Merge pull request #1548 from AzureAD/ameyapat/bound-refresh-token-object

Adding Bound refresh token class and cache item

Author: ameyapat

IdentityCore/IdentityCore.xcodeproj/project.pbxproj

@@ -758,6 +758,14 @@
 		7293580E2DDFADDF0001D03C /* MSIDNonceHttpRequest.h in Headers */ = {isa = PBXBuildFile; fileRef = 7293580D2DDFADC80001D03C /* MSIDNonceHttpRequest.h */; };
 		729358102DDFADE70001D03C /* MSIDNonceHttpRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 7293580F2DDFADE50001D03C /* MSIDNonceHttpRequest.m */; };
 		729358112DDFADE70001D03C /* MSIDNonceHttpRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = 7293580F2DDFADE50001D03C /* MSIDNonceHttpRequest.m */; };
+		72C1EBF52DE91AC8004C40A4 /* MSIDBoundRefreshToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 72C1EBF42DE91ABE004C40A4 /* MSIDBoundRefreshToken.h */; };
+		72C1EBF72DE91AD0004C40A4 /* MSIDBoundRefreshToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 72C1EBF62DE91ACC004C40A4 /* MSIDBoundRefreshToken.m */; };
+		72C1EBF82DE91AD0004C40A4 /* MSIDBoundRefreshToken.m in Sources */ = {isa = PBXBuildFile; fileRef = 72C1EBF62DE91ACC004C40A4 /* MSIDBoundRefreshToken.m */; };
+		72C1EBFC2DEA8199004C40A4 /* MSIDBoundRefreshTokenCacheItem.h in Headers */ = {isa = PBXBuildFile; fileRef = 72C1EBFB2DEA8185004C40A4 /* MSIDBoundRefreshTokenCacheItem.h */; };
+		72C1EBFE2DEA81A1004C40A4 /* MSIDBoundRefreshTokenCacheItem.m in Sources */ = {isa = PBXBuildFile; fileRef = 72C1EBFD2DEA819E004C40A4 /* MSIDBoundRefreshTokenCacheItem.m */; };
+		72C1EBFF2DEA81A1004C40A4 /* MSIDBoundRefreshTokenCacheItem.m in Sources */ = {isa = PBXBuildFile; fileRef = 72C1EBFD2DEA819E004C40A4 /* MSIDBoundRefreshTokenCacheItem.m */; };
+		72C764F92E09CFB800043AB1 /* MSIDBoundRefreshTokenTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 72C764F82E09CFA400043AB1 /* MSIDBoundRefreshTokenTests.m */; };
+		72C764FA2E09CFB800043AB1 /* MSIDBoundRefreshTokenTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 72C764F82E09CFA400043AB1 /* MSIDBoundRefreshTokenTests.m */; };
 		72D961AE2DE12F1F005DED66 /* MSIDCachedNonce.h in Headers */ = {isa = PBXBuildFile; fileRef = 72D961AD2DE12F19005DED66 /* MSIDCachedNonce.h */; };
 		72D961B02DE12F30005DED66 /* MSIDCachedNonce.m in Sources */ = {isa = PBXBuildFile; fileRef = 72D961AF2DE12F2E005DED66 /* MSIDCachedNonce.m */; };
 		72D961B12DE12F30005DED66 /* MSIDCachedNonce.m in Sources */ = {isa = PBXBuildFile; fileRef = 72D961AF2DE12F2E005DED66 /* MSIDCachedNonce.m */; };
@@ -2668,6 +2676,11 @@
 		729357F22DDBD3F60001D03C /* MSIDNonceTokenRequestTest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDNonceTokenRequestTest.m; sourceTree = "<group>"; };
 		7293580D2DDFADC80001D03C /* MSIDNonceHttpRequest.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDNonceHttpRequest.h; sourceTree = "<group>"; };
 		7293580F2DDFADE50001D03C /* MSIDNonceHttpRequest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDNonceHttpRequest.m; sourceTree = "<group>"; };
+		72C1EBF42DE91ABE004C40A4 /* MSIDBoundRefreshToken.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDBoundRefreshToken.h; sourceTree = "<group>"; };
+		72C1EBF62DE91ACC004C40A4 /* MSIDBoundRefreshToken.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBoundRefreshToken.m; sourceTree = "<group>"; };
+		72C1EBFB2DEA8185004C40A4 /* MSIDBoundRefreshTokenCacheItem.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDBoundRefreshTokenCacheItem.h; sourceTree = "<group>"; };
+		72C1EBFD2DEA819E004C40A4 /* MSIDBoundRefreshTokenCacheItem.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBoundRefreshTokenCacheItem.m; sourceTree = "<group>"; };
+		72C764F82E09CFA400043AB1 /* MSIDBoundRefreshTokenTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBoundRefreshTokenTests.m; sourceTree = "<group>"; };
 		72D961AD2DE12F19005DED66 /* MSIDCachedNonce.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDCachedNonce.h; sourceTree = "<group>"; };
 		72D961AF2DE12F2E005DED66 /* MSIDCachedNonce.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDCachedNonce.m; sourceTree = "<group>"; };
 		740340B72460E5C400DFCF27 /* MSIDCurrentRequestTelemetrySerializedItem.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDCurrentRequestTelemetrySerializedItem.h; sourceTree = "<group>"; };
@@ -4809,6 +4822,8 @@
 		B226D85B1FFB07840012BF8B /* token */ = {
 			isa = PBXGroup;
 			children = (
+				72C1EBFD2DEA819E004C40A4 /* MSIDBoundRefreshTokenCacheItem.m */,
+				72C1EBFB2DEA8185004C40A4 /* MSIDBoundRefreshTokenCacheItem.h */,
 				B4A5ACD021F7F1DF00D2A780 /* Matchers */,
 				0570FE7D219B8C8C00958ECF /* MSIDCredentialCacheItem+MSIDBaseToken.h */,
 				0570FE7C219B8C8C00958ECF /* MSIDCredentialCacheItem+MSIDBaseToken.m */,
@@ -4911,6 +4926,8 @@
 		B251CC232041050E005E0179 /* token */ = {
 			isa = PBXGroup;
 			children = (
+				72C1EBF62DE91ACC004C40A4 /* MSIDBoundRefreshToken.m */,
+				72C1EBF42DE91ABE004C40A4 /* MSIDBoundRefreshToken.h */,
 				B2675689228CE6FC000F01D7 /* protocols */,
 				B251CC4E204105AD005E0179 /* MSIDCredentialType.h */,
 				B251CC4F204105AD005E0179 /* MSIDCredentialType.m */,
@@ -5717,6 +5734,7 @@
 		D6DA89731FBA6A4E004C56C7 /* tests */ = {
 			isa = PBXGroup;
 			children = (
+				72C764F82E09CFA400043AB1 /* MSIDBoundRefreshTokenTests.m */,
 				720B5B572DD58A6A00318FE5 /* MSIDJWECryptoTests.m */,
 				729357F22DDBD3F60001D03C /* MSIDNonceTokenRequestTest.m */,
 				A0410E4F25E88B5E004D80FD /* MSIDThrottlingMetaDataTest.m */,
@@ -6364,6 +6382,7 @@
 				B2F671EC2467AB4500649855 /* MSIDInteractiveRequestControlling.h in Headers */,
 				B443F0002AD6327700782168 /* MSIDBrokerOperationPasskeyCredentialRequest.h in Headers */,
 				23AE20982342D3BF00108F76 /* MSIDSilentController+Internal.h in Headers */,
+				72C1EBF52DE91AC8004C40A4 /* MSIDBoundRefreshToken.h in Headers */,
 				23B39A8620993572000AA905 /* MSIDAADAuthorityMetadataRequest.h in Headers */,
 				B28D90AA218FD1F800E230D6 /* MSIDDefaultTokenResponseValidator.h in Headers */,
 				B2F671E82467A34400649855 /* MSIDAuthorizationCodeResult.h in Headers */,
@@ -6408,6 +6427,7 @@
 				B286B9CB2389DE9F007833AD /* MSIDKeyGenerator.h in Headers */,
 				B26CEB022367B3B9009E6E54 /* MSIDSystemWebViewControllerFactory.h in Headers */,
 				8878C62929DCA054002F5F4B /* MSIDCIAMOauth2Factory.h in Headers */,
+				72C1EBFC2DEA8199004C40A4 /* MSIDBoundRefreshTokenCacheItem.h in Headers */,
 				B2C7088D2198E48E00D917B8 /* NSData+MSIDAES.h in Headers */,
 				2394F2052D4894FF00E44F6E /* MSIDWebUpgradeRegOperation.h in Headers */,
 				B251CC3B2041058D005E0179 /* MSIDRefreshToken.h in Headers */,
@@ -7077,6 +7097,7 @@
 				9668B6F72148796A0039AB0A /* MSIDDataExtensionsTests.m in Sources */,
 				B286B9F12389F866007833AD /* MSIDWebviewFactoryTests.m in Sources */,
 				B252913B2096698100E78695 /* MSIDAADIdTokenClaimsFactoryTests.m in Sources */,
+				72C764FA2E09CFB800043AB1 /* MSIDBoundRefreshTokenTests.m in Sources */,
 				B2BE923121A0EFB100F5AB8C /* MSIDDefaultTokenRequestProviderTests.m in Sources */,
 				729357F42DDBD3F80001D03C /* MSIDNonceTokenRequestTest.m in Sources */,
 				23FB5C20225516FB002BF1EB /* MSIDClaimsRequestTests.m in Sources */,
@@ -7274,6 +7295,7 @@
 				583BFCA924D87BA40035B901 /* MSIDRedirectUri.m in Sources */,
 				E656E07B2C2627B80011FB23 /* MSIDWebUpgradeRegResponse.m in Sources */,
 				580E2547271A014F003D1795 /* MSIDDeviceHeader.m in Sources */,
+				72C1EBFF2DEA81A1004C40A4 /* MSIDBoundRefreshTokenCacheItem.m in Sources */,
 				583BFCAB24D88CED0035B901 /* MSIDRedirectUriVerifier.m in Sources */,
 				B253152723DD61FB00432133 /* MSIDSSOExtensionGetDeviceInfoRequest.m in Sources */,
 				2A24815F2CB08344006FCB34 /* MSIDXpcSilentTokenRequestController.m in Sources */,
@@ -7304,6 +7326,7 @@
 				1E7DC42A2405A95400740BAD /* MSIDBaseBrokerOperationRequest.m in Sources */,
 				B286B97F2389DC08007833AD /* MSIDBrokerOperationRequest.m in Sources */,
 				23FB5C3122551866002BF1EB /* MSIDClaimsRequest+ClientCapabilities.m in Sources */,
+				72C1EBF72DE91AD0004C40A4 /* MSIDBoundRefreshToken.m in Sources */,
 				23B39ACD209CF317000AA905 /* MSIDAADNetworkConfiguration.m in Sources */,
 				23FB5C462255A135002BF1EB /* MSIDIndividualClaimRequest.m in Sources */,
 				2A2481582CB08050006FCB34 /* MSIDXpcSingleSignOnProvider.m in Sources */,
@@ -7755,6 +7778,7 @@
 				B2BE926221A25A8600F5AB8C /* MSIDInteractiveControllerIntegrationTests.m in Sources */,
 				B2BE923521A0F80100F5AB8C /* MSIDLegacyTokenRequestProviderTests.m in Sources */,
 				B48FC0632D7A90FA007B80DB /* MSIDBrokerFlightProviderTests.m in Sources */,
+				72C764F92E09CFB800043AB1 /* MSIDBoundRefreshTokenTests.m in Sources */,
 				23FB5C21225516FB002BF1EB /* MSIDClaimsRequestTests.m in Sources */,
 				E75DD02625D5E474007664A6 /* MSIDThrottlingServiceIntegrationTests.m in Sources */,
 				B286BA07238A110A007833AD /* MSIDOIDCSignoutRequestTests.m in Sources */,
@@ -7984,6 +8008,7 @@
 				2394F1F92D4890BD00E44F6E /* MSIDWebOAuth2AuthCodeOperation.m in Sources */,
 				238EF03E208FE4740035ABE6 /* MSIDRefreshTokenGrantRequest.m in Sources */,
 				230C2C472CF95DBC00E767B6 /* MSIDSwitchBrowserResumeResponse.m in Sources */,
+				72C1EBFE2DEA81A1004C40A4 /* MSIDBoundRefreshTokenCacheItem.m in Sources */,
 				A0C7DDA425D1EA0D00F5B5B6 /* NSError+MSIDThrottlingExtension.m in Sources */,
 				235480C720DDF81000246F72 /* MSIDAuthorityFactory.m in Sources */,
 				239DF9C920E05847002D428B /* MSIDAADRequestConfigurator.m in Sources */,
@@ -8210,6 +8235,7 @@
 				B286B96323861852007833AD /* MSIDSignoutWebRequestConfiguration.m in Sources */,
 				B49323982AD4DA4800E0CBC0 /* MSIDBrokerOperationGetPasskeyAssertionResponse.m in Sources */,
 				B2C708182195283500D917B8 /* MSIDBrokerTokenRequest.m in Sources */,
+				72C1EBF82DE91AD0004C40A4 /* MSIDBoundRefreshToken.m in Sources */,
 				232173E22182A998009852C6 /* NSDictionary+MSIDJsonSerializable.m in Sources */,
 				B2C707F42192524700D917B8 /* MSIDDefaultTokenRequestProvider.m in Sources */,
 				B20657BE1FC9254800412B7D /* MSIDTelemetryCacheEvent.m in Sources */,

IdentityCore/src/MSIDOAuth2Constants.h

@@ -157,6 +157,7 @@ extern NSString *const MSID_ID_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_LEGACY_ID_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_PRT_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_FRT_TOKEN_CACHE_TYPE;
+extern NSString *const MSID_BOUND_RT_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE;
 extern NSString *const MSID_GENERAL_CACHE_ITEM_TYPE;
 extern NSString *const MSID_APP_METADATA_CACHE_TYPE;
@@ -177,3 +178,4 @@ extern NSString *const MSID_CCS_REQUEST_ID_RESPONSE;
 
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY;
 extern NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE;
+extern NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY;

IdentityCore/src/MSIDOAuth2Constants.m

@@ -151,6 +151,7 @@
 NSString *const MSID_LEGACY_ID_TOKEN_CACHE_TYPE          = @"V1IdToken";
 NSString *const MSID_PRT_TOKEN_CACHE_TYPE                = @"PrimaryRefreshToken";
 NSString *const MSID_FRT_TOKEN_CACHE_TYPE                = @"FamilyRefreshToken";
+NSString *const MSID_BOUND_RT_TOKEN_CACHE_TYPE           = @"BoundRefreshToken";
 NSString *const MSID_GENERAL_TOKEN_CACHE_TYPE            = @"token";
 NSString *const MSID_GENERAL_CACHE_ITEM_TYPE             = @"general_cache_item";
 NSString *const MSID_APP_METADATA_CACHE_TYPE             = @"appmetadata";
@@ -177,3 +178,5 @@
 
 NSString *const MSID_CCS_REQUEST_SEQUENCE_KEY            = @"x-ms-srs";
 NSString *const MSID_CCS_REQUEST_SEQUENCE_RESPONSE       = @"ccs-request-sequence";
+
+NSString *const MSID_BOUND_DEVICE_ID_CACHE_KEY           = @"bound_device_id";

IdentityCore/src/cache/accessor/MSIDAccountCredentialCache.m

@@ -388,7 +388,7 @@ - (BOOL)removeCredential:(nonnull MSIDCredentialCacheItem *)credential
 
     BOOL result = [_dataSource removeTokensWithKey:key context:context error:error];
 
-    if (result && (credential.credentialType == MSIDRefreshTokenType || credential.credentialType == MSIDFamilyRefreshTokenType))
+    if (result && (credential.credentialType == MSIDRefreshTokenType || credential.credentialType == MSIDFamilyRefreshTokenType || credential.credentialType == MSIDBoundRefreshTokenType))
     {
         [_dataSource saveWipeInfoWithContext:context error:nil];
     }

IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m

@@ -299,18 +299,18 @@ - (MSIDRefreshToken *)getRefreshableTokenWithAccount:(MSIDAccountIdentifier *)ac
             NSString *credentialTypeString = nil;
             if (credentialType == MSIDPrimaryRefreshTokenType)
             {
-                credentialTypeString = @"primary ";
+                credentialTypeString = @"primary";
             }
             else if (credentialType == MSIDFamilyRefreshTokenType)
             {
-                credentialTypeString = @"single family ";
+                credentialTypeString = @"single family";
             }
             else
             {
-                credentialTypeString = @"";
+                credentialTypeString = [MSIDCredentialTypeHelpers credentialTypeAsString:credentialType];
             }
 
-            MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, context, @"(Default accessor) Found %@refresh token by legacy account id", credentialTypeString);
+            MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, context, @"(Default accessor) Found %@ refresh token by legacy account id", credentialTypeString);
             return refreshToken;
         }
     }

IdentityCore/src/cache/token/MSIDBoundRefreshTokenCacheItem.h

@@ -0,0 +1,42 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.  
+
+#import <Foundation/Foundation.h>
+#import "MSIDCredentialCacheItem.h"
+
+/**
+ * @class MSIDBoundRefreshTokenCacheItem
+ * @brief Represents a bound refresh token cache item that is bound to the device.
+ */
+@interface MSIDBoundRefreshTokenCacheItem : MSIDCredentialCacheItem <NSSecureCoding>
+
+/**
+ * @property boundDeviceId
+ * @brief The unique identifier of the device to which the refresh token is bound.
+ */
+@property (atomic) NSString *boundDeviceId;
+
+@property (nonatomic, readonly) NSString *boundRefreshToken;
+
+@end

IdentityCore/src/cache/token/MSIDBoundRefreshTokenCacheItem.m

@@ -0,0 +1,145 @@
+//
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.  
+
+#import "MSIDBoundRefreshTokenCacheItem.h"
+#import "NSString+MSIDExtensions.h"
+#import "NSData+MSIDExtensions.h"
+
+@implementation MSIDBoundRefreshTokenCacheItem
+
+- (NSString *)boundRefreshToken
+{
+    return self.secret;
+}
+
+#pragma mark - NSSecureCoding
+
++ (BOOL)supportsSecureCoding
+{
+    return YES;
+}
+
+- (void)encodeWithCoder:(NSCoder *)coder
+{
+    [coder encodeObject:[self jsonDictionary] forKey:@"cacheItem"];
+}
+
+- (id)initWithCoder:(NSCoder *)decoder
+{
+    if (!(self = [super init]))
+    {
+        return nil;
+    }
+    NSDictionary *json = [decoder decodeObjectOfClass:[NSDictionary class] forKey:@"cacheItem"];
+    if (json)
+    {
+        self = [self initWithJSONDictionary:json error:nil];
+    }
+    return self;
+}
+
+#pragma mark - MSIDJsonSerializable
+
+- (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__autoreleasing*)error
+{
+    if (!(self = [super initWithJSONDictionary:json error:error]))
+    {
+        return nil;
+    }
+    
+    if (!self.secret)
+    {
+        if (error) *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInvalidInternalParameter, @"Couldn't read bound refresh token.", nil, nil, nil, nil, nil, YES);
+        return nil;
+    }
+    
+    _boundDeviceId = [json msidObjectForKey:MSID_BOUND_DEVICE_ID_CACHE_KEY ofClass:[NSString class]];
+    if (!_boundDeviceId)
+    {
+        if (error) *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInvalidInternalParameter, @"Bound device ID is nil. Cannot initialize bound refresh token cache item without bound device id", nil, nil, nil, nil, nil, YES);
+        return nil;
+    }
+    
+    return self;
+}
+
+- (NSDictionary *)jsonDictionary
+{
+    NSMutableDictionary *dictionary = [[super jsonDictionary] mutableCopy];
+    
+    if (!dictionary)
+    {
+        dictionary = [NSMutableDictionary new];
+    }
+
+    dictionary[MSID_BOUND_DEVICE_ID_CACHE_KEY] = self.boundDeviceId;
+    return dictionary;
+}
+
+#pragma mark - NSObject
+
+- (BOOL)isEqual:(id)object
+{
+    if (self == object)
+    {
+        return YES;
+    }
+    
+    if (![object isKindOfClass:self.class])
+    {
+        return NO;
+    }
+    
+    return [self isEqualToItem:(MSIDBoundRefreshTokenCacheItem *)object];
+}
+
+- (BOOL)isEqualToItem:(MSIDBoundRefreshTokenCacheItem *)item
+{
+    BOOL result = [super isEqualToItem:item];
+    result &= (!self.boundDeviceId && !item.boundDeviceId) || [self.boundDeviceId isEqualToString:item.boundDeviceId];
+    return result;
+}
+
+- (NSUInteger)hash
+{
+    NSUInteger hash = [super hash];
+    hash = hash * 31 + self.boundDeviceId.hash;
+    return hash;
+}
+
+- (NSString *)description
+{
+    NSString *baseDescription = [super description];
+    return [NSString stringWithFormat:@"%@, boundDeviceId: %@", baseDescription, self.boundDeviceId ? self.boundDeviceId : @"<nil>"];
+}
+
+#pragma mark - NSCopying
+
+- (id)copyWithZone:(NSZone *)zone
+{
+    MSIDBoundRefreshTokenCacheItem *item = (MSIDBoundRefreshTokenCacheItem *)[super copyWithZone:zone];
+    item.boundDeviceId = [self.boundDeviceId copyWithZone:zone];
+    return item;
+}
+@end

IdentityCore/src/cache/token/MSIDCredentialCacheItem+MSIDBaseToken.m

@@ -34,6 +34,7 @@
 #import "MSIDFamilyRefreshToken.h"
 #import "MSIDV1IdToken.h"
 #import "MSIDAccessTokenWithAuthScheme.h"
+#import "MSIDBoundRefreshToken.h"
 
 @implementation MSIDCredentialCacheItem (MSIDBaseToken)
 
@@ -73,6 +74,10 @@ - (MSIDBaseToken *)tokenWithType:(MSIDCredentialType)credentialType
         {
             return [[MSIDFamilyRefreshToken alloc] initWithTokenCacheItem:self];
         }
+        case MSIDBoundRefreshTokenType:
+        {
+            return [[MSIDBoundRefreshToken alloc] initWithTokenCacheItem:self];
+        }
         default:
             return [[MSIDBaseToken alloc] initWithTokenCacheItem:self];
     }