Merge branch 'dev' into antonioalwan/15_add_temp_tests_adj

* dev:
  Merge Hotfix/1.7.44 (#1456) (#1459)
  dummy change to trigger pipeline
  Update API
  Increase waiting time
  wait inorder
  MSA Automation support

IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h

@@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) MSIDProviderType providerType;
 @property (nonatomic, nullable) NSString *oidcScope;
 @property (nonatomic, nullable) NSDictionary *extraQueryParameters;
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) BOOL instanceAware;
 @property (nonatomic, nullable) NSDictionary *enrollmentIds;
 @property (nonatomic, nullable) NSDictionary *mamResources;
@@ -48,6 +49,8 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
+@property (nonatomic) BOOL ignoreScopeValidation;
+
 
 + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
      withParameters:(MSIDRequestParameters *)parameters

IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m

@@ -66,6 +66,8 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
     request.skipValidateResultAccount = parameters.skipValidateResultAccount;
     request.forceRefresh = parameters.forceRefresh;
     request.platformSequence = parameters.platformSequence;
+    request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;
+    request.ignoreScopeValidation = parameters.ignoreScopeValidation;
     return YES;
 }
 
@@ -153,6 +155,7 @@ - (NSDictionary *)jsonDictionary
     json[MSID_CLIENT_SKU_KEY] = self.clientSku;
     json[MSID_SKIP_VALIDATE_RESULT_ACCOUNT_KEY] = [@(self.skipValidateResultAccount) stringValue];
     json[MSID_FORCE_REFRESH_KEY] = [@(self.forceRefresh) stringValue];
+
     return json;
 }
 

IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m

@@ -71,15 +71,15 @@ - (NSDictionary *)jsonDictionary
     }
 
     __auto_type accountJson = [NSMutableDictionary new];
-    accountJson[@"userName"] = tokenResponse.idTokenObj.username;
+    accountJson[@"userName"] = tokenResponse.accountUpn;
     accountJson[@"id"] = tokenResponse.accountIdentifier;
 
     response[@"account"] = accountJson;
     response[@"state"] = self.state;
 
     __auto_type propertiesJson = [NSMutableDictionary new];
     // TODO: once ests follow the latest protocol, this should be removed. Account ID should be read from accountJson.
-    propertiesJson[@"UPN"] = tokenResponse.idTokenObj.username;
+    propertiesJson[@"UPN"] = accountJson[@"userName"];
     response[@"properties"] = propertiesJson;
 
     return response;

IdentityCore/src/oauth2/MSIDOauth2Factory.m

@@ -375,7 +375,7 @@ - (BOOL)fillAccount:(MSIDAccount *)account
        fromResponse:(MSIDTokenResponse *)response
       configuration:(MSIDConfiguration *)configuration
 {
-    NSString *homeAccountId = response.idTokenObj.userId;
+    NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier];
 
     if (!homeAccountId)
     {

IdentityCore/src/oauth2/MSIDTokenResponse.h

@@ -91,6 +91,8 @@
 
 @property (nonatomic, readonly, nullable) NSString *accountIdentifier;
 
+@property (nonatomic, readonly, nullable) NSString *accountUpn;
+
 - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json
                                    refreshToken:(nullable MSIDBaseToken<MSIDRefreshableToken> *)token
                                           error:(NSError * _Nullable __autoreleasing *_Nullable)error;

IdentityCore/src/oauth2/MSIDTokenResponse.m

@@ -131,6 +131,11 @@ - (NSString *)accountIdentifier
     return self.idTokenObj.uniqueId;
 }
 
+- (NSString *)accountUpn
+{
+    return self.idTokenObj.username;
+}
+
 #pragma mark - Protected
 
 - (MSIDIdTokenClaims *)tokenClaimsFromRawIdToken:(NSString *)rawIdToken error:(NSError *__autoreleasing*)error

IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h

@@ -37,6 +37,7 @@
 @property (nonatomic, nullable) MSIDClientInfo *clientInfo;
 @property (nonatomic, nullable) NSString *familyId;
 @property (nonatomic, nullable) NSString *suberror;
+/// UPN of the user.
 @property (nonatomic, nullable) NSString *additionalUserId;
 
 // Custom properties that ADAL/MSAL handles

IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m

@@ -79,6 +79,11 @@ - (NSString *)accountIdentifier
     return self.clientInfo.accountIdentifier;
 }
 
+- (NSString *)accountUpn
+{
+    return [super accountUpn] ?: self.additionalUserId;
+}
+
 #pragma mark - MSIDJsonSerializable
 
 - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing*)error

IdentityCore/src/parameters/MSIDRequestParameters.h

@@ -54,6 +54,7 @@
 @property (nonatomic) NSString *oidcScope;
 @property (nonatomic) MSIDAccountIdentifier *accountIdentifier;
 @property (nonatomic) BOOL validateAuthority;
+@property (nonatomic) BOOL ignoreScopeValidation;
 @property (nonatomic) NSString *nonce;
 @property (nonatomic) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
@@ -67,6 +68,8 @@
 @property (nonatomic) NSDictionary *extraTokenRequestParameters;
 // Additional URL query parameters that will be added to both token and authorize requests
 @property (nonatomic) NSDictionary *extraURLQueryParameters;
+// Currently used only in broker to enable/disable EQP filtering.
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) NSUInteger tokenExpirationBuffer;
 @property (nonatomic) BOOL extendedLifetimeEnabled;
 @property (nonatomic) BOOL instanceAware;

IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h

@@ -68,6 +68,7 @@
 - (BOOL)validateTokenResult:(nonnull MSIDTokenResult *)tokenResult
               configuration:(nonnull MSIDConfiguration *)configuration
                   oidcScope:(nullable NSString *)oidcScope
+             validateScopes:(BOOL)validateScopes
               correlationID:(nonnull NSUUID *)correlationID
                       error:(NSError * _Nullable __autoreleasing * _Nullable)error;
 

IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m

@@ -124,6 +124,7 @@ - (MSIDTokenResult *)createTokenResultFromResponse:(MSIDTokenResponse *)tokenRes
 - (BOOL)validateTokenResult:(__unused MSIDTokenResult *)tokenResult
               configuration:(__unused MSIDConfiguration *)configuration
                   oidcScope:(__unused NSString *)oidcScope
+             validateScopes:(__unused BOOL)validateScopes
               correlationID:(__unused NSUUID *)correlationID
                       error:(__unused NSError *__autoreleasing*)error
 {
@@ -224,6 +225,7 @@ - (MSIDTokenResult *)validateAndSaveBrokerResponse:(MSIDBrokerResponse *)brokerR
     BOOL resultValid = [self validateTokenResult:tokenResult
                                    configuration:configuration
                                        oidcScope:oidcScope
+                                  validateScopes:YES
                                    correlationID:correlationID
                                            error:error];
 
@@ -289,6 +291,7 @@ - (MSIDTokenResult *)validateAndSaveTokenResponse:(MSIDTokenResponse *)tokenResp
     BOOL resultValid = [self validateTokenResult:tokenResult
                                    configuration:parameters.msidConfiguration
                                        oidcScope:parameters.oidcScope
+                                  validateScopes:!parameters.ignoreScopeValidation
                                    correlationID:parameters.correlationId
                                            error:error];
 

IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m

@@ -37,6 +37,7 @@ @implementation MSIDLegacyTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
               configuration:(__unused MSIDConfiguration *)configuration
                   oidcScope:(__unused NSString *)oidcScope
+             validateScopes:(__unused BOOL)validateScopes
               correlationID:(NSUUID *)correlationID
                       error:(NSError *__autoreleasing*)error
 {

IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m

@@ -35,6 +35,7 @@ @implementation MSIDDefaultTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
               configuration:(MSIDConfiguration *)configuration
                   oidcScope:(NSString *)oidcScope
+             validateScopes:(BOOL)validateScopes
               correlationID:(NSUUID *)correlationID
                       error:(NSError *__autoreleasing*)error
 {
@@ -47,6 +48,8 @@ - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
     {
         return YES;
     }
+
+    if (!validateScopes) return YES;
 
     NSOrderedSet *grantedScopes = tokenResult.accessToken.scopes;
     NSOrderedSet *normalizedGrantedScopes = grantedScopes.normalizedScopeSet;

IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m

@@ -87,6 +87,7 @@ - (void)testValidateTokenResult_whenSomeScopesRejectedByServer_shouldReturnError
     [self.validator validateTokenResult:result
                           configuration:configuration
                               oidcScope:defaultOidcScope
+                         validateScopes:YES
                           correlationID:correlationID
                                   error:&error];
 
@@ -131,6 +132,7 @@ - (void)testValidateTokenResult_whenEmailScopesNotIncludedByServer_shouldReturnV
     BOOL validated = [self.validator validateTokenResult:result
                                            configuration:configuration
                                                oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                            correlationID:correlationID
                                                    error:&error];
 
@@ -171,6 +173,7 @@ - (void)testValidateTokenResult_whenEmailScopesIncludedByServer_shouldReturnVali
     BOOL validated = [self.validator validateTokenResult:result
                                            configuration:configuration
                                                oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                            correlationID:correlationID
                                                    error:&error];
 
@@ -206,6 +209,7 @@ - (void)testValidateTokenResult_whenWithValidResponse_shouldReturnValidResult
     BOOL validated = [self.validator validateTokenResult:result
                                         configuration:configuration
                                             oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                         correlationID:correlationID
                                                 error:&error];
 

IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m

@@ -207,6 +207,7 @@ - (void)testValidateTokenResult_whenResultContainsAccount_shouldReturnNoError
     BOOL result = [self.validator validateTokenResult:testResult
                                         configuration:[MSIDConfiguration new]
                                             oidcScope:nil
+                                       validateScopes:YES
                                         correlationID:[NSUUID new]
                                                 error:&error];
 

IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.h

@@ -86,6 +86,7 @@ typedef NS_ENUM(NSInteger, MSIDAutomationWPJSSOExtensionSecureStorage)
 @property (nonatomic) BOOL corruptSessionKey;
 @property (nonatomic) BOOL useSafariUserAgent;
 @property (nonatomic) BOOL disableCertBasedAuth;
+@property (nonatomic) BOOL isMSAAccount;
 
 @property (nonatomic) MSIDAutomationWPJRegistrationAPIMode registrationMode;
 @property (nonatomic) NSString *wpjRegistrationTenantId;

IdentityCore/tests/automation/shared/MSIDAutomationTestRequest.m

@@ -53,6 +53,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json
         _brokerEnabled = [json[@"brokerEnabled"] boolValue];
         _clientCapabilities = json[@"client_capabilities"];
         _refreshToken = json[@"refresh_token"];
+        _isMSAAccount = [json[@"isMSAAccount"] boolValue];
 
 #if TARGET_OS_IPHONE
         NSString *webviewTypeString = json[@"webviewtype"];
@@ -138,6 +139,7 @@ - (NSDictionary *)jsonDictionary
     json[@"corrupt_session_key"] = @(_corruptSessionKey);
     json[@"use_safari_ua"] = @(_useSafariUserAgent);
     json[@"disable_cert_based_auth"] = @(_disableCertBasedAuth);
+    json[@"isMSAAccount"] = @(_isMSAAccount);
 
     NSString *webviewType = nil;
 

IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.h

@@ -39,6 +39,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) NSString *homeObjectId;
 @property (nonatomic) NSString *homeTenantId;
 @property (nonatomic) NSString *environment;
+@property (nonatomic) NSString *oneAuthAccountId;
 
 @end
 

IdentityCore/tests/automation/shared/MSIDAutomationUserInformation.m

@@ -39,6 +39,7 @@ - (NSDictionary *)jsonDictionary
     json[@"home_tenant_id"] = self.homeTenantId;
     json[@"environment"] = self.environment;
     json[@"legacyAccountId"] = self.legacyAccountId;
+    json[@"oneAuthAccountId"] = self.oneAuthAccountId;
     return json;
 }
 
@@ -59,6 +60,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(__unused NSEr
         _homeTenantId = json[@"home_tenant_id"];
         _environment = json[@"environment"];
         _legacyAccountId = json[@"legacyAccountId"];
+        _oneAuthAccountId = json[@"oneAuthAccountId"];
     }
 
     return self;

IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m

@@ -314,22 +314,29 @@ - (void)enterPassword:(NSString *)password app:(XCUIApplication *)application is
     // Enter password
     XCUIElement *passwordSecureTextField = [application.secureTextFields elementBoundByIndex:0];
     // This is explicitly to check the new screen where to ask user to signin with the following 2 options. This caused several automation failures
-    // 1. Use my password
-    // 2. Sign in to an orgnization
-    XCUIElement *useMyPasswordButton = application.buttons[@"Use my password"];
-    XCUIElement *currentElement = [self waitForEitherElements:passwordSecureTextField and:useMyPasswordButton];
-    if (currentElement.elementType == XCUIElementTypeButton)
+
+    XCTWaiterResult result = [self waitForElementsAndContinueIfNotAppear:passwordSecureTextField];
+    if (result == XCTWaiterResultCompleted)
     {
-        [currentElement tap];
-        [self enterPassword:password
-                        app:application
-                  isMainApp:isMainApp];
-        return;
+        [self tapElementAndWaitForKeyboardToAppear:passwordSecureTextField app:application];
+        NSString *passwordString = [NSString stringWithFormat:@"%@\n", password];
+        [self enterText:passwordSecureTextField isMainApp:isMainApp text:passwordString];
+    }
+    else
+    {
+        // 1. Use my password
+        // 2. Sign in to an orgnization
+        XCUIElement *useMyPasswordButton = application.buttons[@"Use my password"];
+        result = [self waitForElementsAndContinueIfNotAppear:useMyPasswordButton];
+        if (result == XCTWaiterResultCompleted)
+        {
+            [useMyPasswordButton tap];
+            [self enterPassword:password
+                            app:application
+                      isMainApp:isMainApp];
+        }
     }
 
-    [self tapElementAndWaitForKeyboardToAppear:passwordSecureTextField app:application];
-    NSString *passwordString = [NSString stringWithFormat:@"%@\n", password];
-    [self enterText:passwordSecureTextField isMainApp:isMainApp text:passwordString];
 }
 
 - (void)adfsEnterPassword:(XCUIApplication *)application
@@ -487,6 +494,14 @@ - (XCUIElement *)waitForEitherElements:(XCUIElement *)object1 and:(XCUIElement *
     return object1.exists ? object1 : object2;
 }
 
+- (XCTWaiterResult)waitForElementsAndContinueIfNotAppear:(XCUIElement *)object
+{
+    NSPredicate *existsPredicate = [NSPredicate predicateWithFormat:@"%@.exists == 1" argumentArray:@[object]];
+
+    XCTestExpectation *expectation = [[XCTNSPredicateExpectation alloc] initWithPredicate:existsPredicate object:object];
+    return [XCTWaiter waitForExpectations:@[expectation] timeout:30.0f enforceOrder:YES];
+}
+
 - (void)tapElementAndWaitForKeyboardToAppear:(XCUIElement *)element
 {
     [self tapElementAndWaitForKeyboardToAppear:element app:[XCUIApplication new]];

azure_pipelines/msal_submodule_check.yaml

@@ -108,6 +108,7 @@ jobs:
       targetType: 'inline'
       script: |
         rm -rf $(Agent.BuildDirectory)/s/build/status.txt
+        
   - task: PublishTestResults@2
     condition: always()
     displayName: Publish Test Report

changelog.txt

@@ -1,12 +1,19 @@
 Version TBD
 * Make hashed ups in logs case insensitive (#1446)
 
+Version 1.7.44
+* Merge 1.7.42-hotfix
+
 Version 1.7.43
 * Support web_page_uri #1440
 * Save error received from ESTS, and return it to the client on silent broker calls (#1438)
 * XPC CommonCore Minor change to support broker XPC changes (#1436)
 * Assign completion block before perform request (#1434)
 
+Version 1.7.42-hotfix
+* Add support of "lookup" mode in broker #1450
+* Support web_page_uri #1440
+
 Version 1.7.42
 * Support extra query parameters on signout (#1243)
 * Wrap ASAuthorizationProviderExtensionAuthorizationRequest methods (#1427)