Native authentication email OTP MFA (#2341)

* Email OTP MFA Network layer implementation (#2275)

* add introspect request, response and error classes

* make authentication method fields mandatory, add validator code for introspect responses

* update signIN challenge request and response

* handle mfa required using suberror and not error code

* fix unit tests after new changes

* rename validate function and add new test for introspect required error result

* add new unit tests for introspect validation

* add new unit tests for token response validation - mfa required

* fix integration tests compilation error

* add new integration tests for introspect api

* - Adjustments in integration tests to align with mock API changes

* Address comments on PR

---------

Co-authored-by: Marcos Borges <[email protected]>
Co-authored-by: Marcos Borges <[email protected]>

* first public interface draft

* add missing method in signINPasswordRequiredDelegate

* add dummy logic

* Add dedicated errors for MFA sub flow

* add optional new state to error callbacks

* Make channel type extensible

* Update and add new public comments

* fix compilation errors in E2E tests

* Fix typo and swiftlint warnings

* add base mfa states, return awaiting mfa on password required state

* add implementation for mfa required response after submitting a code

* handle remaning strongAuthRequired response

* handle introspect required and update todo comment

* add send challenge MFA business logic

* reuse code for send challenge method

* Email OTP MFA - public interface changes (#2296)

* first public interface draft

* add missing method in signINPasswordRequiredDelegate

* add dummy logic

* Add dedicated errors for MFA sub flow

* add optional new state to error callbacks

* Make channel type extensible

* Update and add new public comments

* fix compilation errors in E2E tests

* Fix typo and swiftlint warnings

* Address PR comments

* use same name for awaitingMFA method, add more details to the comment

* merge two mfa error and handle get auth methods request

* complete implementation of get auth methods method

* implement submit challenge reusing submit code function

* remove telemetry check in controller test. Delegate dispatcher should trigger telemetry

* Add unit tests for SendChallenge delegate dispatcher

* Add remaining tests for mfa delegate dispatchers

* add new unit tests for MFA error classes

* Writing tests for awaitingMFAState

* add unit tests for mfaRequiredState

* add new unit tests to existing signIn Controller

* add new test for sendChallengeState, add new class for MFA controller tests

* move mfa tests to dedicated class

* add new tests for mfa controller. Fix some bugs too

* add new tests for send challenge

* add new tests for get auth methods

* add new tests for submit Challenge, stop telemetry on successful result

* fix compilation error on integration tests

* rename sendChallenge to requestChallenge

* Address PR comments

* address PR comments. Fix bug around SSPR telemetry id

* address PR comments

* Email OTP MFA business logic (#2302)

* first public interface draft

* add missing method in signINPasswordRequiredDelegate

* add dummy logic

* Add dedicated errors for MFA sub flow

* add optional new state to error callbacks

* Make channel type extensible

* Update and add new public comments

* fix compilation errors in E2E tests

* Fix typo and swiftlint warnings

* add base mfa states, return awaiting mfa on password required state

* add implementation for mfa required response after submitting a code

* handle remaning strongAuthRequired response

* handle introspect required and update todo comment

* add send challenge MFA business logic

* reuse code for send challenge method

* merge two mfa error and handle get auth methods request

* complete implementation of get auth methods method

* implement submit challenge reusing submit code function

* remove telemetry check in controller test. Delegate dispatcher should trigger telemetry

* Add unit tests for SendChallenge delegate dispatcher

* Add remaining tests for mfa delegate dispatchers

* add new unit tests for MFA error classes

* Writing tests for awaitingMFAState

* add unit tests for mfaRequiredState

* add new unit tests to existing signIn Controller

* add new test for sendChallengeState, add new class for MFA controller tests

* move mfa tests to dedicated class

* add new tests for mfa controller. Fix some bugs too

* add new tests for send challenge

* add new tests for get auth methods

* add new tests for submit Challenge, stop telemetry on successful result

* fix compilation error on integration tests

* rename sendChallenge to requestChallenge

* Address PR comments

* address PR comments. Fix bug around SSPR telemetry id

* address PR comments

* Log a warning message and add warning on code documentation (#2306)

* add email otp mfa files to mac targets. Remove not used files

* Add E2E tests for email OTP MFA feature (#2331)

* add new e2e test for signIn with username and password and MFA

* add new end to end tests for mfa

* add missing E2E tests for email OTP MFA

* throw xctskip error to skip error

* refactor E2E tests

* rename internal test function

* send wrong code as string

* Refresh token, customise MFA required error description (#2322)

* add new error codes key and parse msid error codes

* add new error converter tests

* update changelog file

* add custom error message if error code is mfaRequired

* Add new unit tests for error codes handling

* add file to mac os target

* revert change for project file

* Add new MFARequestChallengeError and MFAGetAuthMethodsError (#2340)

* add period at the end of the sentence

* remove null pointer in project file

* remove trailing space and enable all mfa e2e tests

---------

Co-authored-by: Marcos Borges <[email protected]>
Co-authored-by: Marcos Borges <[email protected]>

Author: nilo-ms

MSAL/.swiftlint.yml

@@ -13,3 +13,4 @@ function_parameter_count:
 
 disabled_rules:
   - todo
+  - empty_enum_arguments

MSAL/MSAL.xcodeproj/project.pbxproj

@@ -20,18 +20,11 @@
 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-// THE SOFTWARE.
+// THE SOFTWARE.  
 
-enum MSALNativeAuthInternalChannelType: String, Decodable {
-    case phone
-    case email
+import Foundation
 
-    func toPublicChannelType() -> MSALNativeAuthChannelType {
-        switch self {
-        case .phone:
-            return .phone
-        case .email:
-            return .email
-        }
-    }
+enum MSALNativeAuthLogMessage {
+    static let privatePreviewLog =
+    "Warning ⚠️: this API is experimental. It may be changed in the future without notice. Do not use in production applications."
 }

MSAL/src/native_auth/network/MSALNativeAuthInternalChannelType.swift renamed to MSAL/src/native_auth/MSALNativeAuthLogMessage.swift

@@ -0,0 +1,41 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.  
+
+import Foundation
+
+enum MFARequestChallengeResult {
+    case verificationRequired(sentTo: String, channelTargetType: MSALNativeAuthChannelType, codeLength: Int, newState: MFARequiredState)
+    case selectionRequired(authMethods: [MSALAuthMethod], newState: MFARequiredState)
+    case error(error: MFARequestChallengeError, newState: MFARequiredState?)
+}
+
+enum MFAGetAuthMethodsResult {
+    case selectionRequired(authMethods: [MSALAuthMethod], newState: MFARequiredState)
+    case error(error: MFAGetAuthMethodsError, newState: MFARequiredState?)
+}
+
+enum MFASubmitChallengeResult {
+    case completed(MSALNativeAuthUserAccountResult)
+    case error(error: MFASubmitChallengeError, newState: MFARequiredState?)
+}

MSAL/src/native_auth/controllers/responses/MFAResults.swift

@@ -28,13 +28,15 @@ enum SignInStartResult {
     case completed(MSALNativeAuthUserAccountResult)
     case codeRequired(newState: SignInCodeRequiredState, sentTo: String, channelTargetType: MSALNativeAuthChannelType, codeLength: Int)
     case passwordRequired(newState: SignInPasswordRequiredState)
+    case awaitingMFA(newState: AwaitingMFAState)
     case error(SignInStartError)
 }
 
 typealias SignInResendCodeResult = CodeRequiredGenericResult<SignInCodeRequiredState, ResendCodeError>
 
 enum SignInPasswordRequiredResult {
     case completed(MSALNativeAuthUserAccountResult)
+    case awaitingMFA(newState: AwaitingMFAState)
     case error(error: PasswordRequiredError, newState: SignInPasswordRequiredState?)
 }
 

MSAL/src/native_auth/controllers/responses/SignInResults.swift

@@ -0,0 +1,51 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.  
+
+import Foundation
+
+protocol MSALNativeAuthMFAControlling {
+
+    typealias MFARequestChallengeControllerResponse = MSALNativeAuthControllerTelemetryWrapper<MFARequestChallengeResult>
+    typealias MFAGetAuthMethodsControllerResponse = MSALNativeAuthControllerTelemetryWrapper<MFAGetAuthMethodsResult>
+    typealias MFASubmitChallengeControllerResponse = MSALNativeAuthControllerTelemetryWrapper<MFASubmitChallengeResult>
+
+    func requestChallenge(
+        continuationToken: String,
+        authMethod: MSALAuthMethod?,
+        context: MSALNativeAuthRequestContext,
+        scopes: [String]
+    ) async -> MFARequestChallengeControllerResponse
+
+    func getAuthMethods(
+        continuationToken: String,
+        context: MSALNativeAuthRequestContext,
+        scopes: [String]
+    ) async -> MFAGetAuthMethodsControllerResponse
+
+    func submitChallenge(
+        challenge: String,
+        continuationToken: String,
+        context: MSALNativeAuthRequestContext,
+        scopes: [String]) async -> MFASubmitChallengeControllerResponse
+}