Merge pull request forcedotcom#3949 from wmathurin/migrate_refresh_token

Method to migrate refresh token

Author: wmathurin

libs/SalesforceSDKCore/SalesforceSDKCore.xcodeproj/project.pbxproj

@@ -80,6 +80,8 @@
 		4F2410B1282DCA4B00E5EFE3 /* SFSDKCollectionResponse.m in Sources */ = {isa = PBXBuildFile; fileRef = 4F2410B0282DCA4B00E5EFE3 /* SFSDKCollectionResponse.m */; };
 		4F3139652331C5A1007B3705 /* SFSDKAuthRootController.m in Sources */ = {isa = PBXBuildFile; fileRef = 4F3139642331C5A1007B3705 /* SFSDKAuthRootController.m */; };
 		4F3139682331C5C7007B3705 /* SFSDKAuthRootController.h in Headers */ = {isa = PBXBuildFile; fileRef = 4F3139672331C5B9007B3705 /* SFSDKAuthRootController.h */; };
+		4F3ECD8A2EBBD150005020A6 /* SFOAuthCoordinatorTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 4F3ECD892EBBD150005020A6 /* SFOAuthCoordinatorTests.m */; };
+		4F3ECD8C2EBBD182005020A6 /* SFOAuthInfoTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 4F3ECD8B2EBBD182005020A6 /* SFOAuthInfoTests.m */; };
 		4F5727E327F27F1A0008CDA4 /* SFSDKPrimingRecordsResponse.h in Headers */ = {isa = PBXBuildFile; fileRef = 4F5727DC27F27F1A0008CDA4 /* SFSDKPrimingRecordsResponse.h */; settings = {ATTRIBUTES = (Public, ); }; };
 		4F5727E427F27F1A0008CDA4 /* SFSDKPrimingRecordsResponse.m in Sources */ = {isa = PBXBuildFile; fileRef = 4F5727E227F27F1A0008CDA4 /* SFSDKPrimingRecordsResponse.m */; };
 		4F5A49502E98711600C89DDD /* ScopeParser.swift in Sources */ = {isa = PBXBuildFile; fileRef = 4F5A494F2E98711600C89DDD /* ScopeParser.swift */; };
@@ -600,6 +602,8 @@
 		4F2410B0282DCA4B00E5EFE3 /* SFSDKCollectionResponse.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFSDKCollectionResponse.m; sourceTree = "<group>"; };
 		4F3139642331C5A1007B3705 /* SFSDKAuthRootController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFSDKAuthRootController.m; sourceTree = "<group>"; };
 		4F3139672331C5B9007B3705 /* SFSDKAuthRootController.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFSDKAuthRootController.h; sourceTree = "<group>"; };
+		4F3ECD892EBBD150005020A6 /* SFOAuthCoordinatorTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFOAuthCoordinatorTests.m; sourceTree = "<group>"; };
+		4F3ECD8B2EBBD182005020A6 /* SFOAuthInfoTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFOAuthInfoTests.m; sourceTree = "<group>"; };
 		4F5727DC27F27F1A0008CDA4 /* SFSDKPrimingRecordsResponse.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SFSDKPrimingRecordsResponse.h; sourceTree = "<group>"; };
 		4F5727E227F27F1A0008CDA4 /* SFSDKPrimingRecordsResponse.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SFSDKPrimingRecordsResponse.m; sourceTree = "<group>"; };
 		4F5A494F2E98711600C89DDD /* ScopeParser.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = ScopeParser.swift; sourceTree = "<group>"; };
@@ -1046,6 +1050,8 @@
 		4F7EB3F61BFFC84700768720 /* SalesforceSDKCoreTests */ = {
 			isa = PBXGroup;
 			children = (
+				4F3ECD8B2EBBD182005020A6 /* SFOAuthInfoTests.m */,
+				4F3ECD892EBBD150005020A6 /* SFOAuthCoordinatorTests.m */,
 				4F5A49572E98B0F800C89DDD /* ScopeParserTests.swift */,
 				23F200AB2E551C890091C5F5 /* ActionTypeTests.swift */,
 				23F200AD2E551C890091C5F5 /* BootconfigTests.swift */,
@@ -1132,8 +1138,7 @@
 				6990CBBF29F5AF56004A5F8D /* SFSDKIDPAuthCodeLoginRequestCommandTest.m */,
 				23CAB0F82DCBE51F00B8929B /* Mocks */,
 			);
-			name = SalesforceSDKCoreTests;
-			path = SalesforceSDKCore;
+			path = SalesforceSDKCoreTests;
 			sourceTree = "<group>";
 		};
 		4F7EB4571BFFC9D900768720 /* Supporting Files */ = {
@@ -2244,6 +2249,7 @@
 				23D96B762E145B400004B06A /* DomainDiscoveryCoordinatorTests.swift in Sources */,
 				B7A4AE4922E8CA780060E737 /* SFSDKAuthUtilTests.swift in Sources */,
 				69DFE06C2B969C25000906E4 /* PushNotificationDecryptionTests.swift in Sources */,
+				4F3ECD8C2EBBD182005020A6 /* SFOAuthInfoTests.m in Sources */,
 				4F7EB4161BFFC8D700768720 /* SDKCommonNSDataTests.m in Sources */,
 				CE81A9C81E9C26F900F3D0AD /* SFUserAccountManagerNotificationsTests.m in Sources */,
 				23F200AC2E551C890091C5F5 /* ActionTypeTests.swift in Sources */,
@@ -2268,6 +2274,7 @@
 				69CEBC7E22F368CF00F16218 /* SFNetworkTests.m in Sources */,
 				4F7EB41B1BFFC8D700768720 /* SFSDKCryptoUtilsTests.m in Sources */,
 				69848CB82364035300893E57 /* SFSDKEncryptedPushNotificationTests.m in Sources */,
+				4F3ECD8A2EBBD150005020A6 /* SFOAuthCoordinatorTests.m in Sources */,
 				4F9E05322DD6A08000548985 /* SFSDKOAuthTokenEndpointResponseTests.m in Sources */,
 				4F06AF8D1C49A18E00F70798 /* SalesforceSDKManagerTests.m in Sources */,
 				237C186C2E44FCAE0008015C /* EncryptStreamTests.swift in Sources */,

libs/SalesforceSDKCore/SalesforceSDKCore/Classes/OAuth/SFOAuthCoordinator+Internal.h

@@ -83,6 +83,11 @@ NS_ASSUME_NONNULL_BEGIN
  */
 - (NSString *)scopeQueryParamString;
 
+/**
+ Migrates the refresh token for a user to a new app configuration.
+ */
+- (void)migrateRefreshToken:(SFUserAccount *)user;
+
 @end
 
 NS_ASSUME_NONNULL_END

libs/SalesforceSDKCore/SalesforceSDKCore/Classes/OAuth/SFOAuthCoordinator.m

@@ -519,6 +519,28 @@ - (void)swapJWTWithCompletionHandler:(void (^)(NSData *data, NSURLResponse *resp
     [[self.session dataTaskWithRequest:request completionHandler:completionHandler] resume];
 }
 
+// Refresh token migration
+- (void)migrateRefreshToken:(SFUserAccount *)user {    
+    self.authInfo = [[SFOAuthInfo alloc] initWithAuthType:SFOAuthTypeRefreshTokenMigration];
+    self.initialRequestLoaded = NO;
+    
+    // Use the single access bridge API to get a front door URL for the new app
+    NSURL *approvalUrl = [NSURL URLWithString:[self generateApprovalUrlString]];
+    NSString *approvalPath = [[approvalUrl path] stringByAppendingString:approvalUrl.query ? [@"?" stringByAppendingString:approvalUrl.query] : @""];
+
+    SFRestRequest* singleAccessRequest = [[SFRestAPI sharedInstanceWithUser:user] requestForSingleAccess:approvalPath];
+    __weak typeof (self) weakSelf = self;
+    [[SFRestAPI sharedInstanceWithUser:user] sendRequest:singleAccessRequest failureBlock:^(id response, NSError *error, NSURLResponse *rawResponse) {
+        if (self.authSession.authFailureCallback) {
+            self.authSession.authFailureCallback(self.authInfo, error);
+        }
+    } successBlock:^(id response, NSURLResponse *rawResponse) {
+        __strong typeof (self) strongSelf = weakSelf;
+        NSString *frontDoorUrlString = ((NSDictionary*) response)[@"frontdoor_uri"];
+        [strongSelf loadWebViewWithUrlString:frontDoorUrlString cookie:YES];
+    }];
+}
+
 // IDP related
 - (void)beginIDPFlow:(SFUserAccount *)user success:(void(^)(void))successBlock failure:(void(^)(NSError *))failureBlock {
     self.authInfo = [[SFOAuthInfo alloc] initWithAuthType:SFOAuthTypeIDP];

libs/SalesforceSDKCore/SalesforceSDKCore/Classes/OAuth/SFOAuthInfo.h

@@ -38,6 +38,7 @@ typedef NS_ENUM(NSUInteger, SFOAuthType) {
     SFOAuthTypeIDP,
     SFOAuthTypeWebServer,
     SFOAuthTypeNative,
+    SFOAuthTypeRefreshTokenMigration,
 } NS_SWIFT_NAME(AuthInfo.AuthType);
 
 /**

libs/SalesforceSDKCore/SalesforceSDKCore/Classes/OAuth/SFOAuthInfo.m

@@ -62,8 +62,15 @@ - (NSString *)authTypeDescription
         case SFOAuthTypeJwtTokenExchange:
             desc = @"SFOAuthTypeJwtTokenExchange";
             break;
+        case SFOAuthTypeIDP:
+            desc = @"SFOAuthTypeIDP";
+            break;
         case SFOAuthTypeNative:
             desc = @"SFOAuthTypeNative";
+            break;
+        case SFOAuthTypeRefreshTokenMigration:
+            desc = @"SFOAuthTypeRefreshTokenMigration";
+            break;
         case SFOAuthTypeUnknown:
         default:
             desc = @"SFOAuthTypeUnknown";

libs/SalesforceSDKCore/SalesforceSDKCore/Classes/UserAccount/SFUserAccountManager+Internal.h

@@ -216,6 +216,8 @@ Set this block to handle presentation of the Authentication View Controller.
          frontDoorBridgeUrl:(nullable NSURL * )frontDoorBridgeUrl
                codeVerifier:(nullable NSString *)codeVerifier;
 
+- (SFSDKAuthRequest *)migrateRefreshAuthRequest:(SFSDKAppConfig *)newAppConfig;
+
 @end
 
 NS_ASSUME_NONNULL_END

libs/SalesforceSDKCore/SalesforceSDKCore/Classes/UserAccount/SFUserAccountManager.h

@@ -571,6 +571,23 @@ Use this method to stop/clear any authentication which is has already been start
  */
 - (void)logoutAllUsers;
 
+/**
+ Migrates the refresh token for the specified user to a new app configuration.
+ 
+ This might cause the approve/deny screen to be presented to the user to authorize the
+ new app. If successful a new set of credentials (refresh token, access token) are obtained
+ and replace the existing credentials for the user.
+ 
+ @param user The user account whose refresh token should be migrated.
+ @param newAppConfig The new app configuration to migrate to.
+ @param completionBlock Called on successful migration with the updated user account and auth info.
+ @param failureBlock Called if the migration fails with an error and optional auth info.
+ */
+- (void)migrateRefreshToken:(SFUserAccount *)user
+               newAppConfig:(SFSDKAppConfig *)newAppConfig
+                    success:(SFUserAccountManagerSuccessCallbackBlock)completionBlock
+                    failure:(SFUserAccountManagerFailureCallbackBlock)failureBlock NS_SWIFT_NAME(migrateRefreshToken(for:newAppConfig:success:failure:));
+
 /**
  Handle an authentication response from the IDP application
  @param url The URL response returned to the app from the IDP application.

libs/SalesforceSDKCore/SalesforceSDKCore/Classes/UserAccount/SFUserAccountManager.m

@@ -573,6 +573,16 @@ -(SFSDKAuthRequest *)defaultAuthRequest {
     return [self defaultAuthRequestWithLoginHost:nil];
 }
 
+-(SFSDKAuthRequest *)migrateRefreshAuthRequest:(SFSDKAppConfig *)newAppConfig {
+    SFSDKAuthRequest *request = [[SFSDKAuthRequest alloc] init];
+    request.loginHost = self.loginHost;
+    request.additionalOAuthParameterKeys = self.additionalOAuthParameterKeys;
+    request.oauthClientId = newAppConfig.remoteAccessConsumerKey;
+    request.oauthCompletionUrl = newAppConfig.oauthRedirectURI;
+    request.scene = [[SFSDKWindowManager sharedManager] defaultScene];
+    return request;
+}
+
 -(SFSDKAuthRequest *)nativeLoginAuthRequest {
     SFNativeLoginManagerInternal *nativeLoginManager = (SFNativeLoginManagerInternal *)[[SalesforceSDKManager sharedManager] nativeLoginManager];
     SFSDKAuthRequest *request = [[SFSDKAuthRequest alloc] init];
@@ -815,6 +825,45 @@ - (void)dismissAuthViewControllerIfPresentForScene:(UIScene *)scene completion:(
     }
 }
 
+- (void)migrateRefreshToken:(SFUserAccount *)user
+               newAppConfig:(SFSDKAppConfig *)newAppConfig
+                    success:(SFUserAccountManagerSuccessCallbackBlock)completionBlock
+                    failure:(SFUserAccountManagerFailureCallbackBlock)failureBlock {
+    
+    // Store current user credentials to revoke them once migration completes
+    SFOAuthCredentials *preMigrationCredentials = self.currentUser.credentials;
+
+    // Creating a SFSDKAuthRequest and SFSDKAuthSession
+    SFSDKAuthRequest *request = [self migrateRefreshAuthRequest:newAppConfig];
+    SFSDKAuthSession *authSession = [[SFSDKAuthSession alloc] initWith:request credentials:nil];
+    authSession.isAuthenticating = YES;
+    authSession.authSuccessCallback = ^(SFOAuthInfo *authInfo, SFUserAccount *newUserAccount) {
+        if (preMigrationCredentials != nil && ![preMigrationCredentials.refreshToken isEqualToString:newUserAccount.credentials.refreshToken]) {
+            
+            id<SFSDKOAuthProtocol> authClient = self.authClient();
+            [authClient revokeRefreshToken:preMigrationCredentials reason:SFLogoutReasonRefreshTokenRotated];
+        }
+
+        if (completionBlock) {
+            completionBlock(authInfo, newUserAccount);
+        }
+    };
+    authSession.authFailureCallback = failureBlock;
+    authSession.oauthCoordinator.delegate = self;
+    authSession.identityCoordinator.delegate = self;
+    self.authSessions[authSession.sceneId] = authSession;
+    
+    // Kicking off the actual migration (will load front-door approval URL in web view)
+    __weak typeof(self) weakSelf = self;
+    dispatch_async(dispatch_get_main_queue(), ^{
+        __strong typeof(weakSelf) strongSelf = weakSelf;
+        [strongSelf dismissAuthViewControllerIfPresentForScene:authSession.oauthRequest.scene completion:^{
+            [authSession.oauthCoordinator migrateRefreshToken:user];
+        }];
+    });
+}
+
+
 #pragma mark - SFOAuthCoordinatorDelegate
 - (void)oauthCoordinatorWillBeginAuthentication:(SFOAuthCoordinator *)coordinator authInfo:(SFOAuthInfo *)info {
     NSDictionary *userInfo = @{ kSFNotificationUserInfoCredentialsKey: coordinator.credentials,

libs/SalesforceSDKCore/SalesforceSDKCoreTests/SFOAuthCoordinatorTests.m

@@ -0,0 +1,104 @@
+/*
+ Copyright (c) 2025-present, salesforce.com, inc. All rights reserved.
+ 
+ Redistribution and use of this software in source and binary forms, with or without modification,
+ are permitted provided that the following conditions are met:
+ * Redistributions of source code must retain the above copyright notice, this list of conditions
+ and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice, this list of
+ conditions and the following disclaimer in the documentation and/or other materials provided
+ with the distribution.
+ * Neither the name of salesforce.com, inc. nor the names of its contributors may be used to
+ endorse or promote products derived from this software without specific prior written
+ permission of salesforce.com, inc.
+ 
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
+ WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#import <XCTest/XCTest.h>
+#import <SalesforceSDKCore/SalesforceSDKCore.h>
+#import "SFOAuthCoordinator+Internal.h"
+#import "SFUserAccount+Internal.h"
+#import "SFOAuthCredentials+Internal.h"
+#import "SFSDKAuthSession.h"
+#import "SFSDKAuthRequest.h"
+
+@interface SFOAuthCoordinatorTests : XCTestCase
+
+@end
+
+@implementation SFOAuthCoordinatorTests
+
+- (void)testMigrateRefreshTokenSetup {
+    // Create test credentials
+    SFOAuthCredentials *credentials = [[SFOAuthCredentials alloc] initWithIdentifier:@"testIdentifier" clientId:@"testClientId" encrypted:NO];
+    credentials.redirectUri = @"testapp://callback";
+    credentials.domain = @"test.salesforce.com";
+    credentials.accessToken = @"testAccessToken";
+    credentials.refreshToken = @"testRefreshToken";
+    credentials.instanceUrl = [NSURL URLWithString:@"https://test.salesforce.com"];
+    
+    // Create a test user account (not fully logged in to avoid actual API calls)
+    SFUserAccount *userAccount = [[SFUserAccount alloc] initWithCredentials:credentials];
+    
+    // Create auth request and session
+    SFSDKAuthRequest *authRequest = [[SFSDKAuthRequest alloc] init];
+    authRequest.oauthClientId = @"newClientId";
+    authRequest.oauthCompletionUrl = @"newapp://callback";
+    authRequest.loginHost = @"login.salesforce.com";
+    
+    SFSDKAuthSession *authSession = [[SFSDKAuthSession alloc] initWith:authRequest credentials:nil];
+    
+    // Track whether callbacks are invoked
+    __block BOOL failureCallbackInvoked = NO;
+    __block SFOAuthInfo *capturedAuthInfo = nil;
+    __block NSError *capturedError = nil;
+    
+    authSession.authFailureCallback = ^(SFOAuthInfo *authInfo, NSError *error) {
+        failureCallbackInvoked = YES;
+        capturedAuthInfo = authInfo;
+        capturedError = error;
+    };
+    
+    // Create coordinator
+    SFOAuthCoordinator *coordinator = [[SFOAuthCoordinator alloc] initWithAuthSession:authSession];
+    coordinator.credentials = credentials;
+    
+    // Verify initial state
+    XCTAssertNotNil(coordinator.credentials);
+    XCTAssertEqualObjects(coordinator.credentials.clientId, @"testClientId");
+    
+    // Call migrateRefreshToken - this will attempt to make a REST API call
+    // which will fail because the user is not properly logged in
+    [coordinator migrateRefreshToken:userAccount];
+    
+    // Wait a bit for the async failure callback
+    XCTestExpectation *expectation = [self expectationWithDescription:@"Wait for failure callback"];
+    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(1.0 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
+        [expectation fulfill];
+    });
+    [self waitForExpectations:@[expectation] timeout:2.0];
+    
+    // Verify that the auth info was set to the correct type
+    // This happens synchronously before the REST call
+    XCTAssertNotNil(coordinator.authInfo, @"Auth info should be set");
+    XCTAssertEqual(coordinator.authInfo.authType, SFOAuthTypeRefreshTokenMigration, @"Auth type should be refresh token migration");
+    
+    // Verify initialRequestLoaded was set to false
+    XCTAssertFalse(coordinator.initialRequestLoaded, @"Initial request loaded should be false");
+    
+    // Verify the failure callback was invoked (because the user isn't logged in properly)
+    XCTAssertTrue(failureCallbackInvoked, @"Failure callback should be invoked when REST API fails");
+    XCTAssertNotNil(capturedError, @"Should have captured an error");
+    XCTAssertEqual(capturedAuthInfo.authType, SFOAuthTypeRefreshTokenMigration, @"AuthInfo type should be refresh token migration");
+}
+
+@end
+