Merge branch 'dev' into sedemche/browser_core_mats

antrix1989 · web-flow · commit 51f1bbcc9147 · 2025-08-28T10:04:00.000-07:00
diff --git a/IdentityCore/IdentityCore.xcodeproj/project.pbxproj b/IdentityCore/IdentityCore.xcodeproj/project.pbxproj
@@ -746,6 +746,9 @@
 		728209D026FEA0F600B5F018 /* MSIDKeyOperationUtil.m in Sources */ = {isa = PBXBuildFile; fileRef = 728209CF26FEA0F600B5F018 /* MSIDKeyOperationUtil.m */; };
 		728209D126FEA0F600B5F018 /* MSIDKeyOperationUtil.m in Sources */ = {isa = PBXBuildFile; fileRef = 728209CF26FEA0F600B5F018 /* MSIDKeyOperationUtil.m */; };
 		728209D62702AF8900B5F018 /* MSIDBackgroundTaskManagerTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 728209D32702AE9300B5F018 /* MSIDBackgroundTaskManagerTests.m */; };
+		728ABACC2E5A3B4E00FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 728ABACB2E5A3B2800FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.h */; };
+		728ABACE2E5A41A800FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 728ABACD2E5A418F00FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.m */; };
+		728ABACF2E5A41A800FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 728ABACD2E5A418F00FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.m */; };
 		728D9E4628245DD7001D990F /* MSIDTestSecureEnclaveKeyPairGenerator.m in Sources */ = {isa = PBXBuildFile; fileRef = 728D9E4528245DD7001D990F /* MSIDTestSecureEnclaveKeyPairGenerator.m */; };
 		728D9E4728245DD7001D990F /* MSIDTestSecureEnclaveKeyPairGenerator.m in Sources */ = {isa = PBXBuildFile; fileRef = 728D9E4528245DD7001D990F /* MSIDTestSecureEnclaveKeyPairGenerator.m */; };
 		728D9E492824A323001D990F /* MSIDPkeyAuthHelperTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 23CA0C5E220A68D400768729 /* MSIDPkeyAuthHelperTests.m */; };
@@ -2662,6 +2665,8 @@
 		728209CD26FEA0D800B5F018 /* MSIDKeyOperationUtil.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDKeyOperationUtil.h; sourceTree = "<group>"; };
 		728209CF26FEA0F600B5F018 /* MSIDKeyOperationUtil.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDKeyOperationUtil.m; sourceTree = "<group>"; };
 		728209D32702AE9300B5F018 /* MSIDBackgroundTaskManagerTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBackgroundTaskManagerTests.m; sourceTree = "<group>"; };
+		728ABACB2E5A3B2800FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "MSIDWPJKeyPairWithCert+TransportKey.h"; sourceTree = "<group>"; };
+		728ABACD2E5A418F00FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "MSIDWPJKeyPairWithCert+TransportKey.m"; sourceTree = "<group>"; };
 		728D9E4528245DD7001D990F /* MSIDTestSecureEnclaveKeyPairGenerator.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDTestSecureEnclaveKeyPairGenerator.m; sourceTree = "<group>"; };
 		728D9E4828247D4C001D990F /* MSIDTestSecureEnclaveKeyPairGenerator.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDTestSecureEnclaveKeyPairGenerator.h; sourceTree = "<group>"; };
 		729357E72DD810C70001D03C /* MSIDNonceTokenRequest.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDNonceTokenRequest.h; sourceTree = "<group>"; };
@@ -5181,6 +5186,8 @@
 		B2C0747E246B70DC0008D701 /* crypto */ = {
 			isa = PBXGroup;
 			children = (
+				728ABACD2E5A418F00FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.m */,
+				728ABACB2E5A3B2800FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.h */,
 				B27893792470CAF200627C28 /* mac */,
 				B2C0748E246B71470008D701 /* MSIDAssymetricKeyGenerating.h */,
 				B2C07490246B735B0008D701 /* MSIDAssymetricKeyKeychainGenerator.h */,
@@ -6143,6 +6150,7 @@
 				A07EB427259D0C6B00783943 /* MSIDThrottlingService.h in Headers */,
 				9658103120C7E1180025F4A4 /* MSIDWebviewResponse.h in Headers */,
 				1E707FDF2407335700716148 /* MSIDBrokerNativeAppOperationResponse.h in Headers */,
+				728ABACC2E5A3B4E00FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.h in Headers */,
 				B28BDA7F217E964B003E5670 /* MSIDB2CTokenResponse.h in Headers */,
 				96B8D57D20946D2600E3F4A6 /* MSIDPkce.h in Headers */,
 				B286B9912389DC47007833AD /* MSIDIndividualClaimRequest.h in Headers */,
@@ -7390,6 +7398,7 @@
 				23C8981A2C892A3800071482 /* MSIDBrowserNativeMessageGetSupportedContractsResponse.m in Sources */,
 				B286B9992389DC9D007833AD /* MSIDSSOExtensionSilentTokenRequest.m in Sources */,
 				B2C7089921991D0000D917B8 /* MSIDAADV2BrokerResponse.m in Sources */,
+				728ABACE2E5A41A800FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.m in Sources */,
 				B20E3CB61FC4FE400029C097 /* MSIDOAuth2Constants.m in Sources */,
 				B2BE924D21A2331A00F5AB8C /* MSIDTelemetryAuthorityValidationEvent.m in Sources */,
 				B2807FF9204CAFDF00944D89 /* MSIDHelpers.m in Sources */,
@@ -8097,6 +8106,7 @@
 				239E3BBF23E1004F00F7A50A /* MSIDClientSDKType.m in Sources */,
 				23B39ABD209BD47D000AA905 /* MSIDB2CAuthorityResolver.m in Sources */,
 				B2F671E92467A34400649855 /* MSIDAuthorizationCodeResult.m in Sources */,
+				728ABACF2E5A41A800FCE434 /* MSIDWPJKeyPairWithCert+TransportKey.m in Sources */,
 				23C10A9F2B40D9350063D97C /* MSIDBrowserNativeMessageSignOutResponse.m in Sources */,
 				23FB5C2B225517AA002BF1EB /* MSIDIndividualClaimRequestAdditionalInfo.m in Sources */,
 				1E707FDD2406FA9200716148 /* MSIDBrokerBrowserOperationResponse.m in Sources */,
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
@@ -50,7 +50,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
 @property (nonatomic) BOOL ignoreScopeValidation;
-
+@property (nonatomic) BOOL bypassRedirectURIValidation;
 
 + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
      withParameters:(MSIDRequestParameters *)parameters
diff --git a/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m b/IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
@@ -68,6 +68,7 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request
     request.platformSequence = parameters.platformSequence;
     request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;
     request.ignoreScopeValidation = parameters.ignoreScopeValidation;
+    request.bypassRedirectURIValidation = parameters.bypassRedirectURIValidation;
     return YES;
 }
 
diff --git a/IdentityCore/src/cache/crypto/MSIDWPJKeyPairWithCert+TransportKey.h b/IdentityCore/src/cache/crypto/MSIDWPJKeyPairWithCert+TransportKey.h
@@ -0,0 +1,33 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.  
+
+#import <Foundation/Foundation.h>
+
+NS_ASSUME_NONNULL_BEGIN
+@interface MSIDWPJKeyPairWithCert (TransportKey)
+
+@property (nonatomic) SecKeyRef privateTransportKeyRef;
+
+@end
+NS_ASSUME_NONNULL_END
diff --git a/IdentityCore/src/cache/crypto/MSIDWPJKeyPairWithCert+TransportKey.m b/IdentityCore/src/cache/crypto/MSIDWPJKeyPairWithCert+TransportKey.m
@@ -0,0 +1,49 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+#import "MSIDWPJKeyPairWithCert.h"
+#import "MSIDWPJKeyPairWithCert+TransportKey.h"
+
+@implementation MSIDWPJKeyPairWithCert (TransportKey)
+
+- (void)setPrivateTransportKeyRef:(SecKeyRef)privateTransportKeyRef
+{
+    if (_privateTransportKeyRef != privateTransportKeyRef)
+    {
+        if (_privateTransportKeyRef)
+        {
+            CFRelease(_privateTransportKeyRef);
+            _privateTransportKeyRef = NULL;
+        }
+        
+        _privateTransportKeyRef = privateTransportKeyRef;
+        
+        if (_privateTransportKeyRef)
+        {
+            CFRetain(_privateTransportKeyRef);
+        }
+    }
+}
+
+@end
diff --git a/IdentityCore/src/cache/crypto/MSIDWPJKeyPairWithCert.h b/IdentityCore/src/cache/crypto/MSIDWPJKeyPairWithCert.h
@@ -47,6 +47,7 @@ typedef NS_ENUM(NSInteger, MSIDWPJKeychainAccessGroup)
     NSString *_certificateSubject;
     NSString *_certificateIssuer;
     SecKeyRef _privateKeyRef;
+    SecKeyRef _privateTransportKeyRef;
 }
 
 @property (nonatomic, readonly) SecKeyRef privateKeyRef;
@@ -55,6 +56,8 @@ typedef NS_ENUM(NSInteger, MSIDWPJKeychainAccessGroup)
 @property (nonatomic, readonly) NSString *certificateSubject;
 @property (nonatomic, readonly) NSString *certificateIssuer;
 @property (nonatomic) MSIDWPJKeychainAccessGroup keyChainVersion;
+// The private session transport key. Only populated if the private STK is stored in the secure enclave.
+@property (nonatomic, readonly) SecKeyRef privateTransportKeyRef;
 
 - (nullable instancetype)initWithPrivateKey:(SecKeyRef)privateKey
                                 certificate:(SecCertificateRef)certificate
diff --git a/IdentityCore/src/cache/crypto/MSIDWPJKeyPairWithCert.m b/IdentityCore/src/cache/crypto/MSIDWPJKeyPairWithCert.m
@@ -101,6 +101,12 @@ - (void)dealloc
         CFRelease(_privateKeyRef);
         _privateKeyRef = NULL;
     }
+    
+    if (_privateTransportKeyRef)
+    {
+        CFRelease(_privateTransportKeyRef);
+        _privateTransportKeyRef = NULL;
+    }
 }
 
 @end
diff --git a/IdentityCore/src/oauth2/MSIDExternalSSOContext.h b/IdentityCore/src/oauth2/MSIDExternalSSOContext.h
@@ -37,6 +37,7 @@ NS_ASSUME_NONNULL_BEGIN
 #if __MAC_OS_X_VERSION_MAX_ALLOWED >= 130000
 @property (nonatomic, nullable, strong) ASAuthorizationProviderExtensionLoginManager *loginManager API_AVAILABLE(macos(13.0));
 @property (nonatomic) BOOL isDeviceRegistered API_AVAILABLE(macos(13.0));
+@property (nonatomic) BOOL isPlatformSSORegistrationFlow API_AVAILABLE(macos(13.0));
 #endif
 #endif
 
diff --git a/IdentityCore/src/oauth2/token/MSIDPrimaryRefreshToken.h b/IdentityCore/src/oauth2/token/MSIDPrimaryRefreshToken.h
@@ -49,6 +49,7 @@ typedef NS_ENUM(NSInteger, MSIDExternalPRTKeyLocationType)
 @property (nonatomic) MSIDExternalPRTKeyLocationType externalKeyLocationType;
  
 - (BOOL)isDevicelessPRT;
+- (BOOL)isDevicelessPRTv3;
 - (BOOL)shouldRefreshWithInterval:(NSUInteger)refreshInterval;
 - (NSUInteger)prtId;
 
diff --git a/IdentityCore/src/oauth2/token/MSIDPrimaryRefreshToken.m b/IdentityCore/src/oauth2/token/MSIDPrimaryRefreshToken.m
@@ -216,6 +216,12 @@ - (BOOL)isDevicelessPRT
     return prtVersion >= 3.0 && [NSString msidIsStringNilOrBlank:self.deviceID];
 }
 
+- (BOOL)isDevicelessPRTv3
+{
+    CGFloat prtVersion = [self.prtProtocolVersion floatValue];
+    return prtVersion == 3.0 && [NSString msidIsStringNilOrBlank:self.deviceID];
+}
+
 - (BOOL)shouldRefreshWithInterval:(NSUInteger)refreshInterval
 {
     if (!self.expiresOn)
diff --git a/IdentityCore/src/parameters/MSIDRequestParameters.h b/IdentityCore/src/parameters/MSIDRequestParameters.h
@@ -59,6 +59,9 @@
 @property (nonatomic) NSString *clientSku;
 @property (nonatomic) BOOL skipValidateResultAccount;
 @property (nonatomic) BOOL forceRefresh;
+// If YES — redirect URI validation is bypassed.
+// This flag may be set by either the MSAL app or the broker process.
+// - When set by the MSAL app: brokered flows are disabled, and MSAL falls back to local auth flows.
 @property (nonatomic) BOOL bypassRedirectURIValidation;
 
 // Telemetry metadata
diff --git a/IdentityCore/src/requests/broker/mac/MSIDSSOXpcInteractiveTokenRequest.m b/IdentityCore/src/requests/broker/mac/MSIDSSOXpcInteractiveTokenRequest.m
@@ -20,7 +20,7 @@
 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.  
+// THE SOFTWARE.
 
 
 #import "MSIDSSOXpcInteractiveTokenRequest.h"
@@ -96,13 +96,31 @@ - (void)performXpcRequest:(NSDictionary *)xpcRequest
 
     // Retrieve the bundle identifier
     NSString *bundleIdentifier = [mainBundle bundleIdentifier];
+
+    // Use parentViewController frame if available, otherwise fall back to presentationAnchorWindow frame.
+    // This is also aligned when providing anchor window for the SSO Extension
+    CGRect xpcAnchorFrame = CGRectZero;
+    MSIDViewController *strongParentViewController = self.requestParameters.parentViewController;
+    if (strongParentViewController)
+    {
+        xpcAnchorFrame = strongParentViewController.view.window.frame;
+    }
+    else if (self.requestParameters.presentationAnchorWindow)
+    {
+        xpcAnchorFrame = self.requestParameters.presentationAnchorWindow.frame;
+    }
+    else
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelWarning, self.context, @"Anchor window is missing, the xpc window will try best effort to be presented on the screen with default size and position.");
+    }
+
     NSDictionary *parameters = @{@"source_application": bundleIdentifier,
                                  @"sso_request_param": xpcRequest,
                                  @"is_silent": @(NO),
                                  @"sso_request_operation": [self.operationRequest.class operation],
                                  @"sso_request_id": [[NSUUID UUID] UUIDString]};
     [self.xpcSingleSignOnProvider handleRequestParam:parameters
-                                     parentViewFrame:self.requestParameters.parentViewController.view.window.frame
+                                     parentViewFrame:xpcAnchorFrame
                            assertKindOfResponseClass:MSIDBrokerOperationTokenResponse.class
                                     xpcProviderCache:MSIDXpcProviderCache.sharedInstance
                                              context:self.context
diff --git a/IdentityCore/src/workplacejoin/MSIDWorkPlaceJoinConstants.h b/IdentityCore/src/workplacejoin/MSIDWorkPlaceJoinConstants.h
@@ -26,6 +26,7 @@
 #pragma once
 
 extern NSString *const kMSIDPrivateKeyIdentifier;
+extern NSString *const kMSIDPrivateTransportKeyIdentifier;
 extern NSString *const kMSIDTenantKeyIdentifier;
 extern NSString *const kMSIDUPNKeyIdentifier;
 extern NSString *const kMSIDWPJThumbprintIdentifier;
diff --git a/IdentityCore/src/workplacejoin/MSIDWorkPlaceJoinConstants.m b/IdentityCore/src/workplacejoin/MSIDWorkPlaceJoinConstants.m
@@ -24,6 +24,7 @@
 #import "MSIDWorkPlaceJoinConstants.h"
 
 NSString *const kMSIDPrivateKeyIdentifier               = @"com.microsoft.workplacejoin.privatekey\0";
+NSString *const kMSIDPrivateTransportKeyIdentifier      = @"com.microsoft.workplacejoin.stk.privatekey\0";
 NSString *const kMSIDTenantKeyIdentifier                = @"com.microsoft.workplacejoin.tenantId";
 NSString *const kMSIDUPNKeyIdentifier                   = @"com.microsoft.workplacejoin.registeredUserPrincipalName";
 NSString *const kMSIDWPJThumbprintIdentifier            = @"com.microsoft.workplacejoin.thumbprint";
diff --git a/IdentityCore/src/workplacejoin/MSIDWorkPlaceJoinUtilBase.m b/IdentityCore/src/workplacejoin/MSIDWorkPlaceJoinUtilBase.m
@@ -27,6 +27,7 @@
 #import "MSIDWorkPlaceJoinConstants.h"
 #import "MSIDWPJKeyPairWithCert.h"
 #import "MSIDWPJMetadata.h"
+#import "MSIDWPJKeyPairWithCert+TransportKey.h"
 
 static NSString *kWPJPrivateKeyIdentifier = @"com.microsoft.workplacejoin.privatekey\0";
 static NSString *kECPrivateKeyTagSuffix = @"-EC";
@@ -380,6 +381,13 @@ + (MSIDWPJKeyPairWithCert *)getWPJKeysWithTenantId:(__unused NSString *)tenantId
     {
         defaultKeys.keyChainVersion = MSIDWPJKeychainAccessGroupV2;
         MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"Returning EC private device key from default registration.");
+        // Query the session transport key only for iOS.
+        // 1P apps use transport key to decrypt ECDH JWE responses when redeeming bound regular refresh tokens
+        id keyType = privateKeyAttributes[(__bridge id)kSecAttrKeyType];
+        if (keyType && [keyType isEqual: (__bridge id)kSecAttrKeyTypeECSECPrimeRandom])
+        {
+            defaultKeys.privateTransportKeyRef = [self getSessionTransportKeyRefFromSecureEnclaveForTenantId:tenantId context:context];
+        }
         return defaultKeys;
     }
 
@@ -492,4 +500,52 @@ + (MSIDWPJMetadata *)readWPJMetadataWithSharedAccessGroup:(NSString *)sharedAcce
     }
     return nil;
 }
+
++ (SecKeyRef)getSessionTransportKeyRefFromSecureEnclaveForTenantId:(NSString *)tenantId context:(id<MSIDRequestContext>)context
+{
+    SecKeyRef transportKeyRef = nil;
+#if TARGET_OS_IPHONE
+    if (!tenantId)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"No tenantId provided to read secure enclave session transport key.");
+        return nil;
+    }
+    NSString *teamId = [[MSIDKeychainUtil sharedInstance] teamId];
+    NSString *defaultSharedAccessGroup = [NSString stringWithFormat:@"%@.com.microsoft.workplacejoin.v2", teamId];
+    NSString *tag = [NSString stringWithFormat:@"%@#%@%@", kMSIDPrivateTransportKeyIdentifier, tenantId, kECPrivateKeyTagSuffix];
+    NSData *tagData = [tag dataUsingEncoding:NSUTF8StringEncoding];
+    NSMutableDictionary *stkKeyAttributes = [[NSMutableDictionary alloc] initWithDictionary:
+                                             @{ (__bridge id)kSecAttrApplicationTag : tagData,
+                                                (__bridge id)kSecAttrAccessGroup : defaultSharedAccessGroup,
+                                                (__bridge id)kSecAttrTokenID : (__bridge id)kSecAttrTokenIDSecureEnclave,
+                                                (__bridge id)kSecAttrKeyType : (__bridge id)kSecAttrKeyTypeECSECPrimeRandom,
+                                                (__bridge id)kSecAttrKeySizeInBits : @256,
+                                                (__bridge id)kSecClass : (__bridge id)kSecClassKey,
+                                                (__bridge id)kSecReturnRef : @YES,
+                                                (__bridge id)kSecReturnAttributes : @YES
+                                             }];
+    OSStatus status = noErr;
+    CFTypeRef privateKeyCFDict = NULL;
+    
+    status = SecItemCopyMatching((__bridge CFDictionaryRef)stkKeyAttributes, (CFTypeRef*)&privateKeyCFDict); // +1 privateKeyCFDict
+    if (status != errSecSuccess)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Failed to find secure enclave session transport private key with status %ld", (long)status);
+        return nil;
+    }
+        
+    NSDictionary *privateKeyDict = CFBridgingRelease(privateKeyCFDict); // -1 privateKeyCFDict
+    transportKeyRef = (__bridge SecKeyRef)privateKeyDict[(__bridge id)kSecValueRef];
+    
+    if (!transportKeyRef)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"No private session transport key ref found. Continuing without transport key.");
+    }
+    else
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"Found secure enclave private session transport key ref in keychain.");
+    }
+#endif
+    return transportKeyRef;
+}
 @end
diff --git a/IdentityCore/tests/MSIDWorkPlaceJoinUtilTests.m b/IdentityCore/tests/MSIDWorkPlaceJoinUtilTests.m
diff --git a/changelog.txt b/changelog.txt

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,7 @@ + (BOOL)fillRequest:(MSIDBrokerOperationTokenRequest *)request`
`68`	`68`	`request.platformSequence = parameters.platformSequence;`
`69`	`69`	`request.allowAnyExtraURLQueryParameters = parameters.allowAnyExtraURLQueryParameters;`
`70`	`70`	`request.ignoreScopeValidation = parameters.ignoreScopeValidation;`
	`71`	`+ request.bypassRedirectURIValidation = parameters.bypassRedirectURIValidation;`
`71`	`72`	`return YES;`
`72`	`73`	`}`
`73`	`74`
Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,12 @@ - (void)dealloc`
`101`	`101`	`CFRelease(_privateKeyRef);`
`102`	`102`	`_privateKeyRef = NULL;`
`103`	`103`	`}`
	`104`	`+`
	`105`	`+ if (_privateTransportKeyRef)`
	`106`	`+ {`
	`107`	`+ CFRelease(_privateTransportKeyRef);`
	`108`	`+ _privateTransportKeyRef = NULL;`
	`109`	`+ }`
`104`	`110`	`}`
`105`	`111`
`106`	`112`	`@end`
Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,12 @@ - (BOOL)isDevicelessPRT`
`216`	`216`	`return prtVersion >= 3.0 && [NSString msidIsStringNilOrBlank:self.deviceID];`
`217`	`217`	`}`
`218`	`218`
	`219`	`+- (BOOL)isDevicelessPRTv3`
	`220`	`+{`
	`221`	`+ CGFloat prtVersion = [self.prtProtocolVersion floatValue];`
	`222`	`+ return prtVersion == 3.0 && [NSString msidIsStringNilOrBlank:self.deviceID];`
	`223`	`+}`
	`224`	`+`
`219`	`225`	`- (BOOL)shouldRefreshWithInterval:(NSUInteger)refreshInterval`
`220`	`226`	`{`
`221`	`227`	`if (!self.expiresOn)`