AzureAD
diff --git a/‎IdentityCore/IdentityCore.xcodeproj/project.pbxproj‎
Lines changed: 6 additions & 0 deletions b/‎IdentityCore/IdentityCore.xcodeproj/project.pbxproj‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎IdentityCore/src/MSIDError.h‎
Lines changed: 21 additions & 0 deletions b/‎IdentityCore/src/MSIDError.h‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎IdentityCore/src/MSIDError.m‎
Lines changed: 6 additions & 0 deletions b/‎IdentityCore/src/MSIDError.m‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎IdentityCore/src/MSIDOAuth2Constants.h‎
Lines changed: 4 additions & 0 deletions b/‎IdentityCore/src/MSIDOAuth2Constants.h‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎IdentityCore/src/MSIDOAuth2Constants.m‎
Lines changed: 3 additions & 1 deletion b/‎IdentityCore/src/MSIDOAuth2Constants.m‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationBrowserTokenRequest.m‎
Lines changed: 39 additions & 1 deletion b/‎IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationBrowserTokenRequest.m‎
Lines changed: 39 additions & 1 deletion
diff --git a/‎IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m‎
Lines changed: 5 additions & 2 deletions b/‎IdentityCore/src/cache/accessor/MSIDDefaultTokenCacheAccessor.m‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎IdentityCore/src/cache/token/MSIDCredentialCacheItem.h‎
Lines changed: 3 additions & 0 deletions b/‎IdentityCore/src/cache/token/MSIDCredentialCacheItem.h‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎IdentityCore/src/cache/token/MSIDCredentialCacheItem.m‎
Lines changed: 7 additions & 2 deletions b/‎IdentityCore/src/cache/token/MSIDCredentialCacheItem.m‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎IdentityCore/src/configuration/MSIDConfiguration.h‎
Lines changed: 23 additions & 0 deletions b/‎IdentityCore/src/configuration/MSIDConfiguration.h‎
Lines changed: 23 additions & 0 deletions
@@ -872,6 +872,8 @@
 		B21786A023A710A000839CE8 /* MSIDSSOExtensionGetAccountsRequest.h in Headers */ = {isa = PBXBuildFile; fileRef = B217869E23A710A000839CE8 /* MSIDSSOExtensionGetAccountsRequest.h */; };
 		B21786A123A710A000839CE8 /* MSIDSSOExtensionGetAccountsRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = B217869F23A710A000839CE8 /* MSIDSSOExtensionGetAccountsRequest.m */; };
 		B21786A223A710A000839CE8 /* MSIDSSOExtensionGetAccountsRequest.m in Sources */ = {isa = PBXBuildFile; fileRef = B217869F23A710A000839CE8 /* MSIDSSOExtensionGetAccountsRequest.m */; };
+		B21B4081297786A3002607C8 /* MSIDBrokerOperationBrowserTokenRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B21B4080297786A3002607C8 /* MSIDBrokerOperationBrowserTokenRequestTests.m */; };
+		B21B4082297786A3002607C8 /* MSIDBrokerOperationBrowserTokenRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = B21B4080297786A3002607C8 /* MSIDBrokerOperationBrowserTokenRequestTests.m */; };
 		B21FA9DA22063CEA00806B68 /* MSIDAutomationActionConstants.h in Headers */ = {isa = PBXBuildFile; fileRef = B25A39EE21C4CD6300213A62 /* MSIDAutomationActionConstants.h */; };
 		B21FA9DB22063CED00806B68 /* MSIDAutomationActionConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = B25A39EF21C4CD6300213A62 /* MSIDAutomationActionConstants.m */; };
 		B21FA9DC22063CEE00806B68 /* MSIDAutomationActionConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = B25A39EF21C4CD6300213A62 /* MSIDAutomationActionConstants.m */; };
@@ -2524,6 +2526,7 @@
 		B217863723A5994300839CE8 /* MSIDSSOExtensionSignoutController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDSSOExtensionSignoutController.m; sourceTree = "<group>"; };
 		B217869E23A710A000839CE8 /* MSIDSSOExtensionGetAccountsRequest.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDSSOExtensionGetAccountsRequest.h; sourceTree = "<group>"; };
 		B217869F23A710A000839CE8 /* MSIDSSOExtensionGetAccountsRequest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDSSOExtensionGetAccountsRequest.m; sourceTree = "<group>"; };
+		B21B4080297786A3002607C8 /* MSIDBrokerOperationBrowserTokenRequestTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MSIDBrokerOperationBrowserTokenRequestTests.m; sourceTree = "<group>"; };
 		B223B09922ACBFA400FB8713 /* MSIDMetadataCacheDataSource.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MSIDMetadataCacheDataSource.h; sourceTree = "<group>"; };
 		B223B09D22ADD86500FB8713 /* MSIDCacheItemSerializing.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDCacheItemSerializing.h; sourceTree = "<group>"; };
 		B223B09F22ADD87A00FB8713 /* MSIDExtendedCacheItemSerializing.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MSIDExtendedCacheItemSerializing.h; sourceTree = "<group>"; };
@@ -5274,6 +5277,7 @@
 				589BDB1C2718CD7D00BF3799 /* MSIDBrokerOperationGetSsoCookiesRequestTests.m */,
 				580E254D271A1815003D1795 /* MSIDBrokerOperationGetSsoCookiesResponseTests.m */,
 				586CD77B293FD76100550710 /* MSIDRequestControllerFactoryTests.m */,
+				B21B4080297786A3002607C8 /* MSIDBrokerOperationBrowserTokenRequestTests.m */,
 			);
 			path = tests;
 			sourceTree = "<group>";
@@ -6390,6 +6394,7 @@
 				B2DD4B3D20A9270B0047A66E /* MSIDDefaultCredentialCacheQueryTests.m in Sources */,
 				23CC944A20465CF100AA0551 /* MSIDTokenCacheDataSourceIntegrationTests.m in Sources */,
 				B217860E23A578BE00839CE8 /* MSIDBrokerOperationSignoutFromDeviceRequestTests.m in Sources */,
+				B21B4081297786A3002607C8 /* MSIDBrokerOperationBrowserTokenRequestTests.m in Sources */,
 				B233F8CC219E57AC00DC90E3 /* MSIDLegacyBrokerRequestTests.m in Sources */,
 				238EF08320913D760035ABE6 /* MSIDAADRequestConfiguratorTests.m in Sources */,
 				23419F63239896E500EA78C5 /* MSIDBrokerOperationResponseTests.m in Sources */,
@@ -6870,6 +6875,7 @@
 				B27CCDD6229EF2C000CAD565 /* MSIDDictionaryExtensionsTests.m in Sources */,
 				B86FA7D52383757600E5195A /* MSIDMacTokenCacheTests.m in Sources */,
 				23419F7A2399AD7500EA78C5 /* MSIDBrokerOperationTokenResponseTests.m in Sources */,
+				B21B4082297786A3002607C8 /* MSIDBrokerOperationBrowserTokenRequestTests.m in Sources */,
 				B252913C2096698100E78695 /* MSIDAADIdTokenClaimsFactoryTests.m in Sources */,
 				B2DD5B98204756580084313F /* MSIDAccountTypeTests.m in Sources */,
 				23419F5E23973AAD00EA78C5 /* MSIDBrokerOperationRequestTests.m in Sources */,
 
@@ -272,6 +272,27 @@ typedef NS_ENUM(NSInteger, MSIDErrorCode)
     // JIT - Compliance Check - Device unknown
     MSIDErrorJITComplianceCheckResultUnknown       =   -51823,
 
+    // JIT - Compliance Check - Invalid linkPayload from SSO configuration
+    MSIDErrorJITComplianceCheckInvalidLinkPayload  =   -51824,
+
+    // JIT - Compliance Check - Could not create compliance check web view controller
+    MSIDErrorJITComplianceCheckCreateController    =   -51825,
+
+    // JIT - Link - LinkConfig not found
+    MSIDErrorJITLinkConfigNotFound                 =   -51826,
+
+    // JIT - Link - Invalid LinkTokenConfig
+    MSIDErrorJITInvalidLinkTokenConfig             =   -51827,
+
+    // JIT - WPJ - Device Registration Failed
+    MSIDErrorJITWPJDeviceRegistrationFailed        =   -51828,
+
+    // JIT - WPJ - AccountIdentifier is nil
+    MSIDErrorJITWPJAccountIdentifierNil            =   -51829,
+
+    // JIT - WPJ - Failed to acquire broker token
+    MSIDErrorJITWPJAcquireTokenError               =   -51830,
+    
     // Throttling errors
     MSIDErrorThrottleCacheNoRecord = -51900,
     MSIDErrorThrottleCacheInvalidSignature = -51901,
 
@@ -178,6 +178,12 @@ MSIDErrorCode MSIDErrorCodeForOAuthErrorWithSubErrorCode(NSString *oauthError, M
                       @(MSIDErrorJITComplianceCheckResultNotCompliant),
                       @(MSIDErrorJITComplianceCheckResultTimeout),
                       @(MSIDErrorJITComplianceCheckResultUnknown),
+                      @(MSIDErrorJITComplianceCheckInvalidLinkPayload),
+                      @(MSIDErrorJITLinkConfigNotFound),
+                      @(MSIDErrorJITInvalidLinkTokenConfig),
+                      @(MSIDErrorJITWPJDeviceRegistrationFailed),
+                      @(MSIDErrorJITWPJAccountIdentifierNil),
+                      @(MSIDErrorJITWPJAcquireTokenError),
 
                       ],
               MSIDOAuthErrorDomain : @[// Server Errors
 
@@ -79,6 +79,10 @@ extern NSString *const MSID_OAUTH2_CODE_CHALLENGE;
 extern NSString *const MSID_OAUTH2_CODE_CHALLENGE_METHOD;
 extern NSString *const MSID_OAUTH2_CODE_VERIFIER;
 
+// Nested auth protocol
+extern NSString *const MSID_NESTED_AUTH_BROKER_CLIENT_ID;
+extern NSString *const MSID_NESTED_AUTH_BROKER_REDIRECT_URI;
+
 // AAD user identifiers
 extern NSString *const MSID_OAUTH2_CLIENT_INFO;
 extern NSString *const MSID_OAUTH2_UNIQUE_IDENTIFIER;
 
@@ -22,7 +22,6 @@
 // THE SOFTWARE.
 
 #import "MSIDOAuth2Constants.h"
-#import "MSIDAADNetworkConfiguration.h"
 
 NSString *const MSID_OAUTH2_ACCESS_TOKEN       = @"access_token";
 NSString *const MSID_OAUTH2_AUTHORIZATION      = @"authorization";
@@ -80,6 +79,9 @@
 NSString *const MSID_OAUTH2_CODE_CHALLENGE_METHOD        = @"code_challenge_method";
 NSString *const MSID_OAUTH2_CODE_VERIFIER                = @"code_verifier";
 
+NSString *const MSID_NESTED_AUTH_BROKER_CLIENT_ID        = @"brk_client_id";
+NSString *const MSID_NESTED_AUTH_BROKER_REDIRECT_URI     = @"brk_redirect_uri";
+
 NSString *const MSID_OAUTH2_CLIENT_INFO                  = @"client_info";
 NSString *const MSID_OAUTH2_UNIQUE_IDENTIFIER            = @"uid";
 NSString *const MSID_OAUTH2_UNIQUE_TENANT_IDENTIFIER     = @"utid";
 
@@ -55,11 +55,13 @@ - (instancetype)initWithRequest:(NSURL *)requestURL
 
         _requestURL = requestURL;
 
+        [self printRequestURLInfo:requestURL];
+        
         if (![requestValidator shouldHandleURL:_requestURL])
         {
             if (error)
             {
-                NSString *errorMessage = [NSString stringWithFormat:@"Failed to create browser operation request, %@ is not authorize request", _PII_NULLIFY([requestURL absoluteString])];
+                NSString *errorMessage = [NSString stringWithFormat:@"Failed to create browser operation request, %@ is not a valid request", _PII_NULLIFY([requestURL absoluteString])];
                 *error = MSIDCreateError(MSIDErrorDomain,MSIDErrorInvalidInternalParameter,errorMessage,nil, nil, nil, nil, nil, YES);
             }
 
@@ -90,6 +92,42 @@ - (instancetype)initWithRequest:(NSURL *)requestURL
     return self;
 }
 
++ (NSDictionary *)logProtocolNames
+{
+    static NSDictionary *logProtocolNames = nil;
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+        logProtocolNames = @{@"/authorize" : @"OAuth2 Authorize",
+                             @"/token": @"OAuth2 Token",
+                             @"/logout": @"OAuth2 Logout",
+                             @"/saml2": @"SAML2"
+        };
+    });
+    
+    return logProtocolNames;
+}
+
++ (NSString *)protocolLogNameForRequestURL:(NSURL *)requestURL
+{
+    NSString *requestURLString = requestURL.absoluteString;
+    NSDictionary *logProtocolNames = [self logProtocolNames];
+    
+    for (NSString *keyword in logProtocolNames.allKeys)
+    {
+        if ([requestURLString rangeOfString:keyword options:NSCaseInsensitiveSearch].location != NSNotFound)
+        {
+            return logProtocolNames[keyword];
+        }
+    }
+    
+    return @"N/A";
+}
+
+- (void)printRequestURLInfo:(NSURL *)requestURL
+{
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"[Browser SSO] Request URL host %@, protocol %@", requestURL.host, [self.class protocolLogNameForRequestURL:requestURL]);
+}
+
 #pragma mark - MSIDBaseBrokerOperationRequest
 
 + (NSString *)operation
 
@@ -211,14 +211,17 @@ - (MSIDRefreshToken *)getRefreshableTokenWithAccount:(MSIDAccountIdentifier *)ac
 {
     if (credentialType != MSIDRefreshTokenType && credentialType != MSIDPrimaryRefreshTokenType) return nil;
 
+    // For nested auth, get the RT using the broker/hub's client id
+    NSString *clientId = [configuration isNestedAuthProtocol] ? configuration.nestedAuthBrokerClientId : configuration.clientId;
+
     if (![NSString msidIsStringNilOrBlank:accountIdentifier.homeAccountId])
     {
         MSID_LOG_WITH_CTX_PII(MSIDLogLevelVerbose, context, @"(Default accessor) Finding token with user ID %@, clientId %@, familyID %@, authority %@", accountIdentifier.maskedHomeAccountId, configuration.clientId, familyId, configuration.authority);
 
         MSIDDefaultCredentialCacheQuery *query = [MSIDDefaultCredentialCacheQuery new];
         query.homeAccountId = accountIdentifier.homeAccountId;
         query.environmentAliases = [configuration.authority defaultCacheEnvironmentAliases];
-        query.clientId = familyId ? nil : configuration.clientId;
+        query.clientId = familyId ? nil : clientId;
         query.familyId = familyId;
         query.credentialType = credentialType;
 
@@ -240,7 +243,7 @@ - (MSIDRefreshToken *)getRefreshableTokenWithAccount:(MSIDAccountIdentifier *)ac
 
         MSIDRefreshToken *refreshToken = (MSIDRefreshToken *) [self getRefreshableTokenByDisplayableId:accountIdentifier
                                                                                              authority:configuration.authority
-                                                                                              clientId:configuration.clientId
+                                                                                              clientId:clientId
                                                                                               familyId:familyId
                                                                                         credentialType:credentialType
                                                                                                context:context
 
@@ -84,6 +84,9 @@
 // Requested claims for access tokens, currently only used by MSAL C++
 @property (atomic, readwrite, nullable) NSString *requestedClaims;
 
+// Redirect Uri
+@property (atomic, readwrite, nullable) NSString *redirectUri;
+
 - (BOOL)isEqualToItem:(nullable MSIDCredentialCacheItem *)item;
 
 - (BOOL)matchesTarget:(nullable NSString *)target comparisonOptions:(MSIDComparisonOptions)comparisonOptions;
 
@@ -51,9 +51,9 @@ @implementation MSIDCredentialCacheItem
 
 - (NSString *)description
 {
-    return [NSString stringWithFormat:@"MSIDCredentialCacheItem: clientId: %@, credentialType: %@, target: %@, realm: %@, environment: %@, expiresOn: %@, extendedExpiresOn: %@, refreshOn: %@, cachedAt: %@, last recovery attempted at: %@, familyId: %@, homeAccountId: %@, enrollmentId: %@, speInfo: %@, secret: %@",
+    return [NSString stringWithFormat:@"MSIDCredentialCacheItem: clientId: %@, credentialType: %@, target: %@, realm: %@, environment: %@, expiresOn: %@, extendedExpiresOn: %@, refreshOn: %@, cachedAt: %@, last recovery attempted at: %@, familyId: %@, homeAccountId: %@, enrollmentId: %@, speInfo: %@, secret: %@, redirectUri: %@",
             self.clientId, [MSIDCredentialTypeHelpers credentialTypeAsString:self.credentialType], self.target, self.realm, self.environment, self.expiresOn,
-            self.extendedExpiresOn, self.refreshOn, self.cachedAt, self.lastRecoveryAttempt, self.familyId, self.homeAccountId, self.enrollmentId, self.speInfo, [self.secret msidSecretLoggingHash]];
+            self.extendedExpiresOn, self.refreshOn, self.cachedAt, self.lastRecoveryAttempt, self.familyId, self.homeAccountId, self.enrollmentId, self.speInfo, [self.secret msidSecretLoggingHash], MSID_PII_LOG_TRACKABLE(self.redirectUri)];
 }
 
 #pragma mark - MSIDCacheItem
@@ -93,6 +93,7 @@ - (BOOL)isEqualToItem:(MSIDCredentialCacheItem *)item
     result &= (!self.tokenType && !item.tokenType) || [self.tokenType isEqual:item.tokenType];
     result &= (!self.kid && !item.kid) || [self.kid isEqual:item.kid];
     result &= (!self.requestedClaims && !item.requestedClaims) || [self.requestedClaims isEqual:item.requestedClaims];
+    result &= (!self.redirectUri && !item.redirectUri) || [self.redirectUri isEqual:item.redirectUri];
     // Ignore the lastMod properties (two otherwise-identical items with different
     // last modification informational values should be considered equal)
     return result;
@@ -121,6 +122,7 @@ - (NSUInteger)hash
     hash = hash * 31 + self.tokenType.hash;
     hash = hash * 31 + self.kid.hash;
     hash = hash * 31 + self.requestedClaims.hash;
+    hash = hash * 31 + self.redirectUri.hash;
     return hash;
 }
 
@@ -151,6 +153,7 @@ - (id)copyWithZone:(NSZone *)zone
     item.tokenType = [self.tokenType copyWithZone:zone];
     item.kid = [self.kid copyWithZone:zone];
     item.requestedClaims = [self.requestedClaims copyWithZone:zone];
+    item.redirectUri = [self.redirectUri copyWithZone:zone];
     return item;
 }
 
@@ -205,6 +208,7 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(__unused NSEr
     _tokenType = [json msidStringObjectForKey:MSID_OAUTH2_TOKEN_TYPE];
     _expiryInterval = [json msidStringObjectForKey:MSID_EXPIRES_IN_CACHE_KEY];
     _requestedClaims = [json msidStringObjectForKey:MSID_REQUESTED_CLAIMS_CACHE_KEY];
+    _redirectUri = [json msidStringObjectForKey:MSID_OAUTH2_REDIRECT_URI];
     return self;
 }
 
@@ -242,6 +246,7 @@ - (NSDictionary *)jsonDictionary
     dictionary[MSID_KID_CACHE_KEY] = _kid;
     dictionary[MSID_OAUTH2_TOKEN_TYPE] = _tokenType;
     dictionary[MSID_REQUESTED_CLAIMS_CACHE_KEY] = _requestedClaims;
+    dictionary[MSID_OAUTH2_REDIRECT_URI] = _redirectUri;
     return dictionary;
 }
 
 
@@ -30,6 +30,8 @@ extern NSString * const MSID_REDIRECT_URI_JSON_KEY;
 extern NSString * const MSID_CLIENT_ID_JSON_KEY;
 extern NSString * const MSID_SCOPE_JSON_KEY;
 extern NSString * const MSID_TOKEN_TYPE_JSON_KEY;
+extern NSString * const MSID_NESTED_AUTH_BROKER_CLIENT_ID_JSON_KEY;
+extern NSString * const MSID_NESTED_AUTH_BROKER_REDIRECT_URI_JSON_KEY;
 
 @interface MSIDConfiguration : NSObject <NSCopying, MSIDJsonSerializable>
 
@@ -40,6 +42,10 @@ extern NSString * const MSID_TOKEN_TYPE_JSON_KEY;
 @property (atomic, readonly) NSString *target;
 @property (atomic, readwrite) MSIDAuthenticationScheme *authScheme;
 
+// Nested auth protocol
+@property (atomic, readwrite) NSString *nestedAuthBrokerClientId;
+@property (atomic, readwrite) NSString *nestedAuthBrokerRedirectUri;
+
 @property (atomic, readwrite) NSString *applicationIdentifier;
 
 @property (atomic, readonly) NSString *resource;
@@ -56,4 +62,21 @@ extern NSString * const MSID_TOKEN_TYPE_JSON_KEY;
                          resource:(NSString *)resource
                            scopes:(NSOrderedSet<NSString *> *)scopes;
 
+- (instancetype)initWithAuthority:(MSIDAuthority *)authority
+                      redirectUri:(NSString *)redirectUri
+                         clientId:(NSString *)clientId
+                           target:(NSString *)target
+         nestedAuthBrokerClientId:(NSString *)nestedAuthBrokerClientId
+      nestedAuthBrokerRedirectUri:(NSString *)nestedAuthBrokerRedirectUri;
+
+- (instancetype)initWithAuthority:(MSIDAuthority *)authority
+                      redirectUri:(NSString *)redirectUri
+                         clientId:(NSString *)clientId
+                         resource:(NSString *)resource
+                           scopes:(NSOrderedSet<NSString *> *)scopes
+         nestedAuthBrokerClientId:(NSString *)nestedAuthBrokerClientId
+      nestedAuthBrokerRedirectUri:(NSString *)nestedAuthBrokerRedirectUri;
+
+- (BOOL)isNestedAuthProtocol;
+
 @end