Store flag to disable FRT in requestContext instead of msidConfiguration.

Author: juan-arias

IdentityCore/src/MSIDBasicContext.h

@@ -32,6 +32,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic, nullable) NSString *logComponent;
 @property (nonatomic, nullable) NSString *telemetryRequestId;
 @property (nonatomic, nullable) NSDictionary *appRequestMetadata;
+@property (nonatomic, readwrite) BOOL disableFRT;
 
 @end
 

IdentityCore/src/MSIDRequestContext.h

@@ -29,5 +29,11 @@
 - (NSString *)logComponent;
 - (NSString *)telemetryRequestId;
 - (NSDictionary *)appRequestMetadata;
+/**
+ Temporal property to disable Family Refresh Token. This will be removed in future, added to allow 1P apps to disablle this feature themselves.
+ Enabled by default, also configured to be enabled/disabled remotely by Microsoft.
+ */
+//- (BOOL)disableFRT;
+@property (nonatomic, readwrite) BOOL disableFRT;
 
 @end

IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.h

@@ -197,8 +197,7 @@
 /*
  Check if support FRT has been enabled
  */
-- (BOOL)checkFRTEnabled:(nonnull MSIDConfiguration *)configuration
-                context:(nullable id<MSIDRequestContext>)context
+- (BOOL)checkFRTEnabled:(nullable id<MSIDRequestContext>)context
                   error:(NSError * _Nullable __autoreleasing * _Nullable)error;
 
 /*

IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.m

@@ -385,7 +385,7 @@ - (BOOL)removeCredential:(nonnull MSIDCredentialCacheItem *)credential
 
     BOOL result = [_dataSource removeTokensWithKey:key context:context error:error];
 
-    if (result && credential.credentialType == MSIDRefreshTokenType)
+    if (result && (credential.credentialType == MSIDRefreshTokenType || credential.credentialType == MSIDFamilyRefreshTokenType))
     {
         [_dataSource saveWipeInfoWithContext:context error:nil];
     }
@@ -559,12 +559,11 @@ - (BOOL)removeAppMetadata:(nonnull MSIDAppMetadataCacheItem *)appMetadata
     return cacheItems;
 }
 
-- (BOOL)checkFRTEnabled:(nonnull MSIDConfiguration *)configuration
-                context:(nullable id<MSIDRequestContext>)context
+- (BOOL)checkFRTEnabled:(nullable id<MSIDRequestContext>)context
                   error:(NSError * _Nullable __autoreleasing * _Nullable)error
 {
 
-    if (configuration.disableFRT)
+    if (context.disableFRT)
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT disabled by MSAL client app, returning NO");
         return NO;
@@ -579,7 +578,7 @@ - (BOOL)checkFRTEnabled:(nonnull MSIDConfiguration *)configuration
     if (readError)
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to retrieve FRT cache entry, error: %@", readError);
-        configuration.disableFRT = YES;
+        context.disableFRT = YES;
         if (error)
         {
             *error = readError;
@@ -590,15 +589,15 @@ - (BOOL)checkFRTEnabled:(nonnull MSIDConfiguration *)configuration
     if (![jsonObjects count])
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"No FRT cache entry found, returning NO");
-        configuration.disableFRT = YES;
+        context.disableFRT = YES;
         return NO;
     }
 
     NSDictionary *dict = [jsonObjects[0] jsonDictionary];
     if (!dict)
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to deserialize FRT cache entry, returning NO");
-        configuration.disableFRT = YES;
+        context.disableFRT = YES;
         return NO;
     }
 
@@ -609,7 +608,7 @@ - (BOOL)checkFRTEnabled:(nonnull MSIDConfiguration *)configuration
     }
 
     MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"FRT is disabled by the following apps: %@", dict[MSID_USE_SINGLE_FRT_APPS_DISABLED_KEY]);
-    configuration.disableFRT = YES;
+    context.disableFRT = YES;
     return NO;
 }
 

IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m

@@ -131,8 +131,8 @@ - (MSIDRefreshToken *)getRefreshTokenWithAccount:(MSIDAccountIdentifier *)accoun
                                          context:(id<MSIDRequestContext>)context
                                            error:(NSError *__autoreleasing *)error
 {
-    BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:configuration context:context error:error];
-    if (*error)
+    BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:context error:error];
+    if (error)
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not using new FRT.");
     }
@@ -152,10 +152,9 @@ - (MSIDRefreshToken *)getRefreshTokenWithAccount:(MSIDAccountIdentifier *)accoun
     // This will happen the first time the app starts using a single family refresh token.
     if (credentialType == MSIDFamilyRefreshTokenType)
     {
-        credentialType = MSIDRefreshTokenType;
         refreshToken =  [self getRefreshableTokenWithAccount:accountIdentifier
                                                     familyId:familyId
-                                              credentialType:credentialType
+                                              credentialType:MSIDRefreshTokenType
                                                configuration:configuration
                                                      context:context
                                                        error:error];
@@ -811,6 +810,25 @@ - (BOOL)validateAndRemoveRefreshToken:(MSIDRefreshToken *)token
                               context:(id<MSIDRequestContext>)context
                                 error:(NSError *__autoreleasing*)error
 {
+    BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:context error:error];
+    if (error)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not using new FRT.");
+    }
+    
+    MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType;
+    
+    BOOL result = [self validateAndRemoveRefreshableToken:token
+                                           credentialType:credentialType
+                                                  context:context
+                                                    error:error];
+    
+    // If family refresh token is not enabled, return list of regular refresh tokens
+    if (!frtEnabled)
+    {
+        return result;
+    }
+    
     return [self validateAndRemoveRefreshableToken:token
                                     credentialType:MSIDRefreshTokenType
                                            context:context
@@ -832,7 +850,10 @@ - (BOOL)validateAndRemoveRefreshableToken:(MSIDRefreshToken *)token
                                   context:(id<MSIDRequestContext>)context
                                     error:(NSError *__autoreleasing*)error
 {
-    if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType) return NO;
+    if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType && credentialType != MSIDFamilyRefreshTokenType)
+    {
+        return NO;
+    }
 
     if (!token || [NSString msidIsStringNilOrBlank:token.refreshToken])
     {
@@ -975,7 +996,7 @@ - (BOOL)saveRefreshTokenWithConfiguration:(MSIDConfiguration *)configuration
     {
         // Check if FRT is enabled, this will update the configuration object, and then use it to decide if
         // we should save the token as FRT or legacy RT (with familyId, if it contains that value).
-        BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:configuration context:context error:error];
+        BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:context error:error];
         if (*error)
         {
             MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not saving as new FRT.");
@@ -1042,7 +1063,7 @@ - (BOOL)removeToken:(MSIDBaseToken *)token
     CONDITIONAL_START_CACHE_EVENT(event, MSID_TELEMETRY_EVENT_TOKEN_CACHE_DELETE, context);
     BOOL result = [_accountCredentialCache removeCredential:token.tokenCacheItem context:context error:error];
 
-    if (result && token.credentialType == MSIDRefreshTokenType)
+    if (result && (token.credentialType == MSIDRefreshTokenType || token.credentialType == MSIDFamilyRefreshTokenType))
     {
         [_accountCredentialCache saveWipeInfoWithContext:context error:nil];
     }
@@ -1107,7 +1128,7 @@ - (MSIDBaseToken *)getTokenWithEnvironment:(NSString *)environment
         return resultTokens[0];
     }
 
-    if (cacheQuery.credentialType == MSIDRefreshTokenType)
+    if (cacheQuery.credentialType == MSIDRefreshTokenType || cacheQuery.credentialType == MSIDFamilyRefreshTokenType)
     {
         NSError *wipeError = nil;
         CONDITIONAL_STOP_FAILED_CACHE_EVENT(event, [_accountCredentialCache wipeInfoWithContext:context error:&wipeError], context);
@@ -1254,10 +1275,51 @@ - (BOOL)saveAccount:(MSIDAccount *)account
                                    accountCredentialCache:(MSIDAccountCredentialCache *)accountCredentialCache
                                                   context:(id<MSIDRequestContext>)context
                                                     error:(NSError *__autoreleasing*)error
+{
+    BOOL frtEnabled = [_accountCredentialCache checkFRTEnabled:context error:error];
+    if (*error)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not using new FRT.");
+    }
+    
+    MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType;
+    
+    NSSet<NSString *> *firstSet = [self homeAccountIdsFromRTsWithAuthority:authority
+                                                                  clientId:clientId
+                                                                  familyId:familyId
+                                                            credentialType:credentialType
+                                                    accountCredentialCache:accountCredentialCache
+                                                                   context:context
+                                                                     error:error];
+    
+    // If family refresh token is not enabled, return list of regular refresh tokens
+    if (!frtEnabled)
+    {
+        return firstSet;
+    }
+    
+    NSSet<NSString *> *secondSet = [self homeAccountIdsFromRTsWithAuthority:authority
+                                                                   clientId:clientId
+                                                                   familyId:familyId
+                                                             credentialType:MSIDRefreshTokenType
+                                                     accountCredentialCache:accountCredentialCache
+                                                                    context:context
+                                                                      error:error];
+    
+    return [firstSet setByAddingObjectsFromSet:secondSet];
+}
+
+- (NSSet<NSString *> *)homeAccountIdsFromRTsWithAuthority:(MSIDAuthority *)authority
+                                                 clientId:(NSString *)clientId
+                                                 familyId:(NSString *)familyId
+                                           credentialType:(MSIDCredentialType)credentialType
+                                   accountCredentialCache:(MSIDAccountCredentialCache *)accountCredentialCache
+                                                  context:(id<MSIDRequestContext>)context
+                                                    error:(NSError *__autoreleasing*)error
 {
     // Retrieve refresh tokens in cache, and return account ids for those refresh tokens
     MSIDDefaultCredentialCacheQuery *refreshTokenQuery = [MSIDDefaultCredentialCacheQuery new];
-    refreshTokenQuery.credentialType = MSIDRefreshTokenType;
+    refreshTokenQuery.credentialType = credentialType;
     refreshTokenQuery.clientId = clientId;
     refreshTokenQuery.familyId = familyId;
     refreshTokenQuery.environmentAliases = [authority defaultCacheEnvironmentAliases];

IdentityCore/src/configuration/MSIDConfiguration.h

@@ -32,7 +32,6 @@ extern NSString * const MSID_SCOPE_JSON_KEY;
 extern NSString * const MSID_TOKEN_TYPE_JSON_KEY;
 extern NSString * const MSID_NESTED_AUTH_BROKER_CLIENT_ID_JSON_KEY;
 extern NSString * const MSID_NESTED_AUTH_BROKER_REDIRECT_URI_JSON_KEY;
-extern NSString * const MSID_FRT_DISABLED_JSON_KEY;
 
 @interface MSIDConfiguration : NSObject <NSCopying, MSIDJsonSerializable>
 
@@ -47,9 +46,6 @@ extern NSString * const MSID_FRT_DISABLED_JSON_KEY;
 @property (atomic, readwrite) NSString *nestedAuthBrokerClientId;
 @property (atomic, readwrite) NSString *nestedAuthBrokerRedirectUri;
 
-// Family refresh token enabled/disabled
-@property (atomic, readwrite) BOOL disableFRT;
-
 @property (atomic, readwrite) NSString *applicationIdentifier;
 
 @property (atomic, readonly) NSString *resource;

IdentityCore/src/configuration/MSIDConfiguration.m

@@ -36,7 +36,6 @@
 NSString *const MSID_TOKEN_TYPE_JSON_KEY = @"token_type";
 NSString *const MSID_NESTED_AUTH_BROKER_CLIENT_ID_JSON_KEY = @"brk_client_id";
 NSString *const MSID_NESTED_AUTH_BROKER_REDIRECT_URI_JSON_KEY = @"brk_redirect_uri";
-NSString *const MSID_FRT_DISABLED_JSON_KEY = @"frt_disabled";
 
 @interface MSIDConfiguration()
 
@@ -61,7 +60,6 @@ - (instancetype)copyWithZone:(NSZone*)zone
     configuration.authScheme = [_authScheme copyWithZone:zone];
     configuration.nestedAuthBrokerClientId = [_nestedAuthBrokerClientId copyWithZone:zone];
     configuration.nestedAuthBrokerRedirectUri = [_nestedAuthBrokerRedirectUri copyWithZone:zone];
-    configuration.disableFRT = _disableFRT;
     return configuration;
 }
 
@@ -188,12 +186,6 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__au
     MSIDAuthenticationScheme *authScheme = (MSIDAuthenticationScheme *)[MSIDJsonSerializableFactory createFromJSONDictionary:json classTypeJSONKey:MSID_TOKEN_TYPE_JSON_KEY assertKindOfClass:MSIDAuthenticationScheme.class error:nil];
     if (authScheme) config.authScheme = authScheme;
 
-    // If json contains an entry for frt_disabled, set it. Otherwise it will default to NO
-    if (json[MSID_FRT_DISABLED_JSON_KEY])
-    {
-        config.disableFRT = [json msidBoolObjectForKey:MSID_FRT_DISABLED_JSON_KEY];
-    }
-    
     return config;
 }
 
@@ -227,7 +219,6 @@ - (NSDictionary *)jsonDictionary
     // Nested auth protocol
     json[MSID_NESTED_AUTH_BROKER_REDIRECT_URI_JSON_KEY] = self.nestedAuthBrokerRedirectUri;
     json[MSID_NESTED_AUTH_BROKER_CLIENT_ID_JSON_KEY] = self.nestedAuthBrokerClientId;
-    json[MSID_FRT_DISABLED_JSON_KEY] = [@(self.disableFRT) stringValue];
 
     NSDictionary *authSchemeJson = [self.authScheme jsonDictionary];
     if (!authSchemeJson)

IdentityCore/src/parameters/MSIDRequestParameters.h

@@ -60,11 +60,6 @@
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
 @property (nonatomic) BOOL bypassRedirectURIValidation;
-/**
- Temporal property to disable Family Refresh Token. This will be removed in future, added to allow 1P apps to disablle this feature themselves.
- Enabled by default, also configured to be enabled/disabled remotely by Microsoft.
- */
-@property (nonatomic) BOOL disableFRT;
 
 // Telemetry metadata
 @property (nonatomic) NSString *platformSequence;
@@ -96,6 +91,11 @@
 @property (nonatomic) NSString *telemetryRequestId;
 @property (nonatomic) NSDictionary *appRequestMetadata;
 @property (nonatomic) NSString *telemetryApiId;
+/**
+ Temporal property to disable Family Refresh Token. This will be removed in future, added to allow 1P apps to disablle this feature themselves.
+ Enabled by default, also configured to be enabled/disabled remotely by Microsoft.
+ */
+@property (nonatomic, readwrite) BOOL disableFRT;
 
 #pragma mark Conditional access
 @property (nonatomic) MSIDClaimsRequest *claimsRequest;

IdentityCore/src/parameters/MSIDRequestParameters.m

@@ -242,12 +242,6 @@ - (void)setAuthScheme:(MSIDAuthenticationScheme *)authScheme
     [self updateMSIDConfiguration];
 }
 
-- (void)setDisableFRT:(BOOL)disableFRT
-{
-    _disableFRT = disableFRT;
-    [self updateMSIDConfiguration];
-}
-
 - (void)updateMSIDConfiguration
 {
     MSIDAuthority *authority = self.cloudAuthority ? self.cloudAuthority : self.authority;
@@ -262,7 +256,6 @@ - (void)updateMSIDConfiguration
     config.applicationIdentifier = [MSIDIntuneApplicationStateManager intuneApplicationIdentifierForAuthority:authority
                                                                                                 appIdentifier:self.intuneApplicationIdentifier];
     config.authScheme = self.authScheme;
-    config.disableFRT = self.disableFRT;
     _msidConfiguration = config;
 }
 
@@ -372,6 +365,7 @@ - (instancetype)copyWithZone:(NSZone*)zone
     parameters->_clientId = [_clientId copyWithZone:zone];
     parameters->_nestedAuthBrokerClientId = [_nestedAuthBrokerClientId copyWithZone:zone];
     parameters->_nestedAuthBrokerRedirectUri = [_nestedAuthBrokerRedirectUri copyWithZone:zone];
+    parameters->_disableFRT = _disableFRT;
     parameters->_target = [_target copyWithZone:zone];
     parameters->_oidcScope = [_oidcScope copyWithZone:zone];
     parameters->_accountIdentifier = [_accountIdentifier copyWithZone:zone];

IdentityCore/src/requests/MSIDInteractiveTokenRequest.m

@@ -158,8 +158,8 @@ - (void)updateCustomHeadersForFRTSupportIfNeeded
             customHeaders[MSID_WEBAUTH_REFRESH_TOKEN_KEY] = refreshToken;
         }
 
-        // MSIDConfiguration.disableFRT could have been set to YES when checking the useSingleFRT keychain item, so we need to check again here
-        if (!self.requestParameters.msidConfiguration.disableFRT)
+        // self.requestParameters.disableFRT could have been set to YES while checking the useSingleFRT keychain item, so we need to check again here
+        if (!self.requestParameters.disableFRT)
         {
             MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Added ignore sso to custom headers for webview");
             customHeaders[MSID_WEBAUTH_IGNORE_SSO_KEY] = @"1";