private MsalTokenResponse ResultFromBrokerResponse(Dictionary <string, string> responseDictionary) { MsalTokenResponse brokerTokenResponse; if (responseDictionary.ContainsKey(iOSBrokerConstants.Error) || responseDictionary.ContainsKey(iOSBrokerConstants.ErrorDescription)) { return(MsalTokenResponse.CreateFromBrokerResponse(responseDictionary)); } string expectedHash = responseDictionary[iOSBrokerConstants.ExpectedHash]; string encryptedResponse = responseDictionary[iOSBrokerConstants.EncryptedResponsed]; string decryptedResponse = BrokerKeyHelper.DecryptBrokerResponse(encryptedResponse, _logger); string responseActualHash = _cryptoManager.CreateSha256Hash(decryptedResponse); byte[] rawHash = Convert.FromBase64String(responseActualHash); string hash = BitConverter.ToString(rawHash); if (expectedHash.Equals(hash.Replace("-", ""), StringComparison.OrdinalIgnoreCase)) { responseDictionary = CoreHelpers.ParseKeyValueList(decryptedResponse, '&', false, null); brokerTokenResponse = MsalTokenResponse.CreateFromBrokerResponse(responseDictionary); } else { brokerTokenResponse = new MsalTokenResponse { Error = MsalError.BrokerResponseHashMismatch, ErrorDescription = MsalErrorMessage.BrokerResponseHashMismatch }; } return(brokerTokenResponse); }
/// <summary> /// The strict thumbprint is based on: /// ClientId /// Authority (env + tenant) /// Scopes /// hash(RT) or UPN for IWA (not supported) /// </summary> private static string GetRequestStrictThumbprint( IReadOnlyDictionary <string, string> bodyParams, string authority, ICryptographyManager crypto) { StringBuilder sb = new StringBuilder(); if (bodyParams.TryGetValue(OAuth2Parameter.ClientId, out string clientId)) { sb.Append((clientId ?? "") + ThrottleCommon.KeyDelimiter); } sb.Append(authority + ThrottleCommon.KeyDelimiter); if (bodyParams.TryGetValue(OAuth2Parameter.Scope, out string scopes)) { sb.Append((scopes ?? "") + ThrottleCommon.KeyDelimiter); } if (bodyParams.TryGetValue(OAuth2Parameter.RefreshToken, out string rt) && !string.IsNullOrEmpty(rt)) { sb.Append(crypto.CreateSha256Hash(rt) + ThrottleCommon.KeyDelimiter); } return(sb.ToString()); }
private MsalTokenResponse ResultFromBrokerResponse(Dictionary <string, string> responseDictionary) { MsalTokenResponse brokerTokenResponse; string expectedHash = responseDictionary[iOSBrokerConstants.ExpectedHash]; string encryptedResponse = responseDictionary[iOSBrokerConstants.EncryptedResponsed]; string decryptedResponse = BrokerKeyHelper.DecryptBrokerResponse(encryptedResponse, _logger); string responseActualHash = _cryptoManager.CreateSha256Hash(decryptedResponse); byte[] rawHash = Convert.FromBase64String(responseActualHash); string hash = BitConverter.ToString(rawHash); if (expectedHash.Equals(hash.Replace("-", ""), StringComparison.OrdinalIgnoreCase)) { responseDictionary = CoreHelpers.ParseKeyValueList(decryptedResponse, '&', false, null); if (!ValidateBrokerResponseNonceWithRequestNonce(responseDictionary)) { return(new MsalTokenResponse { Error = MsalError.BrokerNonceMismatch, ErrorDescription = MsalErrorMessage.BrokerNonceMismatch }); } if (responseDictionary.ContainsKey(iOSBrokerConstants.ApplicationToken)) { TryWriteBrokerApplicationTokenToKeychain( responseDictionary[BrokerResponseConst.ClientId], responseDictionary[iOSBrokerConstants.ApplicationToken]); } brokerTokenResponse = MsalTokenResponse.CreateFromiOSBrokerResponse(responseDictionary); if (responseDictionary.TryGetValue(BrokerResponseConst.BrokerErrorCode, out string errCode)) { if (errCode == BrokerResponseConst.iOSBrokerUserCancellationErrorCode) { responseDictionary[BrokerResponseConst.BrokerErrorCode] = MsalError.AuthenticationCanceledError; } else if (errCode == BrokerResponseConst.iOSBrokerProtectionPoliciesRequiredErrorCode) { responseDictionary[BrokerResponseConst.BrokerErrorCode] = MsalError.ProtectionPolicyRequired; } } } else { brokerTokenResponse = new MsalTokenResponse { Error = MsalError.BrokerResponseHashMismatch, ErrorDescription = MsalErrorMessage.BrokerResponseHashMismatch }; } return(brokerTokenResponse); }