Native auth: add backward compatibility feature (capabilities) (#2645)

* Native auth: backward compatibility, add new capabilities parameter  (#2635)

* add new capabilities ns option, add new config class for native auth

* add public comments, add new init and deprecated old methods

* Rename internal config class, call one single init method in application class

* fix issue on super init method

* Add capabilities to internal configuration

* send capabilities to first call of each flows

* call new init application method

* use correct comment

* fix unit tests

* fix integration and unit tests

* add new tests for request parameters and capabilities

* add new tests

* fix indentation, rename test variables

* remove unused method

* rewording public capabilities comment

* removed otp challenge type because not required

* Native auth: add redirect reason to all native auth HTTP response (#2642)

* add new capabilities ns option, add new config class for native auth

* add public comments, add new init and deprecated old methods

* Rename internal config class, call one single init method in application class

* fix issue on super init method

* Add capabilities to internal configuration

* send capabilities to first call of each flows

* call new init application method

* use correct comment

* fix unit tests

* fix integration and unit tests

* add new tests for request parameters and capabilities

* add new tests

* parse new field redirect reason and send browser required when needed

* parse token response when redirect response is received

* add new test for native auth CIAM token response

* add browser required to all SDK public error responses

* add new test for redirect

* create generic native auth error to remove repeated code

* add new tests for redirect in controllers

* add new test for duplicate capabilities

* add new tests for redirect

* update changelog

* New integration tests for redirect

* fix bugs for SSPR responses, all fields should be optional

* add new test, remove todo comment

* address PR comments

Author: nilo-ms

CHANGELOG.md

@@ -1,3 +1,6 @@
+## TBD
+* Make native auth MFA feature more backward compatible (#2645)
+
 ## [2.1.0]
 * Integrate Broker XPC service into Mac Sample app
 * Update minimum supported version to iOS 16.0 and macOS 11.0 (#2623)

MSAL/MSAL.xcodeproj/project.pbxproj

@@ -27,11 +27,9 @@ class MSALNativeAuthSilentTokenProvider: MSALNativeAuthSilentTokenProviding {
 
     private let application: MSALNativeAuthPublicClientApplication?
 
-    init(
-        configuration config: MSALPublicClientApplicationConfig,
-        challengeTypes: MSALNativeAuthChallengeTypes) throws {
-            self.application = try? MSALNativeAuthPublicClientApplication(configuration: config, challengeTypes: challengeTypes)
-        }
+    init(configuration: MSALNativeAuthPublicClientApplicationConfig) throws {
+        self.application = try? MSALNativeAuthPublicClientApplication(nativeAuthConfiguration: configuration)
+    }
 
     func acquireTokenSilent(parameters: MSALSilentTokenParameters,
                             completionBlock: @escaping MSALNativeAuthSilentTokenResponse) {

MSAL/src/native_auth/client_application_wrapper/silent_token/MSALNativeAuthSilentTokenProvider.swift

@@ -23,6 +23,5 @@
 // THE SOFTWARE.  
 
 protocol MSALNativeAuthSilentTokenProviderBuildable {
-    func makeSilentTokenProvider(configuration: MSALPublicClientApplicationConfig,
-                                 challengeTypes: MSALNativeAuthChallengeTypes) throws -> MSALNativeAuthSilentTokenProviding?
+    func makeSilentTokenProvider(configuration: MSALNativeAuthPublicClientApplicationConfig) throws -> MSALNativeAuthSilentTokenProviding?
 }

MSAL/src/native_auth/client_application_wrapper/silent_token/factory/MSALNativeAuthSilentTokenProviderBuildable.swift

@@ -23,8 +23,7 @@
 // THE SOFTWARE.  
 
 class MSALNativeAuthSilentTokenProviderFactory: MSALNativeAuthSilentTokenProviderBuildable {
-    func makeSilentTokenProvider(configuration: MSALPublicClientApplicationConfig,
-                                 challengeTypes: MSALNativeAuthChallengeTypes) throws -> MSALNativeAuthSilentTokenProviding? {
-        return try? MSALNativeAuthSilentTokenProvider(configuration: configuration, challengeTypes: challengeTypes)
+    func makeSilentTokenProvider(configuration: MSALNativeAuthPublicClientApplicationConfig) throws -> MSALNativeAuthSilentTokenProviding? {
+        return try? MSALNativeAuthSilentTokenProvider(configuration: configuration)
     }
 }

MSAL/src/native_auth/client_application_wrapper/silent_token/factory/MSALNativeAuthSilentTokenProviderFactory.swift

@@ -0,0 +1,92 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+@_implementationOnly import MSAL_Private
+
+struct MSALNativeAuthInternalConfiguration {
+    var challengeTypesString: String {
+        return challengeTypes.map { $0.rawValue }.joined(separator: " ")
+    }
+
+    var capabilitiesString: String? {
+        return capabilities?.map { $0.rawValue }.joined(separator: " ")
+    }
+
+    let clientId: String
+    let authority: MSIDCIAMAuthority
+    let challengeTypes: [MSALNativeAuthInternalChallengeType]
+    let capabilities: [MSALNativeAuthInternalCapability]?
+    let redirectUri: String?
+    var sliceConfig: MSALSliceConfig?
+
+    init(
+        clientId: String,
+        authority: MSALCIAMAuthority,
+        challengeTypes: MSALNativeAuthChallengeTypes,
+        capabilities: MSALNativeAuthCapabilities?,
+        redirectUri: String?) throws {
+        self.clientId = clientId
+        self.authority = try MSIDCIAMAuthority(
+            url: authority.url,
+            validateFormat: false,
+            context: MSALNativeAuthRequestContext()
+        )
+        self.challengeTypes = MSALNativeAuthInternalConfiguration.getInternalChallengeTypes(challengeTypes)
+        self.capabilities = MSALNativeAuthInternalConfiguration.getInternalCapabilities(capabilities)
+        self.redirectUri = redirectUri
+    }
+
+    private static func getInternalChallengeTypes(
+        _ challengeTypes: MSALNativeAuthChallengeTypes
+    ) -> [MSALNativeAuthInternalChallengeType] {
+        var internalChallengeTypes = [MSALNativeAuthInternalChallengeType]()
+
+        if challengeTypes.contains(.OOB) {
+            internalChallengeTypes.append(.oob)
+        }
+
+        if challengeTypes.contains(.password) {
+            internalChallengeTypes.append(.password)
+        }
+
+        internalChallengeTypes.append(.redirect)
+        return internalChallengeTypes
+    }
+
+    private static func getInternalCapabilities(
+        _ capabilities: MSALNativeAuthCapabilities?
+    ) -> [MSALNativeAuthInternalCapability]? {
+        guard let capabilities else { return nil }
+        var internalCapabilities: [MSALNativeAuthInternalCapability] = []
+
+        if capabilities.contains(.mfaRequired) {
+            internalCapabilities.append(.mfaRequired)
+        }
+
+        if capabilities.contains(.registrationRequired) {
+            internalCapabilities.append(.registrationRequired)
+        }
+        return internalCapabilities
+    }
+}

MSAL/src/native_auth/configuration/MSALNativeAuthInternalConfiguration.swift

@@ -54,7 +54,7 @@ class MSALNativeAuthTokenController: MSALNativeAuthBaseController {
     func performAndValidateTokenRequest(
         _ request: MSIDHttpRequest,
         context: MSALNativeAuthRequestContext) async -> MSALNativeAuthTokenValidatedResponse {
-            let ciamTokenResponse: Result<MSIDCIAMTokenResponse, Error> = await performTokenRequest(request, context: context)
+            let ciamTokenResponse: Result<MSALNativeAuthCIAMTokenResponse, Error> = await performTokenRequest(request, context: context)
             return responseValidator.validate(
                 context: context,
                 result: ciamTokenResponse
@@ -206,7 +206,10 @@ extension MSALNativeAuthTokenController {
         }
     }
 
-    private func performTokenRequest(_ request: MSIDHttpRequest, context: MSIDRequestContext) async -> Result<MSIDCIAMTokenResponse, Error> {
+    private func performTokenRequest(
+        _ request: MSIDHttpRequest,
+        context: MSIDRequestContext
+    ) async -> Result<MSALNativeAuthCIAMTokenResponse, Error> {
         return await withCheckedContinuation { continuation in
             request.send { response, error in
                 if let error = error {
@@ -218,8 +221,9 @@ extension MSALNativeAuthTokenController {
                     return
                 }
                 do {
-                    let tokenResponse = try MSIDCIAMTokenResponse(jsonDictionary: responseDict)
-                    tokenResponse.correlationId = request.context?.correlationId().uuidString
+                    let tokenResponse = try MSALNativeAuthCIAMTokenResponse(jsonDictionary: responseDict)
+                    // use request correlation id if server doesn't return one
+                    tokenResponse.correlationId = tokenResponse.correlationId ?? request.context?.correlationId().uuidString
                     continuation.resume(returning: .success(tokenResponse))
                 } catch {
                     MSALNativeAuthLogger.log(level: .error, context: context, format: "Error token request - Both result and error are nil")

MSAL/src/native_auth/controllers/MSALNativeAuthTokenController.swift

@@ -50,7 +50,7 @@ final class MSALNativeAuthCredentialsController: MSALNativeAuthTokenController,
         )
     }
 
-    convenience init(config: MSALNativeAuthConfiguration, cacheAccessor: MSALNativeAuthCacheInterface) {
+    convenience init(config: MSALNativeAuthInternalConfiguration, cacheAccessor: MSALNativeAuthCacheInterface) {
         let factory = MSALNativeAuthResultFactory(config: config, cacheAccessor: cacheAccessor)
         self.init(
             clientId: config.clientId,

MSAL/src/native_auth/controllers/credentials/MSALNativeAuthCredentialsController.swift

@@ -31,9 +31,9 @@ protocol MSALNativeAuthControllerBuildable {
 }
 
 final class MSALNativeAuthControllerFactory: MSALNativeAuthControllerBuildable {
-    private let config: MSALNativeAuthConfiguration
+    private let config: MSALNativeAuthInternalConfiguration
 
-    init(config: MSALNativeAuthConfiguration) {
+    init(config: MSALNativeAuthInternalConfiguration) {
         self.config = config
     }
 

MSAL/src/native_auth/controllers/factories/MSALNativeAuthControllerFactory.swift

@@ -26,7 +26,7 @@
 
 protocol MSALNativeAuthResultBuildable {
 
-    var config: MSALNativeAuthConfiguration {get}
+    var config: MSALNativeAuthInternalConfiguration {get}
 
     func makeAccount(tokenResult: MSIDTokenResult, context: MSIDRequestContext) -> MSALAccount
 
@@ -39,10 +39,10 @@ protocol MSALNativeAuthResultBuildable {
 
 final class MSALNativeAuthResultFactory: MSALNativeAuthResultBuildable {
 
-    let config: MSALNativeAuthConfiguration
+    let config: MSALNativeAuthInternalConfiguration
     let cacheAccessor: MSALNativeAuthCacheInterface
 
-    init(config: MSALNativeAuthConfiguration, cacheAccessor: MSALNativeAuthCacheInterface) {
+    init(config: MSALNativeAuthInternalConfiguration, cacheAccessor: MSALNativeAuthCacheInterface) {
         self.config = config
         self.cacheAccessor = cacheAccessor
     }