refactor : Updated the MRRT key storing logic

Author: pmathew92

auth0/src/main/java/com/auth0/android/authentication/storage/BaseCredentialsManager.kt

@@ -3,16 +3,12 @@ package com.auth0.android.authentication.storage
 import androidx.annotation.VisibleForTesting
 import com.auth0.android.authentication.AuthenticationAPIClient
 import com.auth0.android.callback.Callback
-import com.auth0.android.request.internal.GsonProvider
-import com.auth0.android.request.internal.Jwt
 import com.auth0.android.result.APICredentials
 import com.auth0.android.result.Credentials
 import com.auth0.android.result.SSOCredentials
 import com.auth0.android.result.UserProfile
 import com.auth0.android.util.Clock
 import java.util.*
-import kotlin.collections.component1
-import kotlin.collections.component2
 
 /**
  * Base class meant to abstract common logic across Credentials Manager implementations.
@@ -36,7 +32,12 @@ public abstract class BaseCredentialsManager internal constructor(
 
     @Throws(CredentialsManagerException::class)
     public abstract fun saveCredentials(credentials: Credentials)
-    public abstract fun saveApiCredentials(apiCredentials: APICredentials, audience: String)
+    public abstract fun saveApiCredentials(
+        apiCredentials: APICredentials,
+        audience: String,
+        scope: String?
+    )
+
     public abstract fun getCredentials(callback: Callback<Credentials, CredentialsManagerException>)
     public abstract fun getSsoCredentials(
         parameters: Map<String, String>,
@@ -158,13 +159,22 @@ public abstract class BaseCredentialsManager internal constructor(
      *
      * @param storedScope   the stored scope, separated by space characters.
      * @param requiredScope the required scope, separated by space characters.
+     * @param ignoreOpenid whether to ignore the openid scope from the storedScope or not while comparing.
      * @return whether the scope are different or not
      */
-    protected fun hasScopeChanged(storedScope: String?, requiredScope: String?): Boolean {
+    protected fun hasScopeChanged(
+        storedScope: String?,
+        requiredScope: String?,
+        ignoreOpenid: Boolean = false
+    ): Boolean {
         if (requiredScope == null) {
             return false
         }
-        val stored = storedScope.orEmpty().split(" ").toTypedArray()
+        val storedScopeList = storedScope.orEmpty().split(" ").toMutableList()
+
+        if (ignoreOpenid) storedScopeList.remove("openid")
+
+        val stored = storedScopeList.toTypedArray()
         Arrays.sort(stored)
         val required = requiredScope.split(" ").toTypedArray()
         Arrays.sort(required)
@@ -196,4 +206,15 @@ public abstract class BaseCredentialsManager internal constructor(
     protected fun hasExpired(expiresAt: Long): Boolean {
         return expiresAt <= currentTimeInMillis
     }
+
+    /**
+     * Returns the key for storing the APICredentials in storage. Uses a combination of audience and scope.
+     *
+     * @param audience the audience of the credentials.
+     * @param scope    optional scope for the credentials.
+     */
+    protected fun getAPICredentialsKey(audience: String, scope: String?): String {
+        // Use audience if scope is null else use a combination of audience and scope
+        return if (scope == null) audience else "$audience::$scope"
+    }
 }

auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.kt

@@ -1,28 +1,24 @@
 package com.auth0.android.authentication.storage
 
 import android.text.TextUtils
-import android.util.Base64
 import android.util.Log
 import androidx.annotation.VisibleForTesting
 import com.auth0.android.authentication.AuthenticationAPIClient
 import com.auth0.android.authentication.AuthenticationException
-import com.auth0.android.authentication.storage.SecureCredentialsManager.Companion.KEY_CREDENTIALS
 import com.auth0.android.callback.Callback
 import com.auth0.android.request.internal.GsonProvider
 import com.auth0.android.request.internal.Jwt
 import com.auth0.android.result.APICredentials
 import com.auth0.android.result.Credentials
-import com.auth0.android.result.OptionalCredentials
 import com.auth0.android.result.SSOCredentials
 import com.auth0.android.result.UserProfile
 import com.auth0.android.result.toAPICredentials
 import com.google.gson.Gson
 import kotlinx.coroutines.suspendCancellableCoroutine
-import java.util.*
+import java.util.Date
+import java.util.Locale
 import java.util.concurrent.Executor
 import java.util.concurrent.Executors
-import kotlin.collections.component1
-import kotlin.collections.component2
 import kotlin.coroutines.resume
 import kotlin.coroutines.resumeWithException
 
@@ -85,10 +81,16 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting
      * Stores the given [APICredentials] in the storage for the given audience.
      * @param apiCredentials the API Credentials to be stored
      * @param audience the audience for which the credentials are stored
+     * @param scope the scope for which the credentials are stored
      */
-    override fun saveApiCredentials(apiCredentials: APICredentials, audience: String) {
+    override fun saveApiCredentials(
+        apiCredentials: APICredentials,
+        audience: String,
+        scope: String?
+    ) {
+        val key = getAPICredentialsKey(audience, scope)
         gson.toJson(apiCredentials).let {
-            storage.store(audience, it)
+            storage.store(key, it)
         }
     }
 
@@ -594,14 +596,23 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting
         headers: Map<String, String>,
         callback: Callback<APICredentials, CredentialsManagerException>
     ) {
+
         serialExecutor.execute {
             //Check if existing api credentials are present and valid
-            val apiCredentialsJson = storage.retrieveString(audience)
+            val key = getAPICredentialsKey(audience, scope)
+            val apiCredentialsJson = storage.retrieveString(key)
             apiCredentialsJson?.let {
                 val apiCredentials = gson.fromJson(it, APICredentials::class.java)
                 val willTokenExpire = willExpire(apiCredentials.expiresAt.time, minTtl.toLong())
-                val scopeChanged = hasScopeChanged(apiCredentials.scope, scope)
+
+                val scopeChanged = hasScopeChanged(
+                    apiCredentials.scope,
+                    scope,
+                    ignoreOpenid = scope?.contains("openid") == false
+                )
+
                 val hasExpired = hasExpired(apiCredentials.expiresAt.time)
+
                 if (!hasExpired && !willTokenExpire && !scopeChanged) {
                     callback.onSuccess(apiCredentials)
                     return@execute
@@ -645,7 +656,7 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting
                 val newApiCredentials = newCredentials.toAPICredentials()
                 storage.store(KEY_REFRESH_TOKEN, updatedRefreshToken)
                 storage.store(KEY_ID_TOKEN, newCredentials.idToken)
-                saveApiCredentials(newApiCredentials, audience)
+                saveApiCredentials(newApiCredentials, audience, scope)
                 callback.onSuccess(newApiCredentials)
             } catch (error: AuthenticationException) {
                 val exception = when {

auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt

@@ -11,24 +11,19 @@ import com.auth0.android.authentication.AuthenticationAPIClient
 import com.auth0.android.authentication.AuthenticationException
 import com.auth0.android.callback.Callback
 import com.auth0.android.request.internal.GsonProvider
-import com.auth0.android.request.internal.Jwt
 import com.auth0.android.result.APICredentials
 import com.auth0.android.result.Credentials
 import com.auth0.android.result.OptionalCredentials
 import com.auth0.android.result.SSOCredentials
 import com.auth0.android.result.UserProfile
 import com.auth0.android.result.toAPICredentials
 import com.google.gson.Gson
-import kotlinx.coroutines.CoroutineScope
-import kotlinx.coroutines.GlobalScope
-import kotlinx.coroutines.launch
 import kotlinx.coroutines.suspendCancellableCoroutine
 import java.lang.ref.WeakReference
-import java.util.*
+import java.util.Date
+import java.util.Locale
 import java.util.concurrent.Executor
 import java.util.concurrent.atomic.AtomicLong
-import kotlin.collections.component1
-import kotlin.collections.component2
 import kotlin.coroutines.resume
 import kotlin.coroutines.resumeWithException
 
@@ -143,13 +138,19 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
      * Stores the given [APICredentials] in the storage for the given audience.
      * @param apiCredentials the API Credentials to be stored
      * @param audience the audience for which the credentials are stored
+     * @param scope the scope for which the credentials are stored
      */
-    override fun saveApiCredentials(apiCredentials: APICredentials, audience: String) {
+    override fun saveApiCredentials(
+        apiCredentials: APICredentials,
+        audience: String,
+        scope: String?
+    ) {
+        val key = getAPICredentialsKey(audience, scope)
         val json = gson.toJson(apiCredentials)
         try {
             val encrypted = crypto.encrypt(json.toByteArray())
             val encryptedEncoded = Base64.encodeToString(encrypted, Base64.DEFAULT)
-            storage.store(audience, encryptedEncoded)
+            storage.store(key, encryptedEncoded)
         } catch (e: IncompatibleDeviceException) {
             throw CredentialsManagerException(
                 CredentialsManagerException.Code.INCOMPATIBLE_DEVICE,
@@ -270,7 +271,7 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
             if (credentials == null) {
                 return null
             }
-           return credentials.user
+            return credentials.user
         }
 
     /**
@@ -908,7 +909,7 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
         callback: Callback<APICredentials, CredentialsManagerException>
     ) {
         serialExecutor.execute {
-            val encryptedEncodedJson = storage.retrieveString(audience)
+            val encryptedEncodedJson = storage.retrieveString(getAPICredentialsKey(audience, scope))
             //Check if existing api credentials are present and valid
             encryptedEncodedJson?.let { encryptedEncoded ->
                 val encrypted = Base64.decode(encryptedEncoded, Base64.DEFAULT)
@@ -938,7 +939,10 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
 
                 val expiresAt = apiCredentials.expiresAt.time
                 val willAccessTokenExpire = willExpire(expiresAt, minTtl.toLong())
-                val scopeChanged = hasScopeChanged(apiCredentials.scope, scope)
+                val scopeChanged = hasScopeChanged(
+                    apiCredentials.scope, scope,
+                    ignoreOpenid = scope?.contains("openid") == false
+                )
                 val hasExpired = hasExpired(apiCredentials.expiresAt.time)
                 if (!hasExpired && !willAccessTokenExpire && !scopeChanged) {
                     callback.onSuccess(apiCredentials)
@@ -993,7 +997,7 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
                         idToken = newCredentials.idToken
                     )
                 )
-                saveApiCredentials(newApiCredentials, audience)
+                saveApiCredentials(newApiCredentials, audience, scope)
                 callback.onSuccess(newApiCredentials)
 
             } catch (error: AuthenticationException) {
@@ -1138,7 +1142,7 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
     internal fun isBiometricSessionValid(): Boolean {
         val lastAuth = lastBiometricAuthTime.get()
         if (lastAuth == NO_SESSION) return false // No session exists
-        
+
         return when (val policy = biometricPolicy) {
             is BiometricPolicy.Session,
             is BiometricPolicy.AppLifecycle -> {
@@ -1149,6 +1153,7 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
                 } * 1000L
                 System.currentTimeMillis() - lastAuth < timeoutMillis
             }
+
             is BiometricPolicy.Always -> false
         }
     }