Merge branch 'release/1.17.1' into ameyapat/refresh-1.17.0-dev-changes-into-bart

Author: ameyapat

IdentityCore/src/MSIDBrokerConstants.h

@@ -99,6 +99,7 @@ extern NSString * _Nonnull const MSID_IS_CALLER_MANAGED_KEY;
 extern NSString * _Nonnull const MSID_BROKER_PREFERRED_AUTH_CONFIGURATION_KEY;
 extern NSString * _Nonnull const MSID_BROKER_CLIENT_FLIGHTS_KEY;
 extern NSString * _Nonnull const MSID_BROKER_SDM_WPJ_ATTEMPTED;
+extern NSString * _Nonnull const MSID_BART_DEVICE_ID_KEY;
 extern NSString * _Nonnull const MSID_EXP_RETRY_ON_NETWORK;
 extern NSString * _Nonnull const MSID_EXP_ENABLE_CONNECTION_CLOSE;
 extern NSString * _Nonnull const MSID_HTTP_CONNECTION;

IdentityCore/src/MSIDBrokerConstants.m

@@ -97,6 +97,7 @@
 NSString *const MSID_JIT_TROUBLESHOOTING_HOST = @"jit_troubleshooting";
 NSString *const MSID_IS_CALLER_MANAGED_KEY = @"isCallerAppManaged";
 NSString *const MSID_BROKER_SDM_WPJ_ATTEMPTED = @"sdm_reg_attempted";
+NSString *const MSID_BART_DEVICE_ID_KEY = @"bart_device_id";
 NSString *const MSID_FORCE_REFRESH_KEY = @"force_refresh";
 
 // Experiments

IdentityCore/src/MSIDOAuth2Constants.h

@@ -179,6 +179,8 @@ extern NSString *const MSID_CCS_REQUEST_ID_RESPONSE;
 
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY;
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE;
+extern NSString *const MSID_REFRESH_TOKEN_TYPE;
+extern NSString *const MSID_REFRESH_TOKEN_TYPE_BOUND_APP_RT;
 extern NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY;
 extern NSString *const MSID_MSAL_CLIENT_APV_PREFIX;
 extern NSString *const MSID_BOUND_REFRESH_TOKEN_EXCHANGE;

IdentityCore/src/MSIDOAuth2Constants.m

@@ -180,6 +180,8 @@
 NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY            = @"x-ms-srs";
 NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE       = @"ccs-request-sequence";
 
+NSString *const MSID_REFRESH_TOKEN_TYPE                  = @"refresh_token_type";
+NSString *const MSID_REFRESH_TOKEN_TYPE_BOUND_APP_RT     = @"bound_app_rt";
 NSString *const MSID_BOUND_REFRESH_TOKEN_EXCHANGE        = @"bound_rt_exchange";
 NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY           = @"bound_device_id";
 NSString *const MSID_MSAL_CLIENT_APV_PREFIX              = @"MsalClient";

IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m

@@ -48,6 +48,8 @@
 #import "MSIDAuthenticationScheme.h"
 #import "MSIDFamilyRefreshToken.h"
 #import "MSIDAADTokenRequestServerTelemetry.h"
+#import "MSIDBartFeatureUtil.h"
+#import "MSIDBoundRefreshToken.h"
 
 @interface MSIDDefaultTokenCacheAccessor()
 {
@@ -132,6 +134,15 @@ - (MSIDRefreshToken *)getRefreshTokenWithAccount:(MSIDAccountIdentifier *)accoun
                                          context:(id<MSIDRequestContext>)context
                                            error:(NSError *__autoreleasing *)error
 {
+    MSIDBoundRefreshToken *boundAppRefreshToken = [self getBoundApplicationRefreshTokenWithAccount:accountIdentifier
+                                                                                          familyId:familyId
+                                                                                     configuration:configuration
+                                                                                           context:context
+                                                                                             error:error];
+    if (boundAppRefreshToken)
+    {
+        return boundAppRefreshToken;
+    }
     NSError *frtError = nil;
     MSIDIsFRTEnabledStatus frtStatus = [_accountCredentialCache checkFRTEnabled:context error:&frtError];
     BOOL frtEnabled = frtStatus == MSIDIsFRTEnabledStatusEnabled;
@@ -151,7 +162,6 @@ - (MSIDRefreshToken *)getRefreshTokenWithAccount:(MSIDAccountIdentifier *)accoun
 #endif
 
     MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType;
-    
     MSIDRefreshToken *refreshToken =  [self getRefreshableTokenWithAccount:accountIdentifier
                                                                   familyId:familyId
                                                             credentialType:credentialType
@@ -193,6 +203,44 @@ - (MSIDRefreshToken *)getRefreshTokenWithAccount:(MSIDAccountIdentifier *)accoun
     return nil;
 }
 
+/// Get a bound refresh token if available. Returns nil if not found or if feature is disabled.
+- (MSIDBoundRefreshToken *)getBoundApplicationRefreshTokenWithAccount:(MSIDAccountIdentifier *)accountIdentifier
+                                                             familyId:(NSString *)familyId
+                                                        configuration:(MSIDConfiguration *)configuration
+                                                              context:(id<MSIDRequestContext>)context
+                                                                error:(NSError *__autoreleasing *)error
+{
+    MSIDBoundRefreshToken *boundAppRefreshToken;
+    if ([[MSIDBartFeatureUtil sharedInstance] isBartFeatureEnabled])
+    {
+        boundAppRefreshToken = (MSIDBoundRefreshToken *)[self getRefreshableTokenWithAccount:accountIdentifier
+                                                                                    familyId:familyId
+                                                                              credentialType:MSIDBoundRefreshTokenType
+                                                                               configuration:configuration
+                                                                                     context:context
+                                                                                       error:error];
+        if (boundAppRefreshToken)
+        {
+            return boundAppRefreshToken;
+        }
+        for (id<MSIDCacheAccessor> accessor in _otherAccessors)
+        {
+            boundAppRefreshToken = (MSIDBoundRefreshToken *)[accessor getRefreshTokenWithAccount:accountIdentifier
+                                                                                        familyId:familyId
+                                                                                   configuration:configuration
+                                                                                         context:context
+                                                                                           error:error];
+            
+            if (boundAppRefreshToken)
+            {
+                MSID_LOG_WITH_CTX(MSIDLogLevelInfo, context, @"(Default accessor) Found Bound app refresh token in a different accessor %@", [accessor class]);
+                return boundAppRefreshToken;
+            }
+        }
+    }
+    return nil;
+}
+
 - (MSIDPrimaryRefreshToken *)getPrimaryRefreshTokenWithAccount:(MSIDAccountIdentifier *)accountIdentifier
                                                       familyId:(NSString *)familyId
                                                  configuration:(MSIDConfiguration *)configuration
@@ -254,7 +302,14 @@ - (MSIDRefreshToken *)getRefreshableTokenWithAccount:(MSIDAccountIdentifier *)ac
                                              context:(id<MSIDRequestContext>)context
                                                error:(NSError *__autoreleasing *)error
 {
-    if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType && credentialType != MSIDFamilyRefreshTokenType) return nil;
+    BOOL shouldQueryBarts = [[MSIDBartFeatureUtil sharedInstance] isBartFeatureEnabled];
+    if (credentialType != MSIDRefreshTokenType &&
+        credentialType != MSIDPrimaryRefreshTokenType &&
+        credentialType != MSIDFamilyRefreshTokenType &&
+        (!shouldQueryBarts || credentialType != MSIDBoundRefreshTokenType))
+    {
+        return nil;
+    }
 
     // For nested auth, get the RT using the broker/hub's client id
     NSString *clientId = [configuration isNestedAuthProtocol] ? configuration.nestedAuthBrokerClientId : configuration.clientId;
@@ -817,12 +872,20 @@ - (BOOL)validateAndRemoveRefreshToken:(MSIDRefreshToken *)token
         MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"Error checking FRT enabled status, not using new FRT.");
     }
 
-    MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType;
+    BOOL result;
+    if ([[MSIDBartFeatureUtil sharedInstance] isBartFeatureEnabled])
+    {
+        result = [self validateAndRemoveRefreshableToken:token
+                                          credentialType:MSIDBoundRefreshTokenType
+                                                 context:context
+                                                   error:error];
+    }
 
-    BOOL result = [self validateAndRemoveRefreshableToken:token
-                                           credentialType:credentialType
-                                                  context:context
-                                                    error:error];
+    MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType;
+    result = [self validateAndRemoveRefreshableToken:token
+                                      credentialType:credentialType
+                                             context:context
+                                               error:error];
 
     // If family refresh token is not enabled, return list of regular refresh tokens
     if (!frtEnabled)
@@ -851,7 +914,11 @@ - (BOOL)validateAndRemoveRefreshableToken:(MSIDRefreshToken *)token
                                   context:(id<MSIDRequestContext>)context
                                     error:(NSError *__autoreleasing*)error
 {
-    if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType && credentialType != MSIDFamilyRefreshTokenType)
+    BOOL shouldBartBeRemoved = [[MSIDBartFeatureUtil sharedInstance] isBartFeatureEnabled];
+    if (credentialType != MSIDRefreshTokenType &&
+        credentialType != MSIDPrimaryRefreshTokenType &&
+        credentialType != MSIDFamilyRefreshTokenType &&
+        (!shouldBartBeRemoved || credentialType != MSIDBoundRefreshTokenType))
     {
         return NO;
     }
@@ -995,6 +1062,20 @@ - (BOOL)saveRefreshTokenWithConfiguration:(MSIDConfiguration *)configuration
 
     if (![NSString msidIsStringNilOrBlank:refreshToken.familyId])
     {
+        // If FRT is a bound refresh token, we can assume it to be sFRT bound app refresh token
+        if ([[MSIDBartFeatureUtil sharedInstance] isBartFeatureEnabled] &&
+            refreshToken.credentialType == MSIDBoundRefreshTokenType)
+        {
+            MSIDBoundRefreshToken *bart = (MSIDBoundRefreshToken *)refreshToken;
+            if (bart && bart.boundDeviceId)
+            {
+                MSID_LOG_WITH_CTX_PII(MSIDLogLevelVerbose, context, @"(Default accessor) Saving the sFRT as family bound refresh token %@", MSID_EUII_ONLY_LOG_MASKABLE(refreshToken));
+                return [self saveToken:refreshToken
+                               context:context
+                                 error:error];
+            }
+        }
+        
         NSError *frtError = nil;
         // Check if FRT is enabled, this will update the configuration object, and then use it to decide if
         // we should save the token as FRT or legacy RT (with familyId, if it contains that value).
@@ -1066,7 +1147,9 @@ - (BOOL)removeToken:(MSIDBaseToken *)token
     CONDITIONAL_START_CACHE_EVENT(event, MSID_TELEMETRY_EVENT_TOKEN_CACHE_DELETE, context);
     BOOL result = [_accountCredentialCache removeCredential:token.tokenCacheItem context:context error:error];
 
-    if (result && (token.credentialType == MSIDRefreshTokenType || token.credentialType == MSIDFamilyRefreshTokenType))
+    if (result && (token.credentialType == MSIDRefreshTokenType ||
+                   token.credentialType == MSIDFamilyRefreshTokenType ||
+                   ([[MSIDBartFeatureUtil sharedInstance] isBartFeatureEnabled] && token.credentialType == MSIDBoundRefreshTokenType)))
     {
         [_accountCredentialCache saveWipeInfoWithContext:context error:nil];
     }
@@ -1131,7 +1214,9 @@ - (MSIDBaseToken *)getTokenWithEnvironment:(NSString *)environment
         return resultTokens[0];
     }
 
-    if (cacheQuery.credentialType == MSIDRefreshTokenType || cacheQuery.credentialType == MSIDFamilyRefreshTokenType)
+    if (cacheQuery.credentialType == MSIDRefreshTokenType ||
+            cacheQuery.credentialType == MSIDFamilyRefreshTokenType ||
+            ([[MSIDBartFeatureUtil sharedInstance] isBartFeatureEnabled] && cacheQuery.credentialType == MSIDBoundRefreshTokenType))
     {
         NSError *wipeError = nil;
         CONDITIONAL_STOP_FAILED_CACHE_EVENT(event, [_accountCredentialCache wipeInfoWithContext:context error:&wipeError], context);
@@ -1288,7 +1373,6 @@ - (BOOL)saveAccount:(MSIDAccount *)account
     }
 
     MSIDCredentialType credentialType = frtEnabled ? MSIDFamilyRefreshTokenType : MSIDRefreshTokenType;
-    
     NSSet<NSString *> *firstSet = [self homeAccountIdsFromRTsWithAuthority:authority
                                                                   clientId:clientId
                                                                   familyId:familyId
@@ -1303,6 +1387,28 @@ - (BOOL)saveAccount:(MSIDAccount *)account
         return firstSet;
     }
 
+    if ([[MSIDBartFeatureUtil sharedInstance] isBartFeatureEnabled])
+    {
+        NSSet<NSString *> *bartSet = [self homeAccountIdsFromRTsWithAuthority:authority
+                                                                     clientId:clientId
+                                                                     familyId:familyId
+                                                               credentialType:MSIDBoundRefreshTokenType
+                                                       accountCredentialCache:accountCredentialCache
+                                                                      context:context
+                                                                        error:error];
+        if (bartSet)
+        {
+            [firstSet setByAddingObjectsFromSet:bartSet];
+        }
+        else
+        {
+            if (error)
+            {
+                MSID_LOG_WITH_CTX(MSIDLogLevelError, context, @"(Default accessor) Failed to retrieve homeAccountIds from BARTs: %@", MSID_PII_LOG_MASKABLE(*error));
+            }
+        }
+    }
+    
     NSSet<NSString *> *secondSet = [self homeAccountIdsFromRTsWithAuthority:authority
                                                                    clientId:clientId
                                                                    familyId:familyId

IdentityCore/src/oauth2/MSIDOauth2Factory.m

@@ -27,6 +27,7 @@
 #import "MSIDAccessToken.h"
 #import "MSIDBaseToken.h"
 #import "MSIDRefreshToken.h"
+#import "MSIDBoundRefreshToken.h"
 #import "MSIDLegacySingleResourceToken.h"
 #import "MSIDIdToken.h"
 #import "MSIDAccount.h"
@@ -170,6 +171,10 @@ - (MSIDRefreshToken *)refreshTokenFromResponse:(MSIDTokenResponse *)response
     BOOL result = [self fillRefreshToken:refreshToken fromResponse:response configuration:configuration];
 
     if (!result) return nil;
+    if (refreshToken && [self doesResponseHaveBoundAppRefreshToken:response])
+    {
+        return [[MSIDBoundRefreshToken alloc] initWithRefreshToken:refreshToken boundDeviceId:response.boundAppRefreshTokenDeviceId];
+    }
     return refreshToken;
 }
 
@@ -411,6 +416,13 @@ - (BOOL)fillAppMetadata:(MSIDAppMetadataCacheItem *)metadata
     return YES;
 }
 
+- (BOOL)doesResponseHaveBoundAppRefreshToken:(MSIDTokenResponse *)response
+{
+    return ![NSString msidIsStringNilOrBlank:response.boundAppRefreshTokenDeviceId] &&
+    ([MSID_REFRESH_TOKEN_TYPE_BOUND_APP_RT isEqualToString:response.additionalServerInfo[MSID_REFRESH_TOKEN_TYPE]] ||
+                [response.additionalServerInfo[MSID_BART_DEVICE_ID_KEY] length] > 0);
+}
+
 #pragma mark - Webview
 - (MSIDWebviewFactory *)webviewFactory
 {

IdentityCore/src/oauth2/MSIDTokenResponse.h

@@ -95,6 +95,8 @@
 
 @property (nonatomic) BOOL createdFromCache;
 
+@property (nonatomic, nullable) NSString *boundAppRefreshTokenDeviceId;
+
 - (nullable instancetype)initWithJSONDictionary:(nonnull NSDictionary *)json
                                    refreshToken:(nullable MSIDBaseToken<MSIDRefreshableToken> *)token
                                           error:(NSError * _Nullable __autoreleasing *_Nullable)error;

IdentityCore/src/oauth2/MSIDTokenResponse.m

@@ -170,6 +170,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__au
         _stsErrorCodes = [json msidArrayOfIntegersForKey: MSID_OAUTH2_ERROR_CODES];
         _errorDescription = [[json msidStringObjectForKey:MSID_OAUTH2_ERROR_DESCRIPTION] msidURLDecode];
         _clientAppVersion = [json msidStringObjectForKey:MSID_BROKER_CLIENT_APP_VERSION_KEY];
+        _boundAppRefreshTokenDeviceId = [json msidStringObjectForKey:MSID_BART_DEVICE_ID_KEY];
         [self setAdditionalServerInfo:json];
     }
 

IdentityCore/src/oauth2/token/MSIDBoundRefreshToken.m

@@ -54,18 +54,10 @@ - (instancetype)initWithRefreshToken:(MSIDRefreshToken *)refreshToken
 
 - (instancetype)initWithTokenCacheItem:(MSIDCredentialCacheItem *)tokenCacheItem
 {
-    if (![tokenCacheItem isKindOfClass:[MSIDBoundRefreshTokenCacheItem class]])
-    {
-        MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Failed to create bound refresh token: tokenCacheItem is not of type MSIDBoundRefreshTokenCacheItem.");
-        return nil;
-    }
-
-    MSIDBoundRefreshTokenCacheItem *boundTokenCacheItem = (MSIDBoundRefreshTokenCacheItem *)tokenCacheItem;
-    self = [super initWithTokenCacheItem:boundTokenCacheItem];
-    
+    self = [super initWithTokenCacheItem:tokenCacheItem];
     if (self)
     {
-        NSDictionary *jsonDictionary = boundTokenCacheItem.jsonDictionary;
+        NSDictionary *jsonDictionary = tokenCacheItem.jsonDictionary;
         _boundDeviceId = [jsonDictionary msidObjectForKey:MSID_BOUND_DEVICE_ID_CACHE_KEY ofClass:[NSString class]];
         if ([NSString msidIsStringNilOrBlank:_boundDeviceId])
         {

IdentityCore/src/requests/sdk/MSIDTokenResponseValidator.m

@@ -29,6 +29,7 @@
 #import "MSIDBrokerResponse.h"
 #import "MSIDAccessToken.h"
 #import "MSIDRefreshToken.h"
+#import "MSIDBoundRefreshToken.h"
 #import "MSIDBasicContext.h"
 #import "MSIDAccountMetadataCacheAccessor.h"
 #import "MSIDAccountIdentifier.h"
@@ -262,6 +263,12 @@ - (MSIDTokenResult *)validateAndSaveTokenResponse:(MSIDTokenResponse *)tokenResp
         return nil;
     }
 
+    if ([MSID_REFRESH_TOKEN_TYPE_BOUND_APP_RT isEqualToString:tokenResponse.additionalServerInfo[MSID_REFRESH_TOKEN_TYPE]] && tokenResponse.boundAppRefreshTokenDeviceId)
+    {
+        tokenResult.refreshToken = [[MSIDBoundRefreshToken alloc] initWithRefreshToken:(MSIDRefreshToken *)tokenResult.refreshToken
+                                                                         boundDeviceId:tokenResponse.boundAppRefreshTokenDeviceId];
+    }
+
     //save metadata
     NSError *authorityError;
     MSIDAuthority *resultingAuthority = [factory resultAuthorityWithConfiguration:parameters.msidConfiguration tokenResponse:tokenResponse error:&authorityError];