Merge branch 'hotfix/1.7.42-hotfix' into hotfix/1.7.43-hotfix

Author: antrix1989

IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h

@@ -36,6 +36,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) MSIDProviderType providerType;
 @property (nonatomic, nullable) NSString *oidcScope;
 @property (nonatomic, nullable) NSDictionary *extraQueryParameters;
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) BOOL instanceAware;
 @property (nonatomic, nullable) NSDictionary *enrollmentIds;
 @property (nonatomic, nullable) NSDictionary *mamResources;
@@ -48,6 +49,8 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
+@property (nonatomic) BOOL ignoreScopeValidation;
+
 
 + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
      withParameters:(MSIDRequestParameters *)parameters

IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m

@@ -66,6 +66,8 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
     request.skipValidateResultAccount = parameters.skipValidateResultAccount;
     request.forceRefresh = parameters.forceRefresh;
     request.platformSequence = parameters.platformSequence;
+    request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;
+    request.ignoreScopeValidation = parameters.ignoreScopeValidation;
     return YES;
 }
 
@@ -153,6 +155,7 @@ - (NSDictionary *)jsonDictionary
     json[MSID_CLIENT_SKU_KEY] = self.clientSku;
     json[MSID_SKIP_VALIDATE_RESULT_ACCOUNT_KEY] = [@(self.skipValidateResultAccount) stringValue];
     json[MSID_FORCE_REFRESH_KEY] = [@(self.forceRefresh) stringValue];
+    
     return json;
 }
 

IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.m

@@ -71,15 +71,15 @@ - (NSDictionary *)jsonDictionary
     }
 
     __auto_type accountJson = [NSMutableDictionary new];
-    accountJson[@"userName"] = tokenResponse.idTokenObj.username;
+    accountJson[@"userName"] = tokenResponse.accountUpn;
     accountJson[@"id"] = tokenResponse.accountIdentifier;
 
     response[@"account"] = accountJson;
     response[@"state"] = self.state;
 
     __auto_type propertiesJson = [NSMutableDictionary new];
     // TODO: once ests follow the latest protocol, this should be removed. Account ID should be read from accountJson.
-    propertiesJson[@"UPN"] = tokenResponse.idTokenObj.username;
+    propertiesJson[@"UPN"] = accountJson[@"userName"];
     response[@"properties"] = propertiesJson;
 
     return response;

IdentityCore/src/oauth2/MSIDOauth2Factory.m

@@ -375,7 +375,7 @@ - (BOOL)fillAccount:(MSIDAccount *)account
        fromResponse:(MSIDTokenResponse *)response
       configuration:(MSIDConfiguration *)configuration
 {
-    NSString *homeAccountId = response.idTokenObj.userId;
+    NSString *homeAccountId = response.idTokenObj.userId ?: [response accountIdentifier];
 
     if (!homeAccountId)
     {

IdentityCore/src/oauth2/MSIDTokenResponse.h

@@ -91,6 +91,8 @@
 
 @property (nonatomic, readonly, nullable) NSString *accountIdentifier;
 
+@property (nonatomic, readonly, nullable) NSString *accountUpn;
+
 - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json
                                    refreshToken:(nullable MSIDBaseToken<MSIDRefreshableToken> *)token
                                           error:(NSError * _Nullable __autoreleasing *_Nullable)error;

IdentityCore/src/oauth2/MSIDTokenResponse.m

@@ -131,6 +131,11 @@ - (NSString *)accountIdentifier
     return self.idTokenObj.uniqueId;
 }
 
+- (NSString *)accountUpn
+{
+    return self.idTokenObj.username;
+}
+
 #pragma mark - Protected
 
 - (MSIDIdTokenClaims *)tokenClaimsFromRawIdToken:(NSString *)rawIdToken error:(NSError *__autoreleasing*)error

IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.h

@@ -37,6 +37,7 @@
 @property (nonatomic, nullable) MSIDClientInfo *clientInfo;
 @property (nonatomic, nullable) NSString *familyId;
 @property (nonatomic, nullable) NSString *suberror;
+/// UPN of the user.
 @property (nonatomic, nullable) NSString *additionalUserId;
 
 // Custom properties that ADAL/MSAL handles

IdentityCore/src/oauth2/aad_base/MSIDAADTokenResponse.m

@@ -79,6 +79,11 @@ - (NSString *)accountIdentifier
     return self.clientInfo.accountIdentifier;
 }
 
+- (NSString *)accountUpn
+{
+    return [super accountUpn] ?: self.additionalUserId;
+}
+
 #pragma mark - MSIDJsonSerializable
 
 - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing*)error

IdentityCore/src/parameters/MSIDRequestParameters.h

@@ -54,6 +54,7 @@
 @property (nonatomic) NSString *oidcScope;
 @property (nonatomic) MSIDAccountIdentifier *accountIdentifier;
 @property (nonatomic) BOOL validateAuthority;
+@property (nonatomic) BOOL ignoreScopeValidation;
 @property (nonatomic) NSString *nonce;
 @property (nonatomic) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
@@ -67,6 +68,8 @@
 @property (nonatomic) NSDictionary *extraTokenRequestParameters;
 // Additional URL query parameters that will be added to both token and authorize requests
 @property (nonatomic) NSDictionary *extraURLQueryParameters;
+// Currently used only in broker to enable/disable EQP filtering.
+@property (nonatomic) BOOL allowAnyExtraURLQueryParameters;
 @property (nonatomic) NSUInteger tokenExpirationBuffer;
 @property (nonatomic) BOOL extendedLifetimeEnabled;
 @property (nonatomic) BOOL instanceAware;

IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.h

@@ -68,6 +68,7 @@
 - (BOOL)validateTokenResult:(nonnull MSIDTokenResult *)tokenResult
               configuration:(nonnull MSIDConfiguration *)configuration
                   oidcScope:(nullable NSString *)oidcScope
+             validateScopes:(BOOL)validateScopes
               correlationID:(nonnull NSUUID *)correlationID
                       error:(NSError * _Nullable __autoreleasing * _Nullable)error;