Merge pull request #2592 from AzureAD/swagup/msal/valid_redirectURI

[MSAL2.x]Ensure valid broker capable redirect URI is required for AAD scenarios

Author: swasti29

CHANGELOG.md

@@ -1,5 +1,9 @@
 ## [TBD]
+* Removed deprecated APIs, including legacy initializers, account management methods, token acquisition methods, and the MSALTelemetry interface (#2577)
+* Enforced requirement for a valid ParentViewController (with a window) in interactive token requests (#2590)
 * Removed deprecated methods from native auth public interface (#2588)
+* Removed the deprecated MSALLogger interface and implementation class (#2591)
+* Enforced a valid broker-capable redirect URI format for AAD scenarios (#2592)
 
 ## [1.9.0]
 * Add feature flags provider to be controlled from broker (#2540)

MSAL/IdentityCore

@@ -58,6 +58,7 @@ + (void)initialize
                                    @(MSIDErrorServerNonHttpsRedirect) : @(MSALInternalErrorNonHttpsRedirect),
                                    @(MSIDErrorMismatchedAccount): @(MSALInternalErrorMismatchedUser),
                                    @(MSIDErrorRedirectSchemeNotRegistered): @(MSALInternalErrorRedirectSchemeNotRegistered),
+                                   @(MSIDErrorInvalidRedirectURI): @(MSALInternalErrorInvalidRedirectURI),
 
                                    // Cache
                                    @(MSIDErrorCacheMultipleUsers) : @(MSALInternalErrorAmbiguousAccount),

MSAL/src/MSALErrorConverter.m

@@ -185,10 +185,17 @@ - (instancetype)initWithConfiguration:(MSALPublicClientApplicationConfig *)confi
                                                                     bypassRedirectValidation:config.bypassRedirectURIValidation
                                                                                        error:&msidError];
 
-    if (!msalRedirectUri && !config.bypassRedirectURIValidation)
+    if (!config.bypassRedirectURIValidation)
     {
-        if (error) *error = [MSALErrorConverter msalErrorFromMsidError:msidError];
-        return nil;
+        if (!msalRedirectUri || (!msalRedirectUri.brokerCapable && config.authority.msidAuthority.supportsBrokeredAuthentication && [self isAADNonConsumerTenant:config.authority]))
+        {
+            if (error)
+            {
+                *error = [MSALErrorConverter msalErrorFromMsidError:msidError];
+            }
+            
+            return nil;
+        }
     }
 
 #if TARGET_OS_IPHONE
@@ -890,6 +897,27 @@ - (void)updateExternalAccountsWithResult:(MSALResult *)result context:(id<MSIDRe
     }
 }
 
+- (BOOL)isAADNonConsumerTenant:(MSALAuthority *)authority
+{
+    // Ensure the authority is of type MSALAADAuthority
+    if (![authority isKindOfClass:[MSALAADAuthority class]]) {
+        return NO;
+    }
+    
+    MSIDAuthority *msidAuthority = ((MSALAADAuthority *)authority).msidAuthority;
+    
+    // Ensure the underlying MSID authority is of type MSIDAADAuthority
+    if (![msidAuthority isKindOfClass:[MSIDAADAuthority class]]) {
+        return NO;
+    }
+    
+    MSIDAADAuthority *aadAuthority = (MSIDAADAuthority *)msidAuthority;
+    MSIDAADTenant *tenant = aadAuthority.tenant;
+    
+    // Return YES if the tenant exists and is not of type 'Consumers'
+    return (tenant != nil && tenant.type != MSIDAADTenantTypeConsumers);
+}
+
 - (void)acquireTokenWithParameters:(MSALInteractiveTokenParameters *)parameters
                    completionBlock:(MSALCompletionBlock)completionBlock
 {

MSAL/src/MSALPublicClientApplication.m

@@ -55,7 +55,7 @@ - (BOOL)fillWithWebViewParameters:(MSALWebviewParameters *)webParameters
 
     if (parentViewController.view.window == nil)
     {
-        NSError *msidError = MSIDCreateError(MSIDErrorDomain, MSIDErrorInvalidDeveloperParameter, @"parentViewController has no window! Provide a valid controller with view and window.", nil, nil, nil, nil, nil, YES);
+        NSError *msidError = MSIDCreateError(MSIDErrorDomain, MSIDErrorInvalidDeveloperParameter, @"parentViewController has no window! Provide a valid controller with its view attached to a valid window.", nil, nil, nil, nil, nil, YES);
         if (error) *error = msidError;
         return NO;
     }

MSAL/src/MSIDInteractiveRequestParameters+MSALRequest.m

@@ -222,6 +222,19 @@ typedef NS_ENUM(NSInteger, MSALInternalError)
      */
     MSALInternalErrorRedirectSchemeNotRegistered        = -42001,
 
+    /**
+     The provided redirect URI is invalid.
+
+     Valid formats include:
+     - Default MSAL format: "msauth.[my.app.bundleId]://auth"
+     - ADAL format: "<custom_scheme>://[my.app.bundleId]"
+
+     Ensure the redirect URI matches one of the valid formats.
+     e.g. an app with the bundle Id "com.contoso.myapp" would need redirect URI in the form: msauth.com.contoso.myapp://auth.
+     See MSALErrorDescriptionKey for detailed error information.
+     */
+    MSALInternalErrorInvalidRedirectURI                 = -42011,
+    
     /**
      Protocol error, such as a missing required parameter.
      */

MSAL/src/public/MSALError.h

@@ -44,8 +44,8 @@ NS_ASSUME_NONNULL_BEGIN
 #pragma mark - Configuration options
 
 /**
- The view controller to present from. This property must be valid. If nil is provided, or if the view controller is not attached to a window (i.e., parentViewController.view.window is nil), MSAL will return an error and will not proceed with authentication.
- It is required to provide a valid parentViewController with a window to proceed with authentication.
+ The view controller to present from. If nil is provided, or if the view controller's view is not attached to a window (i.e., parentViewController.view.window is nil), MSAL will return an error and will not proceed with authentication.
+ A valid parentViewController with its view attached to a valid window is required to proceed with authentication.
  */
 @property (nonatomic, strong, nonnull) MSALViewController *parentViewController;
 
@@ -82,9 +82,9 @@ NS_ASSUME_NONNULL_BEGIN
 #pragma mark - Constructing MSALWebviewParameters
 
 /**
-   Creates an instance of MSALWebviewParameters with a provided parentViewController.
-   @param parentViewController The view controller to present authorization UI from. This property must be valid
-   @note parentViewController is mandatory on iOS 13+  and macOS 10.15+. If nil is provided, or if the view controller is not attached to a window (i.e., parentViewController.view.window is nil), MSAL will return an error and authentication will not proceed. It is required to provide a valid parentViewController with a window to proceed with authentication.
+   Creates an instance of MSALWebviewParameters with the provided parentViewController.
+   @param parentViewController The view controller to present authorization UI from.
+   @note parentViewController is mandatory on iOS 13+  and macOS 10.15+. If nil is provided, or if the view controller's view is not attached to a window (i.e., parentViewController.view.window is nil), MSAL will return an error and authentication will not proceed. A valid parentViewController with its view attached to a valid window is required to proceed with authentication.
 */
 - (nonnull instancetype)initWithAuthPresentationViewController:(nonnull MSALViewController *)parentViewController;
 

MSAL/src/public/MSALWebviewParameters.h

@@ -66,8 +66,11 @@ + (NSURL *)defaultBrokerCapableRedirectUri
 }
 
 + (BOOL)redirectUriIsBrokerCapable:(NSURL *)redirectUri
+                             error:(NSError * __autoreleasing *)error
 {
-    return [MSIDRedirectUri redirectUriIsBrokerCapable:redirectUri] == MSIDRedirectUriValidationResultMatched;
+    MSIDRedirectUriValidationResult validationResult = [MSIDRedirectUri redirectUriIsBrokerCapable:redirectUri
+                                                                                             error:error];
+    return validationResult == MSIDRedirectUriValidationResultMatched;
 }
 
 @end