Merge branch 'dev' into sedemche/sign_out_corr_id

Author: antrix1989

IdentityCore/IdentityCore.xcodeproj/project.pbxproj

@@ -157,6 +157,7 @@ extern NSString *const MSID_ID_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_LEGACY_ID_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_PRT_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_FRT_TOKEN_CACHE_TYPE;
+extern NSString *const MSID_BOUND_RT_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_GENERAL_CACHE_ITEM_TYPE;
 extern NSString *const MSID_APP_METADATA_CACHE_TYPE;
@@ -177,3 +178,4 @@ extern NSString *const MSID_CCS_REQUEST_ID_RESPONSE;
 
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY;
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE;
+extern NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY;

IdentityCore/src/MSIDOAuth2Constants.h

@@ -151,6 +151,7 @@
 NSString *const MSID_LEGACY_ID_TOKEN_CACHE_TYPE          = @"V1IdToken";
 NSString *const MSID_PRT_TOKEN_CACHE_TYPE                = @"PrimaryRefreshToken";
 NSString *const MSID_FRT_TOKEN_CACHE_TYPE                = @"FamilyRefreshToken";
+NSString *const MSID_BOUND_RT_TOKEN_CACHE_TYPE           = @"BoundRefreshToken";
 NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE            = @"token";
 NSString *const MSID_GENERAL_CACHE_ITEM_TYPE             = @"general_cache_item";
 NSString *const MSID_APP_METADATA_CACHE_TYPE             = @"appmetadata";
@@ -177,3 +178,5 @@
 
 NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY            = @"x-ms-srs";
 NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE       = @"ccs-request-sequence";
+
+NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY           = @"bound_device_id";

IdentityCore/src/MSIDOAuth2Constants.m

@@ -0,0 +1,185 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+#import <Foundation/Foundation.h>
+#import "MSIDJsonSerializable.h"
+#import "MSIDConstants.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+/**
+ * MATS Silent Status Enum
+ *
+ * Represents the outcome of a silent token request attempt.
+ * Based on WebTokenRequestStatus values used in Windows WAM.
+ */
+typedef NS_ENUM(NSInteger, MSIDMATSSilentStatus) {
+    /**
+     * Silent token obtained successfully
+     */
+    MSIDMATSSilentStatusSuccess = 0,
+    
+    /**
+     * User cancelled the silent token request
+     */
+    MSIDMATSSilentStatusUserCancel = 1,
+    
+    /**
+     * Silent attempt concluded that user interaction is required
+     */
+    MSIDMATSSilentStatusUserInteractionRequired = 3,
+    
+    /**
+     * Silent attempt hit a provider error (e.g., refresh token expired)
+     */
+    MSIDMATSSilentStatusProviderError = 5
+};
+
+typedef NSString *MSIDMATSDeviceJoinStatus NS_TYPED_ENUM;
+extern MSIDMATSDeviceJoinStatus const MSIDMATSDeviceJoinStatusNotJoined;
+extern MSIDMATSDeviceJoinStatus const MSIDMATSDeviceJoinStatusAADJ; 
+
+/**
+ * Microsoft Authentication Telemetry System (MATS) Report
+ *
+ * This class represents detailed telemetry information about the token acquisition process
+ * that the native broker returns to MSAL.js. MSAL.js will record these fields in its
+ * telemetry if the broker provides them. This telemetry helps correlate broker operations
+ * (like cache hits, device state, or errors) with MSAL.js events.
+ */
+@interface MSIDBrokerOperationBrowserNativeMessageMATSReport : NSObject <MSIDJsonSerializable>
+
+/**
+ * Indicates if the token came from cache.
+ *
+ * A boolean flag where YES (1) means the broker returned a cached token without a network call,
+ * and NO (0) means a network request was made to acquire a new token. This helps measure
+ * how often silent SSO worked via cache vs network.
+ *
+ * Example: YES (token was served from cache), NO (fresh call required)
+ */
+@property (nonatomic) BOOL isCached;
+
+/**
+ * Version of the broker handling the request.
+ *
+ * Example:  "3.9.0"
+ */
+@property (nonatomic, nullable) NSString *brokerVersion;
+
+/**
+ * Device's AAD join status.
+ *
+ * Indicates the device's registration state in Entra ID (Azure AD). Possible values:
+ * - MSIDMATSDeviceJoinStatusAADJ (@"aadj") - Device is Azure AD joined (managed by org)
+ * - MSIDMATSDeviceJoinStatusNotJoined (@"not_joined") - Device is not joined to AAD
+ * This field helps identify if device is corporate-managed or personal.
+ *
+ * Example: MSIDMATSDeviceJoinStatusAADJ (managed device), MSIDMATSDeviceJoinStatusNotJoined (personal device)
+ */
+@property (nonatomic, nullable) MSIDMATSDeviceJoinStatus deviceJoin;
+
+/**
+ * Type of prompt that occurred.
+ */
+@property (nonatomic) MSIDPromptType promptBehavior;
+
+/**
+ * Broker/IDP error code.
+ *
+ * A numeric code representing the error if the token request failed. 0 if the operation
+ * succeeded or no specific error.
+ *
+ * Example: 0 (no error, success)
+ */
+@property (nonatomic) NSInteger apiErrorCode;
+
+/**
+ * Was UI shown?
+ *
+ * Boolean flag: YES if the broker showed any UI to the user. NO if the entire flow was silent/invisible.
+ * This directly indicates if the user was interrupted with a prompt.
+ *
+ * Example: YES (user saw sign-in window), NO (completely silent SSO).
+ */
+@property (nonatomic) BOOL uiVisible;
+
+/**
+ * Silent attempt error code.
+ *
+ * If the broker attempted to get a token silently (using cached credentials or refresh
+ * token) and that attempt failed, this is the error code from the silent try. 0 if
+ * silent succeeded or no error was encountered silently.
+ *
+ * Example: 0 (silent succeeded or not attempted)
+ */
+@property (nonatomic) NSInteger silentCode;
+
+/**
+ * Silent attempt error message.
+ *
+ * A short text description of why the silent attempt failed, if an error occurred.
+ * Including this helps debugging exact silent failure reasons.
+ *
+ * Example: @"" (silent succeeded), @"The web page and the redirect uri must be on the same origin."
+ */
+@property (nonatomic, nullable) NSString *silentMessage;
+
+/**
+ * Outcome of silent request (status code).
+ *
+ * Corresponds to the broker's internal status enum for a silent token attempt.
+ * Values based on WebTokenRequestStatus:
+ * - MSIDMATSSilentStatusSuccess (0) - Silent token obtained successfully
+ * - MSIDMATSSilentStatusUserCancel (1) - User cancelled the silent token request
+ * - MSIDMATSSilentStatusUserInteractionRequired (3) - Silent attempt concluded that user interaction is required
+ * - MSIDMATSSilentStatusProviderError (5) - Silent attempt hit a provider error
+ *
+ * Example: MSIDMATSSilentStatusSuccess (silent success), MSIDMATSSilentStatusUserInteractionRequired (interaction required)
+ */
+@property (nonatomic) MSIDMATSSilentStatus silentStatus;
+
+/**
+ * HTTP response code from token endpoint.
+ *
+ * If the broker made a network request to AAD (for token, device code, etc.), this
+ * captures the HTTP status code. 200 for success, 4xx/5xx for various errors.
+ * Will be 0 if no network call occurred (e.g., fully cached token).
+ *
+ * Example: 200 (token obtained successfully), 400 (bad request), 500 (server error)
+ */
+@property (nonatomic) NSInteger httpStatus;
+
+/**
+ * JSON string representation of the report.
+ *
+ * Converts the MATS report into a JSON string format for easy logging or transmission.
+ *
+ * @return A JSON string representing the MATS report, or nil if serialization fails.
+ */
+- (NSString *)jsonString;
+
+@end
+
+NS_ASSUME_NONNULL_END

IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrokerOperationBrowserNativeMessageMATSReport.h

@@ -0,0 +1,138 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+#import "MSIDBrokerOperationBrowserNativeMessageMATSReport.h"
+#import "NSDictionary+MSIDExtensions.h"
+#import "MSIDPromptType_Internal.h"
+
+NSString *const MSID_MATS_IS_CACHED_KEY = @"is_cached";
+NSString *const MSID_MATS_BROKER_VERSION_KEY = @"broker_version";
+NSString *const MSID_MATS_DEVICE_JOIN_KEY = @"device_join";
+NSString *const MSID_MATS_PROMPT_BEHAVIOR_KEY = @"prompt_behavior";
+NSString *const MSID_MATS_API_ERROR_CODE_KEY = @"api_error_code";
+NSString *const MSID_MATS_UI_VISIBLE_KEY = @"ui_visible";
+NSString *const MSID_MATS_SILENT_CODE_KEY = @"silent_code";
+NSString *const MSID_MATS_SILENT_MESSAGE_KEY = @"silent_message";
+NSString *const MSID_MATS_SILENT_STATUS_KEY = @"silent_status";
+NSString *const MSID_MATS_HTTP_STATUS_KEY = @"http_status";
+NSString *const MSID_MATS_HTTP_EVENT_COUNT_KEY = @"http_event_count";
+
+// Device Join Status Constants
+MSIDMATSDeviceJoinStatus const MSIDMATSDeviceJoinStatusAADJ = @"aadj";
+MSIDMATSDeviceJoinStatus const MSIDMATSDeviceJoinStatusNotJoined = @"not_joined";
+
+@implementation MSIDBrokerOperationBrowserNativeMessageMATSReport
+
+- (instancetype)init
+{
+    self = [super init];
+    if (self)
+    {
+        // Initialize with default values.
+        _isCached = NO;
+        _apiErrorCode = 0;
+        _uiVisible = NO;
+        _silentCode = 0;
+        _silentStatus = MSIDMATSSilentStatusSuccess;
+        _httpStatus = 0;
+    }
+    return self;
+}
+
+- (NSString *)description
+{
+    return [NSString stringWithFormat:@"MSIDBrokerOperationBrowserNativeMessageMATSReport: isCached: %@, brokerVersion: %@, deviceJoin: %@, promptBehavior: %@, apiErrorCode: %ld, uiVisible: %@, silentCode: %ld, silentMessage: %@, silentStatus: %ld, httpStatus: %ld",
+            @(self.isCached),
+            self.brokerVersion,
+            self.deviceJoin,
+            MSIDPromptParamFromType(self.promptBehavior),
+            (long)self.apiErrorCode,
+            @(self.uiVisible),
+            (long)self.silentCode,
+            self.silentMessage,
+            (long)self.silentStatus,
+            (long)self.httpStatus];
+}
+
+#pragma mark - MSIDJsonSerializable
+
+- (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing *)error
+{
+    self = [super init];
+    if (!self) return nil;
+    
+    _isCached = [json msidBoolObjectForKey:MSID_MATS_IS_CACHED_KEY];
+    _brokerVersion = [json msidStringObjectForKey:MSID_MATS_BROKER_VERSION_KEY];
+    _deviceJoin = [json msidStringObjectForKey:MSID_MATS_DEVICE_JOIN_KEY];
+    NSString *promptString = [json msidStringObjectForKey:MSID_MATS_PROMPT_BEHAVIOR_KEY];
+    _promptBehavior = MSIDPromptTypeFromString(promptString);
+    _apiErrorCode = [json msidIntegerObjectForKey:MSID_MATS_API_ERROR_CODE_KEY];
+    _uiVisible = [json msidBoolObjectForKey:MSID_MATS_UI_VISIBLE_KEY];
+    _silentCode = [json msidIntegerObjectForKey:MSID_MATS_SILENT_CODE_KEY];
+    _silentMessage = [json msidStringObjectForKey:MSID_MATS_SILENT_MESSAGE_KEY];
+    _silentStatus = [json msidIntegerObjectForKey:MSID_MATS_SILENT_STATUS_KEY];
+    _httpStatus = [json msidIntegerObjectForKey:MSID_MATS_HTTP_STATUS_KEY];
+    
+    return self;
+}
+
+- (NSDictionary *)jsonDictionary
+{
+    NSMutableDictionary *json = [NSMutableDictionary new];
+    
+    json[MSID_MATS_IS_CACHED_KEY] = @(self.isCached);
+    if (self.brokerVersion) json[MSID_MATS_BROKER_VERSION_KEY] = self.brokerVersion;
+    if (self.deviceJoin) json[MSID_MATS_DEVICE_JOIN_KEY] = self.deviceJoin;
+    
+    NSString *promptString = MSIDPromptParamFromType(self.promptBehavior);
+    if (![NSString msidIsStringNilOrBlank:promptString]) json[MSID_MATS_PROMPT_BEHAVIOR_KEY] = promptString;
+    
+    json[MSID_MATS_API_ERROR_CODE_KEY] = @(self.apiErrorCode);
+    json[MSID_MATS_UI_VISIBLE_KEY] = @(self.uiVisible);
+    json[MSID_MATS_SILENT_CODE_KEY] = @(self.silentCode);
+    json[MSID_MATS_SILENT_MESSAGE_KEY] = self.silentMessage;
+    json[MSID_MATS_SILENT_STATUS_KEY] = @(self.silentStatus);
+    json[MSID_MATS_HTTP_STATUS_KEY] = @(self.httpStatus);
+    
+    return json;
+}
+
+- (NSString *)jsonString
+{
+    NSDictionary *matsDict = [self jsonDictionary];
+    if (matsDict)
+    {
+        NSString *matsString = [matsDict msidJSONSerializeWithContext:nil];
+        if (!matsString)
+        {
+            MSID_LOG_WITH_CTX(MSIDLogLevelWarning, nil, @"Failed to serialize MATS report to JSON string.");
+        }
+        
+        return matsString;
+    }
+    
+    return nil;
+}
+
+@end

IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrokerOperationBrowserNativeMessageMATSReport.m

@@ -26,6 +26,7 @@
 #import "MSIDBrokerNativeAppOperationResponse.h"
 
 @class MSIDBrokerOperationTokenResponse;
+@class MSIDBrokerOperationBrowserNativeMessageMATSReport;
 
 NS_ASSUME_NONNULL_BEGIN
 
@@ -35,6 +36,8 @@ NS_ASSUME_NONNULL_BEGIN
 - (instancetype _Nullable)initWithTokenResponse:(nonnull MSIDBrokerOperationTokenResponse *)tokenResponse;
 
 @property (nonatomic, nullable) NSString *state;
+@property (nonatomic, nullable) MSIDBrokerOperationBrowserNativeMessageMATSReport *matsReport;
+
 
 @end
 

IdentityCore/src/broker_operation/response/browser_native_message_response/MSIDBrowserNativeMessageGetTokenResponse.h

@@ -20,13 +20,14 @@
 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.  
+// THE SOFTWARE.
 
 
 #import "MSIDBrowserNativeMessageGetTokenResponse.h"
 #import "MSIDBrokerOperationTokenResponse.h"
 #import "MSIDTokenResponse.h"
 #import "MSIDOAuth2Constants.h"
+#import "MSIDBrokerOperationBrowserNativeMessageMATSReport.h"
 
 @interface MSIDBrowserNativeMessageGetTokenResponse()
 
@@ -80,6 +81,9 @@ - (NSDictionary *)jsonDictionary
     __auto_type propertiesJson = [NSMutableDictionary new];
     // TODO: once ests follow the latest protocol, this should be removed. Account ID should be read from accountJson.
     propertiesJson[@"UPN"] = accountJson[@"userName"];
+    // Add MATS report as JSON string
+    propertiesJson[@"MATS"] = [self.matsReport jsonString];
+    
     response[@"properties"] = propertiesJson;
 
     return response;