requestParameters.msidConfiguration + context:self.requestParameters + error:&refreshTokenError]; + + // FRT is more likely to be valid as it gets refreshed if any app in the family uses it, so try to use the FRT instead (unless it already fot a family refresh token) + if (!refreshTokenItem || (refreshTokenItem.credentialType != MSIDFamilyRefreshTokenType && ![NSString msidIsStringNilOrBlank:[refreshTokenItem familyId]])) + { + NSError *msidFRTError = nil; + NSString *familyId = [NSString msidIsStringNilOrBlank:[refreshTokenItem familyId]] ? @"1" : [refreshTokenItem familyId]; + MSIDRefreshToken *frtItem = [self.tokenCache getRefreshTokenWithAccount:self.requestParameters.accountIdentifier + familyId:familyId + configuration:self.requestParameters.msidConfiguration + context:self.requestParameters + error:&msidFRTError]; + if (frtItem && !msidFRTError) + { + refreshTokenItem = frtItem; + refreshTokenError = nil; + } + } + + MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Retrieve refresh token from cache for web view: %@, error code: %ld", _PII_NULLIFY(refreshTokenItem), refreshTokenError.code); + + return [refreshTokenItem refreshToken]; +#else + return nil; +#endif +} + - (void)dealloc { #if TARGET_OS_IPHONE diff --git a/IdentityCore/src/requests/MSIDSilentTokenRequest.m b/IdentityCore/src/requests/MSIDSilentTokenRequest.m index cd5ade690..556c25c40 100644 --- a/IdentityCore/src/requests/MSIDSilentTokenRequest.m +++ b/IdentityCore/src/requests/MSIDSilentTokenRequest.m @@ -49,8 +49,8 @@ typedef NS_ENUM(NSInteger, MSIDRefreshTokenTypes) { - MSIDAppRefreshTokenType = 0, - MSIDFamilyRefreshTokenType + MSIDUseAppRefreshTokenType = 0, + MSIDUseFamilyRefreshTokenType }; @interface MSIDSilentTokenRequest() @@ -298,7 +298,7 @@ - (void)fetchCachedTokenAndCheckForFRTFirst:(BOOL)checkForFRT shouldComplete:(BO NSError *rtError = nil; MSIDBaseToken *refreshableToken = nil; NSString *contextMsg = checkForFRT ? @"family refresh token" : @"app refresh token"; - MSIDRefreshTokenTypes checkForTokenType = checkForFRT ? MSIDFamilyRefreshTokenType : MSIDAppRefreshTokenType; + MSIDRefreshTokenTypes checkForTokenType = checkForFRT ? MSIDUseFamilyRefreshTokenType : MSIDUseAppRefreshTokenType; MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Looking for %@...", contextMsg); if (checkForFRT) @@ -342,7 +342,7 @@ - (void)tryRefreshToken:(MSIDBaseToken *)refreshToken tokenType:(MSIDRefreshTokenTypes)tokenType completionBlock:(nonnull MSIDRequestCompletionBlock)completionBlock { - BOOL isTryingWithAppRefreshToken = tokenType == MSIDAppRefreshTokenType; + BOOL isTryingWithAppRefreshToken = tokenType == MSIDUseAppRefreshTokenType; MSID_LOG_WITH_CTX_PII(MSIDLogLevelVerbose, self.requestParameters, @"Trying to acquire access token using %@ for clientId %@, authority %@, account %@", (isTryingWithAppRefreshToken ? @"App Refresh Token" : @"Family Refresh Token"), self.requestParameters.authority, self.requestParameters.clientId, self.requestParameters.accountIdentifier.maskedHomeAccountId); // When using ART or FRT, it will go through the same method below, and handle differently within the completion block @@ -399,7 +399,7 @@ - (BOOL)handleErrorResponseForAppRefreshToken:(MSIDBaseToken @property (retain, nonatomic) NSString* telemetryRequestId; @property (retain, nonatomic) NSString* logComponent; @property (retain, nonatomic) NSDictionary* appRequestMetadata; +@property (nonatomic, readwrite) BOOL disableFRT; @end diff --git a/IdentityCore/tests/util/MSIDTestContext.h b/IdentityCore/tests/util/MSIDTestContext.h index eba143dac..7ed7d0421 100644 --- a/IdentityCore/tests/util/MSIDTestContext.h +++ b/IdentityCore/tests/util/MSIDTestContext.h @@ -29,5 +29,10 @@ @property (nonatomic) NSString *logComponent; @property (nonatomic) NSString *telemetryRequestId; @property (nonatomic) NSDictionary *appRequestMetadata; +/** + Temporal property to disable Family Refresh Token. This will be removed in future, added to allow 1P apps to disable this feature themselves. + Enabled by default, also configured to be enabled/disabled remotely by Microsoft. + */ +@property (nonatomic, readwrite) BOOL disableFRT; @end diff --git a/changelog.txt b/changelog.txt index 16559dd93..c0a226f91 100644 --- a/changelog.txt +++ b/changelog.txt @@ -1,4 +1,7 @@ -Version TBD: +Version TBD +* Use a single family refresh token (#1470) + +Version TBD * Fix resume response handling in DUNA #1493 * Update supported contracts api #1492 * Add feature flags provider to be controlled from broker (#1489)