support federated authentication

Author: MattKiazyk

Sources/XcodesLoginKit/AppleSessionService.swift

@@ -8,9 +8,13 @@ public actor AppleSessionService {
     public typealias KeychainSet = @Sendable (String, String) throws -> Void
     public typealias KeychainRemove = @Sendable (String) throws -> Void
     public typealias ReadLine = @Sendable (String) -> String?
+    public typealias ReadLongLine = @Sendable (String) -> String?
     public typealias ReadSecureLine = @Sendable (String) -> String?
     public typealias ValidateSession = @Sendable () async throws -> Void
     public typealias Login = @Sendable (String, String) async throws -> Void
+    public typealias CheckIsFederated = @Sendable (String) async throws -> FederationResponse
+    public typealias ValidateFederatedCallbackURL = @Sendable (String) async throws -> Void
+    public typealias OpenURL = @Sendable (URL) -> Void
     public typealias Signout = @Sendable () async -> Void
     public typealias LoadData = @Sendable (URLRequest) async throws -> (Data, URLResponse)
     public typealias Log = @Sendable (String) -> Void
@@ -23,9 +27,13 @@ public actor AppleSessionService {
         public var keychainSet: KeychainSet
         public var keychainRemove: KeychainRemove
         public var readLine: ReadLine
+        public var readLongLine: ReadLongLine
         public var readSecureLine: ReadSecureLine
         public var validateSession: ValidateSession
         public var login: Login
+        public var checkIsFederated: CheckIsFederated
+        public var validateFederatedCallbackURL: ValidateFederatedCallbackURL
+        public var openURL: OpenURL
         public var signout: Signout
         public var loadData: LoadData
         public var log: Log
@@ -38,9 +46,13 @@ public actor AppleSessionService {
             keychainSet: @escaping KeychainSet,
             keychainRemove: @escaping KeychainRemove,
             readLine: @escaping ReadLine,
+            readLongLine: @escaping ReadLongLine,
             readSecureLine: @escaping ReadSecureLine,
             validateSession: @escaping ValidateSession,
             login: @escaping Login,
+            checkIsFederated: @escaping CheckIsFederated,
+            validateFederatedCallbackURL: @escaping ValidateFederatedCallbackURL,
+            openURL: @escaping OpenURL,
             signout: @escaping Signout,
             loadData: @escaping LoadData,
             log: @escaping Log = { _ in }
@@ -52,9 +64,13 @@ public actor AppleSessionService {
             self.keychainSet = keychainSet
             self.keychainRemove = keychainRemove
             self.readLine = readLine
+            self.readLongLine = readLongLine
             self.readSecureLine = readSecureLine
             self.validateSession = validateSession
             self.login = login
+            self.checkIsFederated = checkIsFederated
+            self.validateFederatedCallbackURL = validateFederatedCallbackURL
+            self.openURL = openURL
             self.signout = signout
             self.loadData = loadData
             self.log = log
@@ -106,6 +122,12 @@ public actor AppleSessionService {
             }
             guard let username = possibleUsername else { throw Error.missingUsernameOrPassword }
 
+            let federationResponse = try await dependencies.checkIsFederated(username)
+            if federationResponse.federated {
+                try await handleFederatedLogin(username: username, federationResponse: federationResponse)
+                return
+            }
+
             let passwordPrompt: String
             if hasPromptedForUsername {
                 passwordPrompt = "Apple ID Password: "
@@ -131,6 +153,33 @@ public actor AppleSessionService {
         }
     }
 
+    private func handleFederatedLogin(username: String, federationResponse: FederationResponse) async throws {
+        guard let idpURL = federationResponse.idpURL else {
+            throw AuthenticationError.federatedAuthenticationRequired
+        }
+
+        let orgName = federationResponse.federatedAuthIntro?.orgName ?? "your organization"
+        let idpName = federationResponse.federatedAuthIntro?.idpName
+        let orgNameWithIdp = idpName.map { "\(orgName) (\($0))" } ?? orgName
+
+        dependencies.log("\n- This account uses federated authentication via \(orgNameWithIdp)")
+        dependencies.log("- Your browser will open to complete sign-in")
+        dependencies.log("- After signing in, you will be redirected to a blank page")
+        dependencies.log("- Copy the URL from your browser's address bar, then return here and paste it")
+        dependencies.log("\nOpening your browser...")
+        dependencies.openURL(idpURL)
+
+        guard let callbackURLString = dependencies.readLongLine("\nPaste the URL here: ") else {
+            throw Error.missingUsernameOrPassword
+        }
+
+        try await dependencies.validateFederatedCallbackURL(callbackURLString)
+
+        if dependencies.defaultUsername() != username {
+            try? dependencies.setDefaultUsername(username)
+        }
+    }
+
     public func login(_ username: String, password: String) async throws {
         do {
             try await dependencies.login(username, password)

Sources/XcodesLoginKit/AuthenticationError.swift

@@ -23,6 +23,9 @@ public enum AuthenticationError: Swift.Error, LocalizedError, Equatable, Sendabl
     case invalidResult(resultString: String?)
     case srpInvalidPublicKey
     case userCancelledSecurityKeyAuthentication
+    case federatedAuthenticationRequired
+    case invalidFederatedAuthenticationCallback
+    case missingPasswordForNonFederatedAccount
 
     public var errorDescription: String? {
         switch self {
@@ -61,6 +64,12 @@ public enum AuthenticationError: Swift.Error, LocalizedError, Equatable, Sendabl
             return "Invalid Key"
         case .userCancelledSecurityKeyAuthentication:
             return "User cancelled security key authorization"
+        case .federatedAuthenticationRequired:
+            return "This account uses federated authentication. Browser-based sign in is required."
+        case .invalidFederatedAuthenticationCallback:
+            return "The federated authentication callback URL is missing required parameters."
+        case .missingPasswordForNonFederatedAccount:
+            return "This Apple ID does not use federated authentication. Enter your password to continue."
         }
     }
 }

Sources/XcodesLoginKit/AuthenticationState.swift

@@ -6,8 +6,11 @@
 //
 
 
+import Foundation
+
 public enum AuthenticationState: Equatable, Sendable {
     case unauthenticated
+    case waitingForFederatedAuthentication(FederationResponse)
     case waitingForSecondFactor(TwoFactorOption, AuthOptionsResponse, AppleSessionData)
     case authenticated(AppleSession)
     case notAppleDeveloper
@@ -188,3 +191,90 @@ public struct AppleSession: Decodable, Sendable, Equatable {
 public struct AppleSessionUser: Decodable, Sendable, Equatable {
     public let fullName: String?
 }
+
+public struct FederationResponse: Decodable, Equatable, Sendable {
+    public let federated: Bool
+    public let showFederatedIdpConfirmation: Bool?
+    public let federatedIdpRequest: FederatedIdpRequest?
+    public let federatedAuthIntro: FederatedAuthIntro?
+
+    public init(
+        federated: Bool,
+        showFederatedIdpConfirmation: Bool? = nil,
+        federatedIdpRequest: FederatedIdpRequest? = nil,
+        federatedAuthIntro: FederatedAuthIntro? = nil
+    ) {
+        self.federated = federated
+        self.showFederatedIdpConfirmation = showFederatedIdpConfirmation
+        self.federatedIdpRequest = federatedIdpRequest
+        self.federatedAuthIntro = federatedAuthIntro
+    }
+
+    public var idpURL: URL? {
+        guard let idpRequest = federatedIdpRequest else { return nil }
+        var components = URLComponents(string: idpRequest.idPUrl)
+        components?.queryItems = idpRequest.requestParams.map { key, value in
+            URLQueryItem(name: key, value: value)
+        }
+        return components?.url
+    }
+}
+
+public struct FederatedIdpRequest: Decodable, Equatable, Sendable {
+    public let idPUrl: String
+    public let requestParams: [String: String]
+    public let httpMethod: String?
+
+    public init(idPUrl: String, requestParams: [String: String], httpMethod: String?) {
+        self.idPUrl = idPUrl
+        self.requestParams = requestParams
+        self.httpMethod = httpMethod
+    }
+}
+
+public struct FederatedAuthIntro: Decodable, Equatable, Sendable {
+    public let orgName: String?
+    public let idpName: String?
+    public let idpUrl: String?
+    public let orgType: String?
+    public let accountManagementUrl: String?
+
+    public init(orgName: String?, idpName: String?, idpUrl: String?, orgType: String?, accountManagementUrl: String?) {
+        self.orgName = orgName
+        self.idpName = idpName
+        self.idpUrl = idpUrl
+        self.orgType = orgType
+        self.accountManagementUrl = accountManagementUrl
+    }
+}
+
+public struct FederatedAuthenticationCallback: Equatable, Sendable {
+    public let widgetKey: String
+    public let token: String
+    public let relayState: String
+
+    public init(callbackURL: URL) throws {
+        guard let components = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false),
+              let queryItems = components.queryItems else {
+            throw AuthenticationError.invalidFederatedAuthenticationCallback
+        }
+
+        guard let widgetKey = queryItems.first(where: { $0.name == "widgetKey" })?.value,
+              let token = queryItems.first(where: { $0.name == "token" })?.value,
+              let relayState = queryItems.first(where: { $0.name == "relayState" })?.value else {
+            throw AuthenticationError.invalidFederatedAuthenticationCallback
+        }
+
+        self.widgetKey = widgetKey
+        self.token = token
+        self.relayState = relayState
+    }
+
+    public init(callbackURLString: String) throws {
+        guard let callbackURL = URL(string: callbackURLString) else {
+            throw AuthenticationError.invalidFederatedAuthenticationCallback
+        }
+
+        try self.init(callbackURL: callbackURL)
+    }
+}

Sources/XcodesLoginKit/Client.swift

@@ -25,6 +25,19 @@ public final class Client: Sendable {
     }
 
     // MARK: Login
+
+    public func authenticationState(accountName: String, password: String?) async throws -> AuthenticationState {
+        let federationResponse = try await checkIsFederated(accountName: accountName)
+        if federationResponse.federated {
+            return .waitingForFederatedAuthentication(federationResponse)
+        }
+
+        guard let password, !password.isEmpty else {
+            throw AuthenticationError.missingPasswordForNonFederatedAccount
+        }
+
+        return try await srpLogin(accountName: accountName, password: password)
+    }
 
     public func srpLogin(accountName: String, password: String) async throws -> AuthenticationState {
         let client = SRPClient(configuration: SRPConfiguration<SHA256>(.N2048))
@@ -159,6 +172,83 @@ public final class Client: Sendable {
             throw AuthenticationError.badStatusCode(statusCode: code, data: nil, response: response)
         }
     }
+
+    public func checkFederation(accountName: String, serviceKey: String) async throws -> FederationResponse {
+        try await networkService.requestObject(URLRequest.checkFederation(serviceKey: serviceKey, accountName: accountName))
+    }
+
+    public func checkIsFederated(accountName: String) async throws -> FederationResponse {
+        let serviceKeyResponse: ServiceKeyResponse = try await networkService.requestObject(URLRequest.itcServiceKey)
+        return try await checkFederation(accountName: accountName, serviceKey: serviceKeyResponse.authServiceKey)
+    }
+
+    @discardableResult
+    public func validateFederatedToken(widgetKey: String, token: String, relayState: String) async throws -> AuthenticationState {
+        let result = try await networkService.requestData(
+            URLRequest.federateValidate(widgetKey: widgetKey, token: token, relayState: relayState),
+            validators: []
+        )
+
+        guard let response = result.1 as? HTTPURLResponse else {
+            throw NetworkError.invalidResponseFormat
+        }
+
+        switch response.statusCode {
+        case 200..<300:
+            persistSessionOnlyAppleCookies()
+            return try await validateSession()
+        case 409:
+            return try await handleTwoStepOrFactor(data: result.0, response: response, serviceKey: widgetKey)
+        default:
+            throw AuthenticationError.unexpectedSignInResponse(statusCode: response.statusCode, message: nil)
+        }
+    }
+
+    @discardableResult
+    public func validateFederatedCallbackURL(_ callbackURL: URL) async throws -> AuthenticationState {
+        let callback = try FederatedAuthenticationCallback(callbackURL: callbackURL)
+        return try await validateFederatedToken(
+            widgetKey: callback.widgetKey,
+            token: callback.token,
+            relayState: callback.relayState
+        )
+    }
+
+    @discardableResult
+    public func validateFederatedCallbackURLString(_ callbackURLString: String) async throws -> AuthenticationState {
+        let callback = try FederatedAuthenticationCallback(callbackURLString: callbackURLString)
+        return try await validateFederatedToken(
+            widgetKey: callback.widgetKey,
+            token: callback.token,
+            relayState: callback.relayState
+        )
+    }
+
+    public func persistSessionOnlyAppleCookies(expiring expirationDate: Date = Date(timeIntervalSinceNow: 24 * 60 * 60)) {
+        let appleDomains = [".apple.com", ".idmsa.apple.com", "appstoreconnect.apple.com"]
+        guard let cookieStorage = networkService.urlSession.configuration.httpCookieStorage else { return }
+
+        for cookie in cookieStorage.cookies ?? [] where cookie.isSessionOnly {
+            guard appleDomains.contains(where: { cookie.domain.hasSuffix($0) }) else { continue }
+
+            var properties: [HTTPCookiePropertyKey: Any] = [
+                .name: cookie.name,
+                .value: cookie.value,
+                .domain: cookie.domain,
+                .path: cookie.path,
+                .secure: cookie.isSecure,
+                .expires: expirationDate
+            ]
+            if let version = cookie.properties?[.version] {
+                properties[.version] = version
+            }
+
+            cookieStorage.deleteCookie(cookie)
+            if let persistentCookie = HTTPCookie(properties: properties) {
+                cookieStorage.setCookie(persistentCookie)
+            }
+        }
+    }
 
     private func sha256(data : Data) -> Data {
         var hash = [UInt8](repeating: 0,  count: Int(CC_SHA256_DIGEST_LENGTH))

Sources/XcodesLoginKit/URLRequest+Apple.swift

@@ -15,6 +15,7 @@ public extension URL {
     static func submitSecurityCode(_ code: SecurityCode) -> URL { URL(string: "https://idmsa.apple.com/appleauth/auth/verify/\(code.urlPathComponent)/securitycode")! }
     static let trust = URL(string: "https://idmsa.apple.com/appleauth/auth/2sv/trust")!
     static let federate = URL(string: "https://idmsa.apple.com/appleauth/auth/federate")!
+    static let federateValidate = URL(string: "https://idmsa.apple.com/appleauth/auth/federate/validate")!
     static let olympusSession = URL(string: "https://appstoreconnect.apple.com/olympus/v1/session")!
     static let keyAuth = URL(string: "https://idmsa.apple.com/appleauth/auth/verify/security/key")!
 
@@ -161,6 +162,36 @@ public extension URLRequest {
 
         return request
     }
+
+    static func checkFederation(serviceKey: String, accountName: String) -> URLRequest {
+        struct Body: Encodable {
+            let accountName: String
+            let rememberMe = true
+        }
+
+        var request = URLRequest(url: .federate)
+        request.allHTTPHeaderFields = request.allHTTPHeaderFields ?? [:]
+        request.allHTTPHeaderFields?["Content-Type"] = "application/json"
+        request.allHTTPHeaderFields?["X-Requested-With"] = "XMLHttpRequest"
+        request.allHTTPHeaderFields?["X-Apple-Widget-Key"] = serviceKey
+        request.allHTTPHeaderFields?["Accept"] = "application/json"
+        request.httpMethod = "POST"
+        request.httpBody = try? JSONEncoder().encode(Body(accountName: accountName))
+        return request
+    }
+
+    static func federateValidate(widgetKey: String, token: String, relayState: String) -> URLRequest {
+        var components = URLComponents(url: .federateValidate, resolvingAgainstBaseURL: false)!
+        components.queryItems = [
+            URLQueryItem(name: "widgetKey", value: widgetKey),
+            URLQueryItem(name: "token", value: token),
+            URLQueryItem(name: "relayState", value: relayState)
+        ]
+        var request = URLRequest(url: components.url!)
+        request.allHTTPHeaderFields = request.allHTTPHeaderFields ?? [:]
+        request.allHTTPHeaderFields?["Accept"] = "application/json"
+        return request
+    }
 
     static func SRPInit(serviceKey: String, a: String, accountName: String) -> URLRequest {
         struct ServerSRPInitRequest: Encodable {
@@ -208,4 +239,3 @@ public enum SRPProtocol: String, Codable, Sendable {
     case s2k, s2k_fo
 }
 
-