Add SwitchBrowserRedirectActivity for non-broker Switch Browser flows, Fixes AB#3590615 (#3133)

Introduces an open SwitchBrowserRedirectActivity in Common that handles
browser redirects for the Switch Browser protocol. This activity catches
the /switch_browser_resume redirect and forwards it to
SwitchBrowserActivity.

BrokerBrowserRedirectActivity now extends this class (updated in
broker). Apps opting into Switch Browser override exported=true and add
intent-filters.

Fixes
[AB#3590615](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3590615)

---------

Co-authored-by: Mohit <mchand@microsoft.com>

Author: mohitc1

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Add SwitchBrowserRedirectActivity for non-broker Switch Browser protocol flows. BrokerBrowserRedirectActivity now extends this shared base class (#3133)
 - [PATCH] Fix Token Endpoint Server Telemetry Parsing (#3128)
 - [MINOR] Enable passkey registration by default in CommonFlight (ENABLE_PASSKEY_REGISTRATION) (#3132)
 - [PATCH] Emit ipc_strategy telemetry attribute for successful device registration IPC strategy and refactor execute flow to pack protocol request once before strategy retries (#3124)

common/src/main/AndroidManifest.xml

@@ -31,6 +31,26 @@
             android:theme="@style/Theme.AppCompat.Light"
             android:configChanges="orientation|keyboardHidden|screenSize|screenLayout|keyboard" />
 
+        <!-- Activity that handles browser-switch operations.
+             Launches the external browser and receives the result from SwitchBrowserRedirectActivity. -->
+        <activity
+            android:name="com.microsoft.identity.common.internal.providers.oauth2.SwitchBrowserActivity"
+            android:configChanges="orientation|keyboardHidden|screenSize|smallestScreenSize|screenLayout|keyboard"
+            android:launchMode="singleTask"
+            android:taskAffinity="" />
+
+        <!-- Activity to handle browser redirects for Switch Browser protocol in non-broker flows.
+             Apps that opt into Switch Browser must override this in their manifest with
+             android:exported="true" and the appropriate intent-filter.
+             taskAffinity="" ensures this activity always creates its own task when launched
+             from the browser (via FLAG_ACTIVITY_NEW_TASK), preventing it from landing in
+             AuthorizationActivity's task where finishAffinity() would kill the WebView. -->
+        <activity
+            android:name="com.microsoft.identity.common.internal.providers.oauth2.SwitchBrowserRedirectActivity"
+            android:launchMode="singleTask"
+            android:taskAffinity=""
+            android:exported="false" />
+
     </application>
 
     <!-- Required for API Level 30 to make sure we can detect browsers and other apps we want to

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/SwitchBrowserActivity.kt

@@ -51,16 +51,16 @@ import io.opentelemetry.api.trace.StatusCode
  * 2. This activity is launched with browser configuration parameters
  * 3. Activity launches the specified browser (Custom Tabs or standard browser)
  * 4. User completes authentication in the external browser
- * 5. BrokerBrowserRedirectActivity is launched when the redirect URI is triggered.
- * 5. BrokerBrowserRedirectActivity redirects back to this activity via onNewIntent()
+ * 5. SwitchBrowserRedirectActivity (or subclass) is launched when the redirect URI is triggered.
+ * 5. SwitchBrowserRedirectActivity redirects back to this activity via onNewIntent()
  * 6. Activity passes the result back to WebViewAuthorizationFragment
  * 7. Activity finishes and removes itself from the task stack
  *
  * Activity back stack behavior:
- * 1 BrokerAuthorizationActivity hosting WebViewAuthorizationFragment --launches--> SwitchBrowserActivity in a new task.
+ * 1 AuthorizationActivity hosting WebViewAuthorizationFragment --launches--> SwitchBrowserActivity in a new task.
  * 2 SwitchBrowserActivity --launches--> 3rd Party Browser (Custom Tabs or standard browser) in current task.
- * 3 3rd Party Browser --redirects to--> BrokerBrowserRedirectActivity in a new task.
- * 4 BrokerBrowserRedirectActivity -- launches--> SwitchBrowserActivity in the existing task, and finishes current task.
+ * 3 3rd Party Browser --redirects to--> SwitchBrowserRedirectActivity (or subclass) in a new task.
+ * 4 SwitchBrowserRedirectActivity -- launches--> SwitchBrowserActivity in the existing task, and finishes current task.
  * 5 SwitchBrowserActivity --passes result to--> WebViewAuthorizationFragment, and finishes current activity stack.
  *
  * **Security Note:** This activity is not exported and can only be launched within the app
@@ -81,8 +81,8 @@ class SwitchBrowserActivity : FragmentActivity() {
         /** Intent extra key for the target browser package name */
         const val BROWSER_PACKAGE_NAME = "browser_package_name"
 
-        /** Intent extra key for the broker redirect URI to use */
-        const val BROKER_REDIRECT_URI = "broker_redirect_uri"
+        /** Intent extra key for the redirect URI to use for the switch-browser callback */
+        const val REDIRECT_URI = "redirect_uri"
 
         /** Intent extra key indicating if the browser supports Custom Tabs */
         const val BROWSER_SUPPORTS_CUSTOM_TABS = "browser_supports_custom_tabs"
@@ -139,7 +139,7 @@ class SwitchBrowserActivity : FragmentActivity() {
          * boundary.
          *
          * @param context                   Application or activity context used to build the intent.
-         * @param brokerRedirectUri          The broker redirect URI used for the switch-browser callback.
+         * @param redirectUri               The redirect URI used for the switch-browser callback.
          * @param browserPackageName         The package name of the browser to launch.
          * @param browserSupportsCustomTabs  Whether the target browser supports Custom Tabs.
          * @param processUri                 The URI to open in the browser for authentication.
@@ -149,14 +149,14 @@ class SwitchBrowserActivity : FragmentActivity() {
         @JvmStatic
         fun buildSwitchBrowserLaunchIntent(
             context: Context,
-            brokerRedirectUri: String,
+            redirectUri: String,
             browserPackageName: String,
             browserSupportsCustomTabs: Boolean,
             processUri: String,
             spanContext: SerializableSpanContext?
         ): Intent {
             return Intent(context, SwitchBrowserActivity::class.java).apply {
-                putExtra(BROKER_REDIRECT_URI, brokerRedirectUri)
+                putExtra(REDIRECT_URI, redirectUri)
                 putExtra(BROWSER_PACKAGE_NAME, browserPackageName)
                 putExtra(BROWSER_SUPPORTS_CUSTOM_TABS, browserSupportsCustomTabs)
                 putExtra(PROCESS_URI, processUri)

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/SwitchBrowserRedirectActivity.kt

@@ -0,0 +1,92 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.providers.oauth2
+
+import android.app.Activity
+import android.content.Intent
+import android.os.Bundle
+import com.microsoft.identity.common.logging.Logger
+
+/**
+ * Activity that handles the browser redirect for Switch Browser protocol in non-broker flows.
+ *
+ * When the browser completes the Switch Browser challenge, it redirects to
+ * `<redirect_uri>/switch_browser_resume?code=...&action_uri=...&state=...`.
+ * This activity catches that redirect via its intent-filter and forwards
+ * the data to [SwitchBrowserActivity], which resumes the WebView flow.
+ *
+ * This activity is declared as `exported="false"` in Common's manifest.
+ * Apps that opt into Switch Browser must override this in their own manifest
+ * with `exported="true"` and the appropriate intent-filter for their redirect URI scheme/host.
+ *
+ * Subclasses (e.g. BrokerBrowserRedirectActivity) can override [getAuthIntent] to handle
+ * additional redirect scenarios beyond Switch Browser resume.
+ */
+open class SwitchBrowserRedirectActivity : Activity() {
+
+    companion object {
+        private val TAG: String = SwitchBrowserRedirectActivity::class.java.simpleName
+    }
+
+    override fun onCreate(savedInstanceState: Bundle?) {
+        super.onCreate(savedInstanceState)
+        if (savedInstanceState == null) {
+            processRedirectIntent(intent)
+        }
+    }
+
+    override fun onNewIntent(intent: Intent) {
+        super.onNewIntent(intent)
+        setIntent(intent)
+        processRedirectIntent(intent)
+    }
+
+    private fun processRedirectIntent(intent: Intent?) {
+        val methodTag = "$TAG:processRedirectIntent"
+        Logger.info(methodTag, "Received redirect from browser.")
+        intent?.dataString?.let { intentDataString ->
+            getAuthIntent(intentDataString)?.let { authIntent ->
+                startActivity(authIntent)
+            }
+        } ?: run {
+            Logger.warn(methodTag, "No data in redirect intent.")
+        }
+        finishAffinity()
+    }
+
+    /**
+     * Build the intent to handle the redirect data.
+     * Default implementation handles Switch Browser resume.
+     * Subclasses can override to handle additional redirect types.
+     *
+     * @param intentDataString The URI data from the browser redirect.
+     * @return The intent to start, or null if the data cannot be handled.
+     */
+    protected open fun getAuthIntent(intentDataString: String): Intent? {
+        val methodTag = "$TAG:getAuthIntent"
+        Logger.info(methodTag, "Switching to WebView via SwitchBrowserActivity.")
+        return SwitchBrowserActivity.buildSwitchBrowserResumeIntent(
+            applicationContext, intentDataString
+        )
+    }
+}

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/SwitchBrowserRequestHandler.kt

@@ -112,7 +112,7 @@ class SwitchBrowserRequestHandler(
             )
             val switchBrowserIntent = SwitchBrowserActivity.buildSwitchBrowserLaunchIntent(
                 context = activity,
-                brokerRedirectUri = switchBrowserChallenge.redirectUri,
+                redirectUri = switchBrowserChallenge.redirectUri,
                 browserPackageName = browser.packageName,
                 browserSupportsCustomTabs = browser.isCustomTabsServiceSupported,
                 processUri = switchBrowserChallenge.processUri.toString(),

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/switchbrowser/SwitchBrowserUriHelper.kt

@@ -104,13 +104,13 @@ object SwitchBrowserUriHelper {
      * @param uri The uri containing the switch browser code and action URL.
      * e.g. msauth://com.microsoft.identity.client/switch_browser?code=code&action_uri=action-uri
      *
-     * @return The process uri constructed from the broker redirect uri.
+     * @return The process uri constructed from the redirect uri.
      * e.g. action_uri?code=code
      */
     @Throws(ClientException::class, IllegalArgumentException::class, NullPointerException::class, UnsupportedOperationException::class)
     fun buildProcessUri(uri: Uri): Uri {
         val methodTag = "$TAG:buildProcessUri"
-        // Get the SwitchBrowser purpose token from the broker redirect uri.
+        // Get the SwitchBrowser purpose token from the redirect uri.
         val code = uri.getQueryParameter(
             SWITCH_BROWSER.CODE
         )
@@ -121,7 +121,7 @@ object SwitchBrowserUriHelper {
             Logger.error(methodTag, errorMessage, exception)
             throw exception
         }
-        // Get the process uri from the broker redirect uri.
+        // Get the process uri from the redirect uri.
         val actionUri = uri.getQueryParameter(
             SWITCH_BROWSER.ACTION_URI
         )

common/src/test/java/com/microsoft/identity/common/internal/providers/oauth2/SwitchBrowserRedirectActivityTest.kt

@@ -0,0 +1,171 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.providers.oauth2
+
+import android.content.Intent
+import android.net.Uri
+import com.microsoft.identity.common.adal.internal.AuthenticationConstants.SWITCH_BROWSER
+import org.junit.Assert.assertEquals
+import org.junit.Assert.assertNotNull
+import org.junit.Assert.assertTrue
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.robolectric.Robolectric
+import org.robolectric.RobolectricTestRunner
+import org.robolectric.Shadows.shadowOf
+
+/**
+ * Tests for [SwitchBrowserRedirectActivity].
+ */
+@RunWith(RobolectricTestRunner::class)
+class SwitchBrowserRedirectActivityTest {
+
+    companion object {
+        private const val TEST_ACTION_URI = "https://login.microsoftonline.com/process"
+        private const val TEST_CODE = "test-code-123"
+        private const val TEST_STATE = "test-state-456"
+        private const val REDIRECT_URI = "msauth://com.test.app/signature"
+    }
+
+    @Test
+    fun onCreate_startsActivityWithCorrectExtras_whenValidSwitchBrowserResumeUri() {
+        val intent = buildRedirectIntent(TEST_CODE, TEST_ACTION_URI, TEST_STATE)
+
+        val controller = Robolectric.buildActivity(
+            SwitchBrowserRedirectActivity::class.java, intent
+        ).create()
+        val activity = controller.get()
+
+        val shadow = shadowOf(activity)
+        val startedIntent = shadow.nextStartedActivity
+
+        assertNotNull("Should start SwitchBrowserActivity", startedIntent)
+        assertEquals(TEST_ACTION_URI, startedIntent.getStringExtra(SWITCH_BROWSER.ACTION_URI))
+        assertEquals(TEST_CODE, startedIntent.getStringExtra(SWITCH_BROWSER.CODE))
+        assertEquals(TEST_STATE, startedIntent.getStringExtra(SWITCH_BROWSER.STATE))
+        assertTrue(activity.isFinishing)
+    }
+
+    @Test
+    fun onCreate_finishes_whenIntentHasNoData() {
+        val intent = Intent()
+
+        val controller = Robolectric.buildActivity(
+            SwitchBrowserRedirectActivity::class.java, intent
+        ).create()
+        val activity = controller.get()
+
+        val shadow = shadowOf(activity)
+        val startedIntent = shadow.nextStartedActivity
+
+        // No activity should be started when there's no data
+        assertEquals(null, startedIntent)
+        assertTrue(activity.isFinishing)
+    }
+
+    @Test
+    fun onNewIntent_startsActivityWithNewData() {
+        val initialIntent = buildRedirectIntent(TEST_CODE, TEST_ACTION_URI, TEST_STATE)
+
+        val controller = Robolectric.buildActivity(
+            SwitchBrowserRedirectActivity::class.java, initialIntent
+        ).create()
+        val activity = controller.get()
+
+        // Clear the first started activity
+        val shadow = shadowOf(activity)
+        shadow.nextStartedActivity
+
+        // Deliver a new intent with different params
+        val newCode = "new-code-789"
+        val newState = "new-state-012"
+        val newIntent = buildRedirectIntent(newCode, TEST_ACTION_URI, newState)
+
+        controller.newIntent(newIntent)
+
+        val startedIntent = shadow.nextStartedActivity
+
+        assertNotNull("Should start SwitchBrowserActivity with new data", startedIntent)
+        assertEquals(TEST_ACTION_URI, startedIntent.getStringExtra(SWITCH_BROWSER.ACTION_URI))
+        assertEquals(newCode, startedIntent.getStringExtra(SWITCH_BROWSER.CODE))
+        assertEquals(newState, startedIntent.getStringExtra(SWITCH_BROWSER.STATE))
+    }
+
+    @Test
+    fun onCreate_doesNotStartActivity_onConfigurationChange() {
+        val intent = buildRedirectIntent(TEST_CODE, TEST_ACTION_URI, TEST_STATE)
+
+        val controller = Robolectric.buildActivity(
+            SwitchBrowserRedirectActivity::class.java, intent
+        ).create()
+        val activity = controller.get()
+
+        // Clear first started activity
+        val shadow = shadowOf(activity)
+        shadow.nextStartedActivity
+
+        // Simulate recreation with savedInstanceState (e.g. configuration change)
+        controller.recreate()
+
+        // After recreation with savedInstanceState, it should NOT re-start the activity
+        val startedIntent = shadow.nextStartedActivity
+        assertEquals(null, startedIntent)
+    }
+
+    @Test
+    fun onCreate_parsesEncodedUriParameters() {
+        val encodedActionUri = "https%3A%2F%2Flogin.microsoftonline.com%2Fprocess%3Fparam%3Dvalue"
+        val decodedActionUri = "https://login.microsoftonline.com/process?param=value"
+        val intent = Intent().apply {
+            data = Uri.parse(
+                "$REDIRECT_URI/${SWITCH_BROWSER.RESUME_PATH}?" +
+                        "${SWITCH_BROWSER.ACTION_URI}=$encodedActionUri&" +
+                        "${SWITCH_BROWSER.CODE}=$TEST_CODE&" +
+                        "${SWITCH_BROWSER.STATE}=$TEST_STATE"
+            )
+        }
+
+        val controller = Robolectric.buildActivity(
+            SwitchBrowserRedirectActivity::class.java, intent
+        ).create()
+        val activity = controller.get()
+
+        val shadow = shadowOf(activity)
+        val startedIntent = shadow.nextStartedActivity
+
+        assertNotNull("Should handle encoded URI parameters", startedIntent)
+        assertEquals(decodedActionUri, startedIntent.getStringExtra(SWITCH_BROWSER.ACTION_URI))
+        assertEquals(TEST_CODE, startedIntent.getStringExtra(SWITCH_BROWSER.CODE))
+        assertEquals(TEST_STATE, startedIntent.getStringExtra(SWITCH_BROWSER.STATE))
+    }
+
+    private fun buildRedirectIntent(code: String, actionUri: String, state: String): Intent {
+        val uriString = "$REDIRECT_URI/${SWITCH_BROWSER.RESUME_PATH}?" +
+                "${SWITCH_BROWSER.ACTION_URI}=$actionUri&" +
+                "${SWITCH_BROWSER.CODE}=$code&" +
+                "${SWITCH_BROWSER.STATE}=$state"
+        return Intent().apply {
+            data = Uri.parse(uriString)
+        }
+    }
+}