Merge pull request #1014 from AzureAD/release/1.6.7

Release/1.6.7

Author: ameyapat

.travis.yml

@@ -683,8 +683,8 @@
 		96F94A3B208184790034676C /* MSIDOAuth2EmbeddedWebviewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 96F94A38208184790034676C /* MSIDOAuth2EmbeddedWebviewController.m */; };
 		A0410E0825E81C5D004D80FD /* MSIDThrottlingModel429Test.m in Sources */ = {isa = PBXBuildFile; fileRef = A0410E0725E81C5D004D80FD /* MSIDThrottlingModel429Test.m */; };
 		A0410E0925E81C5D004D80FD /* MSIDThrottlingModel429Test.m in Sources */ = {isa = PBXBuildFile; fileRef = A0410E0725E81C5D004D80FD /* MSIDThrottlingModel429Test.m */; };
-		A0410E1A25E87E1A004D80FD /* MSIDThrottlingModelInteractionRequireTest.m in Sources */ = {isa = PBXBuildFile; fileRef = A0410E1925E87E1A004D80FD /* MSIDThrottlingModelInteractionRequireTest.m */; };
-		A0410E1B25E87E1A004D80FD /* MSIDThrottlingModelInteractionRequireTest.m in Sources */ = {isa = PBXBuildFile; fileRef = A0410E1925E87E1A004D80FD /* MSIDThrottlingModelInteractionRequireTest.m */; };
+		A0410E1A25E87E1A004D80FD /* MSIDThrottlingModelNonRecoverableServerError.m in Sources */ = {isa = PBXBuildFile; fileRef = A0410E1925E87E1A004D80FD /* MSIDThrottlingModelNonRecoverableServerError.m */; };
+		A0410E1B25E87E1A004D80FD /* MSIDThrottlingModelNonRecoverableServerError.m in Sources */ = {isa = PBXBuildFile; fileRef = A0410E1925E87E1A004D80FD /* MSIDThrottlingModelNonRecoverableServerError.m */; };
 		A0410E5025E88B5E004D80FD /* MSIDThrottlingMetaDataTest.m in Sources */ = {isa = PBXBuildFile; fileRef = A0410E4F25E88B5E004D80FD /* MSIDThrottlingMetaDataTest.m */; };
 		A0410E5125E88B5E004D80FD /* MSIDThrottlingMetaDataTest.m in Sources */ = {isa = PBXBuildFile; fileRef = A0410E4F25E88B5E004D80FD /* MSIDThrottlingMetaDataTest.m */; };
 		A057456225A669B90098E469 /* MSIDThrottlingCacheRecord.h in Headers */ = {isa = PBXBuildFile; fileRef = E7B67215257EA84B0053773F /* MSIDThrottlingCacheRecord.h */; };
@@ -707,8 +707,8 @@
 		A0C7DE8525D46D7000F5B5B6 /* MSIDThrottlingModelFactory.m in Sources */ = {isa = PBXBuildFile; fileRef = A0C7DE8325D46D7000F5B5B6 /* MSIDThrottlingModelFactory.m */; };
 		A0C7DEC325D4C8B600F5B5B6 /* MSIDThrottlingModel429.m in Sources */ = {isa = PBXBuildFile; fileRef = A0C7DEC225D4C8B600F5B5B6 /* MSIDThrottlingModel429.m */; };
 		A0C7DEC425D4C8B600F5B5B6 /* MSIDThrottlingModel429.m in Sources */ = {isa = PBXBuildFile; fileRef = A0C7DEC225D4C8B600F5B5B6 /* MSIDThrottlingModel429.m */; };
-		A0C7DED225D4CB2800F5B5B6 /* MSIDThrottlingModelInteractionRequire.m in Sources */ = {isa = PBXBuildFile; fileRef = A0C7DED125D4CB2800F5B5B6 /* MSIDThrottlingModelInteractionRequire.m */; };
-		A0C7DED325D4CB2800F5B5B6 /* MSIDThrottlingModelInteractionRequire.m in Sources */ = {isa = PBXBuildFile; fileRef = A0C7DED125D4CB2800F5B5B6 /* MSIDThrottlingModelInteractionRequire.m */; };
+		A0C7DED225D4CB2800F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.m in Sources */ = {isa = PBXBuildFile; fileRef = A0C7DED125D4CB2800F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.m */; };
+		A0C7DED325D4CB2800F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.m in Sources */ = {isa = PBXBuildFile; fileRef = A0C7DED125D4CB2800F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.m */; };
 		A0E540BD25CB62270016E167 /* MSIDThrottlingService.m in Sources */ = {isa = PBXBuildFile; fileRef = A057458325A789DC0098E469 /* MSIDThrottlingService.m */; };
 		A0E5419625CDC44B0016E167 /* MSIDThrottlingMetaData.h in Headers */ = {isa = PBXBuildFile; fileRef = A0E5419525CDC44B0016E167 /* MSIDThrottlingMetaData.h */; };
 		A0E541B025CDC5F10016E167 /* MSIDThrottlingMetaData.m in Sources */ = {isa = PBXBuildFile; fileRef = A0E541AF25CDC5F10016E167 /* MSIDThrottlingMetaData.m */; };
@@ -2327,7 +2327,7 @@
 		96F94A37208184790034676C /* MSIDOAuth2EmbeddedWebviewController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDOAuth2EmbeddedWebviewController.h; sourceTree = "<group>"; };
 		96F94A38208184790034676C /* MSIDOAuth2EmbeddedWebviewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDOAuth2EmbeddedWebviewController.m; sourceTree = "<group>"; };
 		A0410E0725E81C5D004D80FD /* MSIDThrottlingModel429Test.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = MSIDThrottlingModel429Test.m; path = throttling/MSIDThrottlingModel429Test.m; sourceTree = "<group>"; };
-		A0410E1925E87E1A004D80FD /* MSIDThrottlingModelInteractionRequireTest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = MSIDThrottlingModelInteractionRequireTest.m; path = throttling/MSIDThrottlingModelInteractionRequireTest.m; sourceTree = "<group>"; };
+		A0410E1925E87E1A004D80FD /* MSIDThrottlingModelNonRecoverableServerError.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = MSIDThrottlingModelNonRecoverableServerError.m; path = throttling/MSIDThrottlingModelNonRecoverableServerError.m; sourceTree = "<group>"; };
 		A0410E4F25E88B5E004D80FD /* MSIDThrottlingMetaDataTest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = MSIDThrottlingMetaDataTest.m; path = throttling/MSIDThrottlingMetaDataTest.m; sourceTree = "<group>"; };
 		A057458325A789DC0098E469 /* MSIDThrottlingService.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDThrottlingService.m; sourceTree = "<group>"; };
 		A07EB426259D0BF300783943 /* MSIDThrottlingService.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDThrottlingService.h; sourceTree = "<group>"; };
@@ -2349,11 +2349,11 @@
 		A0C7DE3425D451DF00F5B5B6 /* MSIDThrottlingModelBase.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDThrottlingModelBase.h; sourceTree = "<group>"; };
 		A0C7DE4325D4522300F5B5B6 /* MSIDThrottlingModelFactory.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDThrottlingModelFactory.h; sourceTree = "<group>"; };
 		A0C7DE5D25D4523800F5B5B6 /* MSIDThrottlingModel429.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDThrottlingModel429.h; sourceTree = "<group>"; };
-		A0C7DE5E25D4524D00F5B5B6 /* MSIDThrottlingModelInteractionRequire.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDThrottlingModelInteractionRequire.h; sourceTree = "<group>"; };
+		A0C7DE5E25D4524D00F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDThrottlingModelNonRecoverableServerError.h; sourceTree = "<group>"; };
 		A0C7DE7425D465CD00F5B5B6 /* MSIDThrottlingModelBase.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDThrottlingModelBase.m; sourceTree = "<group>"; };
 		A0C7DE8325D46D7000F5B5B6 /* MSIDThrottlingModelFactory.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDThrottlingModelFactory.m; sourceTree = "<group>"; };
 		A0C7DEC225D4C8B600F5B5B6 /* MSIDThrottlingModel429.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDThrottlingModel429.m; sourceTree = "<group>"; };
-		A0C7DED125D4CB2800F5B5B6 /* MSIDThrottlingModelInteractionRequire.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDThrottlingModelInteractionRequire.m; sourceTree = "<group>"; };
+		A0C7DED125D4CB2800F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDThrottlingModelNonRecoverableServerError.m; sourceTree = "<group>"; };
 		A0E5419525CDC44B0016E167 /* MSIDThrottlingMetaData.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDThrottlingMetaData.h; sourceTree = "<group>"; };
 		A0E541AF25CDC5F10016E167 /* MSIDThrottlingMetaData.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDThrottlingMetaData.m; sourceTree = "<group>"; };
 		A0E541D325CDDAB30016E167 /* MSIDThrottlingMetaDataCache.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDThrottlingMetaDataCache.h; sourceTree = "<group>"; };
@@ -3873,8 +3873,8 @@
 				A0C7DE8325D46D7000F5B5B6 /* MSIDThrottlingModelFactory.m */,
 				A0C7DE5D25D4523800F5B5B6 /* MSIDThrottlingModel429.h */,
 				A0C7DEC225D4C8B600F5B5B6 /* MSIDThrottlingModel429.m */,
-				A0C7DE5E25D4524D00F5B5B6 /* MSIDThrottlingModelInteractionRequire.h */,
-				A0C7DED125D4CB2800F5B5B6 /* MSIDThrottlingModelInteractionRequire.m */,
+				A0C7DE5E25D4524D00F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.h */,
+				A0C7DED125D4CB2800F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.m */,
 			);
 			path = model;
 			sourceTree = "<group>";
@@ -4965,7 +4965,7 @@
 			isa = PBXGroup;
 			children = (
 				A0410E4F25E88B5E004D80FD /* MSIDThrottlingMetaDataTest.m */,
-				A0410E1925E87E1A004D80FD /* MSIDThrottlingModelInteractionRequireTest.m */,
+				A0410E1925E87E1A004D80FD /* MSIDThrottlingModelNonRecoverableServerError.m */,
 				A0410E0725E81C5D004D80FD /* MSIDThrottlingModel429Test.m */,
 				A08D0A4724A8841400C9193D /* MSIDAuthenticationSchemeTest.m */,
 				A08D09DF24A85A1D00C9193D /* MSIDAADRefreshTokenGrantRequestTest.m */,
@@ -6300,7 +6300,7 @@
 				B27893732470BA5B00627C28 /* MSIDAssymetricKeychainGeneratorTests.m in Sources */,
 				23B3A4552187BA79009070B2 /* MSIDIntuneEnrollmentIdsCacheTests.m in Sources */,
 				B2936F7420ABEFC10050C585 /* MSIDAccessTokenTests.m in Sources */,
-				A0410E1A25E87E1A004D80FD /* MSIDThrottlingModelInteractionRequireTest.m in Sources */,
+				A0410E1A25E87E1A004D80FD /* MSIDThrottlingModelNonRecoverableServerError.m in Sources */,
 				B20657CF1FC92B8F00412B7D /* MSIDTelemetryUIEventTests.m in Sources */,
 				232C657621376755002A41FE /* MSIDDRSDiscoveryResponseSerializerTests.m in Sources */,
 				23419F5D23973AAD00EA78C5 /* MSIDBrokerOperationRequestTests.m in Sources */,
@@ -6629,7 +6629,7 @@
 				96C998F120B638F60053A2D9 /* MSIDWebviewSession.m in Sources */,
 				96891A982190F15E00D7F437 /* MSIDWPJChallengeHandler.m in Sources */,
 				B26CEADB23652795009E6E54 /* MSIDMacACLKeychainAccessor.m in Sources */,
-				A0C7DED325D4CB2800F5B5B6 /* MSIDThrottlingModelInteractionRequire.m in Sources */,
+				A0C7DED325D4CB2800F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.m in Sources */,
 				96090D9A20E59B2000E42B37 /* MSIDNotifications.m in Sources */,
 				23D2049521D1C274009B5975 /* MSIDTokenResponseSerializer.m in Sources */,
 				96F94A2920816B870034676C /* MSIDWebOAuth2AuthCodeResponse.m in Sources */,
@@ -6728,7 +6728,7 @@
 				A0410E0925E81C5D004D80FD /* MSIDThrottlingModel429Test.m in Sources */,
 				B2DD4B2F20A8D7DE0047A66E /* MSIDCacheKeyTests.m in Sources */,
 				B2DD5B7B20461F5E0084313F /* MSIDAccountCacheItemTests.m in Sources */,
-				A0410E1B25E87E1A004D80FD /* MSIDThrottlingModelInteractionRequireTest.m in Sources */,
+				A0410E1B25E87E1A004D80FD /* MSIDThrottlingModelNonRecoverableServerError.m in Sources */,
 				606B108C20D084B600B34224 /* MSIDAADV1WebviewFactoryTests.m in Sources */,
 				96CD652A20C885E2004813EE /* MSIDWebviewFactoryTests.m in Sources */,
 				239DF9C220E04BC9002D428B /* MSIDB2CAuthorityTests.m in Sources */,
@@ -7144,7 +7144,7 @@
 				B20657BE1FC9254800412B7D /* MSIDTelemetryCacheEvent.m in Sources */,
 				58B81F7D24AD0E7A00E8799E /* MSIDWebResponseOperationFactory.m in Sources */,
 				E70C49F1258D662F00A7A07E /* MSIDLRUCache.m in Sources */,
-				A0C7DED225D4CB2800F5B5B6 /* MSIDThrottlingModelInteractionRequire.m in Sources */,
+				A0C7DED225D4CB2800F5B5B6 /* MSIDThrottlingModelNonRecoverableServerError.m in Sources */,
 				A0E541EE25CDDAFD0016E167 /* MSIDThrottlingMetaDataCache.m in Sources */,
 				96F94A3A208184790034676C /* MSIDOAuth2EmbeddedWebviewController.m in Sources */,
 				B2E2A93E2392F91100BA2EA3 /* MSIDInteractiveTokenRequestParameters.m in Sources */,

IdentityCore/IdentityCore.xcodeproj/project.pbxproj

@@ -75,4 +75,4 @@ extern NSString * _Nonnull const MSID_MSAL_BROKER_MESSAGE_VERSION;
 extern NSString * _Nonnull const MSID_BROKER_SDK_CAPABILITIES_KEY;
 extern NSString * _Nonnull const MSID_BROKER_SDK_SSO_EXTENSION_CAPABILITY;
 extern NSString * _Nonnull const MSID_ADDITIONAL_EXTENSION_DATA_KEY;
-
+extern NSString * _Nonnull const MSID_SSO_NONCE_QUERY_PARAM_KEY;

IdentityCore/src/MSIDBrokerConstants.h

@@ -71,3 +71,4 @@
 NSString *const MSID_BROKER_SDK_SSO_EXTENSION_CAPABILITY = @"sso_extension";
 
 NSString *const MSID_ADDITIONAL_EXTENSION_DATA_KEY = @"additional_extension_data";
+NSString *const MSID_SSO_NONCE_QUERY_PARAM_KEY = @"sso_nonce";

IdentityCore/src/MSIDBrokerConstants.m

@@ -241,7 +241,12 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode)
 
     MSIDErrorBrokerApplicationTokenReadFailed      =   -51813,
 
-    MSIDErrorBrokerNotAvailable                    =   -51814
+    MSIDErrorBrokerNotAvailable                    =   -51814,
+    
+    // Throttling errors
+    MSIDErrorThrottleCacheNoRecord = -51900,
+    MSIDErrorThrottleCacheInvalidSignature = -51901,
+
 };
 
 extern NSError * _Nonnull MSIDCreateError(NSString * _Nonnull domain, NSInteger code, NSString * _Nullable errorDescription, NSString * _Nullable oauthError, NSString * _Nullable subError, NSError * _Nullable underlyingError, NSUUID * _Nullable correlationId, NSDictionary * _Nullable additionalUserInfo, BOOL logErrorDescription);

IdentityCore/src/MSIDError.h

@@ -25,21 +25,21 @@
 
 @implementation MSIDDefaultAccountCacheQuery
 
-- (NSString *)account
+- (id)init
 {
-    if (self.homeAccountId && self.environment)
+    self = [super init];
+    if (self != nil)
     {
-        return [super account];
+        self.accountType = MSIDAccountTypeMSSTS;
     }
-
-    return nil;
+    return self;
 }
 
-- (NSNumber *)type
+- (NSString *)account
 {
-    if (self.accountType != MSIDAccountTypeOther)
+    if (self.homeAccountId && self.environment)
     {
-        return [super type];
+        return [super account];
     }
 
     return nil;

IdentityCore/src/cache/key/MSIDDefaultAccountCacheQuery.m

@@ -78,7 +78,11 @@ - (void)acquireToken:(MSIDRequestCompletionBlock)completionBlock
 
     MSIDRequestCompletionBlock completionBlockWrapper = ^(MSIDTokenResult * _Nullable result, NSError * _Nullable error)
     {
-        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Interactive flow finished. Result %@, error: %ld error domain: %@", _PII_NULLIFY(result), (long)error.code, error.domain);
+        NSString *ssoNonce = [error.userInfo valueForKey:MSID_SSO_NONCE_QUERY_PARAM_KEY];
+        if ([NSString msidIsStringNilOrBlank:ssoNonce])
+        {
+            MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Interactive flow finished. Result %@, error: %ld error domain: %@", _PII_NULLIFY(result), (long)error.code, error.domain);
+        }
         if (!error)
         {
             /**

IdentityCore/src/controllers/MSIDLocalInteractiveController.m

@@ -42,6 +42,7 @@
 #import "MSIDBrokerInvocationOptions.h"
 #import "MSIDBrokerKeyProvider.h"
 #import "MSIDMainThreadUtil.h"
+#import "NSString+MSIDExtensions.h"
 
 static MSIDBrokerInteractiveController *s_currentExecutingController;
 
@@ -287,8 +288,8 @@ + (BOOL)completeAcquireToken:(nullable NSURL *)resultURL
            sourceApplication:(nullable NSString *)sourceApplication
        brokerResponseHandler:(nonnull MSIDBrokerResponseHandler *)responseHandler
 {
-    // sourceApplication could be nil, we want to return early if we know for sure response is not from broker
-    if (sourceApplication && ![self isResponseFromBroker:sourceApplication])
+    // sourceApplication could be nil or empty, we want to return early if we know for sure response is not from broker
+    if (![NSString msidIsStringNilOrBlank:sourceApplication] && ![self isResponseFromBroker:sourceApplication])
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelWarning,nil, @"Asked to handle non broker response. Skipping request.");
         return NO;

IdentityCore/src/controllers/broker/ios/MSIDBrokerInteractiveController.m

@@ -123,6 +123,17 @@ - (MSIDWebviewResponse *)oAuthResponseWithURL:(NSURL *)url
 #if AD_BROKER
     MSIDCBAWebAADAuthResponse *cbaResponse = [[MSIDCBAWebAADAuthResponse alloc] initWithURL:url context:context error:nil];
     if (cbaResponse) return cbaResponse;
+    
+    if ([url.absoluteString containsString:[NSString stringWithFormat:@"%@=", MSID_SSO_NONCE_QUERY_PARAM_KEY]])
+    {
+        NSString *ssoNonce = [[url msidQueryParameters] valueForKey:MSID_SSO_NONCE_QUERY_PARAM_KEY];
+        if (![NSString msidIsStringNilOrBlank:ssoNonce] && error)
+        {
+            NSDictionary *userInfo = @{MSID_SSO_NONCE_QUERY_PARAM_KEY : ssoNonce};
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorAuthorizationFailed, @"Nonce in JWT headers is likely expired, received SSO nonce redirect response.", nil, nil, nil, context.correlationId, userInfo, NO);
+            return nil;
+        }
+    }
 #endif
 
     // Try to create a WPJ response

IdentityCore/src/oauth2/aad_base/MSIDAADWebviewFactory.m

@@ -29,6 +29,7 @@
 #import "MSIDAuthority.h"
 
 static NSUInteger kDefaultPRTRefreshInterval = 10800;
+static NSString *kMinSupportedPRTVersion = @"3.0";
 
 @implementation MSIDPrimaryRefreshToken
 
@@ -51,6 +52,13 @@ - (instancetype)initWithTokenCacheItem:(MSIDCredentialCacheItem *)tokenCacheItem
         }
 
         _prtProtocolVersion = [jsonDictionary msidObjectForKey:MSID_PRT_PROTOCOL_VERSION_CACHE_KEY ofClass:[NSString class]];
+        
+        if ([_prtProtocolVersion floatValue] < [kMinSupportedPRTVersion floatValue])
+        {
+            MSID_LOG_WITH_CTX(MSIDLogLevelWarning, nil, @"Upgrading PRT from version %@ to min required version %@", _prtProtocolVersion, kMinSupportedPRTVersion);
+            _prtProtocolVersion = kMinSupportedPRTVersion;
+        }
+        
         _expiresOn = tokenCacheItem.expiresOn;
         _cachedAt = tokenCacheItem.cachedAt;
         _expiryInterval = [tokenCacheItem.expiryInterval integerValue];