Merge Hotfix/1.7.44 (#1456) (#1459)

* Add support of "lookup" mode in broker (#1450) * Add support of "lookup" mode in broker. * Fix tests. * modified: changelog.txt * Support web_page_uri. * modified: changelog.txt * Update changelog. * modified: changelog.txt
AzureAD · Dec 20, 2024 · f75169d · f75169d
1 parent 056ed89
commit f75169d
Show file tree

Hide file tree

Showing 16 changed files with 45 additions and 3 deletions.
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
@@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) MSIDProviderType providerType;
 @property (nonatomic, nullable) NSString *oidcScope;
 @property (nonatomic, nullable) NSDictionary *extraQueryParameters;
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) BOOL instanceAware;
 @property (nonatomic, nullable) NSDictionary *enrollmentIds;
 @property (nonatomic, nullable) NSDictionary *mamResources;
@@ -48,6 +49,8 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
+@property (nonatomic) BOOL ignoreScopeValidation;
+
 
 + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
      withParameters:(MSIDRequestParameters *)parameters

diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
@@ -66,6 +66,8 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
     request.skipValidateResultAccount = parameters.skipValidateResultAccount;
     request.forceRefresh = parameters.forceRefresh;
     request.platformSequence = parameters.platformSequence;
+    request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;
+    request.ignoreScopeValidation = parameters.ignoreScopeValidation;
     return YES;
 }
 
@@ -153,6 +155,7 @@ - (NSDictionary *)jsonDictionary
     json[MSID_CLIENT_SKU_KEY] = self.clientSku;
     json[MSID_SKIP_VALIDATE_RESULT_ACCOUNT_KEY] = [@(self.skipValidateResultAccount) stringValue];
     json[MSID_FORCE_REFRESH_KEY] = [@(self.forceRefresh) stringValue];
+
     return json;
 }
 

diff --git a/...ation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m b/...ation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m
@@ -71,15 +71,15 @@ - (NSDictionary *)jsonDictionary
     }
 
     __auto_type accountJson = [NSMutableDictionary new];
-    accountJson[@"userName"] = tokenResponse.idTokenObj.username;
+    accountJson[@"userName"] = tokenResponse.accountUpn;
     accountJson[@"id"] = tokenResponse.accountIdentifier;
 
     response[@"account"] = accountJson;
     response[@"state"] = self.state;
 
     __auto_type propertiesJson = [NSMutableDictionary new];
     // TODO: once ests follow the latest protocol, this should be removed. Account ID should be read from accountJson.
-    propertiesJson[@"UPN"] = tokenResponse.idTokenObj.username;
+    propertiesJson[@"UPN"] = accountJson[@"userName"];
     response[@"properties"] = propertiesJson;
 
     return response;

diff --git a/IdentityCore/src/oauth2/MSIDOauth2Factory.m b/IdentityCore/src/oauth2/MSIDOauth2Factory.m
@@ -375,7 +375,7 @@ - (BOOL)fillAccount:(MSIDAccount *)account
        fromResponse:(MSIDTokenResponse *)response
       configuration:(MSIDConfiguration *)configuration
 {
-    NSString *homeAccountId = response.idTokenObj.userId;
+    NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier];
 
     if (!homeAccountId)
     {

diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.h b/IdentityCore/src/oauth2/MSIDTokenResponse.h
@@ -91,6 +91,8 @@
 
 @property (nonatomic, readonly, nullable) NSString *accountIdentifier;
 
+@property (nonatomic, readonly, nullable) NSString *accountUpn;
+
 - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json
                                    refreshToken:(nullable MSIDBaseToken<MSIDRefreshableToken> *)token
                                           error:(NSError * _Nullable __autoreleasing *_Nullable)error;

diff --git a/IdentityCore/src/oauth2/MSIDTokenResponse.m b/IdentityCore/src/oauth2/MSIDTokenResponse.m
@@ -131,6 +131,11 @@ - (NSString *)accountIdentifier
     return self.idTokenObj.uniqueId;
 }
 
+- (NSString *)accountUpn
+{
+    return self.idTokenObj.username;
+}
+
 #pragma mark - Protected
 
 - (MSIDIdTokenClaims *)tokenClaimsFromRawIdToken:(NSString *)rawIdToken error:(NSError *__autoreleasing*)error

diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h
@@ -37,6 +37,7 @@
 @property (nonatomic, nullable) MSIDClientInfo *clientInfo;
 @property (nonatomic, nullable) NSString *familyId;
 @property (nonatomic, nullable) NSString *suberror;
+/// UPN of the user.
 @property (nonatomic, nullable) NSString *additionalUserId;
 
 // Custom properties that ADAL/MSAL handles

diff --git a/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m b/IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m
@@ -79,6 +79,11 @@ - (NSString *)accountIdentifier
     return self.clientInfo.accountIdentifier;
 }
 
+- (NSString *)accountUpn
+{
+    return [super accountUpn] ?: self.additionalUserId;
+}
+
 #pragma mark - MSIDJsonSerializable
 
 - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing*)error

diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h
@@ -54,6 +54,7 @@
 @property (nonatomic) NSString *oidcScope;
 @property (nonatomic) MSIDAccountIdentifier *accountIdentifier;
 @property (nonatomic) BOOL validateAuthority;
+@property (nonatomic) BOOL ignoreScopeValidation;
 @property (nonatomic) NSString *nonce;
 @property (nonatomic) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
@@ -67,6 +68,8 @@
 @property (nonatomic) NSDictionary *extraTokenRequestParameters;
 // Additional URL query parameters that will be added to both token and authorize requests
 @property (nonatomic) NSDictionary *extraURLQueryParameters;
+// Currently used only in broker to enable/disable EQP filtering.
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) NSUInteger tokenExpirationBuffer;
 @property (nonatomic) BOOL extendedLifetimeEnabled;
 @property (nonatomic) BOOL instanceAware;

diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h
@@ -68,6 +68,7 @@
 - (BOOL)validateTokenResult:(nonnull MSIDTokenResult *)tokenResult
               configuration:(nonnull MSIDConfiguration *)configuration
                   oidcScope:(nullable NSString *)oidcScope
+             validateScopes:(BOOL)validateScopes
               correlationID:(nonnull NSUUID *)correlationID
                       error:(NSError * _Nullable __autoreleasing * _Nullable)error;
 

diff --git a/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m b/IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m
@@ -124,6 +124,7 @@ - (MSIDTokenResult *)createTokenResultFromResponse:(MSIDTokenResponse *)tokenRes
 - (BOOL)validateTokenResult:(__unused MSIDTokenResult *)tokenResult
               configuration:(__unused MSIDConfiguration *)configuration
                   oidcScope:(__unused NSString *)oidcScope
+             validateScopes:(__unused BOOL)validateScopes
               correlationID:(__unused NSUUID *)correlationID
                       error:(__unused NSError *__autoreleasing*)error
 {
@@ -224,6 +225,7 @@ - (MSIDTokenResult *)validateAndSaveBrokerResponse:(MSIDBrokerResponse *)brokerR
     BOOL resultValid = [self validateTokenResult:tokenResult
                                    configuration:configuration
                                        oidcScope:oidcScope
+                                  validateScopes:YES
                                    correlationID:correlationID
                                            error:error];
 
@@ -289,6 +291,7 @@ - (MSIDTokenResult *)validateAndSaveTokenResponse:(MSIDTokenResponse *)tokenResp
     BOOL resultValid = [self validateTokenResult:tokenResult
                                    configuration:parameters.msidConfiguration
                                        oidcScope:parameters.oidcScope
+                                  validateScopes:!parameters.ignoreScopeValidation
                                    correlationID:parameters.correlationId
                                            error:error];
 

diff --git a/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m b/IdentityCore/src/requests/sdk/adal/MSIDLegacyTokenResponseValidator.m
@@ -37,6 +37,7 @@ @implementation MSIDLegacyTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
               configuration:(__unused MSIDConfiguration *)configuration
                   oidcScope:(__unused NSString *)oidcScope
+             validateScopes:(__unused BOOL)validateScopes
               correlationID:(NSUUID *)correlationID
                       error:(NSError *__autoreleasing*)error
 {

diff --git a/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m b/IdentityCore/src/requests/sdk/msal/MSIDDefaultTokenResponseValidator.m
@@ -35,6 +35,7 @@ @implementation MSIDDefaultTokenResponseValidator
 - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
               configuration:(MSIDConfiguration *)configuration
                   oidcScope:(NSString *)oidcScope
+             validateScopes:(BOOL)validateScopes
               correlationID:(NSUUID *)correlationID
                       error:(NSError *__autoreleasing*)error
 {
@@ -47,6 +48,8 @@ - (BOOL)validateTokenResult:(MSIDTokenResult *)tokenResult
     {
         return YES;
     }
+
+    if (!validateScopes) return YES;
 
     NSOrderedSet *grantedScopes = tokenResult.accessToken.scopes;
     NSOrderedSet *normalizedGrantedScopes = grantedScopes.normalizedScopeSet;

diff --git a/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDDefaultTokenResponseValidatorTests.m
@@ -87,6 +87,7 @@ - (void)testValidateTokenResult_whenSomeScopesRejectedByServer_shouldReturnError
     [self.validator validateTokenResult:result
                           configuration:configuration
                               oidcScope:defaultOidcScope
+                         validateScopes:YES
                           correlationID:correlationID
                                   error:&error];
 
@@ -131,6 +132,7 @@ - (void)testValidateTokenResult_whenEmailScopesNotIncludedByServer_shouldReturnV
     BOOL validated = [self.validator validateTokenResult:result
                                            configuration:configuration
                                                oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                            correlationID:correlationID
                                                    error:&error];
 
@@ -171,6 +173,7 @@ - (void)testValidateTokenResult_whenEmailScopesIncludedByServer_shouldReturnVali
     BOOL validated = [self.validator validateTokenResult:result
                                            configuration:configuration
                                                oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                            correlationID:correlationID
                                                    error:&error];
 
@@ -206,6 +209,7 @@ - (void)testValidateTokenResult_whenWithValidResponse_shouldReturnValidResult
     BOOL validated = [self.validator validateTokenResult:result
                                         configuration:configuration
                                             oidcScope:defaultOidcScope
+                                          validateScopes:YES
                                         correlationID:correlationID
                                                 error:&error];
 

diff --git a/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m b/IdentityCore/tests/MSIDLegacyTokenResponseValidatorTests.m
@@ -207,6 +207,7 @@ - (void)testValidateTokenResult_whenResultContainsAccount_shouldReturnNoError
     BOOL result = [self.validator validateTokenResult:testResult
                                         configuration:[MSIDConfiguration new]
                                             oidcScope:nil
+                                       validateScopes:YES
                                         correlationID:[NSUUID new]
                                                 error:&error];
 

diff --git a/changelog.txt b/changelog.txt
@@ -1,12 +1,19 @@
 Version TBD
 * Make hashed ups in logs case insensitive (#1446)
 
+Version 1.7.44
+* Merge 1.7.42-hotfix
+
 Version 1.7.43
 * Support web_page_uri #1440
 * Save error received from ESTS, and return it to the client on silent broker calls (#1438)
 * XPC CommonCore Minor change to support broker XPC changes (#1436)
 * Assign completion block before perform request (#1434)
 
+Version 1.7.42-hotfix
+* Add support of "lookup" mode in broker #1450
+* Support web_page_uri #1440
+
 Version 1.7.42
 * Support extra query parameters on signout (#1243)
 * Wrap ASAuthorizationProviderExtensionAuthorizationRequest methods (#1427)