SsoPolicy support for PCA. (#4659)

* SsoPolicy initial * Remove SSOPolicy project * Update LibsAndSamples.sln * Delete files not needed * Introduce WithSSoPolicy in broker project and rename RuntimeBroker to MsalCppRuntime * Revert "Introduce WithSSoPolicy in broker project and rename RuntimeBroker to MsalCppRuntime" This reverts commit 5e9f794. * Update ApplicationConfiguration.cs * Update InternalsVisibleTo.cs * Hook up the E2E for adding SsoPolicy headers in OAuth2 implementation * Update NuGet.Config * Inject headers in RequestBase * Update src/client/Microsoft.Identity.Client/Platforms/Features/RuntimeBroker/RuntimeBroker.cs Co-authored-by: Gladwin Johnson <[email protected]> * Update src/client/Microsoft.Identity.Client/MsalErrorMessage.cs Co-authored-by: Bogdan Gavril <[email protected]> * Fix for review comments * Fix for review comments * Update src/client/Microsoft.Identity.Client/MsalErrorMessage.cs Co-authored-by: Bogdan Gavril <[email protected]> * Update src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs Co-authored-by: Peter <[email protected]> * Update src/client/Microsoft.Identity.Client/Platforms/Features/WinFormsLegacyWebUi/WindowsFormsWebAuthenticationDialogBase.cs Co-authored-by: Peter <[email protected]> * Update src/client/Microsoft.Identity.Client/Internal/Broker/NullBroker.cs Co-authored-by: Peter <[email protected]> * Fix for review comments * Update RuntimeBroker.cs * Fix mobile build breaks --------- Co-authored-by: Bogdan Gavril <[email protected]> Co-authored-by: Gladwin Johnson <[email protected]> Co-authored-by: Peter <[email protected]>
AzureAD · Mar 26, 2024 · 80faef7 · 80faef7
1 parent e065471
commit 80faef7
Show file tree

Hide file tree

Showing 14 changed files with 128 additions and 11 deletions.
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -2,7 +2,7 @@
   <PropertyGroup>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
     <!-- Version of the Microsoft.Identity.Client.NativeInterop package. -->
-    <MSALRuntimeNativeInteropVersion>0.13.14</MSALRuntimeNativeInteropVersion>
+    <MSALRuntimeNativeInteropVersion>0.16.0</MSALRuntimeNativeInteropVersion>
     <!-- Version of MSAL if not defined by the CI-->
     <MsalInternalVersion>4.51.0</MsalInternalVersion>
   </PropertyGroup>

diff --git a/src/client/Microsoft.Identity.Client.Broker/BrokerExtension.cs b/src/client/Microsoft.Identity.Client.Broker/BrokerExtension.cs
@@ -47,20 +47,35 @@ public static PublicClientApplicationBuilder WithBrokerPreview(this PublicClient
         /// parameters, and to create a public client application instance</returns>
         public static PublicClientApplicationBuilder WithBroker(this PublicClientApplicationBuilder builder, BrokerOptions brokerOptions)
         {
-            AddRuntimeSupportForWam(builder);
+            AddRuntimeSupport(builder);
             builder.Config.BrokerOptions = brokerOptions;
             builder.Config.IsBrokerEnabled = brokerOptions.IsBrokerEnabledOnCurrentOs();
             return builder;
         }
 
-        private static void AddRuntimeSupportForWam(PublicClientApplicationBuilder builder)
+        /// <summary>
+        /// Use this API to enable SsoPolicy enforcement. 
+        /// Should only be utilized by Microsoft 1st party applications.
+        /// This is applicable only when broker is not enabled and embedded webview is the preferred choice.
+        /// By default, the broker supports SsoPolicy, and system webview SsoPolicy is also supported at the OS level. 
+        /// <param name="builder"></param>
+        /// <returns>A <see cref="PublicClientApplicationBuilder"/> from which to set more
+        /// parameters, and to create a public client application instance</returns>
+        public static PublicClientApplicationBuilder WithSsoPolicy(this PublicClientApplicationBuilder builder)
+        {
+            AddRuntimeSupport(builder);
+            builder.Config.IsWebviewSsoPolicyEnabled = true;
+            return builder;
+        }
+
+        private static void AddRuntimeSupport(PublicClientApplicationBuilder builder)
         {
             if (DesktopOsHelper.IsWin10OrServerEquivalent())
             {
-                builder.Config.BrokerCreatorFunc =
+                 builder.Config.BrokerCreatorFunc =
                      (uiParent, appConfig, logger) =>
                      {
-                         logger.Info("[RuntimeBroker] WAM supported OS.");
+                         logger.Info("[Runtime] WAM supported OS.");
                          return new RuntimeBroker(uiParent, appConfig, logger);
                      };
             }
@@ -69,7 +84,7 @@ private static void AddRuntimeSupportForWam(PublicClientApplicationBuilder build
                 builder.Config.BrokerCreatorFunc =
                    (uiParent, appConfig, logger) =>
                    {
-                       logger.Info("[RuntimeBroker] Not a Windows 10 or Server equivalent machine. WAM is not available.");
+                       logger.Info("[RuntimeBroker] Not a Windows 10 or Server equivalent machine. Runtime broker or SsoPolicy support is not available.");
                        return new NullBroker(logger);
                    };
             }

diff --git a/src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs b/src/client/Microsoft.Identity.Client/AppConfig/ApplicationConfiguration.cs
@@ -66,6 +66,11 @@ public string ClientVersion
 
         public bool IsBrokerEnabled { get; internal set; }
 
+        /// <summary>
+        /// Applicable to only public client applications to enforce SSO policy with embedded webview.
+        /// </summary>
+        public bool IsWebviewSsoPolicyEnabled { get; internal set; }
+
         // Legacy options for UWP. .NET broker options are in BrokerOptions
         public WindowsBrokerOptions UwpBrokerOptions { get; set; } 
 
@@ -121,6 +126,9 @@ public string ClientVersion
         public ManagedIdentityId ManagedIdentityId { get; internal set; }
 
         public bool IsManagedIdentity { get; }
+        public bool IsConfidentialClient { get; }
+        public bool IsPublicClient => !IsConfidentialClient && !IsManagedIdentity;
+
 
         public Func<AppTokenProviderParameters, Task<AppTokenProviderResult>> AppTokenProvider;
 
@@ -201,8 +209,7 @@ public X509Certificate2 ClientCredentialCertificate
         public ITokenCacheInternal UserTokenCacheInternalForTest { get; set; }
         public ITokenCacheInternal AppTokenCacheInternalForTest { get; set; }
 
-        public IDeviceAuthManager DeviceAuthManagerForTest { get; set; }
-        public bool IsConfidentialClient { get; }
+        public IDeviceAuthManager DeviceAuthManagerForTest { get; set; }        
         public bool IsInstanceDiscoveryEnabled { get; internal set; } = true;
         #endregion
 

diff --git a/src/client/Microsoft.Identity.Client/Internal/Broker/IBroker.cs b/src/client/Microsoft.Identity.Client/Internal/Broker/IBroker.cs
@@ -31,6 +31,7 @@ Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(
             AuthenticationRequestParameters authenticationRequestParameters,
             AcquireTokenByUsernamePasswordParameters acquireTokenByUsernamePasswordParameters);
 
+        IReadOnlyDictionary<string, string> GetSsoPolicyHeaders();
         /// <summary>
         /// If device auth is required but the broker is not enabled, AAD will
         /// signal this by returning an URL pointing to the broker app that needs to be installed.

diff --git a/src/client/Microsoft.Identity.Client/Internal/Broker/NullBroker.cs b/src/client/Microsoft.Identity.Client/Internal/Broker/NullBroker.cs
@@ -12,6 +12,7 @@
 using Microsoft.Identity.Client.Utils;
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Threading.Tasks;
 
 namespace Microsoft.Identity.Client.Internal.Broker
@@ -80,5 +81,10 @@ public Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(Authenticatio
             _logger.Info("NullBroker - returning null on ROPC request.");
             return Task.FromResult<MsalTokenResponse>(null);
         }
+
+        public IReadOnlyDictionary<string, string> GetSsoPolicyHeaders()
+        {
+            return CollectionHelpers.GetEmptyDictionary<string, string>();
+        }
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/Internal/Requests/RequestBase.cs b/src/client/Microsoft.Identity.Client/Internal/Requests/RequestBase.cs
@@ -21,6 +21,7 @@
 using Microsoft.IdentityModel.Abstractions;
 using Microsoft.Identity.Client.TelemetryCore.TelemetryClient;
 using Microsoft.Identity.Client.TelemetryCore.OpenTelemetry;
+using Microsoft.Identity.Client.Internal.Broker;
 
 namespace Microsoft.Identity.Client.Internal.Requests
 {
@@ -422,13 +423,32 @@ protected Task<MsalTokenResponse> SendTokenRequestAsync(
                 tokenClient.AddHeaderToClient(CcsHeader.Value.Key, CcsHeader.Value.Value);
             }
 
+            InjectPcaSsoPolicyHeader(tokenClient);
+
             return tokenClient.SendTokenRequestAsync(
                 additionalBodyParameters,
                 scopes,
                 tokenEndpoint,
                 cancellationToken);
         }
 
+        private void InjectPcaSsoPolicyHeader(TokenClient tokenClient)
+        {
+            if (ServiceBundle.Config.IsPublicClient && ServiceBundle.Config.IsWebviewSsoPolicyEnabled)
+            {
+                IBroker broker = ServiceBundle.Config.BrokerCreatorFunc(
+                    null,
+                    ServiceBundle.Config,
+                    AuthenticationRequestParameters.RequestContext.Logger);
+
+                var ssoPolicyHeaders = broker.GetSsoPolicyHeaders();
+                foreach (KeyValuePair<string, string> kvp in ssoPolicyHeaders)
+                {
+                    tokenClient.AddHeaderToClient(kvp.Key, kvp.Value);
+                }
+            }
+        }
+
         //The AAD backup authentication system header is used by the AAD backup authentication system service
         //to help route requests to resources in Azure during requests to speed up authentication.
         //It consists of either the ObjectId.TenantId or the upn of the account signing in.
@@ -570,6 +590,6 @@ private static RegionDetails CreateRegionDetails(ApiEvent apiEvent)
                 apiEvent.RegionOutcome,
                 apiEvent.RegionUsed,
                 apiEvent.RegionDiscoveryFailureReason);
-        }
+        }       
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/OAuth2/OAuth2Client.cs b/src/client/Microsoft.Identity.Client/OAuth2/OAuth2Client.cs
@@ -15,6 +15,8 @@
 using Microsoft.Identity.Client.Instance.Oidc;
 using Microsoft.Identity.Client.Internal;
 using Microsoft.Identity.Client.Utils;
+using Microsoft.Identity.Client.Internal.Broker;
+
 #if SUPPORTS_SYSTEM_TEXT_JSON
 using System.Text.Json;
 #else

diff --git a/src/client/Microsoft.Identity.Client/Platforms/Android/Broker/AndroidAccountManagerBroker.cs b/src/client/Microsoft.Identity.Client/Platforms/Android/Broker/AndroidAccountManagerBroker.cs
@@ -459,5 +459,10 @@ public Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(Authenticatio
         {
             return Task.FromResult<MsalTokenResponse>(null); // nop
         }
+
+        public IReadOnlyDictionary<string, string> GetSsoPolicyHeaders()
+        {
+            return CollectionHelpers.GetEmptyDictionary<string, string>();
+        }
     }
 }
diff --git a/...client/Microsoft.Identity.Client/Platforms/Android/Broker/AndroidContentProviderBroker.cs b/...client/Microsoft.Identity.Client/Platforms/Android/Broker/AndroidContentProviderBroker.cs
@@ -400,5 +400,10 @@ public Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(Authenticatio
         {
             return Task.FromResult<MsalTokenResponse>(null); // nop
         }
+
+        public IReadOnlyDictionary<string, string> GetSsoPolicyHeaders()
+        {
+            return CollectionHelpers.GetEmptyDictionary<string, string>();
+        }
     }
 }
diff --git a/src/client/Microsoft.Identity.Client/Platforms/Features/RuntimeBroker/RuntimeBroker.cs b/src/client/Microsoft.Identity.Client/Platforms/Features/RuntimeBroker/RuntimeBroker.cs
@@ -552,6 +552,32 @@ public async Task<IReadOnlyList<IAccount>> GetAccountsAsync(
                 }
             }
         }
+        public IReadOnlyDictionary<string, string> GetSsoPolicyHeaders()
+        {
+            using LogEventWrapper logEventWrapper = new LogEventWrapper(this);
+            Debug.Assert(s_lazyCore.Value != null, "Should not call this API if MSAL runtime init failed");
+
+            NativeInterop.SsoPolicy ssoPolicy = new SsoPolicy();
+            _logger.Info(() => $"[RuntimeBroker] Broker returned SsoPolicyType {ssoPolicy.SsoPolicyType} and errorCode {ssoPolicy.ErrorCode}.");
+
+            var ssoPolicyHeaders = new Dictionary<string, string>();
+            if (ssoPolicy.SsoPolicyType == SsoPolicyType.PermissionRequired)
+            {
+                ssoPolicyHeaders.Add("x-ms-SsoFlags", "SsoRestr");
+            }
+            else if (ssoPolicy.SsoPolicyType == SsoPolicyType.Error)
+            {
+                ssoPolicyHeaders.Add("x-ms-SsoFlags", "SsoPolicyError");
+                string subStatusValue = "SsoRestrError:" + ssoPolicy.ErrorCode.ToString();
+                ssoPolicyHeaders.Add("x-ms-SsoFlagsSubstatus", Base64UrlHelpers.Encode(subStatusValue));
+            }
+            else if (ssoPolicy.SsoPolicyType == SsoPolicyType.Unknown)
+            {
+                ssoPolicyHeaders.Add("x-ms-SsoFlags", "SsoRestrUndefined");
+            }
+
+            return ssoPolicyHeaders;
+        }
 
         public void HandleInstallUrl(string appLink)
         {

diff --git a/....Client/Platforms/Features/WinFormsLegacyWebUi/WindowsFormsWebAuthenticationDialogBase.cs b/....Client/Platforms/Features/WinFormsLegacyWebUi/WindowsFormsWebAuthenticationDialogBase.cs
@@ -2,15 +2,20 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Collections.Generic;
 using System.ComponentModel;
+using System.Configuration;
 using System.Diagnostics;
 using System.Drawing;
 using System.Globalization;
+using System.Net.Http;
 using System.Runtime.InteropServices;
 using System.Threading;
 using System.Windows.Forms;
 using Microsoft.Identity.Client.Core;
+using Microsoft.Identity.Client.Http;
 using Microsoft.Identity.Client.Internal;
+using Microsoft.Identity.Client.Internal.Broker;
 using Microsoft.Identity.Client.Platforms.Features.DesktopOs;
 using Microsoft.Identity.Client.UI;
 using Microsoft.Identity.Client.Utils;
@@ -276,7 +281,21 @@ internal AuthorizationResult AuthenticateAAD(Uri requestUri, Uri callbackUri, Ca
             _webBrowser.Navigated += WebBrowserNavigatedHandler;
             _webBrowser.NavigateError += WebBrowserNavigateErrorHandler;
 
-            _webBrowser.Navigate(requestUri);
+            if(RequestContext.ServiceBundle.Config.IsWebviewSsoPolicyEnabled)
+            {
+                IBroker broker = RequestContext.ServiceBundle.Config.BrokerCreatorFunc(null, RequestContext.ServiceBundle.Config, RequestContext.Logger);
+                var ssoPolicyHeaders = broker.GetSsoPolicyHeaders();
+                string ssoPolicyHeadersString="";
+                foreach (KeyValuePair<string, string> kvp in ssoPolicyHeaders)
+                {
+                    ssoPolicyHeadersString += kvp.Key + ":" + kvp.Value + Environment.NewLine;
+                }
+                _webBrowser.Navigate(requestUri, null, null, ssoPolicyHeadersString);
+            }
+            else
+            {
+                _webBrowser.Navigate(requestUri);
+            }
             OnAuthenticate(cancellationToken);
 
             return Result;

diff --git a/src/client/Microsoft.Identity.Client/Platforms/iOS/Broker/iOSBroker.cs b/src/client/Microsoft.Identity.Client/Platforms/iOS/Broker/iOSBroker.cs
@@ -392,6 +392,11 @@ public static void SetBrokerResponse(NSUrl responseUrl)
             s_brokerResponseReady?.Release();
         }
 
+        public IReadOnlyDictionary<string, string> GetSsoPolicyHeaders()
+        {
+            return CollectionHelpers.GetEmptyDictionary<string, string>();
+        }
+
         #region Silent Flow - not supported
         /// <summary>
         /// iOS broker does not handle silent flow

diff --git a/src/client/Microsoft.Identity.Client/Platforms/uap/WamBroker/WamBroker.cs b/src/client/Microsoft.Identity.Client/Platforms/uap/WamBroker/WamBroker.cs
@@ -927,5 +927,10 @@ public Task<MsalTokenResponse> AcquireTokenByUsernamePasswordAsync(Authenticatio
         {
             return Task.FromResult<MsalTokenResponse>(null); // nop
         }
+
+        public IReadOnlyDictionary<string, string> GetSsoPolicyHeaders()
+        {
+            return CollectionHelpers.GetEmptyDictionary<string, string>();
+        }
     }
 }
diff --git a/tests/devapps/WAM/NetCoreWinFormsWam/Form1.cs b/tests/devapps/WAM/NetCoreWinFormsWam/Form1.cs
@@ -125,7 +125,8 @@ private IPublicClientApplication CreatePca(AuthMethod? authMethod)
                     break;
                 case AuthMethod.SystemBrowser:
                     builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.None));
-                    builder = builder.WithBroker(false);
+                    builder = builder.WithBroker(false)
+                                     .WithSsoPolicy();
                     break;
                 case AuthMethod.EmbeddedBrowser:
                     builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.None));