private static AuthorizationResult ProcessAuthorizationResult(WebAuthenticationResult webAuthenticationResult)
{
AuthorizationResult result;
switch (webAuthenticationResult.ResponseStatus)
{
case WebAuthenticationStatus.Success:
result = AuthorizationResult.FromUri(webAuthenticationResult.ResponseData);
break;
case WebAuthenticationStatus.ErrorHttp:
result = AuthorizationResult.FromStatus(AuthorizationStatus.ErrorHttp);
result.Code = webAuthenticationResult.ResponseErrorDetail.ToString(CultureInfo.InvariantCulture);
break;
case WebAuthenticationStatus.UserCancel:
result = AuthorizationResult.FromStatus(AuthorizationStatus.UserCancel);
break;
default:
result = AuthorizationResult.FromStatus(
AuthorizationStatus.UnknownError,
MsalError.WABError,
MsalErrorMessage.WABError(
webAuthenticationResult.ResponseStatus.ToString(),
webAuthenticationResult.ResponseErrorDetail.ToString(CultureInfo.InvariantCulture),
webAuthenticationResult.ResponseData));
break;
}
return(result);
}
public async Task <AuthorizationResult> AcquireAuthorizationAsync(
Uri authorizationUri,
Uri redirectUri,
RequestContext requestContext,
CancellationToken cancellationToken)
{
var authCodeUri = await InterceptAuthorizationUriAsync(
authorizationUri,
redirectUri,
cancellationToken)
.ConfigureAwait(true);
if (!authCodeUri.Authority.Equals(redirectUri.Authority, StringComparison.OrdinalIgnoreCase) ||
!authCodeUri.AbsolutePath.Equals(redirectUri.AbsolutePath))
{
throw new MsalClientException(
MsalError.LoopbackResponseUriMisatch,
MsalErrorMessage.RedirectUriMismatch(
authCodeUri.AbsolutePath,
redirectUri.AbsolutePath));
}
return(AuthorizationResult.FromUri(authCodeUri.OriginalString));
}
public async Task <AuthorizationResult> AcquireAuthorizationAsync(
Uri authorizationUri,
Uri redirectUri,
RequestContext requestContext,
CancellationToken cancellationToken)
{
try
{
var authCodeUri = await InterceptAuthorizationUriAsync(
authorizationUri,
redirectUri,
cancellationToken)
.ConfigureAwait(true);
if (!authCodeUri.Authority.Equals(redirectUri.Authority, StringComparison.OrdinalIgnoreCase) ||
!authCodeUri.AbsolutePath.Equals(redirectUri.AbsolutePath))
{
throw new MsalClientException(
MsalError.LoopbackResponseUriMismatch,
MsalErrorMessage.RedirectUriMismatch(
authCodeUri.AbsolutePath,
redirectUri.AbsolutePath));
}
return(AuthorizationResult.FromUri(authCodeUri.OriginalString));
}
catch (System.Net.HttpListenerException) // sometimes this exception sneaks out (see issue 1773)
{
cancellationToken.ThrowIfCancellationRequested();
throw;
}
}
public async Task <MsalTokenResponse> SendTokenRequestAsync(
IDictionary <string, string> additionalBodyParameters,
string scopeOverride = null,
string tokenEndpointOverride = null,
CancellationToken cancellationToken = default)
{
using (_requestParams.RequestContext.Logger.LogMethodDuration())
{
cancellationToken.ThrowIfCancellationRequested();
string tokenEndpoint = tokenEndpointOverride ?? _requestParams.Endpoints.TokenEndpoint;
string scopes = !string.IsNullOrEmpty(scopeOverride) ? scopeOverride : GetDefaultScopes(_requestParams.Scope);
AddBodyParamsAndHeaders(additionalBodyParameters, scopes);
AddThrottlingHeader();
_serviceBundle.ThrottlingManager.TryThrottle(_requestParams, _oAuth2Client.GetBodyParameters());
MsalTokenResponse response;
try
{
response = await SendHttpAndClearTelemetryAsync(tokenEndpoint, _requestParams.RequestContext.Logger)
.ConfigureAwait(false);
}
catch (MsalServiceException e)
{
_serviceBundle.ThrottlingManager.RecordException(_requestParams, _oAuth2Client.GetBodyParameters(), e);
throw;
}
if (string.IsNullOrEmpty(response.Scope))
{
response.Scope = _requestParams.Scope.AsSingleString();
_requestParams.RequestContext.Logger.Info(
"ScopeSet was missing from the token response, so using developer provided scopes in the result. ");
}
if (string.IsNullOrEmpty(response.TokenType))
{
throw new MsalClientException(MsalError.AccessTokenTypeMissing, MsalErrorMessage.AccessTokenTypeMissing);
}
if (!string.Equals(
response.TokenType,
_requestParams.AuthenticationScheme.AccessTokenType,
StringComparison.OrdinalIgnoreCase))
{
throw new MsalClientException(
MsalError.TokenTypeMismatch,
MsalErrorMessage.TokenTypeMismatch(
_requestParams.AuthenticationScheme.AccessTokenType,
response.TokenType));
}
return(response);
}
}
private static byte[] CreateAndStoreBrokerKey(ICoreLogger logger)
{
logger.Info("CreateAndStoreBrokerKey - creating a new key");
byte[] brokerKey;
byte[] rawBytes;
using (AesManaged algo = CreateSymmetricAlgorith(null))
{
algo.GenerateKey();
rawBytes = algo.Key;
}
NSData byteData = NSData.FromArray(rawBytes);
var recordToAdd = new SecRecord(SecKind.GenericPassword)
{
Generic = NSData.FromString(iOSBrokerConstants.LocalSettingsContainerName),
Service = iOSBrokerConstants.BrokerKeyService,
Account = iOSBrokerConstants.BrokerKeyAccount,
Label = iOSBrokerConstants.BrokerKeyLabel,
Comment = iOSBrokerConstants.BrokerKeyComment,
Description = iOSBrokerConstants.BrokerKeyStorageDescription,
ValueData = byteData
};
var result = SecKeyChain.Add(recordToAdd);
if (result == SecStatusCode.DuplicateItem)
{
logger.Info("Could not add the broker key, a key already exists. Trying to delete it first.");
var recordToRemove = new SecRecord(SecKind.GenericPassword)
{
Service = iOSBrokerConstants.BrokerKeyService,
Account = iOSBrokerConstants.BrokerKeyAccount,
};
var removeResult = SecKeyChain.Remove(recordToRemove);
logger.Info("Broker key removal result: " + removeResult);
result = SecKeyChain.Add(recordToAdd);
logger.Info("Broker key re-adding result: " + result);
}
if (result != SecStatusCode.Success)
{
logger.Error("Failed to save the broker key to keychain. Result " + result);
throw new MsalClientException(
MsalError.BrokerKeySaveFailed,
MsalErrorMessage.iOSBrokerKeySaveFailed(result.ToString()));
}
brokerKey = byteData.ToArray();
return(brokerKey);
}
/// <inheritdoc />
public async Task <AuthorizationResult> AcquireAuthorizationAsync(
Uri authorizationUri,
Uri redirectUri,
RequestContext requestContext,
CancellationToken cancellationToken)
{
requestContext.Logger.Info(LogMessages.CustomWebUiAcquiringAuthorizationCode);
try
{
requestContext.Logger.InfoPii(LogMessages.CustomWebUiCallingAcquireAuthorizationCodePii(authorizationUri, redirectUri),
LogMessages.CustomWebUiCallingAcquireAuthorizationCodeNoPii);
var uri = await _customWebUi.AcquireAuthorizationCodeAsync(authorizationUri, redirectUri, cancellationToken)
.ConfigureAwait(false);
if (uri == null || String.IsNullOrWhiteSpace(uri.Query))
{
throw new MsalClientException(
MsalError.CustomWebUiReturnedInvalidUri,
MsalErrorMessage.CustomWebUiReturnedInvalidUri);
}
if (uri.Authority.Equals(redirectUri.Authority, StringComparison.OrdinalIgnoreCase) &&
uri.AbsolutePath.Equals(redirectUri.AbsolutePath))
{
IDictionary <string, string> inputQp = CoreHelpers.ParseKeyValueList(
authorizationUri.Query.Substring(1),
'&',
true,
null);
requestContext.Logger.Info(LogMessages.CustomWebUiRedirectUriMatched);
return(new AuthorizationResult(AuthorizationStatus.Success, uri.OriginalString));
}
throw new MsalClientException(
MsalError.CustomWebUiRedirectUriMismatch,
MsalErrorMessage.CustomWebUiRedirectUriMismatch(
uri.AbsolutePath,
redirectUri.AbsolutePath));
}
catch (OperationCanceledException)
{
requestContext.Logger.Info(LogMessages.CustomWebUiOperationCancelled);
return(new AuthorizationResult(AuthorizationStatus.UserCancel, null));
}
catch (Exception ex)
{
requestContext.Logger.WarningPiiWithPrefix(ex, MsalErrorMessage.CustomWebUiAuthorizationCodeFailed);
throw;
}
}
private static void ValidateTypeMismatch(AuthorityInfo configAuthorityInfo, AuthorityInfo requestAuthorityInfo)
{
if (!configAuthorityInfo.IsDefaultAuthority &&
requestAuthorityInfo != null &&
configAuthorityInfo.AuthorityType != requestAuthorityInfo.AuthorityType)
{
throw new MsalClientException(
MsalError.AuthorityTypeMismatch,
MsalErrorMessage.AuthorityTypeMismatch(
configAuthorityInfo.AuthorityType,
requestAuthorityInfo.AuthorityType));
}
}
/// <summary>
/// Enables Windows broker flows on older platforms, such as .NET framework, where these are not available in the box with Microsoft.Identity.Client
/// For details about Windows broker, see https://aka.ms/msal-net-wam
/// </summary>
public static PublicClientApplicationBuilder WithWindowsBroker(this PublicClientApplicationBuilder builder, bool enableBroker = true)
{
if (!builder.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithWindowsBroker)));
}
builder.Config.IsBrokerEnabled = enableBroker;
AddSupportForWam(builder);
return(builder);
}
/// <summary>
/// Declares that the app is MSA-Passthrough enabled (Microsoft internal only). This is a legacy
/// feature. Required for the functionality of some brokers, like WAM.
/// </summary>
public static PublicClientApplicationBuilder WithMsaPassthrough(
this PublicClientApplicationBuilder builder,
bool enabled = true)
{
if (!builder.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithMsaPassthrough)));
}
builder.Config.IsMsaPassthrough = enabled;
return(builder);
}
/// <summary>
/// Enables Windows broker flows on older platforms, such as .NET framework, where these are not available in the box with Microsoft.Identity.Client
/// For details about Windows broker, see https://aka.ms/msal-net-wam
/// </summary>
public static PublicClientApplicationBuilder WithWindowsBroker(this PublicClientApplicationBuilder builder, bool enableBroker = true)
{
if (!builder.Config.ExperimentalFeaturesEnabled)
{
throw new MsalClientException(
MsalError.ExperimentalFeature,
MsalErrorMessage.ExperimentalFeature(nameof(WithWindowsBroker)));
}
builder.Config.IsBrokerEnabled = true;
builder.Config.BrokerCreatorFunc =
(uiParent, logger) => new Platforms.Features.WamBroker.WamBroker(uiParent, logger);
return(builder);
}
public InstanceDiscoveryMetadataEntry GetMetadataOrThrow(string environment, ICoreLogger logger)
{
_entries.TryGetValue(environment ?? "", out InstanceDiscoveryMetadataEntry entry);
logger.Verbose($"[Instance Discovery] Tried to use user metadata provider for {environment}. Success? {entry != null}");
if (entry == null)
{
throw new MsalClientException(
MsalError.InvalidUserInstanceMetadata,
MsalErrorMessage.NoUserInstanceMetadataEntry(environment));
}
return(entry);
}
public async Task <MsalTokenResponse> SendTokenRequestAsync(
IDictionary <string, string> additionalBodyParameters,
string scopeOverride = null,
string tokenEndpointOverride = null,
CancellationToken cancellationToken = default)
{
string tokenEndpoint = tokenEndpointOverride ?? _requestParams.Endpoints.TokenEndpoint;
string scopes = !string.IsNullOrEmpty(scopeOverride) ? scopeOverride : GetDefaultScopes(_requestParams.Scope);
AddBodyParamsAndHeaders(additionalBodyParameters, scopes);
MsalTokenResponse response = await SendHttpAndClearTelemetryAsync(tokenEndpoint)
.ConfigureAwait(false);
if (string.IsNullOrEmpty(response.Scope))
{
response.Scope = _requestParams.Scope.AsSingleString();
_requestParams.RequestContext.Logger.Info(
"ScopeSet was missing from the token response, so using developer provided scopes in the result. ");
}
if (!string.IsNullOrEmpty(response.TokenType) &&
!string.Equals(
response.TokenType,
_requestParams.AuthenticationScheme.AccessTokenType,
StringComparison.OrdinalIgnoreCase))
{
throw new MsalClientException(
MsalError.TokenTypeMismatch,
MsalErrorMessage.TokenTypeMismatch(
_requestParams.AuthenticationScheme.AccessTokenType,
response.TokenType));
}
return(response);
}
protected async Task <MsalTokenResponse> SendTokenRequestAsync(
string tokenEndpoint,
IDictionary <string, string> additionalBodyParameters,
CancellationToken cancellationToken)
{
OAuth2Client client = new OAuth2Client(ServiceBundle.DefaultLogger, ServiceBundle.HttpManager, ServiceBundle.TelemetryManager);
client.AddBodyParameter(OAuth2Parameter.ClientId, AuthenticationRequestParameters.ClientId);
client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");
#if DESKTOP || NETSTANDARD1_3 || NET_CORE
if (AuthenticationRequestParameters.ClientCredential != null)
{
Dictionary <string, string> ccBodyParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
AuthenticationRequestParameters.RequestContext.Logger,
ServiceBundle.PlatformProxy.CryptographyManager,
AuthenticationRequestParameters.ClientCredential,
AuthenticationRequestParameters.ClientId,
AuthenticationRequestParameters.Endpoints,
AuthenticationRequestParameters.SendX5C);
foreach (var entry in ccBodyParameters)
{
client.AddBodyParameter(entry.Key, entry.Value);
}
}
#endif
client.AddBodyParameter(OAuth2Parameter.Scope,
GetDecoratedScope(AuthenticationRequestParameters.Scope).AsSingleString());
client.AddQueryParameter(OAuth2Parameter.Claims, AuthenticationRequestParameters.Claims);
foreach (var kvp in additionalBodyParameters)
{
client.AddBodyParameter(kvp.Key, kvp.Value);
}
foreach (var kvp in AuthenticationRequestParameters.AuthenticationScheme.GetTokenRequestParams())
{
client.AddBodyParameter(kvp.Key, kvp.Value);
}
MsalTokenResponse response = await SendHttpMessageAsync(client, tokenEndpoint)
.ConfigureAwait(false);
if (!string.Equals(
response.TokenType,
AuthenticationRequestParameters.AuthenticationScheme.AccessTokenType,
StringComparison.OrdinalIgnoreCase))
{
throw new MsalClientException(
MsalError.TokenTypeMismatch,
MsalErrorMessage.TokenTypeMismatch(
AuthenticationRequestParameters.AuthenticationScheme.AccessTokenType,
response.TokenType));
}
return(response);
}
private static void HandleInvalidExternalValueError(string nameOfValue)
{
throw new MsalClientException(MsalError.InvalidTokenProviderResponseValue, MsalErrorMessage.InvalidTokenProviderResponseValue(nameOfValue));
}
/// <summary>
/// Registers security and sets the security values for the process.
/// </summary>
/// <remarks>
/// Workaround to enable WAM Account Picker in an elevated process.
/// </remarks>
public static void InitializeProcessSecurity()
{
int result = CoInitializeSecurity(
IntPtr.Zero, -1, IntPtr.Zero,
IntPtr.Zero, RpcAuthnLevel.None,
RpcImpLevel.Impersonate, IntPtr.Zero,
EoAuthnCap.None, IntPtr.Zero);
if (result != 0)
{
throw new MsalClientException(MsalError.InitializeProcessSecurityError, MsalErrorMessage.InitializeProcessSecurityError($"0x{result:x}"));
}
}
public async Task <MsalTokenResponse> SendTokenRequestAsync(
IDictionary <string, string> additionalBodyParameters,
string scopeOverride = null,
string tokenEndpointOverride = null,
CancellationToken cancellationToken = default)
{
string tokenEndpoint = tokenEndpointOverride ?? _requestParams.Endpoints.TokenEndpoint;
string scopes = !string.IsNullOrEmpty(scopeOverride) ? scopeOverride: GetDefaultScopes(_requestParams.Scope);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientId, _requestParams.ClientId);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.ClientInfo, "1");
#if DESKTOP || NETSTANDARD1_3 || NET_CORE
if (_requestParams.ClientCredential != null)
{
Dictionary <string, string> ccBodyParameters = ClientCredentialHelper.CreateClientCredentialBodyParameters(
_requestParams.RequestContext.Logger,
_serviceBundle.PlatformProxy.CryptographyManager,
_requestParams.ClientCredential,
_requestParams.ClientId,
_requestParams.Endpoints,
_requestParams.SendX5C);
foreach (var entry in ccBodyParameters)
{
_oAuth2Client.AddBodyParameter(entry.Key, entry.Value);
}
}
#endif
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Scope, scopes);
_oAuth2Client.AddBodyParameter(OAuth2Parameter.Claims, _requestParams.ClaimsAndClientCapabilities);
foreach (var kvp in additionalBodyParameters)
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
foreach (var kvp in _requestParams.AuthenticationScheme.GetTokenRequestParams())
{
_oAuth2Client.AddBodyParameter(kvp.Key, kvp.Value);
}
MsalTokenResponse response = await SendHttpMessageAsync(tokenEndpoint)
.ConfigureAwait(false);
if (!string.Equals(
response.TokenType,
_requestParams.AuthenticationScheme.AccessTokenType,
StringComparison.OrdinalIgnoreCase))
{
throw new MsalClientException(
MsalError.TokenTypeMismatch,
MsalErrorMessage.TokenTypeMismatch(
_requestParams.AuthenticationScheme.AccessTokenType,
response.TokenType));
}
return(response);
}
