Native auth: JIT feature implementation (#2293)

This is the last PR that contains all the changes related to the JIT
feature (registration of a new strong authentication method).

MSAL Common PR:
[#2639](AzureAD/microsoft-authentication-library-common-for-android#2639)

Author: nilo-ms

changelog

@@ -2,6 +2,8 @@ MSAL Wiki : https://github.com/AzureAD/microsoft-authentication-library-for-andr
 
 vNext
 ----------
+- [MINOR] Native auth: Add claimsRequest also to getAccessToken and signIn after signUp/SSPR flows (#2278)
+- [MINOR] Native auth: user can now register new strong authentication method when required (#2293)
 
 Version 6.0.1
 ----------
@@ -11,7 +13,6 @@ Version 6.0.0
 ----------
 - [PATCH] Update common @21.0.0
 - [MAJOR] Update minSDK to 21
-- [MINOR] Native auth: Add claimsRequest also to getAccessToken and signIn after signUp/SSPR flows (#2278)
 
 Version 5.10.2
 ----------

common

@@ -32,11 +32,10 @@
 import com.microsoft.identity.client.IAccount;
 import com.microsoft.identity.client.ITenantProfile;
 import com.microsoft.identity.client.MultiTenantAccount;
-import com.microsoft.identity.common.internal.msafederation.google.SignInWithGoogleApi;
-import com.microsoft.identity.common.internal.msafederation.google.SignInWithGoogleCredential;
-import com.microsoft.identity.common.internal.msafederation.google.SignInWithGoogleParameters;
 import com.microsoft.identity.common.internal.platform.AndroidPlatformUtil;
 import com.microsoft.identity.common.java.logging.DiagnosticContext;
+import com.microsoft.identity.common.java.nativeauth.commands.parameters.JITChallengeAuthMethodCommandParameters;
+import com.microsoft.identity.common.java.nativeauth.commands.parameters.JITContinueCommandParameters;
 import com.microsoft.identity.nativeauth.AuthMethod;
 import com.microsoft.identity.nativeauth.NativeAuthPublicClientApplicationConfiguration;
 import com.microsoft.identity.client.PoPAuthenticationScheme;
@@ -1125,6 +1124,104 @@ public static ResetPasswordSubmitNewPasswordCommandParameters createResetPasswor
         return commandParameters;
     }
 
+    /**
+     * Creates command parameter for [[com.microsoft.identity.common.nativeauth.internal.commands.JITChallengeAuthMethodCommand]] of Native Auth
+     * @param configuration PCA configuration
+     * @param tokenCache token cache for storing results
+     * @param verificationContact the email/phone to send the challenge to
+     * @param challengeChannel the channel used to send the challenge
+     * @param challengeType the type of challenge
+     * @param correlationId correlation ID to use in the API request, taken from the previous request in the flow
+     * @param continuationToken Continuation token
+     * @return Command parameter object
+     * @throws ClientException
+     */
+    public static JITChallengeAuthMethodCommandParameters createJITChallengeAuthMethodCommandParameters(
+            @NonNull final NativeAuthPublicClientApplicationConfiguration configuration,
+            @NonNull final OAuth2TokenCache tokenCache,
+            @NonNull final String verificationContact,
+            @NonNull final String challengeChannel,
+            @NonNull final String challengeType,
+            @NonNull final String correlationId,
+            @NonNull final String continuationToken
+    ) throws ClientException {
+        final NativeAuthCIAMAuthority authority = ((NativeAuthCIAMAuthority) configuration.getDefaultAuthority());
+
+        final AbstractAuthenticationScheme authenticationScheme = AuthenticationSchemeFactory.createScheme(
+                AndroidPlatformComponentsFactory.createFromContext(configuration.getAppContext()),
+                null
+        );
+
+        return JITChallengeAuthMethodCommandParameters.builder()
+                .authenticationScheme(authenticationScheme)
+                .platformComponents(AndroidPlatformComponentsFactory.createFromContext(configuration.getAppContext()))
+                .applicationName(configuration.getAppContext().getPackageName())
+                .applicationVersion(getPackageVersion(configuration.getAppContext()))
+                .clientId(configuration.getClientId())
+                .isSharedDevice(configuration.getIsSharedDevice())
+                .redirectUri(configuration.getRedirectUri())
+                .oAuth2TokenCache(tokenCache)
+                .requiredBrokerProtocolVersion(configuration.getRequiredBrokerProtocolVersion())
+                .sdkType(SdkType.MSAL)
+                .sdkVersion(PublicClientApplication.getSdkVersion())
+                .powerOptCheckEnabled(configuration.isPowerOptCheckForEnabled())
+                .authority(authority)
+                .verificationContact(verificationContact)
+                .authMethodChallengeType(challengeType)
+                .continuationToken(continuationToken)
+                .correlationId(correlationId)
+                .challengeChannel(challengeChannel)
+                .build();
+    }
+
+    /**
+     * Creates command parameter for [[com.microsoft.identity.common.nativeauth.internal.commands.JITContinueCommandParameters]] of Native Auth
+     * @param configuration PCA configuration
+     * @param tokenCache token cache for storing results
+     * @param grantType grant type
+     * @param code the code provided by the user
+     * @param correlationId correlation ID to use in the API request, taken from the previous request in the flow
+     * @param continuationToken continuation token
+     * @return Command parameter object
+     * @throws ClientException
+     */
+    public static JITContinueCommandParameters createJITSubmitChallengeCommandParameters(
+             @NonNull final NativeAuthPublicClientApplicationConfiguration configuration,
+             @NonNull final OAuth2TokenCache tokenCache,
+             @NonNull final String grantType,
+             @NonNull final String code,
+             @NonNull final String correlationId,
+             @NonNull final String continuationToken
+    ) throws ClientException {
+        final NativeAuthCIAMAuthority authority = ((NativeAuthCIAMAuthority) configuration.getDefaultAuthority());
+
+        final AbstractAuthenticationScheme authenticationScheme = AuthenticationSchemeFactory.createScheme(
+                AndroidPlatformComponentsFactory.createFromContext(configuration.getAppContext()),
+                null
+        );
+
+        return JITContinueCommandParameters.builder()
+                .authenticationScheme(authenticationScheme)
+                .platformComponents(AndroidPlatformComponentsFactory.createFromContext(configuration.getAppContext()))
+                .applicationName(configuration.getAppContext().getPackageName())
+                .applicationVersion(getPackageVersion(configuration.getAppContext()))
+                .clientId(configuration.getClientId())
+                .isSharedDevice(configuration.getIsSharedDevice())
+                .redirectUri(configuration.getRedirectUri())
+                .oAuth2TokenCache(tokenCache)
+                .requiredBrokerProtocolVersion(configuration.getRequiredBrokerProtocolVersion())
+                .sdkType(SdkType.MSAL)
+                .sdkVersion(PublicClientApplication.getSdkVersion())
+                .powerOptCheckEnabled(configuration.isPowerOptCheckForEnabled())
+                .authority(authority)
+                .grantType(grantType)
+                .continuationToken(continuationToken)
+                .code(code)
+                .correlationId(correlationId)
+                .build();
+    }
+
+
     private static String getPackageVersion(@NonNull final Context context) {
         final String packageName = context.getPackageName();
         try {

msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java

@@ -78,6 +78,7 @@ import com.microsoft.identity.nativeauth.statemachine.results.SignUpResult
 import com.microsoft.identity.nativeauth.statemachine.states.AccountState
 import com.microsoft.identity.nativeauth.statemachine.states.AwaitingMFAState
 import com.microsoft.identity.nativeauth.statemachine.states.Callback
+import com.microsoft.identity.nativeauth.statemachine.states.RegisterStrongAuthState
 import com.microsoft.identity.nativeauth.statemachine.states.ResetPasswordCodeRequiredState
 import com.microsoft.identity.nativeauth.statemachine.states.SignInCodeRequiredState
 import com.microsoft.identity.nativeauth.statemachine.states.SignInContinuationState
@@ -771,6 +772,17 @@ class NativeAuthPublicClientApplication(
                             )
                         }
 
+                        is SignInCommandResult.StrongAuthMethodRegistrationRequired -> {
+                            SignInResult.StrongAuthMethodRegistrationRequired(
+                                nextState = RegisterStrongAuthState(
+                                    continuationToken = result.continuationToken,
+                                    correlationId = result.correlationId,
+                                    config = nativeAuthConfig
+                                ),
+                                authMethods = result.authMethods.toListOfAuthMethods()
+                            )
+                        }
+
                         is INativeAuthCommandResult.Redirect -> {
                             SignInError(
                                 errorType = ErrorTypes.BROWSER_REQUIRED,

msal/src/main/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplication.kt

@@ -0,0 +1,19 @@
+package com.microsoft.identity.nativeauth.parameters
+
+import com.microsoft.identity.nativeauth.AuthMethod
+
+/**
+ * Encapsulates the parameters passed to the challengeAuthMethod methods of RegisterStrongAuthState
+ */
+class NativeAuthChallengeAuthMethodParameters(
+    /**
+     * authentication method to challenge
+     */
+    val authMethod: AuthMethod
+) {
+
+    /**
+     * email to contact to register a new strong authentication method
+     */
+    var verificationContact: String? = null
+}

msal/src/main/java/com/microsoft/identity/nativeauth/parameters/NativeAuthChallengeAuthMethodParameters.kt

@@ -0,0 +1,39 @@
+package com.microsoft.identity.nativeauth.parameters
+
+import com.microsoft.identity.nativeauth.statemachine.states.RegisterStrongAuthVerificationRequiredState
+
+class NativeAuthRegisterStrongAuthVerificationRequiredResultParameter internal constructor(
+    internal val nextState: RegisterStrongAuthVerificationRequiredState,
+    internal val codeLength: Int,
+    internal val sentTo: String,
+    internal val channel: String
+) {
+
+    /**
+     * The next state to use to continue the strong authentication method registration flow.
+     */
+    fun getNextState(): RegisterStrongAuthVerificationRequiredState {
+        return nextState
+    }
+
+    /**
+     * The length of the challenge required by the server.
+     */
+    fun getCodeLength(): Int {
+        return codeLength
+    }
+
+    /**
+     * The email/phone number the challenge was sent to.
+     */
+    fun getSentTo(): String {
+        return sentTo
+    }
+
+    /**
+     * the channel(email/phone) the challenge was sent through.
+     */
+    fun getChannel(): String {
+        return channel
+    }
+}

msal/src/main/java/com/microsoft/identity/nativeauth/parameters/NativeAuthRegisterStrongAuthVerificationRequiredResultParameters.kt

@@ -83,6 +83,12 @@ internal class ErrorTypes {
          */
         const val INVALID_USERNAME = "invalid_username"
 
+        /*
+         * The INVALID_INPUT value indicates the input provided by the user is incorrect.
+         * The input needs be re-submitted.
+         */
+        const val INVALID_INPUT = "invalid_input"
+
         /*
          * The INVALID_STATE value indicates a misconfigured or expired state, or an internal error
          * in state transitions. If this occurs, the flow should be restarted.

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/Error.kt

@@ -0,0 +1,28 @@
+package com.microsoft.identity.nativeauth.statemachine.errors
+
+import com.microsoft.identity.nativeauth.statemachine.results.RegisterStrongAuthChallengeResult
+import com.microsoft.identity.nativeauth.statemachine.results.RegisterStrongAuthSubmitChallengeResult
+
+class RegisterStrongAuthChallengeError(
+    override val errorType: String? = null,
+    override val error: String? = null,
+    override val errorMessage: String?,
+    override val correlationId: String,
+    override val errorCodes: List<Int>? = null,
+    override var exception: Exception? = null
+): RegisterStrongAuthChallengeResult, Error(errorType = errorType, error = error, errorMessage= errorMessage, correlationId = correlationId, errorCodes = errorCodes, exception = exception)
+{
+    fun isInvalidInput(): Boolean = this.errorType == ErrorTypes.INVALID_INPUT
+}
+
+class RegisterStrongAuthSubmitChallengeError(
+    override val errorType: String? = null,
+    override val error: String? = null,
+    override val errorMessage: String?,
+    override val correlationId: String,
+    override val errorCodes: List<Int>? = null,
+    override var exception: Exception? = null
+): RegisterStrongAuthSubmitChallengeResult, Error(errorType = errorType, error = error, errorMessage= errorMessage, correlationId = correlationId, errorCodes = errorCodes, exception = exception)
+{
+    fun isInvalidChallenge(): Boolean = this.errorType == ErrorTypes.INVALID_CHALLENGE
+}

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/errors/JITErrors.kt

@@ -0,0 +1,46 @@
+//  Copyright (c) Microsoft Corporation.
+//  All rights reserved.
+//
+//  This code is licensed under the MIT License.
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files(the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions :
+//
+//  The above copyright notice and this permission notice shall be included in
+//  all copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+//  THE SOFTWARE.
+
+package com.microsoft.identity.nativeauth.statemachine.results
+
+import com.microsoft.identity.nativeauth.parameters.NativeAuthRegisterStrongAuthVerificationRequiredResultParameter
+
+interface RegisterStrongAuthChallengeResult: Result {
+
+    /**
+     * Verification required result, which indicates that a challenge was sent to the user's auth method,
+     * and the server expects the challenge to be verified.
+     *
+     * @param result [com.microsoft.identity.nativeauth.parameters.NativeAuthRegisterStrongAuthVerificationRequiredResultParameter] a parameter object containing the result of the action.
+     */
+    class VerificationRequired(
+        val result: NativeAuthRegisterStrongAuthVerificationRequiredResultParameter
+    ) : RegisterStrongAuthChallengeResult, Result.SuccessResult(nextState = result.nextState)
+
+}
+
+/**
+ * Results related to submit challenge operation, produced by
+ * [com.microsoft.identity.nativeauth.statemachine.states.RegisterStrongAuthVerificationquiredState.submitChallenge]
+ */
+interface RegisterStrongAuthSubmitChallengeResult : Result

msal/src/main/java/com/microsoft/identity/nativeauth/statemachine/results/JITResult.kt

@@ -23,8 +23,10 @@
 
 package com.microsoft.identity.nativeauth.statemachine.results
 
+import com.microsoft.identity.nativeauth.AuthMethod
 import com.microsoft.identity.nativeauth.statemachine.states.AccountState
 import com.microsoft.identity.nativeauth.statemachine.states.AwaitingMFAState
+import com.microsoft.identity.nativeauth.statemachine.states.RegisterStrongAuthState
 import com.microsoft.identity.nativeauth.statemachine.states.SignInCodeRequiredState
 import com.microsoft.identity.nativeauth.statemachine.states.SignInPasswordRequiredState
 
@@ -45,7 +47,9 @@ interface SignInResult : Result {
         SignInResult,
         SignInSubmitCodeResult,
         SignInSubmitPasswordResult,
-        MFASubmitChallengeResult
+        MFASubmitChallengeResult,
+        RegisterStrongAuthChallengeResult,
+        RegisterStrongAuthSubmitChallengeResult
 
     /**
      * CodeRequired Result, which indicates a verification code is required from the user to continue.
@@ -80,6 +84,17 @@ interface SignInResult : Result {
     class MFARequired(
         override val nextState: AwaitingMFAState
     ) : SignInResult, Result.SuccessResult(nextState = nextState), SignInSubmitPasswordResult
+
+    /**
+     * StrongAuthMethodRegistration Result, which indicates that a registration of a strong authentication method is required to continue.
+     *
+     * <strong><u>Warning: this class is experimental. It may be changed in the future without notice. Do not use in production applications.</u></strong>
+     * @param nextState [com.microsoft.identity.nativeauth.statemachine.states.RegisterStrongAuthState] the current state of the flow with follow-on methods.
+     */
+    class StrongAuthMethodRegistrationRequired(
+        override val nextState: RegisterStrongAuthState,
+        val authMethods: List<AuthMethod>
+    ) : SignInResult, SignInSubmitPasswordResult, Result.SuccessResult(nextState = nextState)
 }
 
 /**