Move authority migration to common core #130
Conversation
| @@ -108,3 +107,17 @@ | |||
| NSString *const MSID_LEGACY_TOKEN_CACHE_TYPE = @"legacysingleresourcetoken"; | |||
| NSString *const MSID_ID_TOKEN_CACHE_TYPE = @"idtoken"; | |||
| NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE = @"token"; | |||
|
|
|||
| NSString *MSID_OAUTH2_AUTHORIZE_SUFFIX(void) | |||
There was a problem hiding this comment.
Can we move it out of constants?
There was a problem hiding this comment.
I like the approach, but with Olga in this one, lets move it
| NSParameterAssert(authority); | ||
|
|
||
| NSMutableDictionary *parameters = [NSMutableDictionary new]; | ||
| parameters[@"api-version"] = @"1.1"; |
There was a problem hiding this comment.
nit: can this be configurable?
|
|
||
| NSMutableDictionary *parameters = [NSMutableDictionary new]; | ||
| parameters[@"api-version"] = @"1.1"; | ||
| __auto_type authorizationEndpoint = [authority.absoluteString.lowercaseString stringByAppendingString:MSID_OAUTH2_AUTHORIZE_SUFFIX()]; |
There was a problem hiding this comment.
do we need to hardcode this one?
| return nil; | ||
| } | ||
|
|
||
| __auto_type endpoint = (NSString *)jsonObject[@"IdentityProviderService"][@"PassiveAuthEndpoint"]; |
There was a problem hiding this comment.
Can we make sure it's coming as NSString?
| else if (type == MSIDADFSTypeCloud) | ||
| { | ||
| return [NSURL URLWithString: | ||
| [NSString stringWithFormat:@"https://enterpriseregistration.windows.net/%@/enrollmentserver/contract", domain.lowercaseString]]; |
There was a problem hiding this comment.
does this have to be a hardcoded URL?
| } | ||
|
|
||
| // B2C | ||
| if ([self isB2CInstanceURL:authority]) |
There was a problem hiding this comment.
consider adding a separate class for normalization and additional authority manipulations. e.g. separate for B2C, ADFS etc
| return NO; | ||
| } | ||
|
|
||
| if (authority.pathComponents.count < 2) |
There was a problem hiding this comment.
again, this is realistic for AAD, but for other authorities there might be less than 2 components, because there's no tenant. Can we make sure we separate the "base" implementation from AAD specific things.
There was a problem hiding this comment.
i agree with possible need for a specific aad check.
However, for check is for all authorities afaik. b2c will have "tfp" as a component, adfs => "adfs" and aad will have it's value.
|
|
||
| #import <Foundation/Foundation.h> | ||
|
|
||
| @interface MSIDAuthorityCacheRecord : NSObject |
There was a problem hiding this comment.
just curious, what is this class for?
There was a problem hiding this comment.
It is used for saving authority validation info into the cache. We use MSIDAuthorityCacheRecord & MSIDAadAuthorityCacheRecord.
| context:(id<MSIDRequestContext>)context | ||
| completionBlock:(MSIDAuthorityInfoBlock)completionBlock | ||
| { | ||
| if (validate && ![MSIDAuthority isKnownHost:authority]) |
There was a problem hiding this comment.
does this mean if authority validation is enabled for B2C, MSAL always fails?
There was a problem hiding this comment.
That is correct. Not supported.
|
|
||
| @interface MSIDOpenIdProviderMetadata : NSObject | ||
|
|
||
| @property (nonatomic) NSURL *authorizationEndpoint; |
There was a problem hiding this comment.
should we have additional fields from the protocol in here?
There was a problem hiding this comment.
We can add additional fields, but we don't use them right now.
IdentityCore/src/MSIDConfiguration.h
Outdated
|
|
||
| #import <Foundation/Foundation.h> | ||
|
|
||
| @interface MSIDConfiguration : NSObject |
There was a problem hiding this comment.
Remember we've moved request params to be a configuration.
Please rename this class.
| @@ -108,3 +107,17 @@ | |||
| NSString *const MSID_LEGACY_TOKEN_CACHE_TYPE = @"legacysingleresourcetoken"; | |||
| NSString *const MSID_ID_TOKEN_CACHE_TYPE = @"idtoken"; | |||
| NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE = @"token"; | |||
|
|
|||
| NSString *MSID_OAUTH2_AUTHORIZE_SUFFIX(void) | |||
There was a problem hiding this comment.
I like the approach, but with Olga in this one, lets move it
| { | ||
| __auto_type apiVersion = MSIDConfiguration.defaultConfiguration.aadApiVersion; | ||
|
|
||
| return [NSString stringWithFormat:@"/oauth2/%@%@authorize", apiVersion ?: @"", apiVersion ? @"/" : @""]; |
There was a problem hiding this comment.
ternary within a ternary is a hard read.
| { | ||
| __auto_type apiVersion = MSIDConfiguration.defaultConfiguration.aadApiVersion; | ||
|
|
||
| return [NSString stringWithFormat:@"/oauth2/%@%@token", apiVersion ?: @"", apiVersion ? @"/" : @""]; |
|
|
||
| @end | ||
|
|
||
| @interface MSIDAADGetAuthorityMetadataRequest : MSIDHttpRequest |
There was a problem hiding this comment.
nit: Lets remove "Get" from the name
| @interface MSIDDRSDiscoveryRequest : MSIDHttpRequest | ||
|
|
||
| - (instancetype)initWithDomain:(NSString *)domain | ||
| adfsType:(MSIDADFSType)adfsType NS_DESIGNATED_INITIALIZER; |
| NSString *oauthError = jsonObject[@"error"]; | ||
| if (![NSString msidIsStringNilOrBlank:oauthError]) | ||
| { | ||
| if (error) *error = MSIDCreateError(MSIDErrorDomain, |
There was a problem hiding this comment.
nit: this could use a bracket and new lines :p
| self = [super init]; | ||
| if (self) | ||
| { | ||
| NSParameterAssert(domain); |
There was a problem hiding this comment.
If you are asserting this, might as well put nonnull at method declaration
| _parameters = parameters; | ||
|
|
||
| NSMutableURLRequest *urlRequest = [NSMutableURLRequest new]; | ||
| urlRequest.URL = [NSURL URLWithString:[NSString stringWithFormat:@"https://%@/.well-known/webfinger", issuer.host]]; |
| @@ -42,4 +54,24 @@ | |||
| + (NSURL *)cacheUrlForAuthority:(NSURL *)authority | |||
| tenantId:(NSString *)tenantId; | |||
|
|
|||
| + (void)discoverAuthority:(NSURL *)authority | |||
There was a problem hiding this comment.
discovery is a part of the process, not the overall definition of what we need to do.
| context:(id<MSIDRequestContext>)context | ||
| completionBlock:(MSIDOpenIdConfigurationInfoBlock)completionBlock; | ||
|
|
||
| + (NSURL *)normalizeAuthority:(NSURL *)authority |
There was a problem hiding this comment.
Why accept URL not string as a parameter here?
There was a problem hiding this comment.
We use authority as NSURL everywhere in common core. In my opinion, in order to be consistent, we should use it as NSURL here as well.
| context:(id<MSIDRequestContext>)context | ||
| error:(NSError * __autoreleasing *)error; | ||
|
|
||
| + (BOOL)isAuthorityFormatValid:(NSURL *)authority |
There was a problem hiding this comment.
What does this serve that normalizeAuthority doesn't? i.e./ does this need to be exposed outside of this class?
There was a problem hiding this comment.
Removed it's declaration from public header.
| @interface MSIDAuthority : NSObject | ||
|
|
||
| @property (class, readonly) NSCache *openIdConfigurationCache; | ||
|
|
||
| + (BOOL)isADFSInstance:(NSString *)endpoint; | ||
| + (BOOL)isADFSInstanceURL:(NSURL *)endpointUrl; |
There was a problem hiding this comment.
This seem very duplicative of one another. do we really need these two methods?
There was a problem hiding this comment.
One accepting NSURL should be enough here.
There was a problem hiding this comment.
These methods weren't added in this pr, I suggest to refactor them during our MSIDAuthority refactoring.
| @@ -137,4 +197,145 @@ + (NSURL *)cacheUrlForAuthority:(NSURL *)authority | |||
| return [NSURL URLWithString:[NSString stringWithFormat:@"https://%@/%@", [authority msidHostWithPortIfNecessary], tenantId]]; | |||
| } | |||
|
|
|||
| + (void)discoverAuthority:(NSURL *)authority | |||
There was a problem hiding this comment.
again, discovery is not what we are solely doing here.
| }]; | ||
| } | ||
|
|
||
| + (NSURL *)normalizeAuthority:(NSURL *)authority |
There was a problem hiding this comment.
as mentioned before, having this authority as a string would be better for our use case, no?
| } | ||
| return NO; | ||
| } | ||
|
|
There was a problem hiding this comment.
also check against login.windows.net, which is not deprecated. Advise to use login.microsoftonline.com instead
| return NO; | ||
| } | ||
|
|
||
| if (authority.pathComponents.count < 2) |
There was a problem hiding this comment.
i agree with possible need for a specific aad check.
However, for check is for all authorities afaik. b2c will have "tfp" as a component, adfs => "adfs" and aad will have it's value.
| { | ||
| if (error) | ||
| { | ||
| *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"authority must specify a tenant or common.", nil, nil, nil, context.correlationId, nil); |
There was a problem hiding this comment.
MSAL also says the same, but we might want to rename this as tenant/common is pretty much AAD only.
| context:(id<MSIDRequestContext>)context | ||
| completionBlock:(MSIDAuthorityInfoBlock)completionBlock | ||
| { | ||
| if (validate && ![MSIDAuthority isKnownHost:authority]) |
There was a problem hiding this comment.
That is correct. Not supported.
…oft-authentication-library-common-for-objc into sedemche/authorityAliases
| @@ -3518,6 +3724,9 @@ | |||
| isa = XCBuildConfiguration; | |||
| baseConfigurationReference = D6CF4E961FC3626A00CD70C5 /* identitycore__tests__ios.xcconfig */; | |||
| buildSettings = { | |||
| CLANG_ENABLE_MODULES = YES; | |||
| LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks"; | |||
| SWIFT_VERSION = 3.0; | |||
| GCC_OPTIMIZATION_LEVEL = 0; | ||
| LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; | ||
| SWIFT_OPTIMIZATION_LEVEL = "-Onone"; | ||
| SWIFT_VERSION = 3.0; |
| #import <Foundation/Foundation.h> | ||
| #import "MSIDADFSType.h" | ||
|
|
||
| @protocol MSIDAADEndpointProviding <NSObject> |
There was a problem hiding this comment.
nit: endpoint providing should apply also to basic Oauth2 flow, not only to AAD (e.g. we should be able to find an authorize endpoint or openid config for Google). We can take this as a separate issue though.
There was a problem hiding this comment.
Added comment about it in #211
| @property (class, nonnull) MSIDURLSessionManager *defaultManager; | ||
| @property (nonatomic, readonly, nonnull) NSURLSessionConfiguration *configuration; | ||
| @property (nonatomic, readonly, nonnull) NSURLSession *session; | ||
| @property (nonatomic, readonly, nullable) MSIDURLSessionDelegate *delegate; |
There was a problem hiding this comment.
nit: Why do we need to save delegate outside of passing it to NSURLSession?
There was a problem hiding this comment.
you are right, removed it.
| NSError *jsonError; | ||
| NSDictionary *jsonObject = [super responseObjectForResponse:httpResponse data:data context:context error:&jsonError]; | ||
|
|
||
| if (jsonError) |
There was a problem hiding this comment.
I think it would be more accurate to check if (!jsonObject) here and return early if it's nil.
| NSURLComponents *urlComponents = [NSURLComponents componentsWithURL:mutableRequest.URL resolvingAgainstBaseURL:NO]; | ||
| NSMutableDictionary *urlParameters = [[mutableRequest.URL msidQueryParameters] mutableCopy] ?: [NSMutableDictionary new]; | ||
| [urlParameters addEntriesFromDictionary:parameters]; | ||
| urlComponents.percentEncodedQuery = [urlParameters msidURLFormEncode]; |
| ofField:(NSString *)field | ||
| context:(id <MSIDRequestContext>)context | ||
| errorCode:(NSInteger)errorCode | ||
| error:(NSError **)error; |
| nil, nil, context.correlationId, nil); | ||
| } | ||
|
|
||
| MSID_LOG_ERROR_PII(nil, @"%@", message); |
There was a problem hiding this comment.
I don't think field name needs to be PII
| __auto_type drsCloudRequest = [[MSIDDRSDiscoveryRequest alloc] initWithDomain:domain adfsType:MSIDADFSTypeCloud context:context]; | ||
| [drsCloudRequest sendWithBlock:^(id response, NSError *error) | ||
| { | ||
| if (completionBlock) completionBlock(response, error); |
| @"key3": @"value3"}; | ||
|
|
||
| NSError *error; | ||
| BOOL result = [inputDictionary assertType:NSString.class ofField:@"key1" context:nil errorCode:1 error:&error]; |
There was a problem hiding this comment.
nit: please also check that correct error was returned.
No description provided.