Jennyf/ios13 (#1655)

* Part 1: ios 13
- Generate a nonce to send in the broker request, only if msauthv3 (iOS broker 6.3.19+) is installed on the device
- Check that the nonce in the broker response matches the nonce sent in the request
- Update info.plist in dev app for msauthv3

* more updates

* pr feedback

devApps/XFormsApp.iOS/Info.plist

@@ -24,6 +24,7 @@
     <key>LSApplicationQueriesSchemes</key>
     <array>
       <string>msauth</string>
+      <string>msauthv3</string>
     </array>
 
     <key>CFBundleURLTypes</key>

src/Microsoft.IdentityModel.Clients.ActiveDirectory/Exceptions/AdalError.cs

@@ -272,6 +272,11 @@ public static class AdalError
         /// </summary>
         public const string BrokerReponseHashMismatch = "broker_response_hash_mismatch";
 
+        /// <summary>
+        /// Broker response nonce does not match the request nonce sent by MSAL.NET for iOS broker >= v6.3.19
+        /// </summary>
+        public const string BrokerNonceMismatch = "broker_nonce_mismatch";
+
         /// <summary>
         /// Device certificate not found.
         /// </summary>

src/Microsoft.IdentityModel.Clients.ActiveDirectory/Exceptions/AdalErrorMessage.cs

@@ -89,6 +89,8 @@ internal static class AdalErrorMessage
         public const string RedirectUriContainsFragment = "'redirectUri' must NOT include a fragment component";
         public const string ServiceReturnedError = "Service returned error. Check InnerException for more details";
         public const string BrokerReponseHashMismatch = "Unencrypted broker response hash did not match the expected hash";
+        public const string BrokerNonceMismatch = "Broker response nonce does not match the request nonce sent by MSAL.NET." +
+            "Please see https://aka.ms/adal-net-ios-13-broker for more details. ";
 
         public const string StsMetadataRequestFailed =
             "Metadata request to Access Control service failed. Check InnerException for more details";

src/Microsoft.IdentityModel.Clients.ActiveDirectory/Internal/Flows/BrokerParameter.cs

@@ -1,8 +1,5 @@
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text;
-using System.Threading.Tasks;
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
 
 namespace Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows
 {
@@ -21,5 +18,6 @@ internal static class BrokerParameter
         public const string Claims = "claims";
         public const string SilentBrokerFlow = "silent_broker_flow";
         public const string BrokerInstallUrl = "broker_install_url";
+        public const string BrokerNonce = "broker_nonce";
     }
 }

src/Microsoft.IdentityModel.Clients.ActiveDirectory/Platforms/iOS/AuthenticationContinuationHelper.cs

@@ -26,6 +26,7 @@
 //------------------------------------------------------------------------------
 
 using System;
+using System.Diagnostics;
 using Foundation;
 using Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform;
 
@@ -44,7 +45,24 @@ public static class AuthenticationContinuationHelper
         /// <returns>True if the response is from broker, False otherwise.</returns>
         public static bool IsBrokerResponse(string sourceApplication)
         {
-            return sourceApplication != null && sourceApplication.Equals("com.microsoft.azureauthenticator", StringComparison.OrdinalIgnoreCase);
+            Debug.WriteLine("IsBrokerResponse called with sourceApplication {0}", sourceApplication);
+
+            if (sourceApplication != null && sourceApplication.Equals("com.microsoft.azureauthenticator", StringComparison.OrdinalIgnoreCase))
+            {
+                return true;
+            }
+            if (string.IsNullOrEmpty(sourceApplication))
+            {
+                // For iOS 13+, SourceApplication will not be returned
+                // Customers will need to install iOS broker >= 6.3.19
+                // ADAL.NET will generate a nonce (guid), which broker will
+                // return in the response. ADAL.NET will validate a match in iOSBroker.cs
+                // So if SourceApplication is null, just return, ADAL.NET will throw a 
+                // specific error message if the nonce does not match.
+                return true;
+            }
+
+            return false;
         }
 
         /// <summary>

src/Microsoft.IdentityModel.Clients.ActiveDirectory/Platforms/iOS/iOSBroker.cs

@@ -49,6 +49,9 @@ internal class iOSBroker : IBroker
 
         private readonly ICoreLogger _logger;
 
+        private string _brokerRequestNonce;
+        private bool _brokerV3Installed = false;
+
         public iOSBroker(ICoreLogger logger)
         {
             _logger = logger;
@@ -66,21 +69,42 @@ public bool CanInvokeBroker
                     return false;
                 }
 
-                var res = false;
+                bool canStartBroker = false;
 
                 if (pp.UseBroker)
                 {
                     pp.CallerViewController.InvokeOnMainThread(() =>
                     {
-                        res = UIApplication.SharedApplication.CanOpenUrl(new NSUrl("msauth://"));
-                        _logger.Info("iOS Broker can be invoked. ");
+                        if (IsBrokerInstalled("msauthv3://"))
+                        {
+                            _logger.Info("iOS Broker (msauthv3://) can be invoked. ");
+                            _brokerV3Installed = true;
+                            canStartBroker = true;
+                        }
                     });
+
+                    if (!canStartBroker)
+                    {
+                        pp.CallerViewController.InvokeOnMainThread(() =>
+                        {
+                            if (IsBrokerInstalled("msauth://"))
+                            {
+                                _logger.Info("iOS Broker (msauth://) can be invoked. ");
+                                canStartBroker = true;
+                            }
+                        });
+                    }
                 }
 
-                return res;
+                return canStartBroker;
             }
         }
 
+        private bool IsBrokerInstalled(string brokerUriScheme)
+        {
+            return UIApplication.SharedApplication.CanOpenUrl(new NSUrl(brokerUriScheme));
+        }
+
         public async Task<AdalResultWrapper> AcquireTokenUsingBrokerAsync(IDictionary<string, string> brokerPayload)
         {
             if (brokerPayload.ContainsKey(BrokerParameter.SilentBrokerFlow))
@@ -105,6 +129,13 @@ public async Task<AdalResultWrapper> AcquireTokenUsingBrokerAsync(IDictionary<st
                 brokerPayload[BrokerParameter.Claims] = claims;
             }
 
+            if (_brokerV3Installed)
+            {
+                _brokerRequestNonce = string.Empty;
+                _brokerRequestNonce = Guid.NewGuid().ToString();
+                brokerPayload[BrokerParameter.BrokerNonce] = _brokerRequestNonce;
+            }
+
             if (brokerPayload.ContainsKey(BrokerParameter.BrokerInstallUrl))
             {
                 string url = brokerPayload[BrokerParameter.BrokerInstallUrl];
@@ -172,6 +203,7 @@ private AdalResultWrapper ResultFromBrokerResponse(IDictionary<string, string> r
                 string responseActualHash = PlatformProxyFactory.GetPlatformProxy().CryptographyManager.CreateSha256Hash(decryptedResponse);
                 byte[] rawHash = Convert.FromBase64String(responseActualHash);
                 string hash = BitConverter.ToString(rawHash);
+
                 if (expectedHash.Equals(hash.Replace("-", ""), StringComparison.OrdinalIgnoreCase))
                 {
                     responseDictionary = EncodingHelper.ParseKeyValueList(decryptedResponse, '&', false, null);
@@ -187,13 +219,35 @@ private AdalResultWrapper ResultFromBrokerResponse(IDictionary<string, string> r
                     };
                     _logger.InfoPii("Broker response hash mismatch: " + response.Error, "Broker response hash mismatch. ");
                 }
+
+                if (!ValidateBrokerResponseNonceWithRequestNonce(responseDictionary))
+                {
+                    response = new TokenResponse
+                    {
+                        Error = AdalError.BrokerReponseHashMismatch,
+                        ErrorDescription = AdalErrorMessage.BrokerReponseHashMismatch
+                    };
+                }
             }
 
             var dateTimeOffset = new DateTimeOffset(new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc));
             dateTimeOffset = dateTimeOffset.AddSeconds(response.ExpiresOn);
             return response.GetResult(dateTimeOffset, dateTimeOffset);
         }
 
+        private bool ValidateBrokerResponseNonceWithRequestNonce(IDictionary<string, string> brokerResponseDictionary)
+        {
+            if (!string.IsNullOrEmpty(_brokerRequestNonce))
+            {
+                string brokerResponseNonce = brokerResponseDictionary.ContainsKey(BrokerParameter.BrokerNonce)
+                   ? brokerResponseDictionary[BrokerParameter.BrokerNonce]
+                   : null;
+
+                return string.Equals(brokerResponseNonce, _brokerRequestNonce);
+            }
+            return false;
+        }
+
         public static void SetBrokerResponse(NSUrl responseUrl)
         {
             brokerResponse = responseUrl;