API to get signed JWT for bound refresh token exchange

Author: ameyapat

IdentityCore/IdentityCore.xcodeproj/project.pbxproj

@@ -733,6 +733,8 @@
 		720B5B582DD58A7F00318FE5 /* MSIDJWECryptoTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 720B5B572DD58A6A00318FE5 /* MSIDJWECryptoTests.m */; };
 		720B5B592DD58A7F00318FE5 /* MSIDJWECryptoTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 720B5B572DD58A6A00318FE5 /* MSIDJWECryptoTests.m */; };
 		72371CEB27051CC200EF5475 /* MSIDKeyOperationUtilTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 72371CEA27051CC200EF5475 /* MSIDKeyOperationUtilTest.m */; };
+		724C9DD42E6906290039BAA0 /* MSIDBoundRefreshTokenRedemptionTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 724C9DD32E6906270039BAA0 /* MSIDBoundRefreshTokenRedemptionTests.m */; };
+		724C9DD52E6906290039BAA0 /* MSIDBoundRefreshTokenRedemptionTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 724C9DD32E6906270039BAA0 /* MSIDBoundRefreshTokenRedemptionTests.m */; };
 		728209C326FA9C9A00B5F018 /* MSIDBackgroundTaskData.m in Sources */ = {isa = PBXBuildFile; fileRef = 728209C226FA9C9A00B5F018 /* MSIDBackgroundTaskData.m */; };
 		728209C926FE94D800B5F018 /* MSIDJwtAlgorithm.m in Sources */ = {isa = PBXBuildFile; fileRef = 728209C826FE94D800B5F018 /* MSIDJwtAlgorithm.m */; };
 		728209CA26FE94D800B5F018 /* MSIDJwtAlgorithm.m in Sources */ = {isa = PBXBuildFile; fileRef = 728209C826FE94D800B5F018 /* MSIDJwtAlgorithm.m */; };
@@ -2664,6 +2666,7 @@
 		720B5B542DD57D6600318FE5 /* MSIDEcdhApv.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDEcdhApv.m; sourceTree = "<group>"; };
 		720B5B572DD58A6A00318FE5 /* MSIDJWECryptoTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDJWECryptoTests.m; sourceTree = "<group>"; };
 		72371CEA27051CC200EF5475 /* MSIDKeyOperationUtilTest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDKeyOperationUtilTest.m; sourceTree = "<group>"; };
+		724C9DD32E6906270039BAA0 /* MSIDBoundRefreshTokenRedemptionTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBoundRefreshTokenRedemptionTests.m; sourceTree = "<group>"; };
 		728209C126FA9C9A00B5F018 /* MSIDBackgroundTaskData.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDBackgroundTaskData.h; sourceTree = "<group>"; };
 		728209C226FA9C9A00B5F018 /* MSIDBackgroundTaskData.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBackgroundTaskData.m; sourceTree = "<group>"; };
 		728209C826FE94D800B5F018 /* MSIDJwtAlgorithm.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDJwtAlgorithm.m; sourceTree = "<group>"; };
@@ -5748,6 +5751,7 @@
 		D6DA89731FBA6A4E004C56C7 /* tests */ = {
 			isa = PBXGroup;
 			children = (
+				724C9DD32E6906270039BAA0 /* MSIDBoundRefreshTokenRedemptionTests.m */,
 				72C764F82E09CFA400043AB1 /* MSIDBoundRefreshTokenTests.m */,
 				720B5B572DD58A6A00318FE5 /* MSIDJWECryptoTests.m */,
 				729357F22DDBD3F60001D03C /* MSIDNonceTokenRequestTest.m */,
@@ -7138,6 +7142,7 @@
 				2347D6692D5453A400372D20 /* MSIDSwitchBrowserOperationTest.swift in Sources */,
 				23419F82239B36F500EA78C5 /* MSIDAccountIdentifierTests.m in Sources */,
 				589BDB1D2718CD7D00BF3799 /* MSIDBrokerOperationGetSsoCookiesRequestTests.m in Sources */,
+				724C9DD52E6906290039BAA0 /* MSIDBoundRefreshTokenRedemptionTests.m in Sources */,
 				B210F42E1FDDE6A5005A8F76 /* MSIDJsonObjectTests.m in Sources */,
 				B2E97FB32914CC4500AFD558 /* MSIDBrokerNativeAppOperationResponseTests.m in Sources */,
 				B29F7805213DFA5600D61FC8 /* MSIDErrorTests.m in Sources */,
@@ -7773,6 +7778,7 @@
 				96CD652A20C885E2004813EE /* MSIDWebviewFactoryTests.m in Sources */,
 				239DF9C220E04BC9002D428B /* MSIDB2CAuthorityTests.m in Sources */,
 				B281B339226BBB1C009619AB /* MSIDOAuthRequestConfiguratorTests.m in Sources */,
+				724C9DD42E6906290039BAA0 /* MSIDBoundRefreshTokenRedemptionTests.m in Sources */,
 				B2808005204CB2A700944D89 /* MSIDAADV1TokenResponseTests.m in Sources */,
 				23419F64239896E500EA78C5 /* MSIDBrokerOperationResponseTests.m in Sources */,
 				D6D9A4BD1FBE712900EFA430 /* MSIDURLExtensionsTests.m in Sources */,

IdentityCore/src/MSIDOAuth2Constants.h

@@ -179,3 +179,5 @@ extern NSString *const MSID_CCS_REQUEST_ID_RESPONSE;
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY;
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE;
 extern NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY;
+extern NSString *const MSID_MSAL_CLIENT_APV_PREFIX;
+extern NSString *const MSID_BOUND_REFRESH_TOKEN_EXCHANGE;

IdentityCore/src/MSIDOAuth2Constants.m

@@ -179,4 +179,6 @@
 NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY            = @"x-ms-srs";
 NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE       = @"ccs-request-sequence";
 
+NSString *const MSID_BOUND_REFRESH_TOKEN_EXCHANGE        = @"bound_rt_exchange";
 NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY           = @"bound_device_id";
+NSString *const MSID_MSAL_CLIENT_APV_PREFIX              = @"MsalClient";

IdentityCore/src/oauth2/token/MSIDBoundRefreshToken+Redemption.h

@@ -37,7 +37,7 @@ NS_ASSUME_NONNULL_BEGIN
 - (NSString *) getTokenRedemptionJwtForTenantId: (nullable NSString *)tenantId
                       tokenRedemptionParameters: (MSIDBoundRefreshTokenRedemptionParameters *)requestParameters
                                         context:(id<MSIDRequestContext> _Nullable)context
-                                      jweCrypto: (NSDictionary * __autoreleasing *)jweCrypto
+                                      jweCrypto: (NSDictionary * __nonnull __autoreleasing *__nonnull)jweCrypto
                                           error: (NSError * __autoreleasing *)error;
 @end
 NS_ASSUME_NONNULL_END

IdentityCore/src/oauth2/token/MSIDBoundRefreshToken+Redemption.m

@@ -30,6 +30,7 @@
 #import "MSIDEcdhApv.h"
 #import "MSIDJwtAlgorithm.h"
 #import "MSIDJWTHelper.h"
+#import "MSIDKeyOperationUtil.h"
 
 @implementation MSIDBoundRefreshToken (Redemption)
 
@@ -38,7 +39,7 @@ @implementation MSIDBoundRefreshToken (Redemption)
 - (NSString *)getTokenRedemptionJwtForTenantId:(nullable NSString *)tenantId
                      tokenRedemptionParameters:(MSIDBoundRefreshTokenRedemptionParameters *) requestParameters
                                        context:(id<MSIDRequestContext> _Nullable)context
-                                     jweCrypto:(NSDictionary * __autoreleasing _Nullable *_Nullable)jweCrypto
+                                     jweCrypto:(NSDictionary * __autoreleasing __nonnull *__nonnull)jweCrypto
                                          error:(NSError *__autoreleasing  _Nullable * _Nullable)error
 {
     if (![self validateRequestParameters:requestParameters context:context error:error])
@@ -53,22 +54,25 @@ - (NSString *)getTokenRedemptionJwtForTenantId:(nullable NSString *)tenantId
         return nil;
     }
 
-    MSIDWPJKeyPairWithCert *workplacejoinData = [self validateAndGetWorkplaceJoinData:tenantId context:context error:error];
+    MSIDWPJKeyPairWithCert *workplacejoinData = [self getWorkplaceJoinDataAndValidateForTenantId:tenantId context:context error:error];
     if (!workplacejoinData)
     {
         return nil;
     }
 
-    // TODO: Use new method to query STK private reference
-    SecKeyRef publicSessionTransportKeyRef = NULL;
-    NSString *apvPrefix = @"MsalClient"; // TODO: Make this a constant
-    MSIDEcdhApv *ecdhPartyVInfoData = [[MSIDEcdhApv alloc] initWithKey:publicSessionTransportKeyRef
-                                                             apvPrefix:apvPrefix
+    SecKeyRef publicTransportKeyRef = SecKeyCopyPublicKey(workplacejoinData.privateTransportKeyRef);
+    MSIDEcdhApv *ecdhPartyVInfoData = [[MSIDEcdhApv alloc] initWithKey:publicTransportKeyRef
+                                                             apvPrefix:MSID_MSAL_CLIENT_APV_PREFIX
                                                                context:context
                                                                  error:error];
     if (!ecdhPartyVInfoData)
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"[Bound Refresh token redemption] Failed to create ECDH APV data for bound RT redemption JWT.");
+        if (error)
+            *error = [self createErrorWithDomain:MSIDErrorDomain
+                                            code:MSIDErrorInvalidInternalParameter
+                                        description:@"Failed to create ECDH APV data for bound RT redemption JWT."
+                                            context:context];
         return nil;
     }
 
@@ -80,14 +84,20 @@ - (NSString *)getTokenRedemptionJwtForTenantId:(nullable NSString *)tenantId
     if (!jweCryptoObj)
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"[Bound Refresh token redemption] Failed to create JWE crypto for bound RT redemption JWT.");
+        if (error)
+            *error = [self createErrorWithDomain:MSIDErrorDomain
+                                            code:MSIDErrorInvalidInternalParameter
+                                     description:@"Failed to create JWE crypto for bound RT redemption JWT."
+                                         context:context];
         return nil;
     }
 
-    *jweCrypto = [jweCryptoObj.jweCryptoDictionary copy];
+    if (jweCrypto)
+        *jweCrypto = [jweCryptoObj.jweCryptoDictionary copy];
 
     NSMutableDictionary *jwtPayload = [requestParameters jsonDictionary];
     [jwtPayload setObject:self.refreshToken forKey:MSID_OAUTH2_REFRESH_TOKEN];
-    [jwtPayload setObject:*jweCrypto forKey:@"jwe_crypto"];
+    [jwtPayload setObject:jweCryptoObj.jweCryptoDictionary forKey:@"jwe_crypto"];
 
     NSArray *certificateData = @[[NSString stringWithFormat:@"%@", [[workplacejoinData certificateData] base64EncodedStringWithOptions:kNilOptions]]];
     NSDictionary *header = @{
@@ -145,9 +155,9 @@ - (BOOL)validateBoundDeviceId:(id<MSIDRequestContext>)context
     return YES;
 }
 
-- (MSIDWPJKeyPairWithCert *)validateAndGetWorkplaceJoinData:(NSString *)tenantId
-                                                    context:(id<MSIDRequestContext>)context
-                                                      error:(NSError *__autoreleasing * _Nullable)error
+- (MSIDWPJKeyPairWithCert *)getWorkplaceJoinDataAndValidateForTenantId:(NSString *)tenantId
+                                                               context:(id<MSIDRequestContext>)context
+                                                                 error:(NSError *__autoreleasing * _Nullable)error
 {
     MSIDWPJKeyPairWithCert *workplacejoinData = [MSIDWorkPlaceJoinUtil getWPJKeysWithTenantId:tenantId context:context];
     if (!workplacejoinData)
@@ -195,6 +205,60 @@ - (MSIDWPJKeyPairWithCert *)validateAndGetWorkplaceJoinData:(NSString *)tenantId
         return nil;
     }
 
+    SecKeyRef privateTransportKey = workplacejoinData.privateTransportKeyRef;
+    if (!privateTransportKey)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"[Bound Refresh token redemption] Failed to obtain private transport key for bound RT redemption JWT.");
+        if (error)
+        {
+            *error = [self createErrorWithDomain:MSIDErrorDomain
+                                            code:MSIDErrorWorkplaceJoinRequired
+                                     description:@"Failed to obtain private transport key for bound RT redemption JWT."
+                                         context:context];
+        }
+        return nil;
+    }
+    
+    SecKeyRef publicSessionTransportKeyRef = SecKeyCopyPublicKey(privateTransportKey);
+    if (!publicSessionTransportKeyRef)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"[Bound Refresh token redemption] Failed to calculate public session transport key from private key for bound RT redemption JWT.");
+        if (error)
+        {
+            *error = [self createErrorWithDomain:MSIDErrorDomain
+                                            code:MSIDErrorWorkplaceJoinRequired
+                                     description:@"[Bound Refresh token redemption] Failed to calculate public session transport key from private key for bound RT redemption JWT."
+                                         context:context];
+        }
+        return nil;
+    }
+    
+    if (![[MSIDKeyOperationUtil sharedInstance] isKeyFromSecureEnclave:workplacejoinData.privateKeyRef])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"[Bound Refresh token redemption] The private device key for bound RT redemption JWT is not from Secure Enclave. Binding will not be satisfied.");
+        if (error)
+        {
+            *error = [self createErrorWithDomain:MSIDErrorDomain
+                                            code:MSIDErrorWorkplaceJoinRequired
+                                        description:@"The private device key for bound RT redemption JWT is not from Secure Enclave. Binding will not be satisfied."
+                                            context:context];
+        }
+        return nil;
+    }
+    
+    if (![[MSIDKeyOperationUtil sharedInstance] isKeyFromSecureEnclave:workplacejoinData.privateTransportKeyRef])
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"[Bound Refresh token redemption] The private transport key for bound RT redemption JWT is not from Secure Enclave. Binding will not be satisfied.");
+        if (error)
+        {
+            *error = [self createErrorWithDomain:MSIDErrorDomain
+                                            code:MSIDErrorWorkplaceJoinRequired
+                                        description:@"The private transport key for bound RT redemption JWT is not from Secure Enclave. Binding will not be satisfied."
+                                            context:context];
+        }
+        return nil;
+    }
+    
     return workplacejoinData;
 }
 

IdentityCore/src/oauth2/token/MSIDBoundRefreshToken.h

@@ -52,7 +52,7 @@ NS_ASSUME_NONNULL_BEGIN
  @return An initialized instance of MSIDBoundRefreshToken.
  */
 - (instancetype)initWithRefreshToken:(MSIDRefreshToken *)refreshToken
-                      boundDeviceId:(NSString *)boundDeviceId;
+                       boundDeviceId:(NSString *)boundDeviceId;
 
 - (instancetype)init NS_UNAVAILABLE;
 + (instancetype)new NS_UNAVAILABLE;

IdentityCore/src/parameters/MSIDBoundRefreshTokenRedemptionParameters.h

@@ -35,7 +35,11 @@ NS_ASSUME_NONNULL_BEGIN
 // Client nonce GUID to be used in bound refresh token redemption request payload.
 @property (nonatomic, copy) NSString *nonce;
 
+// Audience (token endpoint URL) for the bound refresh token redemption request
+@property (nonatomic, copy) NSString *audience;
+
 - (instancetype)initWithClientId:(NSString *)clientId
+               authorityEndpoint:(NSURL *)authorityEndpoint
                           scopes:(NSSet <NSString *>*)scopes
                            nonce:(NSString *)nonce;
 

IdentityCore/src/parameters/MSIDBoundRefreshTokenRedemptionParameters.m

@@ -26,7 +26,10 @@
 
 @implementation MSIDBoundRefreshTokenRedemptionParameters
 
-- (nonnull instancetype)initWithClientId:(nonnull NSString *)clientId scopes:(nonnull NSSet *)scopes nonce:(nonnull NSString *)nonce
+- (nonnull instancetype)initWithClientId:(nonnull NSString *)clientId
+                       authorityEndpoint:(nonnull NSURL *)authorityEndpoint
+                                  scopes:(nonnull NSSet *)scopes
+                                   nonce:(nonnull NSString *)nonce
 {
     self = [super init];
     if (self)
@@ -36,17 +39,26 @@ - (nonnull instancetype)initWithClientId:(nonnull NSString *)clientId scopes:(no
             MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Failed to create bound refresh token redemption parameters: clientId is nil or blank.");
             return nil;
         }
+        
+        if ([NSString msidIsStringNilOrBlank:authorityEndpoint.absoluteString])
+        {
+            MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Failed to create bound refresh token redemption parameters: authorityEndpoint is nil.");
+            return nil;
+        }
+        
         if (!scopes || scopes.count == 0)
         {
             MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Failed to create bound refresh token redemption parameters: scope is nil or empty.");
             return nil;
         }
-        if ([NSString msidIsStringNilOrBlank:nonce])
+                
+        if ([scopes containsObject:@"aza"])
         {
-            MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Failed to create bound refresh token redemption parameters: nonce is nil or blank.");
+            MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Failed to create bound refresh token redemption parameters: scopes contains aza.");
             return nil;
         }
 
+        _audience = authorityEndpoint.absoluteString;
         _clientId = clientId;
         _scopes = scopes;
         _nonce = nonce;
@@ -58,14 +70,16 @@ - (nonnull NSMutableDictionary *)jsonDictionary
 {
     NSMutableDictionary *jsonDict = [NSMutableDictionary new];
     jsonDict[MSID_OAUTH2_GRANT_TYPE] = MSID_OAUTH2_REFRESH_TOKEN;
-    jsonDict[@"purpose"] = @"bound_rt_exchange"; // TODO: Add constants for purposes
+    jsonDict[MSID_BOUND_REFRESH_TOKEN_EXCHANGE] = @1;
+    jsonDict[@"aud"] = self.audience;
     jsonDict[@"iss"] = self.clientId; // Issuer is the client ID
-    NSNumber *now = @([[NSDate date] timeIntervalSince1970]);
-    jsonDict[@"iat"] = [NSString stringWithFormat:@"%ld", [now longValue]]; // Issued at time
-    jsonDict[@"exp"] = @([[NSDate dateWithTimeIntervalSinceNow:5 * 60] timeIntervalSince1970]); // 5 minutes
-    jsonDict[@"nbf"] = [NSString stringWithFormat:@"%ld", [now longValue]]; // Not before time
+    NSInteger now = round([[NSDate date] timeIntervalSince1970]);
+    jsonDict[@"iat"] = [NSNumber numberWithInteger:now]; // Issued at time
+    jsonDict[@"exp"] = [NSNumber numberWithInteger:now + 300]; // 5 minutes
+    jsonDict[@"nbf"] = [NSNumber numberWithInteger:now]; // Not before time
     [jsonDict setObject:self.clientId forKey:MSID_OAUTH2_CLIENT_ID];
-    [jsonDict setObject:self.nonce forKey:@"nonce"];
+    if (![NSString msidIsStringNilOrBlank:self.nonce])
+        [jsonDict setObject:self.nonce forKey:@"nonce"];
     NSString *scopeString = [self.scopes.allObjects componentsJoinedByString:@" "];
     [jsonDict setObject:scopeString forKey:MSID_OAUTH2_SCOPE];
     return jsonDict;