Merge pull request #206 from AzureAD/jak/webview-fixes

PKeyAuth handling and scopes handling fix

Author: unpluggedk

IdentityCore/src/oauth2/aad_base/MSIDAADWebviewFactory.m

@@ -38,16 +38,6 @@ @implementation MSIDAADWebviewFactory
     NSMutableDictionary<NSString *, NSString *> *parameters = [super authorizationParametersFromConfiguration:configuration
                                                                                                  requestState:state];
 
-    NSMutableOrderedSet<NSString *> *allScopes = parameters[MSID_OAUTH2_SCOPE].scopeSet.mutableCopy;
-    
-    if (!allScopes)
-    {
-        allScopes = [NSMutableOrderedSet new];
-    }
-    
-    [allScopes addObject:MSID_OAUTH2_SCOPE_OPENID_VALUE];
-    
-    parameters[MSID_OAUTH2_SCOPE] = allScopes.msidToString;
     parameters[MSID_OAUTH2_PROMPT] = configuration.promptBehavior;
 
     if (configuration.correlationId)

IdentityCore/src/oauth2/aad_v2/MSIDAADV2WebviewFactory.m

@@ -35,6 +35,12 @@ @implementation MSIDAADV2WebviewFactory
                                                                                                  requestState:state];
 
     NSMutableOrderedSet<NSString *> *allScopes = parameters[MSID_OAUTH2_SCOPE].scopeSet.mutableCopy;
+    if (!allScopes)
+    {
+        allScopes = [NSMutableOrderedSet new];
+    }
+    
+    [allScopes addObject:MSID_OAUTH2_SCOPE_OPENID_VALUE];
     [allScopes addObject:MSID_OAUTH2_SCOPE_OFFLINE_ACCESS_VALUE];
     [allScopes addObject:MSID_OAUTH2_SCOPE_PROFILE_VALUE];
 

IdentityCore/src/webview/embeddedWebview/challangeHandlers/MSIDPKeyAuthHandler.m

@@ -29,6 +29,7 @@
 #import "MSIDError.h"
 #import "MSIDDeviceId.h"
 #import "MSIDConstants.h"
+#import "NSDictionary+MSIDExtensions.h"
 
 @implementation MSIDPKeyAuthHandler
 
@@ -68,11 +69,16 @@ + (BOOL)handleChallenge:(NSString *)challengeUrl
 
     // Attach client version to response url
     NSURLComponents *responseUrlComp = [[NSURLComponents alloc] initWithURL:[NSURL URLWithString:submitUrl] resolvingAgainstBaseURL:NO];
-    NSMutableArray *queryItems = responseUrlComp.queryItems ? [responseUrlComp.queryItems mutableCopy] : [NSMutableArray new];
-    [queryItems addObject:[[NSURLQueryItem alloc] initWithName:MSID_VERSION_KEY value:MSIDDeviceId.deviceId[MSID_VERSION_KEY]]];
-    responseUrlComp.queryItems = queryItems;
+    NSMutableDictionary *queryDict = [NSMutableDictionary new];
 
-    NSMutableURLRequest *responseReq = [[NSMutableURLRequest alloc]initWithURL:responseUrlComp.URL];
+    for (NSURLQueryItem *item in responseUrlComp.queryItems)
+    {
+        [queryDict setValue:item.value forKey:item.name];
+    }
+    [queryDict setValue:MSIDDeviceId.deviceId[MSID_VERSION_KEY] forKey:MSID_VERSION_KEY];
+    responseUrlComp.percentEncodedQuery = [queryDict msidURLFormEncode];
+    
+    NSMutableURLRequest *responseReq = [[NSMutableURLRequest alloc] initWithURL:responseUrlComp.URL];
     [responseReq setValue:kMSIDPKeyAuthHeaderVersion forHTTPHeaderField:kMSIDPKeyAuthHeader];
     [responseReq setValue:authHeader forHTTPHeaderField:MSID_OAUTH2_AUTHORIZATION];
     completionHandler(responseReq, nil);

IdentityCore/tests/MSIDAADV1WebviewFactoryTests.m

@@ -87,7 +87,6 @@ - (void)testAuthorizationParametersFromConfiguration_withValidParams_shouldConta
                                           @"client-request-id" : correlationId.UUIDString,
                                           @"login_hint" : @"fakeuser@contoso.com",
                                           @"state" : requestState.msidBase64UrlEncode,
-                                          @"scope" : @"openid",
                                           @"prompt" : @"login",
                                           @"haschrome" : @"1"
                                           }];
@@ -98,5 +97,53 @@ - (void)testAuthorizationParametersFromConfiguration_withValidParams_shouldConta
     XCTAssertTrue([expectedQPs compareAndPrintDiff:params]);
 }
 
+- (void)testAuthorizationParametersFromConfiguration_withValidParamsWithScopes_shouldContainAADV1ConfigurationWithScopes
+{
+    __block NSUUID *correlationId = [NSUUID new];
+    
+    MSIDWebviewConfiguration *config = [[MSIDWebviewConfiguration alloc] initWithAuthorizationEndpoint:[NSURL URLWithString:DEFAULT_TEST_AUTHORIZATION_ENDPOINT]
+                                                                                           redirectUri:DEFAULT_TEST_REDIRECT_URI
+                                                                                              clientId:DEFAULT_TEST_CLIENT_ID
+                                                                                              resource:DEFAULT_TEST_RESOURCE
+                                                                                                scopes:[NSOrderedSet orderedSetWithObjects:@"scope1", nil]
+                                                                                         correlationId:correlationId
+                                                                                            enablePkce:NO];
+    
+    config.extraQueryParameters = @{ @"eqp1" : @"val1", @"eqp2" : @"val2" };
+    config.promptBehavior = @"login";
+    config.claims = @"claims";
+    config.sliceParameters = DEFAULT_TEST_SLICE_PARAMS_DICT;
+    config.loginHint = @"fakeuser@contoso.com";
+    
+    NSString *requestState = @"state";
+    
+    MSIDAADV1WebviewFactory *factory = [MSIDAADV1WebviewFactory new];
+    
+    NSDictionary *params = [factory authorizationParametersFromConfiguration:config requestState:requestState];
+    
+    NSMutableDictionary *expectedQPs = [NSMutableDictionary dictionaryWithDictionary:
+                                        @{
+                                          @"client_id" : DEFAULT_TEST_CLIENT_ID,
+                                          @"redirect_uri" : DEFAULT_TEST_REDIRECT_URI,
+                                          @"resource" : DEFAULT_TEST_RESOURCE,
+                                          @"response_type" : @"code",
+                                          @"eqp1" : @"val1",
+                                          @"eqp2" : @"val2",
+                                          @"claims" : @"claims",
+                                          @"return-client-request-id" : @"true",
+                                          @"client-request-id" : correlationId.UUIDString,
+                                          @"login_hint" : @"fakeuser@contoso.com",
+                                          @"state" : requestState.msidBase64UrlEncode,
+                                          @"prompt" : @"login",
+                                          @"haschrome" : @"1",
+                                          @"scope" : @"scope1"
+                                          }];
+    
+    [expectedQPs addEntriesFromDictionary:[MSIDDeviceId deviceId]];
+    [expectedQPs addEntriesFromDictionary:DEFAULT_TEST_SLICE_PARAMS_DICT];
+    
+    XCTAssertTrue([expectedQPs compareAndPrintDiff:params]);
+}
+
 
 @end

IdentityCore/tests/MSIDAADWebviewFactoryTests.m

@@ -81,10 +81,11 @@ - (void)testAuthorizationParametersFromConfiguration_withValidParams_shouldConta
                                           @"client-request-id" : correlationId.UUIDString,
                                           @"login_hint" : @"fakeuser@contoso.com",
                                           @"state" : requestState.msidBase64UrlEncode,
-                                          @"scope" : @"scope1 openid",
                                           @"prompt" : @"login",
                                           @"slice": @"myslice",
-                                          @"haschrome" : @"1"
+                                          @"haschrome" : @"1",
+                                          @"scope" : @"scope1"
+                                          
                                           }];
     [expectedQPs addEntriesFromDictionary:[MSIDDeviceId deviceId]];
     [expectedQPs addEntriesFromDictionary:DEFAULT_TEST_SLICE_PARAMS_DICT];