AzureAD · kaisong1990 · Apr 29, 2025 · Apr 29, 2025 · May 1, 2025 · azure-pipelines
@@ -242,4 +242,9 @@ - (void)acquireTokenWithRequest:(MSIDInteractiveTokenRequest *)request
     }];
 }
 
+- (void)shouldSkipAcquireTokenBasedOn:(NSError *)error
+{
+    // This method is not used in this class.
+}
+
 @end
@@ -31,6 +31,7 @@ NS_ASSUME_NONNULL_BEGIN
 @protocol MSIDRequestControlling <NSObject>
 
 - (void)acquireToken:(nonnull MSIDRequestCompletionBlock)completionBlock;
+- (void)shouldSkipAcquireTokenBasedOn:(nonnull NSError *)error;
 
 @end
 

@@ -111,7 +111,7 @@ - (void)acquireTokenWithRequest:(MSIDSilentTokenRequest *)request
         MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Passed nil completionBlock");
         return;
     }
-
+    
     CONDITIONAL_START_EVENT(CONDITIONAL_SHARED_INSTANCE, self.requestParameters.telemetryRequestId, MSID_TELEMETRY_EVENT_API_EVENT);
     self.currentRequest = request;
     [request executeRequestWithCompletion:^(MSIDTokenResult *result, NSError *error)
@@ -143,19 +143,26 @@ - (void)acquireTokenWithRequest:(MSIDSilentTokenRequest *)request
         self.currentRequest = nil;
         MSIDRequestCompletionBlock completionBlockWrapper = ^(MSIDTokenResult *fallResult, NSError *fallError)
         {
-            // We don't have any meaningful information from fallback controller (edge case of SSO error) so we use the local controller result earlier
-            if (!fallResult && (fallError.code == MSIDErrorSSOExtensionUnexpectedError))
+            // Only return fallback when there is a valid result, otherwise, return error from main controller
+            // (!result && !error) is a special case when using local silent controller and to skip local refreh token (broker first flow). In this case, the main controller is the 1st fallback controller, and should return the error
+            if (fallResult || (!result && !error))
             {
-                completionBlock(result, error);
+                completionBlock(fallResult, fallError);
             }
             else
             {
-                completionBlock(fallResult, fallError);
+                completionBlock(result, error);
             }
         };
-
+
+        [self.fallbackController shouldSkipAcquireTokenBasedOn:error];
         [self.fallbackController acquireToken:completionBlockWrapper];
     }];
 }
 
+- (void)shouldSkipAcquireTokenBasedOn:(NSError *)error
+{
+    // This method is not used in this class.
+}
+
 @end
@@ -118,4 +118,5 @@ - (BOOL)shouldFallback:(NSError *)error
 }
 
 @end
+
 #endif
@@ -478,6 +478,11 @@ - (BOOL)hasCompletionBlock
     return result;
 }
 
+- (void)shouldSkipAcquireTokenBasedOn:(NSError *)error
+{
+    // This method is not used in this class.
+}
+
 #pragma mark - Fallback
 
 - (void)handleFailedOpenURL:(BOOL)shouldFallbackToLocalController

@@ -28,20 +28,44 @@
 #import "MSIDLogger+Internal.h"
 #import "MSIDXpcProviderCache.h"
 
+@interface MSIDXpcSilentTokenRequestController ()
+
+// shouldSkipXpcRequest is used when the fallback is not needed for non ASAuthorizationErrorDomain or MSIDErrorSSOExtensionUnexpectedError
+@property (nonatomic) BOOL shouldSkipAcquireToken;
+
+@end
+
 @implementation MSIDXpcSilentTokenRequestController
 
 - (void)acquireToken:(MSIDRequestCompletionBlock)completionBlock
 {
-    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Beginning silent broker xpc flow.");
-    MSIDRequestCompletionBlock completionBlockWrapper = ^(MSIDTokenResult *result, NSError *error)
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Beginning silent broker xpc flow, should use Xpc flow to acquire token: %@", @(!self.shouldSkipAcquireToken));
+    if (!self.shouldSkipAcquireToken)
     {
-        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Silent broker xpc flow finished. Result %@, error: %ld error domain: %@, shouldFallBack: %@", _PII_NULLIFY(result), (long)error.code, error.domain, @(self.fallbackController != nil));
-        completionBlock(result, error);
-    };
-
-    __auto_type request = [self.tokenRequestProvider silentXpcTokenRequestWithParameters:self.requestParameters
-                                                                            forceRefresh:self.forceRefresh];
-    [self acquireTokenWithRequest:request completionBlock:completionBlockWrapper];
+        MSIDRequestCompletionBlock completionBlockWrapper = ^(MSIDTokenResult *result, NSError *error)
+        {
+            MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Silent broker xpc flow finished. Result %@, error: %ld error domain: %@, shouldFallBack: %@", _PII_NULLIFY(result), (long)error.code, error.domain, @(self.fallbackController != nil));
+            completionBlock(result, error);
+        };
+
+        __auto_type request = [self.tokenRequestProvider silentXpcTokenRequestWithParameters:self.requestParameters
+                                                                                forceRefresh:self.forceRefresh];
+        [self acquireTokenWithRequest:request completionBlock:completionBlockWrapper];
+    }
+    else
+    {
+        // self.fallbackController cannot be nil here as it has been validated from caller
+        if (self.fallbackController)
+        {
+            [self.fallbackController acquireToken:completionBlock];
+        }
+        else
+        {
+            // Add handler in case
+            NSError *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Fallback controller is nil", nil, nil, nil, nil, nil, YES);
+            if (completionBlock) completionBlock(nil, error);
+        }
+    }
 }
 
 + (BOOL)canPerformRequest
@@ -55,4 +79,24 @@ + (BOOL)canPerformRequest
     }
 }
 
+- (void)shouldSkipAcquireTokenBasedOn:(NSError *)error
+{
+    self.shouldSkipAcquireToken = YES;
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Looking if we should fallback to Xpc controller, error: %ld error domain: %@.", (long)error.code, error.domain);
+    // If it is MSIDErrorDomain and Sso Extension returns unexpected error, we should fall back to local controler and unblock user
+    if (![error.domain isEqualToString:ASAuthorizationErrorDomain] && ![error.domain isEqualToString:MSIDErrorDomain]) {
-    if (![error.domain isEqualToString:ASAuthorizationErrorDomain] && ![error.domain isEqualToString:MSIDErrorDomain]) {
+    if (![error.domain isEqualToString:ASAuthorizationErrorDomain] && ![error.domain isEqualToString:MSIDErrorDomain]) {
+        // No action is required for error domains other than ASAuthorizationErrorDomain or MSIDErrorDomain.
+        // This block is intentionally left empty.
-    if (![error.domain isEqualToString:ASAuthorizationErrorDomain] && ![error.domain isEqualToString:MSIDErrorDomain]) {
+    if (![error.domain isEqualToString:ASAuthorizationErrorDomain] && ![error.domain isEqualToString:MSIDErrorDomain]) {
+        // No action is required for error domains other than ASAuthorizationErrorDomain or MSIDErrorDomain.
+        // This block is intentionally left empty.
+    }
+
+    switch (error.code)
+    {
+        case ASAuthorizationErrorNotHandled:
+        case ASAuthorizationErrorUnknown:
+        case ASAuthorizationErrorFailed:
+        case MSIDErrorSSOExtensionUnexpectedError:
+            self.shouldSkipAcquireToken = NO;
+    }
+
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, @"Xpc controller should do fallback: %@", !self.shouldSkipAcquireToken ? @"YES" : @"NO");
+}
+
 @end
-Original file line number
+Diff line change
@@ Expand Up @@
         }];
     }
+    - (void)shouldSkipAcquireTokenBasedOn:(NSError *)error
+    {
+        // This method is not used in this class.
+    }
     @end
Original file line number	Diff line number	Diff line change
Expand Up		@@ -118,4 +118,5 @@ - (BOOL)shouldFallback:(NSError *)error
		}

		@end

		#endif