Release 1.6.3 (#966)

* POC for Olga's suggestion

* initialize commit

* throttling service core functions

* update last refresh time function

* hook up throttling in silent request

* update invoke point for UI Throttle

* refactor code. invoke sso-ext flow

* refactor

* update SSO-ext flow

* update file location

* update metadata cache. Address some comments

* refactor code: move throttling type handler to helper class. add more utiliti class

* refactor code to using factory pattern. Move the business handle code from service to Model class

* clean code

* fix error when e2e test. Address some comment. Clean some unused class

* initial commit

* first sample unit test :)

* new UT

* changelog

* fixed unsigned int in MSIDThrottlingModelInteractionRequire

* ...

* ..

* travis silly unsigned error

* Address comments

* address comment

* update Peter comments

* address comments

* update last refresh time when interactive flow is success

* update thumbprint log

* ...

* gosh

* ...

* ...

* fix UT

* Handle missing bundle identifier when writing wipe data to keychain

* nonSSO serverside test

* address comment. update sso interactive flow.

* intermi save

* added more unit tests

* throtting service integration test

* demiurge

* throttling test

* update from accessgroup to datasource

* saving

* yaldabaoth

* ...

* ...

* monad

* resolved unit test failure due to swizzling/category method for default cache accessor

* reverting unnecessary changes

* solved concurrency issue

* heroic

* enhanced logging

* changelog

* add unit tests

* Remove input param to make the method reusable in CPP, added tests (#956)

* Remove input param to make the method reusable in CPP, added tests

* try fix UT

* add and change some parameters

* clean up the format

* update

* clean up files

* fix ascii error when reporting build in terminal

* fix swizzle causing test cases failing

* fix swizzle

* added PII masking

* address comments

* add extended token cache into interactive token request, remove casting in local intereactive controller

* merge with dev

* add extended token cache in sso ext silent token request

* update back code

* remove class check

* added additional logging

* Throttling merge to dev (#960)

* throttling feature.

* update at pop logic

* update changelog

* Minor logging improvements

* addressed comments

* Initial Commit

* Removed unnecessary change

* Changelog

* Update changelog.

* Update release branch (#968)

* Added checking for the existence of id_token when validating response

* Skip validate token result for id_token only case

* Fixed compile error

* Skip save access token

* Adding test case

* Addressed comments

* Fixed build issue

* Modify init method for keychain token cache so that developers can se… (#965)

* Address commits from previous PR (#967)

Co-authored-by: Tatsuro Shibamura <me@shibayan.jp>
Co-authored-by: Olga Dalton <oldalton@microsoft.com>
Co-authored-by: kaisong1990 <kaisong1990@gmail.com>

Co-authored-by: Hieu Nguyen <65981263+hieunguyenmsft@users.noreply.github.com>
Co-authored-by: Peter Lee <peterlee@ELSMITH2-X1G2.northamerica.corp.microsoft.com>
Co-authored-by: HieuNguyen <hiengu@microsoft.com>
Co-authored-by: Peter Lee <peterlee@Peters-MacBook-Pro.local>
Co-authored-by: Peter Lee <30302999+NerevarineRule@users.noreply.github.com>
Co-authored-by: Olga Dalton <oldalton@microsoft.com>
Co-authored-by: Peter Lee <peterlee@MININT-947M1BJ.redmond.corp.microsoft.com>
Co-authored-by: Peter Lee <peterlee@CBREV-LOOGUN.northamerica.corp.microsoft.com>
Co-authored-by: Yong Zeng <zeyong@microsoft.com>
Co-authored-by: kaisong1990 <kaisong1990@gmail.com>
Co-authored-by: tongyuze <yuto@microsoft.com>
Co-authored-by: Logan Dorsey <>
Co-authored-by: Logan Dorsey <logdog16@users.noreply.github.com>
Co-authored-by: Tatsuro Shibamura <me@shibayan.jp>

Author: 13 people

IdentityCore/IdentityCore.xcodeproj/project.pbxproj

@@ -124,3 +124,6 @@ extern NSString * _Nonnull const MSID_CLIENT_SDK_TYPE_ADAL;
 
 extern NSString * _Nonnull const MSID_POP_TOKEN_PRIVATE_KEY;
 extern NSString * _Nonnull const MSID_POP_TOKEN_KEY_LABEL;
+
+extern NSString * _Nonnull const MSID_THROTTLING_METADATA_KEYCHAIN;
+extern NSString * _Nonnull const MSID_THROTTLING_METADATA_KEYCHAIN_VERSION;

IdentityCore/src/MSIDConstants.h

@@ -55,3 +55,5 @@
 
 NSString *const MSID_POP_TOKEN_PRIVATE_KEY = @"com.microsoft.token.private.key";
 NSString *const MSID_POP_TOKEN_KEY_LABEL = @"com.microsoft.token.key";
+NSString *const MSID_THROTTLING_METADATA_KEYCHAIN = @"com.microsoft.identity.throttling.metadata";
+NSString *const MSID_THROTTLING_METADATA_KEYCHAIN_VERSION = @"Ver1";

IdentityCore/src/MSIDConstants.m

@@ -107,6 +107,7 @@ extern NSString *const MSID_CLIENT_INFO_CACHE_KEY;
 extern NSString *const MSID_ID_TOKEN_CACHE_KEY;
 extern NSString *const MSID_ADDITIONAL_INFO_CACHE_KEY;
 extern NSString *const MSID_EXPIRES_ON_CACHE_KEY;
+extern NSString *const MSID_REFRESH_ON_CACHE_KEY;
 extern NSString *const MSID_OAUTH_TOKEN_TYPE_CACHE_KEY;
 extern NSString *const MSID_CACHED_AT_CACHE_KEY;
 extern NSString *const MSID_EXTENDED_EXPIRES_ON_CACHE_KEY;

IdentityCore/src/MSIDOAuth2Constants.h

@@ -109,6 +109,7 @@
 NSString *const MSID_ID_TOKEN_CACHE_KEY                  = @"id_token";
 NSString *const MSID_ADDITIONAL_INFO_CACHE_KEY           = @"additional_info";
 NSString *const MSID_EXPIRES_ON_CACHE_KEY                = @"expires_on";
+NSString *const MSID_REFRESH_ON_CACHE_KEY                = @"refresh_on";
 NSString *const MSID_OAUTH_TOKEN_TYPE_CACHE_KEY          = @"access_token_type";
 NSString *const MSID_CACHED_AT_CACHE_KEY                 = @"cached_at";
 NSString *const MSID_EXTENDED_EXPIRES_ON_CACHE_KEY       = @"extended_expires_on";

IdentityCore/src/MSIDOAuth2Constants.m

@@ -129,7 +129,8 @@ + (NSSet *)fullRequestThumbprintExcludeParams
                                            MSID_BROKER_CLIENT_VERSION_KEY,
                                            MSID_BROKER_CLIENT_APP_VERSION_KEY,
                                            MSID_BROKER_CLIENT_APP_NAME_KEY,
-                                           MSID_BROKER_CORRELATION_ID_KEY]];
+                                           MSID_BROKER_CORRELATION_ID_KEY,
+                                           MSID_BROKER_KEY]];
     });
     return excludeSet;
 
@@ -147,5 +148,6 @@ + (NSSet *)strictRequestThumbprintIncludeParams
 
 }
 
+
 @end
 #endif

IdentityCore/src/broker_operation/request/silent_token_request/MSIDBrokerOperationSilentTokenRequest.m

@@ -562,7 +562,14 @@ - (BOOL)removeItemsWithKey:(MSIDCacheKey *)key
 - (BOOL)saveWipeInfoWithContext:(id<MSIDRequestContext>)context
                           error:(NSError **)error
 {
-    NSDictionary *wipeInfo = @{ @"bundleId" : [[NSBundle mainBundle] bundleIdentifier],
+    NSString *appIdentifier = [[NSBundle mainBundle] bundleIdentifier];
+    
+    if (!appIdentifier)
+    {
+        appIdentifier = [NSProcessInfo processInfo].processName;
+    }
+    
+    NSDictionary *wipeInfo = @{ @"bundleId" : appIdentifier ?: @"",
                                 @"wipeTime" : [NSDate date]
                                 };
 

IdentityCore/src/cache/MSIDKeychainTokenCache.m

@@ -24,6 +24,7 @@
 #import <Foundation/Foundation.h>
 #import "MSIDCredentialType.h"
 #import "MSIDAccountType.h"
+#import "MSIDExtendedTokenCacheDataSource.h"
 
 @class MSIDAccountCacheItem;
 @class MSIDAppMetadataCacheItem;
@@ -38,6 +39,8 @@
 
 @interface MSIDAccountCredentialCache : NSObject
 
+@property (nonatomic, readonly) id<MSIDExtendedTokenCacheDataSource> _Nonnull dataSource;
+
 - (nonnull instancetype)initWithDataSource:(nonnull id<MSIDExtendedTokenCacheDataSource>)dataSource;
 
 /*

IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.h

@@ -39,7 +39,6 @@
 
 @interface MSIDAccountCredentialCache()
 {
-    id<MSIDExtendedTokenCacheDataSource> _dataSource;
     MSIDCacheItemJsonSerializer *_serializer;
 }
 
@@ -69,13 +68,16 @@ - (instancetype)initWithDataSource:(id<MSIDExtendedTokenCacheDataSource>)dataSou
                                                                  context:(nullable id<MSIDRequestContext>)context
                                                                    error:(NSError * _Nullable * _Nullable)error
 {
+    NSString *className = NSStringFromClass(self.class);
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"(%@) retrieving cached credentials using credential query", className);
     NSError *cacheError = nil;
-
+    
     NSArray<MSIDCredentialCacheItem *> *results = [_dataSource tokensWithKey:cacheQuery
                                                                   serializer:_serializer
                                                                      context:context
                                                                        error:&cacheError];
 
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"(%@) retrieved %ld cached credentials", className, (long)results.count);
     if (cacheError)
     {
         if (error)
@@ -91,14 +93,16 @@ - (instancetype)initWithDataSource:(id<MSIDExtendedTokenCacheDataSource>)dataSou
         BOOL shouldMatchAccount = !cacheQuery.homeAccountId || !cacheQuery.environment;
 
         NSMutableArray *filteredResults = [NSMutableArray array];
-
+        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"(%@) credential query requires exact match with the cached credential items. Performing additional filtering checks.", className);
         for (MSIDCredentialCacheItem *cacheItem in results)
         {
+            MSID_LOG_WITH_CTX_PII(MSIDLogLevelVerbose, context, @"(%@) performing filtering check on cached credential item with the following properties - client ID: %@, target: %@, realm: %@, environment: %@, familyID: %@, homeAccountId: %@, enrollmentId: %@, appKey: %@, applicationIdentifier: %@, tokenType: %@", className, cacheItem.clientId, cacheItem.target, cacheItem.realm, cacheItem.environment, cacheItem.familyId, MSID_PII_LOG_TRACKABLE(cacheItem.homeAccountId), MSID_PII_LOG_MASKABLE(cacheItem.enrollmentId), MSID_PII_LOG_MASKABLE(cacheItem.appKey), MSID_EUII_ONLY_LOG_MASKABLE(cacheItem.applicationIdentifier), cacheItem.tokenType);
             if (shouldMatchAccount
                 && ![cacheItem matchesWithHomeAccountId:cacheQuery.homeAccountId
                                            environment:cacheQuery.environment
                                     environmentAliases:cacheQuery.environmentAliases])
             {
+                MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"(%@) cached item had mismatching homeAccountID or environment/aliases with the credential query. excluding from the results.", className);
                 continue;
             }
 
@@ -110,15 +114,16 @@ - (instancetype)initWithDataSource:(id<MSIDExtendedTokenCacheDataSource>)dataSou
                               targetMatching:cacheQuery.targetMatchingOptions
                             clientIdMatching:cacheQuery.clientIdMatchingOptions])
             {
+                MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"(%@) cached item had mismatching realm/clientId/familyId/target/requestedClaims with the credential query. excluding from the results.", className);
                 continue;
             }
-
+            
             [filteredResults addObject:cacheItem];
         }
-
+        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"(%@) returning %ld filtered credentials", className, (long)filteredResults.count);
         return filteredResults;
     }
-
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"(%@) returning %ld credentials", className, (long)results.count);
     return results;
 }
 

IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.m

@@ -23,6 +23,7 @@
 
 #import <Foundation/Foundation.h>
 #import "MSIDCacheAccessor.h"
+#import "MSIDAccountCredentialCache.h"
 
 @class MSIDAccountIdentifier;
 @class MSIDConfiguration;
@@ -38,6 +39,8 @@
 
 @interface MSIDDefaultTokenCacheAccessor : NSObject <MSIDCacheAccessor>
 
+@property (nonatomic, readonly) MSIDAccountCredentialCache *accountCredentialCache;
+
 - (instancetype)initWithDataSource:(id<MSIDExtendedTokenCacheDataSource>)dataSource
                otherCacheAccessors:(NSArray<id<MSIDCacheAccessor>> *)otherAccessors;