
Commit 7c5f93d

Merge pull request #1318 from AzureAD/release/2.0.8
Merge Release/2.0.8 to master
2 parents 65eec62 + c570fc7 commit 7c5f93d


77 files changed

+2096
-2167
lines changed


changelog

Lines changed: 4 additions & 0 deletions
@@ -1,5 +1,9 @@
11
MSAL Wiki : https://github.com/AzureAD/microsoft-authentication-library-for-android/wiki
22

3+
Version 2.0.8
4+
----------
5+
- [MINOR] Changes to Broker Validation to allow setting whether to trust debug brokers (prod brokers are always trusted).
6+
37
Version 2.0.6
48
----------
59
- Warn if SAPCA used with B2C. Throw Exception if Multiple Policies are Configured (#1270)
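Review bot: the 2.0.8 entry should state the default of the new debug-broker trust setting (whether debug brokers are trusted unless the app opts out, or untrusted unless it opts in), because that default decides whether a debug-signed broker can be accepted on a production device; as written the line only says the setting exists and that prod brokers are always trusted. The list also jumps from 2.0.6 to 2.0.8 with no 2.0.7 entry, which is worth filling in or marking as a skipped release. Suggested wording: `- [MINOR] Broker Validation can now be configured to trust debug brokers (default: <state the default>); prod brokers are always trusted.`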

common

Submodule common updated 105 files
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
# Best Practices for Use of MSAL with B2C Policies and the Identity Experience Framework
2+
3+
## Overview
4+
The B2C Identity Experience Framework (IEF) enables a wide variety of experiences and functionalities by offering developers a high degree of policy, journey, and token response customization.
5+
6+
To ensure compatibility with the MSAL client libraries, a core set of response tokens and claims conforming to the OAuth 2.0 and OpenID Connect specifications must be returned by your application's policies.
7+
8+
## Token Response Properties Required by MSAL
9+
The following artifacts must be included in the response from your policy's `/token` endpoint:
10+
11+
| Artifact | Expected Format | Description |
12+
|-------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
13+
| `access_token` | String (JWT) | The requested access token. The app can use this token to authenticate to the secured resource, such as a web API. |
14+
| `token_type` | String | Indicates the token type such a 'Bearer'. |
15+
| `expires_in` | Numeric | How long the access token is valid (in seconds). |
16+
| `scope` | String | The scopes for which the access token is valid. |
17+
| `refresh_token` | String | An OAuth 2.0 refresh token. The app can use this token to acquire additional access tokens after the current access token expires.<br><br>Refresh tokens are long-lived and can be used to retain access to resources for extended periods of time. `offline_access` must be requested to obtain this token.<br><br>**Please Note:** Single Page Applications (SPAs) should not request `offline_access` as these apps will be issued a refresh token with a 24H validity period by default. |
18+
| `id_token` | String (JWT) | The app can decode this token to discover information about the signed-in user. The app may cache this token and use its contents for display purposes. |
19+
| `client_info` | String (base64 encoded JSON) | Automatically provided by B2C IdP. Metadata about the user and their tenant. |
20+
21+
## ID Token Claims Required by MSAL Libraries
22+
The following ID token token claims are required when using MSAL:
23+
24+
| Claim | Expected Format | Description |
25+
|-----------------------------------------------------------------------------------------------------------|-----------------|------------------------------------------------------------------------------------------------------------|
26+
| One or more of:<br>- `sub`<br>- `oid` | String | A locally unique identifier within the issuer for the end-user. |
27+
| One or more of:<br>- `preferred_username`<br>- `email`<br>- `emails` (Applies to MSAL-JS only)<br>- `upn` | String | If no value is returned, MSAL client libraries will use a default value: `MISSING_FROM_THE_TOKEN_RESPONSE` |
28+
29+
## Best Practice: Include the Standard Set OpenID Connect Claims
30+
The OpenID Connect Framework (OIDC) defines a set of [standard claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims). To ensure broad compatibility across OAuth 2.0 & OIDC libraries with your application's configured IEF policies, it is recommended that developers include the standard claim set (where possible).
31+
32+
| Claim | Expected Format | Description |
33+
|-------------------------|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
34+
| `sub` | String | Subject - Identifier for the End-User at the Issuer. |
35+
| `name` | String | End-User's full name in displayable form. |
36+
| `given_name` | String | Given (first) name(s) of the End-User. |
37+
| `family_name` | String | Surname(s) (last) of the End-User. |
38+
| `middle_name` | String | Middle name(s) of the End-User. |
39+
| `nickname` | String | Casual name of the End-User |
40+
| `preferred_username` | String | Shorthand name by which the End-User wishes to be known at the RP. |
41+
| `profile` | String | URL of the End-User's profile page. |
42+
| `picture` | String | URL of the End-User's profile image; MUST refer to an image file such as PNG, JPG, or GIF. |
43+
| `website` | String | URL of End-User's web page. |
44+
| `email` | String | End-User's preferred email address. |
45+
| `email_verified` | Boolean | True if verified. The process for verification is unspecified. |
46+
| `gender` | String | End-User's gender. Values defined by the specification are `female` and `male`; other values may be used when neither defined value is applicable. |
47+
| `birthdate` | String | ISO 8601:2004 representation of the End-User's birthdate. May be 0000 to indicate omission. |
48+
| `zoneinfo` | String | String representing the End-User's timezone. |
49+
| `locale` | String | End-User's locale, represented as a BCP47 language tag. |
50+
| `phone_number` | String | End-User's preferred telephone number. Suggested format is E.164. |
51+
| `phone_number_verified` | Boolean | True if verified. The process for verification is unspecified. |
52+
| `address` | JSON Object | End-User's preferred postal address. Format is RFC-4627 conformant. |
53+
| `updated_at` | Numeric | Time the End-User's information was last updated. |
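Review bot: the "Include the Standard Set OpenID Connect Claims" section recommends emitting the full standard claim set (`birthdate`, `gender`, `address`, `phone_number`, ...) where possible, but row 18 of the token table says the app may cache the ID token, so every extra claim is personal data that ends up in a client-side cache; suggest qualifying the recommendation so that policies include the standard claims the application actually uses rather than the whole set. Two typos in the tables: row 14 `Indicates the token type such a 'Bearer'` should read `such as 'Bearer'`, and the lead-in `The following ID token token claims` doubles "token".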

docs/maintainer-best-practices.md

Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
# Best Practices for Contributors & Maintainers
2+
This document is meant to serve a repository of helpful hints, best practices, and how-tos for contributing and maintaining the MSAL and AndroidCommon libraries.
3+
4+
# Table of Contents
5+
1. [Supported Deprecated Lifecycle & Event Callbacks](#deprecatedlifecycle)
6+
7+
---
8+
9+
## Supported Deprecated Lifecycle & Event Callbacks <a name="deprecatedlifecycle"></a>
10+
If a system-invoked callback/lifecycle event has been deprecated and your application supports API-levels both _above and below_ the deprecation version, you must implement the method twice; once for each API level's signature. If possible, provide a common implementation to which the new and old method calls can delegate.
11+
12+
Example: <br/>
13+
`WebViewClient#onReceivedError` ([docs](https://developer.android.com/reference/android/webkit/WebViewClient#onReceivedError(android.webkit.WebView,%2520int,%2520java.lang.String,%2520java.lang.String)))
14+
- Deprecated in API23
15+
- Example app config supports APIs `16` - `29`
16+
17+
Example implementation:
18+
```java
19+
public class MyWebViewClient extends WebViewClient {
20+
21+
@Override
22+
@SuppressWarnings("deprecation") // Suppress warnings, if required by your build
23+
public void onReceivedError(@NonNull final WebView view,
24+
final int errorCode,
25+
@NonNull final String description,
26+
@NonNull final String failingUrl) {
27+
handleError();
28+
}
29+
30+
@Override
31+
@RequiresApi(api = Build.VERSION_CODES.M) // Annotate the API where available
32+
public void onReceivedError(@NonNull final WebView view,
33+
@NonNull final WebResourceRequest request,
34+
@NonNull WebResourceError error) {
35+
handleError();
36+
}
37+
38+
private void handleError() {
39+
// Perform whatever action, implementation is now common across API levels
40+
}
41+
}
42+
```
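Review bot: the two overloads in the example are not equivalent, so delegating both unconditionally to `handleError()` changes behaviour between API levels. The API 23+ overload `onReceivedError(WebView, WebResourceRequest, WebResourceError)` is invoked for every failed sub-resource (images, iframes, scripts), while the deprecated overload is only reported for the main frame, so on newer devices a failed image load would be handled as if the page itself failed; suggest guarding the new overload with `if (request.isForMainFrame()) { handleError(); }` and saying so in the prose above the snippet. It is also worth noting that the platform's default implementation of the new overload delegates to the old one for main-frame errors, so overriding both without calling `super` is what keeps `handleError()` from running twice; the example gets this right but does not explain it.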

msal/build.gradle

Lines changed: 17 additions & 2 deletions
@@ -23,6 +23,19 @@ def bothTestType = "BothTest"
2323

2424
android {
2525

26+
// testOptions {
27+
// compileOptions {
28+
// // Flag to enable support for the new language APIs
29+
// coreLibraryDesugaringEnabled true
30+
// // Sets Java compatibility to Java 8
31+
// sourceCompatibility JavaVersion.VERSION_1_8
32+
// targetCompatibility JavaVersion.VERSION_1_8
33+
// }
34+
// dependencies {
35+
// coreLibraryDesugaring "com.android.tools:desugar_jdk_libs:$rootProject.ext.coreLibraryDesugaringVersion"
36+
// }
37+
// }
38+
2639
/*
2740
//Commenting out until the next major version of common/msal/etc...
2841
compileOptions {
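Review bot: the new commented-out `testOptions` block (lines 26-37) carries no explanation of why it is disabled or when it should be enabled, unlike the `compileOptions` block directly below it, which at least says "Commenting out until the next major version"; either drop the block (it lives in git history) or add the same kind of note plus a tracking reference, otherwise it reads as accidental. As drafted it also would not work when uncommented: `compileOptions` is a direct child of `android {}` and `dependencies {}` is a project-level block, neither is nested under `testOptions`, so `coreLibraryDesugaringEnabled` and the `coreLibraryDesugaring` dependency need to move to those locations before this can be enabled.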
@@ -219,11 +232,13 @@ task javadoc(type: Javadoc) {
219232
task javadocJar(type: Jar, dependsOn: javadoc) {
220233
from javadoc.destinationDir
221234
classifier 'javadoc'
235+
destinationDirectory = reporting.file("$project.buildDir/outputs/jar/")
222236
}
223237

224238
task sourcesJar(type: Jar) {
225239
from android.sourceSets.main.java.srcDirs
226240
classifier 'sources'
241+
destinationDirectory = reporting.file("$project.buildDir/outputs/jar/")
227242
}
228243

229244
dependencies {
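Review bot: `classifier 'javadoc'` / `classifier 'sources'` use the deprecated Gradle property (replaced by `archiveClassifier`), and `reporting.file(...)` is the reporting extension's helper for report output paths, so using it to compute a jar output directory is misleading; suggest `archiveClassifier = 'javadoc'` and `destinationDirectory = layout.buildDirectory.dir("outputs/jar")` for both tasks, which also avoids interpolating `$project.buildDir` into a string.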
@@ -259,9 +274,9 @@ dependencies {
259274
transitive = false
260275
}
261276

262-
snapshotApi(group: 'com.microsoft.identity', name: 'common', version: '3.0.9', changing: true)
277+
snapshotApi(group: 'com.microsoft.identity', name: 'common', version: '3.1.2', changing: true)
263278

264-
distApi("com.microsoft.identity:common:3.0.9") {
279+
distApi("com.microsoft.identity:common:3.1.2") {
265280
transitive = false
266281
}
267282
}
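Review bot: the `common` bump 3.0.9 -> 3.1.2 is the dependency that carries the broker validation change named in the changelog, yet the changelog entry does not mention it; suggest adding the new `common` version so consumers can correlate MSAL 2.0.8 with common 3.1.2. Also, `changing: true` on the `snapshotApi` line only makes sense for a coordinate that is republished in place; on a fixed `3.1.2` it just forces periodic re-resolution, so either point it at a snapshot version or drop the flag.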

msal/src/main/java/com/microsoft/identity/client/internal/api/BrokerClientIdRefreshTokenAccessor.java

Lines changed: 12 additions & 12 deletions
@@ -38,8 +38,6 @@
3838
import com.microsoft.identity.common.internal.logging.Logger;
3939

4040
import static com.microsoft.identity.client.exception.MsalClientException.NOT_ELIGIBLE_TO_USE_BROKER;
41-
import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME;
42-
import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.COMPANY_PORTAL_APP_PACKAGE_NAME;
4341
import static com.microsoft.identity.common.exception.ClientException.TOKEN_CACHE_ITEM_NOT_FOUND;
4442

4543
/**
@@ -59,18 +57,12 @@ public final class BrokerClientIdRefreshTokenAccessor {
5957
* @return an RT, if there's any.
6058
* @throws MsalClientException if the calling app is not a broker app.
6159
*/
62-
public static @Nullable String get(@NonNull final Context context,
63-
@NonNull final String accountObjectId) throws MsalClientException {
60+
public static @Nullable
61+
String get(@NonNull final Context context,
62+
@NonNull final String accountObjectId) throws MsalClientException {
6463
final String methodName = "getBrokerRefreshToken";
6564

66-
if (!AZURE_AUTHENTICATOR_APP_PACKAGE_NAME.equals(context.getPackageName()) &&
67-
!COMPANY_PORTAL_APP_PACKAGE_NAME.equals(context.getPackageName())) {
68-
throw new MsalClientException(NOT_ELIGIBLE_TO_USE_BROKER, "This can only be invoked by Broker apps.");
69-
}
70-
71-
if (!new BrokerValidator(context).verifySignature(context.getPackageName())) {
72-
throw new MsalClientException(NOT_ELIGIBLE_TO_USE_BROKER, "This can only be invoked by Broker apps with a valid signature hash.");
73-
}
65+
throwIfNotValidBroker(context);
7466

7567
final MsalOAuth2TokenCache tokenCache = MsalOAuth2TokenCache.create(context);
7668
final ICacheRecord cacheRecord = getCacheRecordForIdentifier(tokenCache, accountObjectId);
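Review bot: the declaration split across lines 60-61 (`public static @Nullable` / `String get(...)`) looks like a formatter artifact; keep `public static @Nullable String get(` on one line as the removed version had it. Separately, the `methodName` local is still `"getBrokerRefreshToken"` while the method is `get`, so log lines tagged with it will not match the code a reader searches for.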
@@ -115,4 +107,12 @@ private static ICacheRecord getCacheRecordForIdentifier(
115107
new BearerAuthenticationSchemeInternal() // Auth scheme is inconsequential - only using RT
116108
);
117109
}
110+
111+
private static void throwIfNotValidBroker(final Context context) throws MsalClientException {
112+
final BrokerValidator brokerValidator = new BrokerValidator(context);
113+
if (!brokerValidator.isValidBrokerPackage(context.getPackageName())) {
114+
// package name not matched so this is not a valid broker.
115+
throw new MsalClientException(NOT_ELIGIBLE_TO_USE_BROKER, "This can only be invoked by Broker apps.");
116+
}
117+
}
118118
}
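Review bot: `throwIfNotValidBroker` replaces two checks with one, and its only comment says "package name not matched", while the removed code (lines 66-73) also called `BrokerValidator.verifySignature` to check the caller's signing certificate hash; if `isValidBrokerPackage` does not itself verify the signature, this is a regression to a package-name-only check, which any app can satisfy simply by declaring the same package name, so please confirm (and state in the comment) that `isValidBrokerPackage` covers both package name and signature. The exception message was also reduced to the package-name case; if the signature check still exists, keep the "valid signature hash" message for that failure so the two cases stay distinguishable in logs. Finally, given the changelog's new option to trust debug brokers, the validator is constructed here as `new BrokerValidator(context)` with no explicit setting, so the default trust posture for this refresh-token accessor should be spelled out.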

msal/src/test/java/com/microsoft/identity/client/e2e/shadows/ShadowHttpRequest.java

Lines changed: 0 additions & 44 deletions
This file was deleted.
