diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
index d7c0bd84d..d4dc1198c 100644
--- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
+++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
@@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) MSIDProviderType providerType;
 @property (nonatomic, nullable) NSString *oidcScope;
 @property (nonatomic, nullable) NSDictionary *extraQueryParameters;
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) BOOL instanceAware;
 @property (nonatomic, nullable) NSDictionary *enrollmentIds;
 @property (nonatomic, nullable) NSDictionary *mamResources;
@@ -48,6 +49,8 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
+@property (nonatomic) BOOL ignoreScopeValidation;
+
 + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
 withParameters:(MSIDRequestParameters *)parameters
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
index df67d1b18..ea0f98fe0 100644
--- a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
+++ b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
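Review bot: The two new BOOL properties in MSIDBrokerOperationTokenRequest.h, `allowAnyExtraURLQueryParameters` in the -36 hunk and `ignoreScopeValidation` in the -48 hunk, are added without any comment, although both switch a check off rather than carry data, and nothing in this header tells a reader what is given up or what the default is. Elsewhere in this commit `ignoreScopeValidation` becomes `validateScopes:NO` on the default token response validator, which then returns before comparing granted scopes with requested ones, and MSIDRequestParameters.h describes `allowAnyExtraURLQueryParameters` as the switch for EQP filtering in the broker. Suggest `/// When YES, the default token response validator skips the granted-vs-requested scope check.` on the first and `/// When YES, broker-side filtering of extra URL query parameters is disabled.` on the second, plus a note on each that the flag is expected to be NO unless deliberately set.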
@@ -66,6 +66,8 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
 request.skipValidateResultAccount = parameters.skipValidateResultAccount;
 request.forceRefresh = parameters.forceRefresh;
 request.platformSequence = parameters.platformSequence;
+ request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;
+ request.ignoreScopeValidation = parameters.ignoreScopeValidation;
 return YES;
 }
@@ -153,6 +155,7 @@ - (NSDictionary *)jsonDictionary
 json[MSID_CLIENT_SKU_KEY] = self.clientSku;
 json[MSID_SKIP_VALIDATE_RESULT_ACCOUNT_KEY] = [@(self.skipValidateResultAccount) stringValue];
 json[MSID_FORCE_REFRESH_KEY] = [@(self.forceRefresh) stringValue];
+
 return json;
 }
diff --git a/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m b/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m
index 6d6020154..11c230562 100644
--- a/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m
+++ b/IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m
@@ -71,7 +71,7 @@ - (NSDictionary *)jsonDictionary
 }
 __auto_type accountJson = [NSMutableDictionary new];
- accountJson[@"userName"] = tokenResponse.idTokenObj.username;
+ accountJson[@"userName"] = tokenResponse.accountUpn;
 accountJson[@"id"] = tokenResponse.accountIdentifier;
 response[@"account"] = accountJson;
@@ -79,7 +79,7 @@ - (NSDictionary *)jsonDictionary
 __auto_type propertiesJson = [NSMutableDictionary new];
 // TODO: once ests follow the latest protocol, this should be removed. Account ID should be read from accountJson.
- propertiesJson[@"UPN"] = tokenResponse.idTokenObj.username;
+ propertiesJson[@"UPN"] = accountJson[@"userName"];
 response[@"properties"] = propertiesJson;
 return response;
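Review bot: The `jsonDictionary` hunk at -153 in MSIDBrokerOperationTokenRequest.m adds only what appears to be an empty line after `json[MSID_FORCE_REFRESH_KEY]`; neither `allowAnyExtraURLQueryParameters` nor `ignoreScopeValidation`, which `fillRequest:withParameters:` now copies onto the request in the -66 hunk, is written to `json`, unlike the neighbouring `skipValidateResultAccount` and `forceRefresh`. If this dictionary is the form in which the request crosses to the broker, the two flags are dropped at serialization and the broker never sees them; if that is intended because they are only consumed in-process, a one-line comment such as `// allowAnyExtraURLQueryParameters and ignoreScopeValidation are deliberately not serialized.` would stop the next reader from "fixing" it. If they are meant to be transmitted, they need keys here and a matching read on the deserializing side, and because the calling app controls the request JSON the broker should treat a client-supplied `allowAnyExtraURLQueryParameters` as input to its own policy decision rather than as an instruction. The rest of both methods is outside the hunks.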
diff --git a/IdentityCore/src/oauth2/MSIDOauth2Factory.m b/IdentityCore/src/oauth2/MSIDOauth2Factory.m
index c630f6036..5a87870e0 100644
--- a/IdentityCore/src/oauth2/MSIDOauth2Factory.m
+++ b/IdentityCore/src/oauth2/MSIDOauth2Factory.m
@@ -375,7 +375,7 @@ - (BOOL)fillAccount:(MSIDAccount *)account
 fromResponse:(MSIDTokenResponse *)response
 configuration:(MSIDConfiguration *)configuration
 {
- NSString *homeAccountId = response.idTokenObj.userId;
+ NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier];
 if (!homeAccountId)
 {
diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.h b/IdentityCore/src/oauth2/MSIDTokenResponse.h
index f229c49e6..a45f0ae9a 100644
--- a/IdentityCore/src/oauth2/MSIDTokenResponse.h
+++ b/IdentityCore/src/oauth2/MSIDTokenResponse.h
@@ -91,6 +91,8 @@
 @property (nonatomic, readonly, nullable) NSString *accountIdentifier;
+@property (nonatomic, readonly, nullable) NSString *accountUpn;
+
 - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json
 refreshToken:(nullable MSIDBaseToken *)token
 error:(NSError * _Nullable __autoreleasing *_Nullable)error;
diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.m b/IdentityCore/src/oauth2/MSIDTokenResponse.m
index 3c17270e7..52c4fe814 100644
--- a/IdentityCore/src/oauth2/MSIDTokenResponse.m
+++ b/IdentityCore/src/oauth2/MSIDTokenResponse.m
@@ -131,6 +131,11 @@ - (NSString *)accountIdentifier
 return self.idTokenObj.uniqueId;
 }
+- (NSString *)accountUpn
+{
+ return self.idTokenObj.username;
+}
+
 #pragma mark - Protected
 - (MSIDIdTokenClaims *)tokenClaimsFromRawIdToken:(NSString *)rawIdToken error:(NSError *__autoreleasing*)error
diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h
index 1e9463aa9..31ee60eb0 100644
--- a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h
+++ b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h
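Review bot: The fallback `?: [response accountIdentifier]` in `fillAccount:fromResponse:configuration:` changes where `homeAccountId` comes from when the ID token carries no `userId`: the base `MSIDTokenResponse` returns `idTokenObj.uniqueId` for `accountIdentifier`, but `MSIDAADTokenResponse` overrides it to `clientInfo.accountIdentifier`, so for AAD the home identifier can now be taken from the client_info blob instead of the ID token. Whether those two values are interchangeable as the account key is not visible in this hunk and deserves a why-comment on the new line, e.g. `// No userId claim in the ID token; fall back to the response-level account identifier (client_info for AAD).` with the triggering case named once it is confirmed. Style: the same expression mixes dot syntax (`response.idTokenObj.userId`) with bracket syntax for a property (`[response accountIdentifier]`); `response.accountIdentifier` is consistent with the rest of the line. The new `accountUpn` declaration in MSIDTokenResponse.h has no doc comment; suggest `/// Username from the ID token, if present; subclasses may provide a fallback source.` The body of fillAccount: continues outside the hunk.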
@@ -37,6 +37,7 @@
 @property (nonatomic, nullable) MSIDClientInfo *clientInfo;
 @property (nonatomic, nullable) NSString *familyId;
 @property (nonatomic, nullable) NSString *suberror;
+/// UPN of the user.
 @property (nonatomic, nullable) NSString *additionalUserId;
 // Custom properties that ADAL/MSAL handles
diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m
index 0f6af0008..69670aedc 100644
--- a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m
+++ b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m
@@ -79,6 +79,11 @@ - (NSString *)accountIdentifier
 return self.clientInfo.accountIdentifier;
 }
+- (NSString *)accountUpn
+{
+ return [super accountUpn] ?: self.additionalUserId;
+}
+
 #pragma mark - MSIDJsonSerializable
 - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing*)error
diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h
index 5e4ef39f4..93425a3a5 100644
--- a/IdentityCore/src/parameters/MSIDRequestParameters.h
+++ b/IdentityCore/src/parameters/MSIDRequestParameters.h
@@ -54,6 +54,7 @@
 @property (nonatomic) NSString *oidcScope;
 @property (nonatomic) MSIDAccountIdentifier *accountIdentifier;
 @property (nonatomic) BOOL validateAuthority;
+@property (nonatomic) BOOL ignoreScopeValidation;
 @property (nonatomic) NSString *nonce;
 @property (nonatomic) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
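Review bot: `accountUpn` in MSIDAADTokenResponse.m falls back to `additionalUserId`, and the new header comment `/// UPN of the user.` does not say where that value originates; the base implementation returns an ID-token claim, whereas `additionalUserId` is a plain property of the response object and presumably populated from the token response body — confirm. Because `accountUpn` is what MSIDBrowserNativeMessageGetTokenResponse now emits as `userName` and `UPN`, the consumer receives a value whose provenance depends on which branch fired, and the comment should make that explicit, e.g. `/// UPN of the user as carried in the token response; used as the accountUpn fallback when the ID token has no username.` If `additionalUserId` is meant only as a display hint and not as an identity claim, stating that on the property would keep callers from keying anything on it.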
@@ -67,6 +68,8 @@
 @property (nonatomic) NSDictionary *extraTokenRequestParameters;
 // Additional URL query parameters that will be added to both token and authorize requests
 @property (nonatomic) NSDictionary *extraURLQueryParameters;
+// Currently used only in broker to enable/disable EQP filtering.
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) NSUInteger tokenExpirationBuffer;
 @property (nonatomic) BOOL extendedLifetimeEnabled;
 @property (nonatomic) BOOL instanceAware;
diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h
index 4c7c53c76..10f495607 100644
--- a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h
+++ b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h
@@ -68,6 +68,7 @@
 - (BOOL)validateTokenResult:(nonnull MSIDTokenResult *)tokenResult
 configuration:(nonnull MSIDConfiguration *)configuration
 oidcScope:(nullable NSString *)oidcScope
+ validateScopes:(BOOL)validateScopes
 correlationID:(nonnull NSUUID *)correlationID
 error:(NSError * _Nullable __autoreleasing * _Nullable)error;
diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m
index 1c260e395..622aa6de8 100644
--- a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m
+++ b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m
@@ -124,6 +124,7 @@ - (MSIDTokenResult *)createTokenResultFromResponse:(MSIDTokenResponse *)tokenRes
 - (BOOL)validateTokenResult:(__unused MSIDTokenResult *)tokenResult
 configuration:(__unused MSIDConfiguration *)configuration
 oidcScope:(__unused NSString *)oidcScope
+ validateScopes:(__unused BOOL)validateScopes
 correlationID:(__unused NSUUID *)correlationID
 error:(__unused NSError *__autoreleasing*)error
 {
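Review bot: `ignoreScopeValidation` in the -54 hunk of MSIDRequestParameters.h is added without a comment, while `allowAnyExtraURLQueryParameters` in the -67 hunk gets one, and the new `validateScopes:` argument on `validateTokenResult:...` in MSIDTokenResponseValidator.h is likewise undocumented. Both are opt-outs from a check, so a caller needs to be told what it gives up: suggest `// When YES, the returned token is not checked for covering the requested scopes; the caller must cope with partially granted scopes.` on the property, and on the validator declaration `/// validateScopes: when NO, the default validator skips the granted-vs-requested scope comparison; the legacy validator ignores this argument.` The legacy validator marks the argument `__unused` later in this commit, so the second sentence is accurate today but should be revisited if that changes.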
@@ -224,6 +225,7 @@ - (MSIDTokenResult *)validateAndSaveBrokerResponse:(MSIDBrokerResponse *)brokerR
 BOOL resultValid = [self validateTokenResult:tokenResult
 configuration:configuration
 oidcScope:oidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:error];
@@ -289,6 +291,7 @@ - (MSIDTokenResult *)validateAndSaveTokenResponse:(MSIDTokenResponse *)tokenResp
 BOOL resultValid = [self validateTokenResult:tokenResult
 configuration:parameters.msidConfiguration
 oidcScope:parameters.oidcScope
+ validateScopes:!parameters.ignoreScopeValidation
 correlationID:parameters.correlationId
 error:error];
diff --git a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m
index 9940c4f82..9c9b21088 100644
--- a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m
+++ b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m
@@ -37,6 +37,7 @@ @implementation MSIDLegacyTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
 configuration:(__unused MSIDConfiguration *)configuration
 oidcScope:(__unused NSString *)oidcScope
+ validateScopes:(__unused BOOL)validateScopes
 correlationID:(NSUUID *)correlationID
 error:(NSError *__autoreleasing*)error
 {
diff --git a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m
index 41ebca0cc..96a795b12 100644
--- a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m
+++ b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m
@@ -35,6 +35,7 @@ @implementation MSIDDefaultTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
 configuration:(MSIDConfiguration *)configuration
 oidcScope:(NSString *)oidcScope
+ validateScopes:(BOOL)validateScopes
 correlationID:(NSUUID *)correlationID
 error:(NSError *__autoreleasing*)error
 {
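Review bot: The two call sites in MSIDTokenResponseValidator.m are asymmetric: `validateAndSaveBrokerResponse:` passes `validateScopes:YES` unconditionally in the -224 hunk, while `validateAndSaveTokenResponse:` passes `!parameters.ignoreScopeValidation` in the -289 hunk, so a caller that set `ignoreScopeValidation` still gets the scope check when the result arrives through the broker. That may be deliberate (the broker applying the flag on its own side before answering), but nothing in the code says so; a comment at the broker call site such as `// Broker results are always scope-checked here; ignoreScopeValidation only affects the in-process path.` would pin the contract, and if it is not deliberate the flag has to reach this path as well. Both enclosing methods start and end outside the hunks.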
@@ -47,6 +48,8 @@ - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
 {
 return YES;
 }
+
+ if (!validateScopes) return YES;
 NSOrderedSet *grantedScopes = tokenResult.accessToken.scopes;
 NSOrderedSet *normalizedGrantedScopes = grantedScopes.normalizedScopeSet;
diff --git a/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m
index 995c1c67c..337ecb4a9 100644
--- a/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m
+++ b/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m
@@ -87,6 +87,7 @@ - (void)testValidateTokenResult_whenSomeScopesRejectedByServer_shouldReturnError
 [self.validator validateTokenResult:result
 configuration:configuration
 oidcScope:defaultOidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:&error];
@@ -131,6 +132,7 @@ - (void)testValidateTokenResult_whenEmailScopesNotIncludedByServer_shouldReturnV
 BOOL validated = [self.validator validateTokenResult:result
 configuration:configuration
 oidcScope:defaultOidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:&error];
@@ -171,6 +173,7 @@ - (void)testValidateTokenResult_whenEmailScopesIncludedByServer_shouldReturnVali
 BOOL validated = [self.validator validateTokenResult:result
 configuration:configuration
 oidcScope:defaultOidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:&error];
@@ -206,6 +209,7 @@ - (void)testValidateTokenResult_whenWithValidResponse_shouldReturnValidResult
 BOOL validated = [self.validator validateTokenResult:result
 configuration:configuration
 oidcScope:defaultOidcScope
+ validateScopes:YES
 correlationID:correlationID
 error:&error];
diff --git a/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m
index c6ae18042..e1c15a710 100644
--- a/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m
+++ b/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m
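Review bot: `if (!validateScopes) return YES;` in MSIDDefaultTokenResponseValidator.m short-circuits the scope check silently; when a token comes back with fewer scopes than requested and the check was disabled, nothing in the log explains why the result was accepted, even though `correlationID` is available for exactly that purpose. Suggest logging the bypass before returning, e.g. `MSID_LOG_WITH_CORR(MSIDLogLevelWarning, correlationID, @"Scope validation skipped on request (validateScopes == NO)");` if that is the logging macro this file already uses for its other messages. The test hunks in MSIDDefaultTokenResponseValidatorTests.m only add `validateScopes:YES` to existing calls; no test exercises `validateScopes:NO` with a result whose scopes do not cover the request, which is the new behaviour this commit introduces. The rest of validateTokenResult: is outside the hunk.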
@@ -207,6 +207,7 @@ - (void)testValidateTokenResult_whenResultContainsAccount_shouldReturnNoError
 BOOL result = [self.validator validateTokenResult:testResult
 configuration:[MSIDConfiguration new]
 oidcScope:nil
+ validateScopes:YES
 correlationID:[NSUUID new]
 error:&error];
diff --git a/changelog.txt b/changelog.txt
index 6e9f447a5..4b23a0bc8 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,9 +1,16 @@
+Version 1.7.44
+* Merge 1.7.42-hotfix
+
 Version 1.7.43
 * Support web_page_uri #1440
 * Save error received from ESTS, and return it to the client on silent broker calls (#1438)
 * XPC CommonCore Minor change to support broker XPC changes (#1436)
 * Assign completion block before perform request (#1434)
+Version 1.7.42-hotfix
+* Add support of "lookup" mode in broker #1450
+* Support web_page_uri #1440
+
 Version 1.7.42
 * Support extra query parameters on signout (#1243)
 * Wrap ASAuthorizationProviderExtensionAuthorizationRequest methods (#1427)