Merge pull request #1635 from AzureAD/ameyapat/save-bart-only-when-rt-type-bart

ameyapat · web-flow · commit 689c32498b20 · 2025-12-16T14:44:14.000-08:00
Save bound app refresh token only when rt type in token response = bart
diff --git a/IdentityCore/src/network/response_serializer/preprocessor/MSIDJweResponseDecryptPreProcessor.m b/IdentityCore/src/network/response_serializer/preprocessor/MSIDJweResponseDecryptPreProcessor.m
@@ -26,6 +26,7 @@
 #import "MSIDJweResponse.h"
 #import "MSIDJweResponse+EcdhAesGcm.h"
 #import "MSIDJsonResponsePreprocessor.h"
+#import "MSIDBrokerConstants.h"
 
 @implementation MSIDJweResponseDecryptPreProcessor
 
@@ -75,6 +76,12 @@ - (nullable NSDictionary *)decryptJweResponseData:(NSData *)data
     {
         NSMutableDictionary *mutableDecryptedResponse = [decryptedResponse mutableCopy];
         [mutableDecryptedResponse addEntriesFromDictionary:self.additionalResponseClaims];
+        // bart_device_id should be present in response only when refresh_token_type=bound_app_rt is present in token response from server.
+        if (![decryptedResponse[MSID_REFRESH_TOKEN_TYPE] isEqualToString:MSID_REFRESH_TOKEN_TYPE_BOUND_APP_RT])
+        {
+            [mutableDecryptedResponse removeObjectForKey:MSID_BART_DEVICE_ID_KEY];
+        }
+
         decryptedResponse = [mutableDecryptedResponse copy];
     }
     return decryptedResponse;
diff --git a/IdentityCore/src/oauth2/MSIDOauth2Factory.m b/IdentityCore/src/oauth2/MSIDOauth2Factory.m
@@ -418,9 +418,8 @@ - (BOOL)fillAppMetadata:(MSIDAppMetadataCacheItem *)metadata
 
 - (BOOL)doesResponseHaveBoundAppRefreshToken:(MSIDTokenResponse *)response
 {
-    return ![NSString msidIsStringNilOrBlank:response.boundAppRefreshTokenDeviceId] &&
-    ([MSID_REFRESH_TOKEN_TYPE_BOUND_APP_RT isEqualToString:response.additionalServerInfo[MSID_REFRESH_TOKEN_TYPE]] ||
-                [response.additionalServerInfo[MSID_BART_DEVICE_ID_KEY] length] > 0);
+    return ![NSString msidIsStringNilOrBlank:response.boundAppRefreshTokenDeviceId] ||
+                [response.additionalServerInfo[MSID_BART_DEVICE_ID_KEY] length] > 0;
 }
 
 #pragma mark - Webview
diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,6 @@
+TBD
+* Add logic to save bound app RT only when token response has refresh_token_type=bound_app_rt
+
 Version 1.18.0
 * Silent token request should use FRT first when single FRT is enabled #1624
 * Use autolayout for loading indicator #1628

Original file line number	Diff line number	Diff line change
`@@ -418,9 +418,8 @@ - (BOOL)fillAppMetadata:(MSIDAppMetadataCacheItem *)metadata`
`418`	`418`
`419`	`419`	`- (BOOL)doesResponseHaveBoundAppRefreshToken:(MSIDTokenResponse *)response`
`420`	`420`	`{`
`421`		`- return ![NSString msidIsStringNilOrBlank:response.boundAppRefreshTokenDeviceId] &&`
`422`		`- ([MSID_REFRESH_TOKEN_TYPE_BOUND_APP_RT isEqualToString:response.additionalServerInfo[MSID_REFRESH_TOKEN_TYPE]] \|\|`
`423`		`- [response.additionalServerInfo[MSID_BART_DEVICE_ID_KEY] length] > 0);`
	`421`	`+ return ![NSString msidIsStringNilOrBlank:response.boundAppRefreshTokenDeviceId] \|\|`
	`422`	`+ [response.additionalServerInfo[MSID_BART_DEVICE_ID_KEY] length] > 0;`
`424`	`423`	`}`
`425`	`424`
`426`	`425`	`#pragma mark - Webview`