Ensure valid broker capable redirect URI is required for AAD scenarions

Author: Swasti Gupta

MSAL/IdentityCore

@@ -58,6 +58,7 @@ + (void)initialize
                                    @(MSIDErrorServerNonHttpsRedirect) : @(MSALInternalErrorNonHttpsRedirect),
                                    @(MSIDErrorMismatchedAccount): @(MSALInternalErrorMismatchedUser),
                                    @(MSIDErrorRedirectSchemeNotRegistered): @(MSALInternalErrorRedirectSchemeNotRegistered),
+                                   @(MSIDErrorInvalidRedirectURI): @(MSALInternalErrorInvalidRedirectURI),
 
                                    // Cache
                                    @(MSIDErrorCacheMultipleUsers) : @(MSALInternalErrorAmbiguousAccount),

MSAL/src/MSALErrorConverter.m

@@ -185,10 +185,16 @@ - (instancetype)initWithConfiguration:(MSALPublicClientApplicationConfig *)confi
                                                                     bypassRedirectValidation:config.bypassRedirectURIValidation
                                                                                        error:&msidError];
 
-    if (!msalRedirectUri && !config.bypassRedirectURIValidation)
+    if (!config.bypassRedirectURIValidation)
     {
-        if (error) *error = [MSALErrorConverter msalErrorFromMsidError:msidError];
-        return nil;
+        if (!msalRedirectUri || (!msalRedirectUri.brokerCapable && config.authority.msidAuthority.supportsBrokeredAuthentication && [self isAADNonConsumerTenant:config.authority]))
+        {
+            if (error)
+            {
+                *error = [MSALErrorConverter msalErrorFromMsidError:msidError];
+            }
+            return nil;
+        }
     }
 
 #if TARGET_OS_IPHONE
@@ -890,6 +896,19 @@ - (void)updateExternalAccountsWithResult:(MSALResult *)result context:(id<MSIDRe
     }
 }
 
+- (BOOL)isAADNonConsumerTenant:(MSALAuthority *)authority
+{
+    if (![authority isKindOfClass:[MSALAADAuthority class]]) return NO;
+    
+    MSIDAuthority *msidAuthority = ((MSALAADAuthority *)authority).msidAuthority;
+    if (![msidAuthority isKindOfClass:[MSIDAADAuthority class]]) return NO;
+    
+    MSIDAADAuthority *aadMsidAuthority = (MSIDAADAuthority *)msidAuthority;
+    MSIDAADTenant *tenant = aadMsidAuthority.tenant;
+    
+    return (tenant && tenant.type != MSIDAADTenantTypeConsumers);
+}
+
 - (void)acquireTokenWithParameters:(MSALInteractiveTokenParameters *)parameters
                    completionBlock:(MSALCompletionBlock)completionBlock
 {

MSAL/src/MSALPublicClientApplication.m

@@ -222,6 +222,19 @@ typedef NS_ENUM(NSInteger, MSALInternalError)
      */
     MSALInternalErrorRedirectSchemeNotRegistered        = -42001,
 
+    /**
+     The provided redirect URI is invalid.
+
+     Valid formats include:
+     - Default MSAL format: "msauth.[my.app.bundleId]://auth"
+     - ADAL format: "<custom_scheme>://[my.app.bundleId]"
+
+     Ensure the redirect URI matches one of the valid formats.
+     e.g. an app with the bundle Id "com.contoso.myapp" would need redirect URI in the form: msauth.com.contoso.myapp://auth.
+     See MSALErrorDescriptionKey for detailed error information.
+     */
+    MSALInternalErrorInvalidRedirectURI                 = -42011,
+    
     /**
      Protocol error, such as a missing required parameter.
      */

MSAL/src/public/MSALError.h

@@ -66,8 +66,11 @@ + (NSURL *)defaultBrokerCapableRedirectUri
 }
 
 + (BOOL)redirectUriIsBrokerCapable:(NSURL *)redirectUri
+                             error:(NSError * __autoreleasing *)error
 {
-    return [MSIDRedirectUri redirectUriIsBrokerCapable:redirectUri] == MSIDRedirectUriValidationResultMatched;
+    MSIDRedirectUriValidationResult validationResult = [MSIDRedirectUri redirectUriIsBrokerCapable:redirectUri
+                                                                                                error:error];
+    return validationResult == MSIDRedirectUriValidationResultMatched;
 }
 
 @end