private MsalTokenResponse ResultFromBrokerResponse(Dictionary <string, string> responseDictionary)
{
MsalTokenResponse brokerTokenResponse;
if (responseDictionary.ContainsKey(iOSBrokerConstants.Error) || responseDictionary.ContainsKey(iOSBrokerConstants.ErrorDescription))
{
return(MsalTokenResponse.CreateFromBrokerResponse(responseDictionary));
}
string expectedHash = responseDictionary[iOSBrokerConstants.ExpectedHash];
string encryptedResponse = responseDictionary[iOSBrokerConstants.EncryptedResponsed];
string decryptedResponse = BrokerKeyHelper.DecryptBrokerResponse(encryptedResponse, _logger);
string responseActualHash = _cryptoManager.CreateSha256Hash(decryptedResponse);
byte[] rawHash = Convert.FromBase64String(responseActualHash);
string hash = BitConverter.ToString(rawHash);
if (expectedHash.Equals(hash.Replace("-", ""), StringComparison.OrdinalIgnoreCase))
{
responseDictionary = CoreHelpers.ParseKeyValueList(decryptedResponse, '&', false, null);
brokerTokenResponse = MsalTokenResponse.CreateFromBrokerResponse(responseDictionary);
}
else
{
brokerTokenResponse = new MsalTokenResponse
{
Error = MsalError.BrokerResponseHashMismatch,
ErrorDescription = MsalErrorMessage.BrokerResponseHashMismatch
};
}
return(brokerTokenResponse);
}
/// <summary>
/// The strict thumbprint is based on:
/// ClientId
/// Authority (env + tenant)
/// Scopes
/// hash(RT) or UPN for IWA (not supported)
/// </summary>
private static string GetRequestStrictThumbprint(
IReadOnlyDictionary <string, string> bodyParams,
string authority,
ICryptographyManager crypto)
{
StringBuilder sb = new StringBuilder();
if (bodyParams.TryGetValue(OAuth2Parameter.ClientId, out string clientId))
{
sb.Append((clientId ?? "") + ThrottleCommon.KeyDelimiter);
}
sb.Append(authority + ThrottleCommon.KeyDelimiter);
if (bodyParams.TryGetValue(OAuth2Parameter.Scope, out string scopes))
{
sb.Append((scopes ?? "") + ThrottleCommon.KeyDelimiter);
}
if (bodyParams.TryGetValue(OAuth2Parameter.RefreshToken, out string rt) &&
!string.IsNullOrEmpty(rt))
{
sb.Append(crypto.CreateSha256Hash(rt) + ThrottleCommon.KeyDelimiter);
}
return(sb.ToString());
}
private MsalTokenResponse ResultFromBrokerResponse(Dictionary <string, string> responseDictionary)
{
MsalTokenResponse brokerTokenResponse;
string expectedHash = responseDictionary[iOSBrokerConstants.ExpectedHash];
string encryptedResponse = responseDictionary[iOSBrokerConstants.EncryptedResponsed];
string decryptedResponse = BrokerKeyHelper.DecryptBrokerResponse(encryptedResponse, _logger);
string responseActualHash = _cryptoManager.CreateSha256Hash(decryptedResponse);
byte[] rawHash = Convert.FromBase64String(responseActualHash);
string hash = BitConverter.ToString(rawHash);
if (expectedHash.Equals(hash.Replace("-", ""), StringComparison.OrdinalIgnoreCase))
{
responseDictionary = CoreHelpers.ParseKeyValueList(decryptedResponse, '&', false, null);
if (!ValidateBrokerResponseNonceWithRequestNonce(responseDictionary))
{
return(new MsalTokenResponse
{
Error = MsalError.BrokerNonceMismatch,
ErrorDescription = MsalErrorMessage.BrokerNonceMismatch
});
}
if (responseDictionary.ContainsKey(iOSBrokerConstants.ApplicationToken))
{
TryWriteBrokerApplicationTokenToKeychain(
responseDictionary[BrokerResponseConst.ClientId],
responseDictionary[iOSBrokerConstants.ApplicationToken]);
}
brokerTokenResponse = MsalTokenResponse.CreateFromiOSBrokerResponse(responseDictionary);
if (responseDictionary.TryGetValue(BrokerResponseConst.BrokerErrorCode, out string errCode))
{
if (errCode == BrokerResponseConst.iOSBrokerUserCancellationErrorCode)
{
responseDictionary[BrokerResponseConst.BrokerErrorCode] = MsalError.AuthenticationCanceledError;
}
else if (errCode == BrokerResponseConst.iOSBrokerProtectionPoliciesRequiredErrorCode)
{
responseDictionary[BrokerResponseConst.BrokerErrorCode] = MsalError.ProtectionPolicyRequired;
}
}
}
else
{
brokerTokenResponse = new MsalTokenResponse
{
Error = MsalError.BrokerResponseHashMismatch,
ErrorDescription = MsalErrorMessage.BrokerResponseHashMismatch
};
}
return(brokerTokenResponse);
}
