azuread / microsoft-authentication-library-common-for-objc Goto Github PK

See how it is done in MSIDOpenIdConfigurationInfoRequest:

- (instancetype _Nullable)initWithEndpoint:(nonnull NSURL *)endpoint
                                   context:(nullable id<MSIDRequestContext>)context NS_DESIGNATED_INITIALIZER;

MSIDCredentialCollectionController has bunch of values that we use to draw.
Let's improve on this.

Hi,

Currently the only way to create SPNs is powershell or API.

We need support for SPN creation through ARM template

Create an API layer for base token cache component

Currently we support only Microsoft's authorities (AAD, ADFS, B2C). Decide if we should allow to provide 3d party authorities.

Currently it does the same Kerberos handling for both iOS and macOS. However, Kerberos is handled transparently by the system, so we should always reject negotiate if we get one.

Would be great with support for CocoaPods as well.

https://guides.cocoapods.org/making/index.html

AAD v1 will now also return client info. We can move the MSALClientInfo class to the common core.

Move out drs discovery endpoint from here, because it's ADFS and not AAD specific.
Endpoint providing should apply also to basic Oauth2 flow, not only to AAD (e.g. we should be able to find an authorize endpoint or openid config for Google).

There're lots of constants that are duplicated between ADAL and MSAL. Going forward, all the constants that are the same, should be in the common core.

Currently MSIDLegacyTokenCacheKey needs to encode authority, resource etc, so it needs to parse those out of account, service properties. Revisit this logic.

Instead of passing authority as NSURL, developer should create instance of MSIDAuthority and provide authority endpoint together with authority type to it.

Because MSIDLogger is not thread safe, it crashes during the tests. Run the following UT to reproduce the issue:

• (void)test_logger
  {
  while (true) {
  dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^ {
  MSID_LOG_WARN(nil, @"BG thread");
  });

    MSID_LOG_WARN(nil, @"Main thread");
  

  }
  }

For broker, need to check UPN, for clients, applink check is needed.

See context here: #48

Going forward we should refactor the keychain token cache to be generic enough to handle both ADAL and MSAL and operate on keys and values. Token cache should be responsible for accessing the cache storage and performing reading and writing of tokens for that storage (in that case keychain storage).

This should include designing the actual API and keeping stub implementations.

In interactive flow, see if using upn from the response of msauth://wpj?upn=...&applink=... be better than username from request parameter

Currently we have lots of utils that are same between ADAL and MSAL:

e.g. Base64 url encoding/decoding
checking if string is empty or nil
string manipulation (e.g. string trimming)
sha256 computation

Because token cache and lots of ADAL/MSAL code uses those utils, we should move them to common core to be reusable.

Logger implementations and macros are already the same between ADAL and MSAL. We can now just move them to the common core.

Currently it can serialize/deserialize to NSData via NSArchiver. We might need to add json serialization as well.

Current error conversion is very error prone, if developer forgets to convert error in MSAL or ADAL

Instead, convert error when creating in in MSID space to avoid developer forgetting to convert it

This can be achieved if MSID creates "error delegate" that it calls before returning the final error. ADAL and MSAL would implement it and return appropriate error.

Remove 'resource', 'clientId', 'authority' from MSIDTokenCacheKey and parse them from 'service' instead;

+ (MSIDTokenCacheKey *)keyWithAuthority:(NSURL *)authority
                               clientId:(NSString *)clientId
                               resource:(NSString *)resource
                                    upn:(NSString *)upn
{
    MSIDTokenCacheKey *key = [[MSIDTokenCacheKey alloc] initWithAccount:upn
                                                                service:[self.class serviceWithAuthority:authority
                                                                                                resource:resource
                                                                                                clientId:clientId]
                                                                   type:nil];
    
    key.authority = authority;
    key.clientId = clientId;
    key.resource = resource;
    
    return key;
}

+ (NSString *)serviceWithAuthority:(NSURL *)authority
                          resource:(NSString *)resource
                          clientId:(NSString *)clientId
{
    
    return [NSString stringWithFormat:@"%@|%@|%@|%@",
            s_adalLibraryString,
            authority.absoluteString.msidBase64UrlEncode,
            [self.class getAttributeName:resource.msidBase64UrlEncode],
            clientId.msidBase64UrlEncode];
}

MSIDDeviceId class has multiple things in it, consider renaming or splitting this class. Also synchronize the method names.

Consider the following flow:

We get list of ATs, using api like 'getAllTokensOfType:withClientId:context:error', after we set expireOn to current date and we wanna save tokens back to the cache.

Currently for embedded webview, we dismiss the loading spinner in the following delegate callback:

• webView:didFinishNavigation:
• webView:didFailNavigation:withError:
• webView:didFailProvisionalNavigation:withError:

However, depending on server behavior, a page may or may not continue to load if we reject a auth challenge, say client TLS challenge.
If a page continues to load, the spinner will be dismissed by hitting any of the above delegate callbacks;
If a page does not continue to load, the spinner will not be dismissed.

We could try to figure out whether there is a way to improve the experience.

Some logic might need to be added to MSIDAADRequestErrorHandler.m, to replicate the behavior here: https://github.com/AzureAD/azure-activedirectory-library-for-objc/blob/dev/ADAL/src/request/ADWebAuthResponse.m#L240

We use context to get correlationID and logcomponents.
Discussion point here is to decide whether or not we want to pass in the context object vs passing in 2 strings, namely correlationId and log components.

In NSString+MSIDExtensions, should we return a hex string or base64 encoding?

In the past we've built and tested a dynamic library and tested that, however with a static library the executable being tested is the xctest binary itself. This means we need to change what binary is fed into llvm-cov and provide it a set of source files to filter on.

llvm-cov report [options] -instr-profile PROFILE BIN [-object BIN,...] [[-object BIN]] [SOURCES]

There currently is a bug in llvm-cov that prevents the SOURCES from being respected, but it's been fixed and will eventually get folded into an xcode release: https://bugs.llvm.org/show_bug.cgi?id=34275

Add this to the target specifier in build.py

		"codecov_sources" : "IdentityCore/src",
		"codecov_use_test_binary" : True,

such as nsdictionary extension, does not have msid prefix.

Currently the NTLM dialog implementation for Mac has some hard-coded X/Y coordinates.
Probably we want to figure out a better way to construct the dialog. NSStackView, NSAlert, or something else....

Currently, there is a single remove API,
removeItemsWithKey:
which if key is nil, deletes everything.
This could create confusion down the road.

As a reference, ADAL when given nil key, does not remove anything.

Not sure which is correct, but surely needs to be discussed and make it coherent.

Decide if we need to move out logic that is not related to json parsing from this class. In particular, these methods:

@property (readonly) MSIDWebviewFactory *webviewFactory;
- (NSString *)cacheEnvironmentFromEnvironment:(NSString *)originalEnvironment context:(id<MSIDRequestContext>)context;
- (NSArray<NSString *> *)defaultCacheAliasesForEnvironment:(NSString *)originalEnvironment;

Because both ADAL and MSAL token caches have telemetry around them, it will be tricky to implement common cache without bringing telemetry to common.

As part of the unified cache work we should minimize the amount of telemetry work, but the telemetry around cache should be common.

MSIDTokenSerializer should be able to ser/deser any class type, not only MSIDToken.

Current design creates session per request.
Let's design such that we have a queue for a session that we can reuse for all our tasks.