AzureAD · Veena11 · Nov 19, 2024 · Oct 10, 2024 · Oct 11, 2024 · Oct 14, 2024
@@ -1,3 +1,8 @@
+## [1.6.2]:
+* Add native auth instructions to error description when reset password required is returned (#2582)
+* Save error received from ESTS, and return it to the client on silent broker calls (#2379)
+* Support web_page_uri (#2384)
+
 ## [1.6.1]:
 * Support extra query parameters on logout endpoint (#2339)
 * Add support functions to help broker improve cross cloud experience (#2361)

@@ -2,9 +2,10 @@
 # Unless a later match takes precedence, these users will be requested
 # for review whenever someone opens a pull request.
 *       @AzureAD/AppleIdentityTeam
-# @AzureAD/AppleIdentityTeam and @AzureAD/MSAL-ObjC-CIAM will be the co-owners of MSAL.project and CHANGELOG.md files
+# @AzureAD/AppleIdentityTeam and @AzureAD/MSAL-ObjC-CIAM will be the co-owners of MSAL.project, CHANGELOG.md and all files under azure_pipelines
 /MSAL/MSAL.xcodeproj/project.pbxproj @AzureAD/AppleIdentityTeam @AzureAD/MSAL-ObjC-CIAM
 CHANGELOG.md @AzureAD/AppleIdentityTeam @AzureAD/MSAL-ObjC-CIAM
+/azure_pipelines/ @AzureAD/AppleIdentityTeam @AzureAD/MSAL-ObjC-CIAM
 # @AzureAD/MSAL-ObjC-CIAM owns any files in the */native_auth
 # directories, subdirectories and other files related to native auth.
 /MSAL/module.modulemap @AzureAD/MSAL-ObjC-CIAM

@@ -1,6 +1,6 @@
 Pod::Spec.new do |s|
   s.name         = "MSAL"
-  s.version      = "1.6.1"
+  s.version      = "1.6.2"
   s.summary      = "Microsoft Authentication Library (MSAL) for iOS"
   s.description  = <<-DESC
                    The MSAL library for iOS gives your app the ability to begin using the Microsoft Cloud by supporting Microsoft Azure Active Directory and Microsoft Accounts in a converged experience using industry standard OAuth2 and OpenID Connect. The library also supports Microsoft Azure B2C for those using our hosted identity management service.

@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.6.1</string>
+	<string>1.6.2</string>
 	<key>CFBundleVersion</key>
 	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>NSPrincipalClass</key>

@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.6.1</string>
+	<string>1.6.2</string>
 	<key>CFBundleVersion</key>
 	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>NSHumanReadableCopyright</key>

@@ -30,6 +30,7 @@
 NSString *MSALErrorDomain = @"MSALErrorDomain";
 NSString *MSALOAuthErrorKey = @"MSALOAuthErrorKey";
 NSString *MSALOAuthSubErrorKey = @"MSALOAuthSubErrorKey";
+NSString *MSALOAuthSubErrorDescriptionKey = @"MSALOAuthSubErrorDescriptionKey";
 NSString *MSALErrorDescriptionKey = @"MSALErrorDescriptionKey";
 NSString *MSALSTSErrorCodesKey = @"MSALSTSErrorCodesKey";
 NSString *MSALInternalErrorCodeKey = @"MSALInternalErrorCodeKey";

@@ -142,6 +142,7 @@ + (void)initialize
                              MSIDSTSErrorCodesKey : MSALSTSErrorCodesKey,
                              MSIDOAuthErrorKey: MSALOAuthErrorKey,
                              MSIDOAuthSubErrorKey: MSALOAuthSubErrorKey,
+                             MSIDOAuthSubErrorDescriptionKey: MSALOAuthSubErrorDescriptionKey,
                              MSIDDeclinedScopesKey: MSALDeclinedScopesKey,
                              MSIDGrantedScopesKey: MSALGrantedScopesKey,
                              MSIDUserDisplayableIdkey: MSALDisplayableUserIdKey,

@@ -27,7 +27,7 @@
 
 #define MSAL_VER_HIGH       1
 #define MSAL_VER_LOW        6
-#define MSAL_VER_PATCH      1
+#define MSAL_VER_PATCH      2
 
 #define STR_HELPER(x) #x
 #define STR(x) STR_HELPER(x)

@@ -28,4 +28,5 @@ enum MSALNativeAuthESTSApiErrorCodes: Int {
     case invalidCredentials = 50126
     case userNotHaveAPassword = 500222
     case invalidRequestParameter = 90100
+    case resetPasswordRequired = 50142
 }
@@ -45,6 +45,7 @@ enum MSALNativeAuthErrorMessage {
     static let unexpectedResponseBody = "Unexpected response body received"
     static let unexpectedChallengeType = "Unexpected challenge type"
     static let refreshTokenMFARequiredError = "Multi-factor authentication is required, which can't be fulfilled as part of this flow. Please sign out and perform a new sign in operation. More information: "
+    static let passwordResetRequired = "User password change is required, which can't be fulfilled as part of this flow. Please reset the password and perform a new sign in operation. More information: "
 }
 
 // swiftlint:enable line_length
@@ -139,6 +139,19 @@ final class MSALNativeAuthTokenResponseValidator: MSALNativeAuthTokenResponseVal
         apiError: MSALNativeAuthTokenResponseError,
         context: MSIDRequestContext
     ) -> MSALNativeAuthTokenValidatedResponse {
+        var apiError = apiError
+        if apiError.errorCodes?.contains(MSALNativeAuthESTSApiErrorCodes.resetPasswordRequired.rawValue) ?? false {
+            let customErrorDescription = MSALNativeAuthErrorMessage.passwordResetRequired + (apiError.errorDescription ?? "")
+            apiError = MSALNativeAuthTokenResponseError(
+                error: apiError.error,
+                subError: apiError.subError,
+                errorDescription: customErrorDescription,
+                errorCodes: apiError.errorCodes,
+                errorURI: apiError.errorURI,
+                innerErrors: apiError.innerErrors,
+                continuationToken: apiError.continuationToken,
+                correlationId: apiError.correlationId)
+        }
         return handleInvalidResponseErrorCodes(
             apiError,
             context: context,
@@ -206,7 +219,8 @@ final class MSALNativeAuthTokenResponseValidator: MSALNativeAuthTokenResponseVal
         case .invalidCredentials:
             return .invalidPassword(apiError)
         case .userNotHaveAPassword,
-             .invalidRequestParameter:
+             .invalidRequestParameter,
+             .resetPasswordRequired:
             return .generalError(apiError)
         }
     }
@@ -219,7 +233,8 @@ final class MSALNativeAuthTokenResponseValidator: MSALNativeAuthTokenResponseVal
         case .userNotFound,
             .invalidCredentials,
             .userNotHaveAPassword,
-            .invalidRequestParameter:
+            .invalidRequestParameter,
+            .resetPasswordRequired:
             return .invalidRequest(apiError)
         }
     }

@@ -90,6 +90,8 @@ extension MSALNativeAuthUserAccountResult {
         let errorCodes = error.userInfo[MSALSTSErrorCodesKey] as? [Int] ?? []
         if isMFARequiredError(errorCodes: errorCodes) {
             message = MSALNativeAuthErrorMessage.refreshTokenMFARequiredError + message
+        } else if isResetPasswordRequiredError(errorCodes: errorCodes) {
+            message = MSALNativeAuthErrorMessage.passwordResetRequired + message
         }
         let correlationId = correlationIdFromMSALError(error: error) ?? context.correlationId()
         return RetrieveAccessTokenError(type: .generalError, message: message, correlationId: correlationId, errorCodes: errorCodes)
@@ -103,4 +105,8 @@ extension MSALNativeAuthUserAccountResult {
         let mfaRequiredErrorCode = 50076
         return errorCodes.contains(mfaRequiredErrorCode)
     }
+
+    private func isResetPasswordRequiredError(errorCodes: [Int]) -> Bool {
+        return errorCodes.contains(MSALNativeAuthESTSApiErrorCodes.resetPasswordRequired.rawValue)
+    }
 }
@@ -56,6 +56,11 @@ extern NSString *MSALOAuthErrorKey;
  */
 extern NSString *MSALOAuthSubErrorKey;
 
+/**
+    The suberror description returned by the service.
+ */
+extern NSString *MSALOAuthSubErrorDescriptionKey;
+
 /**
     The extended error description. Note that this string can change and should
     not be relied upon for any error handling logic.
+1 −0		IdentityCore/src/MSIDBrokerConstants.h
+1 −0		IdentityCore/src/MSIDBrokerConstants.m
+1 −0		IdentityCore/src/MSIDError.h
+1 −0		IdentityCore/src/MSIDError.m
+1 −0		IdentityCore/src/broker_operation/request/MSIDBaseBrokerOperationRequest.h
+1 −0		IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.h
+4 −0		IdentityCore/src/broker_operation/request/token_request/MSIDBrokerOperationTokenRequest.m
+1 −0		IdentityCore/src/parameters/MSIDRequestParameters.h
+2 −2		IdentityCore/src/requests/broker/MSIDSSOExtensionGetAccountsRequest.m
+2 −2		IdentityCore/src/requests/broker/MSIDSSOExtensionGetDeviceInfoRequest.m
+2 −2		IdentityCore/src/requests/broker/MSIDSSOExtensionInteractiveTokenRequest.m
+1 −2		IdentityCore/src/requests/broker/MSIDSSOExtensionSignoutRequest.m
+1 −2		IdentityCore/src/requests/broker/MSIDSSOExtensionSilentTokenRequest.m
+4 −1		IdentityCore/tests/automation/ui_tests_lib/MSIDBaseUITest.m
+112 −0		azure_pipelines/msal_submodule_check.yaml
+6 −0		changelog.txt