Split authority #151
Split authority #151
Conversation
antrix1989
force-pushed
the
sedemche/split_authorities
branch
from
d34e91b to
12739ce
Compare
| @@ -9,13 +9,21 @@ | |||
| /* Begin PBXBuildFile section */ | |||
| 04930F851FEC8E6800FC4DCD /* MSIDAadAuthorityCache.m in Sources */ = {isa = PBXBuildFile; fileRef = 04930F831FEC8E6800FC4DCD /* MSIDAadAuthorityCache.m */; }; | |||
| 04930F8B1FEC8EB900FC4DCD /* MSIDAadAuthorityCache.m in Sources */ = {isa = PBXBuildFile; fileRef = 04930F831FEC8E6800FC4DCD /* MSIDAadAuthorityCache.m */; }; | |||
| 04930F8C1FEC8EC200FC4DCD /* MSIDAadAuthorityCache+TestUtil.m in Sources */ = {isa = PBXBuildFile; fileRef = 04930F881FEC8E9400FC4DCD /* MSIDAadAuthorityCache+TestUtil.m */; }; | |||
| 04930F8D1FEC8EC200FC4DCD /* MSIDAadAuthorityCache+TestUtil.m in Sources */ = {isa = PBXBuildFile; fileRef = 04930F881FEC8E9400FC4DCD /* MSIDAadAuthorityCache+TestUtil.m */; }; | |||
| 04930F8C1FEC8EC200FC4DCD /* (null) in Sources */ = {isa = PBXBuildFile; }; | |||
There was a problem hiding this comment.
Looks like some kind of a project file conflict (null). Can you check this?
|
|
||
| @property (nonatomic, nullable) NSString *aadAuthorityDiscoveryApiVersion; | ||
|
|
||
| @property (nonatomic, nullable) NSString *drsDiscoveryApiVersion; |
There was a problem hiding this comment.
When do we use DRS for AAD authority validation?
There was a problem hiding this comment.
we don't use it for AAD, it is for ADFS authority validation.
IdentityCore/src/MSIDADFSType.h
Outdated
| typedef NS_ENUM(NSInteger, MSIDADFSType) | ||
| { | ||
| MSIDADFSTypeOnPrems, | ||
| MSIDADFSTypeCloud |
There was a problem hiding this comment.
Let's rename MSIDADFSTypeCloud to something more appropriate
IdentityCore/src/MSIDADFSType.h
Outdated
|
|
||
| typedef NS_ENUM(NSInteger, MSIDADFSType) | ||
| { | ||
| MSIDADFSTypeOnPrems, |
| account.authority = [MSIDAuthority cacheUrlForAuthority:refreshToken.authority tenantId:refreshToken.realm]; | ||
|
|
||
| __auto_type authorityFactory = [MSIDAuthorityFactory new]; | ||
| __auto_type authority = [authorityFactory authorityFromUrl:refreshToken.authority rawTenant:refreshToken.realm context:nil error:nil]; |
There was a problem hiding this comment.
will this do authority aliasing?
| { | ||
| if (!validate) | ||
| { | ||
| __auto_type openIdConfigurationEndpoint = [self openIdConfigurationEndpointForAuthority:authority.url]; |
There was a problem hiding this comment.
Not all ADFS versions support openid
There was a problem hiding this comment.
what should we do in such case? In current ADAL/MSAL we assume that adfs is always supports open id.
| drsCloudRequest.context = context; | ||
| [drsCloudRequest sendWithBlock:^(id response, NSError *error) | ||
| { | ||
| if (response) |
There was a problem hiding this comment.
should we return error if there's no response?
| return [@"adfs" isEqualToString:tenant]; | ||
| } | ||
| return NO; | ||
| return [s_trustedHostList containsObject:host.lowercaseString]; |
There was a problem hiding this comment.
if it's a base MSIDAuthority class, AAD authorities shouldn't be known
|
|
||
| if (validate && ![authority isKnown]) | ||
| { | ||
| __auto_type error = MSIDCreateError(MSIDErrorDomain, MSIDErrorServerInvalidRequest, @"Authority validation is not supported for this type of authority", nil, nil, nil, context.correlationId, nil); |
There was a problem hiding this comment.
B2C should also have openid configuration endpoint. Can we reuse the same logic here?
There was a problem hiding this comment.
I suggest to merge current pr first, and then we can add opend id endpoint support to B2C. Currently MSAL doesn't support it anyway.
| @@ -191,7 +192,10 @@ - (void)webView:(WKWebView *)webView decidePolicyForNavigationAction:(WKNavigati | |||
| { | |||
| NSURL *requestURL = navigationAction.request.URL; | |||
|
|
|||
| MSID_LOG_VERBOSE(self.context, @"-decidePolicyForNavigationAction host: %@", [MSIDAuthority isKnownHost:requestURL] ? requestURL.host : @"unknown host"); | |||
| // __auto_type authorityFactory = [MSIDAuthorityFactory new]; | |||
| // __auto_type authority = [authorityFactory authorityFromUrl:account.authority rawTenant:response.idTokenObj.realm context:nil error:nil]; | |||
| @@ -33,6 +35,14 @@ + (void)initialize | |||
| if (self == [MSIDAADNetworkConfiguration self]) | |||
| { | |||
| s_defaultConfiguration = [MSIDAADNetworkConfiguration new]; | |||
|
|
|||
| s_trustedHostList = [NSSet setWithObjects:MSIDTrustedAuthority, | |||
There was a problem hiding this comment.
please see a comment in another PR about making sure the list of authorities is up to date
| extern NSString * _Nonnull const MSID_OS_VER_KEY;//iOS/OSX version | ||
| extern NSString * _Nonnull const MSID_DEVICE_MODEL_KEY;//E.g. iPhone 5S | ||
|
|
||
| extern NSString * _Nonnull const MSIDTrustedAuthority; |
There was a problem hiding this comment.
nit: can we follow the same format as other constants?
There was a problem hiding this comment.
Decided to keep camel case constants and change upper case constants to camel case latter.
|
|
||
| if (authorityUrl) | ||
| { | ||
| requestUrl = [requestUrl msidURLForPreferredHost:[authorityUrl msidHostWithPortIfNecessary] context:nil error:nil]; |
There was a problem hiding this comment.
So, what it does, it tries to replace the host of request url with host from network url. Can we just query for network host and swap the hosts? Or at least add a more thorough comment. This logic is a bit confusing to read.
| - (NSURL *)cacheUrlWithContext:(id<MSIDRequestContext>)context | ||
| { | ||
| __auto_type universalAuthorityURL = [self universalAuthorityURL]; | ||
| __auto_type authority = (MSIDAADAuthority *)[self.authorityFactory authorityFromUrl:universalAuthorityURL context:context error:nil]; |
There was a problem hiding this comment.
nit: why are we ignoring error?
There was a problem hiding this comment.
authorityFactory internally will write to logs if parsing has failed.
|
|
||
| - (nonnull NSString *)authorityType | ||
| { | ||
| return MSID_TELEMETRY_VALUE_AUTHORITY_AAD; |
There was a problem hiding this comment.
nit: it's a bit weird to use a telemetry constant for authority type here. Can we rename the constant or rename the method to telemetryAuthorityType?
There was a problem hiding this comment.
renamed to telemetryAuthorityType
| + (BOOL)isADFSInstanceURL:(nonnull NSURL *)endpointUrl; | ||
| + (BOOL)isConsumerInstanceURL:(nonnull NSURL *)authorityURL; | ||
| + (BOOL)isB2CInstanceURL:(nonnull NSURL *)endpointUrl; | ||
| - (nonnull NSArray<NSURL *> *)cacheAliases; |
There was a problem hiding this comment.
In the new cache we don't operate based on alias URLs, we operate based on environments which are strings. How can we now get a list of environment aliases?
There was a problem hiding this comment.
We still can get them from MSIDOauth2Factory. On the other hand, I don't think that MSIDOauth2Factory is a right place for such logic, that is why I suggest to revise it latter, see #222.
|
|
||
| if (error) | ||
| { | ||
| *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInvalidDeveloperParameter, @"Provided authority url is not a valid authority.", nil, nil, nil, context.correlationId, nil); |
There was a problem hiding this comment.
Should we create a base OIDC authority instead?
Let's create an issue to follow up... (don't block on this)
There was a problem hiding this comment.
Probably we should. Created issue: #224
| if (b2cAuthority) return b2cAuthority; | ||
| } | ||
|
|
||
| if ([MSIDAADAuthority isAuthorityFormatValid:url context:context error:nil]) |
There was a problem hiding this comment.
this checks for MSIDAADAuthority and creates ADFS authority
| { | ||
| if ([MSIDB2CAuthority isAuthorityFormatValid:url context:context error:nil]) | ||
| { | ||
| __auto_type b2cAuthority = [[MSIDB2CAuthority alloc] initWithURL:url rawTenant:rawTenant context:context error:nil]; |
There was a problem hiding this comment.
none of the initializers takes error?
There was a problem hiding this comment.
Added underlyingError.
| context:(id<MSIDRequestContext>)context | ||
| error:(NSError **)error | ||
| { | ||
| if ([MSIDB2CAuthority isAuthorityFormatValid:url context:context error:nil]) |
There was a problem hiding this comment.
this code looks quite similar to the next one except there's no tenant. Can we just pass nil tenant to initializer?
There was a problem hiding this comment.
good point, refactored.
| { | ||
| s_defaultConfiguration = [MSIDAADNetworkConfiguration new]; | ||
|
|
||
| s_trustedHostList = [NSSet setWithObjects:MSIDTrustedAuthority, |
There was a problem hiding this comment.
I think you added more hosts into here in another PR?
|
|
||
| - (NSSet<NSString *> *)trustedHosts | ||
| { | ||
| return s_trustedHostList; |
IdentityCore/src/MSIDCache.m
Outdated
| - (void)setObject:(id)obj forKey:(id)key | ||
| { | ||
| dispatch_barrier_sync(self.synchronizationQueue, ^{ | ||
| [self.container setObject:obj forKey:key]; |
There was a problem hiding this comment.
I think you fixed this to use subscript in another PR?
There was a problem hiding this comment.
yes, it was fixed in another PR.
| @@ -26,8 +26,6 @@ extern NSString *const MSID_OAUTH2_AUTHORIZATION; | |||
| extern NSString *const MSID_OAUTH2_AUTHORIZATION_CODE; | |||
| extern NSString *const MSID_OAUTH2_AUTHORIZATION_URI; | |||
| extern NSString *const MSID_OAUTH2_AUTHORITY; | |||
| extern NSString *const MSID_OAUTH2_AUTHORIZE_SUFFIX; | |||
There was a problem hiding this comment.
those constants are still used in ADAL. Please revert removal...
| @@ -229,8 +231,8 @@ - (MSIDAccessToken *)getAccessTokenForAccount:(MSIDAccountIdentifier *)account | |||
|
|
|||
| MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new]; | |||
| query.homeAccountId = account.homeAccountId; | |||
| query.environment = configuration.authority.msidHostWithPortIfNecessary; | |||
| query.realm = configuration.authority.msidTenant; | |||
| query.environment = configuration.authority.url.msidHostWithPortIfNecessary; | |||
There was a problem hiding this comment.
maybe we can have "host" method in authority object itself? That way we can avoid recalculating it every time through msidHostWithPortIfNecessary.
| query.environment = accessToken.authority.msidHostWithPortIfNecessary; | ||
| query.realm = accessToken.authority.msidTenant; | ||
| query.environment = accessToken.authority.url.msidHostWithPortIfNecessary; | ||
| query.realm = accessToken.authority.url.msidTenant; |
There was a problem hiding this comment.
don't we have tenant in authority object itself?
There was a problem hiding this comment.
We have tenant in MSIDAADAuthority, but since authority here is MSIDAuthority, we can not get tenant without dynamic cast to MSIDAADAuthority.
Default accessor fixes related to authority aliases
| - (id)copyWithZone:(NSZone *)zone | ||
| { | ||
| MSIDAADAuthority *authority = [super copyWithZone:zone]; | ||
| authority->_tenant = [_tenant copyWithZone:zone]; |
No description provided.