AzureAD · juan-arias · Apr 23, 2025 · Jan 4, 2025 · Jan 6, 2025 · Jan 7, 2025
@@ -1768,6 +1768,9 @@
 		B41163B929BAC9BF00E64619 /* MSIDWKNavigationActionMock.m in Sources */ = {isa = PBXBuildFile; fileRef = B41163B829BAC9BF00E64619 /* MSIDWKNavigationActionMock.m */; };
 		B41163BA29BAC9BF00E64619 /* MSIDWKNavigationActionMock.m in Sources */ = {isa = PBXBuildFile; fileRef = B41163B829BAC9BF00E64619 /* MSIDWKNavigationActionMock.m */; };
 		B41163BC29BAC9EE00E64619 /* MSIDWKNavigationActionMock.h in Headers */ = {isa = PBXBuildFile; fileRef = B41163BB29BAC9DE00E64619 /* MSIDWKNavigationActionMock.h */; };
+		B42C16012CE7E54800553316 /* MSIDFamilyRefreshToken.h in Headers */ = {isa = PBXBuildFile; fileRef = B42C16002CE7E53800553316 /* MSIDFamilyRefreshToken.h */; };
+		B42C16032CE7E55200553316 /* MSIDFamilyRefreshToken.m in Sources */ = {isa = PBXBuildFile; fileRef = B42C16022CE7E54C00553316 /* MSIDFamilyRefreshToken.m */; };
+		B42C16042CE7E55200553316 /* MSIDFamilyRefreshToken.m in Sources */ = {isa = PBXBuildFile; fileRef = B42C16022CE7E54C00553316 /* MSIDFamilyRefreshToken.m */; };
 		B431B5232AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B431B5222AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m */; };
 		B431B5242AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B431B5222AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m */; };
 		B431B5262AF05B3F0020CD3D /* MSIDBrokerOperationPasskeyCredentialRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B431B5252AF05B3F0020CD3D /* MSIDBrokerOperationPasskeyCredentialRequestTests.m */; };
@@ -3224,6 +3227,8 @@
 		B41163B529BAC20000E64619 /* MSIDAADOAuthEmbeddedWebviewControllerTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDAADOAuthEmbeddedWebviewControllerTests.m; sourceTree = "<group>"; };
 		B41163B829BAC9BF00E64619 /* MSIDWKNavigationActionMock.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDWKNavigationActionMock.m; sourceTree = "<group>"; };
 		B41163BB29BAC9DE00E64619 /* MSIDWKNavigationActionMock.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDWKNavigationActionMock.h; sourceTree = "<group>"; };
+		B42C16002CE7E53800553316 /* MSIDFamilyRefreshToken.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDFamilyRefreshToken.h; sourceTree = "<group>"; };
+		B42C16022CE7E54C00553316 /* MSIDFamilyRefreshToken.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDFamilyRefreshToken.m; sourceTree = "<group>"; };
 		B431B5222AF040450020CD3D /* MSIDBrokerOperationPasskeyAssertionRequestTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBrokerOperationPasskeyAssertionRequestTests.m; sourceTree = "<group>"; };
 		B431B5252AF05B3F0020CD3D /* MSIDBrokerOperationPasskeyCredentialRequestTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBrokerOperationPasskeyCredentialRequestTests.m; sourceTree = "<group>"; };
 		B431B5282AF05C890020CD3D /* MSIDBrokerOperationGetPasskeyAssertionResponseTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBrokerOperationGetPasskeyAssertionResponseTests.m; sourceTree = "<group>"; };
@@ -4785,6 +4790,8 @@
 				B2DD4B2520A7D67C0047A66E /* MSIDLegacyRefreshToken.m */,
 				60F7BE8921DA4DFC00F1BBA1 /* MSIDPrimaryRefreshToken.h */,
 				60F7BE8A21DA4E2900F1BBA1 /* MSIDPrimaryRefreshToken.m */,
+				B42C16002CE7E53800553316 /* MSIDFamilyRefreshToken.h */,
+				B42C16022CE7E54C00553316 /* MSIDFamilyRefreshToken.m */,
 			);
 			path = token;
 			sourceTree = "<group>";
@@ -6243,6 +6250,7 @@
 				B2C7089221991CED00D917B8 /* MSIDAADV1BrokerResponse.h in Headers */,
 				239E3BBE23E1004F00F7A50A /* MSIDClientSDKType.h in Headers */,
 				B286B9822389DC13007833AD /* MSIDBrokerOperationInteractiveTokenRequest.h in Headers */,
+				B42C16012CE7E54800553316 /* MSIDFamilyRefreshToken.h in Headers */,
 				B2C708B1219A615100D917B8 /* MSIDLegacyBrokerResponseHandler.h in Headers */,
 				B286B9BC2389DDF3007833AD /* MSIDAADAuthorityValidationRequest.h in Headers */,
 				B2936F8720AD17370050C585 /* MSIDOauth2Factory+Internal.h in Headers */,
@@ -7136,6 +7144,7 @@
 				B214C3A51FE855290070C4F2 /* MSIDDefaultTokenCacheAccessor.m in Sources */,
 				60F7BEA321DA69A000F1BBA1 /* MSIDPrimaryRefreshToken.m in Sources */,
 				D62600141FBD380500EE4487 /* NSString+MSIDExtensions.m in Sources */,
+				B42C16032CE7E55200553316 /* MSIDFamilyRefreshToken.m in Sources */,
 				B210F4331FDDE7EB005A8F76 /* MSIDTokenResponse.m in Sources */,
 				B2964BE3205103920000BC95 /* MSIDTokenFilteringHelper.m in Sources */,
 				B210F4391FDDEA23005A8F76 /* MSIDAADV1TokenResponse.m in Sources */,
@@ -8022,6 +8031,7 @@
 				239222B5243D3791009736C4 /* MSIDCurrentRequestTelemetry.m in Sources */,
 				B23ECEEB1FF2F56A0015FC1D /* MSIDAADTokenResponse.m in Sources */,
 				B28D90AB218FD1F800E230D6 /* MSIDDefaultTokenResponseValidator.m in Sources */,
+				B42C16042CE7E55200553316 /* MSIDFamilyRefreshToken.m in Sources */,
 				23985AB42391BA1100942308 /* MSIDTokenResponseHandler.m in Sources */,
 				B28BDA80217E964B003E5670 /* MSIDB2CTokenResponse.m in Sources */,
 				600D19BC20964D8C0004CD43 /* MSIDWorkPlaceJoinUtil.m in Sources */,

diff --git a/IdentityCore/src/MSIDBasicContext.h b/IdentityCore/src/MSIDBasicContext.h
@@ -32,6 +32,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) NSString *logComponent;
 @property (nonatomic, nullable) NSString *telemetryRequestId;
 @property (nonatomic, nullable) NSDictionary *appRequestMetadata;
+@property (nonatomic, readwrite) BOOL disableFRT;
 
 @end
 

@@ -122,6 +122,8 @@ extern NSString * _Nonnull const MSID_DEVICE_MODEL_KEY;//E.g. iPhone 5S
 extern NSString * _Nonnull const MSID_APP_NAME_KEY;
 extern NSString * _Nonnull const MSID_APP_VER_KEY;
 extern NSString * _Nonnull const MSID_CCS_HINT_KEY;
+extern NSString * _Nonnull const MSID_WEBAUTH_IGNORE_SSO_KEY;
+extern NSString * _Nonnull const MSID_WEBAUTH_REFRESH_TOKEN_KEY;
 
 extern NSString * _Nonnull const MSID_DEFAULT_FAMILY_ID;
 extern NSString * _Nonnull const MSID_ADAL_SDK_NAME;
@@ -149,6 +151,9 @@ extern NSString * _Nonnull const MSID_POP_TOKEN_KEY_LABEL;
 extern NSString * _Nonnull const MSID_THROTTLING_METADATA_KEYCHAIN;
 extern NSString * _Nonnull const MSID_THROTTLING_METADATA_KEYCHAIN_VERSION;
 
+extern NSString * _Nonnull const MSID_USE_SINGLE_FRT_KEYCHAIN;
+extern NSString * _Nonnull const MSID_USE_SINGLE_FRT_KEY;
+
 extern NSString * _Nonnull const MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY;
 
 extern NSString * _Nonnull const MSID_PREFERRED_AUTH_METHOD_KEY;
@@ -171,6 +176,27 @@ typedef NS_ENUM(NSInteger, MSIDPlatformSequenceIndex)
     MSIDPlatformSequenceIndexLast = MSIDPlatformSequenceIndexBrowserCore,
 };
 
+typedef NS_ENUM(NSInteger, MSIDIsFRTEnabledStatus)
+{
+    // FRT has not been explicitly enabled with keychain item
+    MSIDIsFRTEnabledStatusNotEnabled = 0,
+
+    // FRT is enabled
+    MSIDIsFRTEnabledStatusActive,
+
+    // Client app has disabled FRT through MSIDRequestParameters or was disabled previuosly by keychain item
+    MSIDIsFRTEnabledStatusDisabledByClientApp,
+
+    // There was an error reading keychain item
+    MSIDIsFRTEnabledStatusDisabledByKeychainError,
+
+    // There was an error deserializing keychain item
+    MSIDIsFRTEnabledStatusDisabledByDeserializationError,
+
+    // FRT has been disabled with keychain item
+    MSIDIsFRTEnabledStatusDisabledByKeychainItem
+};
+
 extern NSString * _Nonnull const MSID_BROWSER_RESPONSE_SWITCH_BROWSER;
 extern NSString * _Nonnull const MSID_BROWSER_RESPONSE_SWITCH_BROWSER_RESUME;
 

@@ -33,6 +33,8 @@
 NSString *const MSID_APP_NAME_KEY                  = @"x-app-name";
 NSString *const MSID_APP_VER_KEY                   = @"x-app-ver";
 NSString *const MSID_CCS_HINT_KEY                  = @"X-AnchorMailbox";
+NSString *const MSID_WEBAUTH_IGNORE_SSO_KEY        = @"x-ms-sso-Ignore-SSO";
+NSString *const MSID_WEBAUTH_REFRESH_TOKEN_KEY     = @"x-ms-sso-RefreshToken";
 
 NSString *const MSID_DEFAULT_FAMILY_ID             = @"1";
 NSString *const MSID_ADAL_SDK_NAME                 = @"adal-objc";
@@ -60,6 +62,9 @@
 NSString *const MSID_THROTTLING_METADATA_KEYCHAIN = @"com.microsoft.identity.throttling.metadata";
 NSString *const MSID_THROTTLING_METADATA_KEYCHAIN_VERSION = @"Ver1";
 
+NSString *const MSID_USE_SINGLE_FRT_KEYCHAIN          = @"useSingleFRT";
+NSString *const MSID_USE_SINGLE_FRT_KEY               = @"use_single_frt";
+
 NSString *const MSID_SHARED_MODE_CURRENT_ACCOUNT_CHANGED_NOTIFICATION_KEY = @"SHARED_MODE_CURRENT_ACCOUNT_CHANGED";
 
 NSString *const MSID_PREFERRED_AUTH_METHOD_KEY     = @"pc";

@@ -156,6 +156,7 @@ extern NSString *const MSID_LEGACY_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_ID_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_LEGACY_ID_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_PRT_TOKEN_CACHE_TYPE;
+extern NSString *const MSID_FRT_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_GENERAL_CACHE_ITEM_TYPE;
 extern NSString *const MSID_APP_METADATA_CACHE_TYPE;

@@ -150,6 +150,7 @@
 NSString *const MSID_ID_TOKEN_CACHE_TYPE                 = @"IdToken";
 NSString *const MSID_LEGACY_ID_TOKEN_CACHE_TYPE          = @"V1IdToken";
 NSString *const MSID_PRT_TOKEN_CACHE_TYPE                = @"PrimaryRefreshToken";
+NSString *const MSID_FRT_TOKEN_CACHE_TYPE                = @"FamilyRefreshToken";
 NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE            = @"token";
 NSString *const MSID_GENERAL_CACHE_ITEM_TYPE             = @"general_cache_item";
 NSString *const MSID_APP_METADATA_CACHE_TYPE             = @"appmetadata";

diff --git a/IdentityCore/src/MSIDRequestContext.h b/IdentityCore/src/MSIDRequestContext.h
@@ -29,5 +29,10 @@
 - (NSString *)logComponent;
 - (NSString *)telemetryRequestId;
 - (NSDictionary *)appRequestMetadata;
+/**
+ Temporal property to disable Family Refresh Token. This will be removed in future, added to allow 1P apps to disablle this feature themselves.
+ Enabled by default, also configured to be enabled/disabled remotely by Microsoft.
+ */
+@property (nonatomic, readwrite) BOOL disableFRT;
 
 @end
@@ -25,6 +25,7 @@
 #import "MSIDCredentialType.h"
 #import "MSIDAccountType.h"
 #import "MSIDExtendedTokenCacheDataSource.h"
+#import "MSIDConstants.h"
 
 @class MSIDAccountCacheItem;
 @class MSIDAppMetadataCacheItem;
@@ -34,6 +35,7 @@
 @class MSIDDefaultAccountCacheQuery;
 @class MSIDDefaultCredentialCacheKey;
 @class MSIDDefaultCredentialCacheQuery;
+@class MSIDConfiguration;
 @protocol MSIDRequestContext;
 @protocol MSIDExtendedTokenCacheDataSource;
 
@@ -193,4 +195,10 @@
                                                                          context:(nullable id<MSIDRequestContext>)context
                                                                            error:(NSError * _Nullable __autoreleasing * _Nullable)error;
 
+/*
+ Check if support FRT has been enabled
+ */
+- (MSIDIsFRTEnabledStatus)checkFRTEnabled:(nullable id<MSIDRequestContext>)context
+                                    error:(NSError * _Nullable __autoreleasing * _Nullable)error;
+
 @end
@@ -36,6 +36,10 @@
 #import "MSIDAppMetadataCacheKey.h"
 #import "MSIDAppMetadataCacheQuery.h"
 #import "MSIDExtendedTokenCacheDataSource.h"
+#import "MSIDConfiguration.h"
+#import "MSIDConstants.h"
+#import "MSIDJsonObject.h"
+#import "MSIDFlightManager.h"
 
 @interface MSIDAccountCredentialCache()
 {
@@ -382,7 +386,7 @@ - (BOOL)removeCredential:(nonnull MSIDCredentialCacheItem *)credential
 
     BOOL result = [_dataSource removeTokensWithKey:key context:context error:error];
 
-    if (result && credential.credentialType == MSIDRefreshTokenType)
+    if (result && (credential.credentialType == MSIDRefreshTokenType || credential.credentialType == MSIDFamilyRefreshTokenType))
     {
         [_dataSource saveWipeInfoWithContext:context error:nil];
     }
@@ -556,4 +560,159 @@ - (BOOL)removeAppMetadata:(nonnull MSIDAppMetadataCacheItem *)appMetadata
     return cacheItems;
 }
 
+- (MSIDIsFRTEnabledStatus)checkFRTEnabled:(nullable id<MSIDRequestContext>)context
+                                    error:(NSError * _Nullable __autoreleasing * _Nullable)error
+{
+    // This block will be used to check feature flags and update FRT settings if needed, depending on the current status
+    // of the keychain item, avoiding an unnecessary read or update if status is the same
+    MSIDIsFRTEnabledStatus (^checkFeatureFlagsAndReturn)(MSIDIsFRTEnabledStatus) = ^MSIDIsFRTEnabledStatus(MSIDIsFRTEnabledStatus status) {
+
+        // Check if FRT is enabled by feature flight
+        MSIDFlightManager *flightManager = [MSIDFlightManager sharedInstance];
+        BOOL flagEnableFRT = [flightManager boolForKey:@"enable_client_sfrt_by_tenant_id"]; // TODO: Replace this by the constant from the other branch, and remove the hardcoded YES
+        BOOL flagDisableAllFRT = [flightManager boolForKey:@"disable_client_sfrt_for_all"];
+        BOOL shouldEnableFRT = flagEnableFRT && !flagDisableAllFRT;
+
+        switch (status)
+        {
+                // No entry in cache
+            case MSIDIsFRTEnabledStatusNotEnabled:
+                if (shouldEnableFRT)
+                {
+                    [self updateFRTSettings:YES context:context error:nil];
+                    return MSIDIsFRTEnabledStatusActive;
+                }
+                break;
+
+                // Deserialization error, try to enable/disable if needed
+            case MSIDIsFRTEnabledStatusDisabledByDeserializationError:
+                if (shouldEnableFRT)
+                {
+                    [self updateFRTSettings:YES context:context error:nil];
+                    return MSIDIsFRTEnabledStatusActive;
+                }
+                else if (flagDisableAllFRT)
+                {
+                    [self updateFRTSettings:NO context:context error:nil];
+                    return MSIDIsFRTEnabledStatusDisabledByKeychainItem;
+                }
+                break;
+
+                // FRT is currently enabled, check to see if should be disabled
+            case MSIDIsFRTEnabledStatusActive:
+                if (flagDisableAllFRT)
+                {
+                    [self updateFRTSettings:NO context:context error:nil];
+                    return MSIDIsFRTEnabledStatusDisabledByKeychainItem;
+                }
+                break;
+
+            // FRT is disabled, check to see if should be enabled
+            case MSIDIsFRTEnabledStatusDisabledByKeychainItem:
+                if (shouldEnableFRT)
+                {
+                    [self updateFRTSettings:YES context:context error:nil];
+                    return MSIDIsFRTEnabledStatusActive;
+                }
+                break;
+
+                // Error reading keychain item, do not update settings
+            case MSIDIsFRTEnabledStatusDisabledByKeychainError:
+                break;
+
+                // Feature is disabled by client app, do nothing with keychain item
+            case MSIDIsFRTEnabledStatusDisabledByClientApp:
+                break;
+        }
+
+        return status;
+    };
+
+    // Check if FRT is disabled by client
+    if (context.disableFRT)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT disabled by MSAL client app, returning NO");
+        return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusDisabledByClientApp);
+    }
+
+    NSError *readError = nil;
+    NSArray<MSIDJsonObject *> *jsonObjects = [_dataSource jsonObjectsWithKey:[MSIDAccountCredentialCache checkFRTCacheKey]
+                                                                  serializer:[MSIDCacheItemJsonSerializer new]
+                                                                     context:context
+                                                                       error:&readError];
+
+    if (readError)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to retrieve FRT cache entry, error: %@", readError);
+        if (error)
+        {
+            *error = readError;
+        }
+        return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusDisabledByKeychainError);
+    }
+
+    if (![jsonObjects count])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"No FRT cache entry found, returning NO");
+        return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusNotEnabled);
+    }
+
+    NSDictionary *dict = [jsonObjects[0] jsonDictionary];
+    if (!dict || ![dict isKindOfClass:[NSDictionary class]] || [dict objectForKey:MSID_USE_SINGLE_FRT_KEY] == nil)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to deserialize FRT cache entry, returning NO");
+        return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusDisabledByDeserializationError);
+    }
+
+    id useFRT = dict[MSID_USE_SINGLE_FRT_KEY];
+    if(([useFRT isKindOfClass:[NSNumber class]] || [useFRT isKindOfClass:[NSString class]]) && [useFRT boolValue])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT is enabled");
+        return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusActive);
+    }
+
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT is disabled");
+    return checkFeatureFlagsAndReturn(MSIDIsFRTEnabledStatusDisabledByKeychainItem);
+}
+
+- (void)updateFRTSettings:(BOOL)enableFRT
+                  context:(nullable id<MSIDRequestContext>)context
+                    error:(NSError * _Nullable __autoreleasing * _Nullable)error
+{
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"Updating UseSingleFRT Item with enableFRT:%@", enableFRT ? @"YES" : @"NO");
+
+    NSDictionary *settings = @{MSID_USE_SINGLE_FRT_KEY: @(enableFRT)};
+
+    NSError *saveError = nil;
+    MSIDJsonObject *jsonObject = [[MSIDJsonObject alloc] initWithJSONDictionary:settings error:&saveError];
+
+    [_dataSource saveJsonObject:jsonObject
+                     serializer:[MSIDCacheItemJsonSerializer new]
+                            key:[MSIDAccountCredentialCache checkFRTCacheKey]
+                        context:context
+                          error:&saveError];
+
+    if (saveError)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to save FRT cache entry, error: %@", saveError);
+        if (error)
+        {
+            *error = saveError;
+        }
+    }
+}
+
++ (MSIDCacheKey *)checkFRTCacheKey
+{
+    static MSIDCacheKey *cacheKey = nil;
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+        cacheKey = [[MSIDCacheKey alloc] initWithAccount:MSID_USE_SINGLE_FRT_KEYCHAIN
+                                                 service:MSID_USE_SINGLE_FRT_KEYCHAIN
+                                                 generic:nil
+                                                    type:nil];
+    });
+    return cacheKey;
+}
+
 @end