Merge branch 'dev' into rapong/reject

Author: rpdome

.github/copilot-instructions.md

@@ -554,6 +554,11 @@ See [changelog.txt](../changelog.txt) for the changelog format.
 
 ## 11. Dependencies & Versioning
 
+When any change is made to a `common/build.gradle` file or the shared dependency versions file at `gradle/versions.gradle` that adds a new dependency or changes a dependency version, always display the following warning message:
+> ⚠️ **Warning:** Changes detected ⚠️
+>
+> Please follow the recommendations in [Adding or Updating Gradle Dependencies](https://eng.ms/docs/microsoft-security/identity/entra-developer-application-platform/auth-client/authn-sdk-msal-android/android-auth-libraries/how-tos/adding-or-updating-gradle-dependencies).
+
 Flag:
 - Security library downgrade.
 - Major upgrade without referenced release notes.
@@ -674,4 +679,4 @@ Always cite specific code and give a minimal, actionable fix; use an assumption
 
 ---
 
-Thank you for contributing to this project!
+Thank you for contributing to this project!

azure-pipelines/pull-request-validation/build-consumers.yml

@@ -132,6 +132,37 @@ stages:
         tasks: msal:testLocalDebugUnitTest -Plabtest -PlabSecret=$(LabVaultAppCert) -ProbolectricSdkVersion=${{variables.robolectricSdkVersion}} -PmockApiUrl=$(MOCK_API_URL) -PnativeAuthConfigString=$(NATIVE_AUTH_CONFIG_STRING)
         jdkArchitecture: x64
         jdkVersionOption: "1.17"
+  # msalautomationapp
+  - job: msalAutomationAppValidation
+    displayName: MSAL Automation App
+    dependsOn:
+      - setupBranch
+    variables:
+      commonBranch: $[ dependencies.setupBranch.outputs['setvarStep.commonBranch'] ]  # map in the variable
+    condition: and( succeeded(), not(contains(variables['prLabels'], variables['skipConsumerValidationLabel'])) )
+    steps:
+    - checkout: msal
+      displayName: Checkout msal repository
+      clean: true
+      submodules: recursive
+      persistCredentials: True
+    - task: CmdLine@2
+      displayName: Checkout common submodule $(commonBranch)
+      inputs:
+        script: |
+          git fetch
+          git checkout $(commonBranch)
+          git pull
+          git status
+          git rev-parse HEAD
+        workingDirectory: $(Agent.BuildDirectory)/s/common
+    - template: ../templates/steps/automation-cert.yml
+    - task: Gradle@3
+      displayName: Assemble msalautomationapp
+      inputs:
+        jdkArchitecture: x64
+        jdkVersionOption: "1.17"
+        tasks: clean msalautomationapp:assembleLocal
   # broker
   - job: brokerValidation
     displayName: Broker

changelog.txt

@@ -3,6 +3,7 @@ vNext
 - [PATCH] Handle app_link Intent redirection by validating broker install links and rejecting unsupported redirect URIs with appropriate error responses (#3102)
 - [PATCH] Extend filter-then-clone optimization to load() and getIdTokensForAccountRecord() in MsalOAuth2TokenCache: when ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE flight is enabled, skip clone-all preload and call direct flight-gated overloads that clone only matching credentials; add new getCredentialsFilteredBy overload with kid support (#3100)
 - [PATCH] Move Multiple Listening apps check to the authorization layer (#3070)
+- [PATCH] Edge TB: Fix lookup mode (#3108)
 
 Version 24.2.0
 ----------

common/src/test/java/com/microsoft/identity/common/MicrosoftStsAccountCredentialAdapterTest.java

@@ -22,6 +22,7 @@
 // THE SOFTWARE.
 package com.microsoft.identity.common;
 
+import com.microsoft.identity.common.java.AuthenticationConstants;
 import com.microsoft.identity.common.java.authorities.Authority;
 import com.microsoft.identity.common.java.base64.Base64Flags;
 import com.microsoft.identity.common.java.base64.Base64Util;
@@ -39,6 +40,7 @@
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsAuthorizationRequest;
 import com.microsoft.identity.common.java.providers.microsoft.microsoftsts.MicrosoftStsTokenResponse;
 import com.microsoft.identity.common.java.request.SdkType;
+import com.microsoft.identity.common.java.util.SchemaUtil;
 import com.microsoft.identity.common.java.util.StringUtil;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
@@ -288,4 +290,34 @@ static String createRawClientInfo(final String uid, final String utid) {
         final String claims = "{\"uid\":\"" + uid + "\",\"utid\":\"" + utid + "\"}";
         return Base64Util.encodeToString(StringUtil.toByteArray(claims), Base64Flags.URL_SAFE);
     }
+
+    @Test
+    public void testCreateAccountRecord_LookupModeWithRealIdToken_ParsesUsername() throws ServiceException {
+        // In lookup mode, if the ID token is a real JWT (not "none"), username should still be parsed.
+        // This covers the interactive fallback scenario where lookup mode params are preserved
+        // but eSTS returns a real ID token.
+        when(mockParameters.isLookupMode()).thenReturn(true);
+        when(mockResponse.getIdToken()).thenReturn(MOCK_ID_TOKEN_WITH_CLAIMS);
+
+        final AccountRecord account = mAccountCredentialAdapter.createAccountRecord(
+                mockParameters, SdkType.MSAL, mockResponse);
+
+        assertNotNull(account);
+        assertEquals("Username should be parsed from real ID token even in lookup mode",
+                MOCK_PREFERRED_USERNAME, account.getUsername());
+    }
+
+    @Test
+    public void testCreateAccountRecord_LookupModeWithNoneIdToken_UsernameIsMissing() throws ServiceException {
+        // In lookup mode with id_token="none", username cannot be derived from the token.
+        when(mockParameters.isLookupMode()).thenReturn(true);
+        when(mockResponse.getIdToken()).thenReturn(AuthenticationConstants.Broker.LOOKUP_MODE_ID_TOKEN_VALUE);
+
+        final AccountRecord account = mAccountCredentialAdapter.createAccountRecord(
+                mockParameters, SdkType.MSAL, mockResponse);
+
+        assertNotNull(account);
+        assertEquals("Username should be MISSING_FROM_THE_TOKEN_RESPONSE when id_token is 'none'",
+                SchemaUtil.MISSING_FROM_THE_TOKEN_RESPONSE, account.getUsername());
+    }
 }

common/src/test/java/com/microsoft/identity/common/MsalOAuth2TokenCacheTest.java

@@ -1642,6 +1642,8 @@ private void enableFilterThenCloneFlight() {
         final IFlightsProvider mockFlightsProvider = Mockito.mock(IFlightsProvider.class);
         when(mockFlightsProvider.isFlightEnabled(CommonFlight.ENABLE_FILTER_THEN_CLONE_IN_MEMORY_CACHE))
                 .thenReturn(true);
+        when(mockFlightsProvider.isFlightEnabled(CommonFlight.USE_IN_MEMORY_CACHE_FOR_ACCOUNTS_AND_CREDENTIALS))
+                .thenReturn(true);
         final MockCommonFlightsManager mockFlightsManager = new MockCommonFlightsManager();
         mockFlightsManager.setMockCommonFlightsProvider(mockFlightsProvider);
         CommonFlightsManager.INSTANCE.initializeCommonFlightsManager(mockFlightsManager);
@@ -1764,4 +1766,72 @@ public void getIdTokensForAccountRecord_flightDisabled_returnsCorrectIdTokens()
         assertEquals(1, idTokens.size());
         assertEquals(defaultTestBundleV2.mGeneratedIdToken, idTokens.get(0));
     }
+
+    /**
+     * Regression test for ClassCastException: both flights enabled but the cache was constructed
+     * with a plain {@link SharedPreferencesAccountCredentialCache} (not the memory-cache subclass).
+     * The instanceof guard must cause load() to fall back to the legacy path without throwing.
+     */
+    @Test
+    public void load_flightEnabled_withNonMemoryCache_doesNotThrowAndReturnsCorrectResult()
+            throws ClientException {
+        enableFilterThenCloneFlight();
+        try {
+            // mOauth2TokenCache uses SharedPreferencesAccountCredentialCache (non-memory) from setUp()
+            configureMocksForTestBundle(defaultTestBundleV2);
+            final ICacheRecord saved = mOauth2TokenCache.save(
+                    mockStrategy,
+                    mockRequest,
+                    mockResponse
+            );
+
+            final ICacheRecord loaded = mOauth2TokenCache.load(
+                    CLIENT_ID,
+                    APPLICATION_IDENTIFIER_SHA512,
+                    MAM_ENROLLMENT_IDENTIFIER,
+                    TARGET,
+                    defaultTestBundleV2.mGeneratedAccount,
+                    BEARER_AUTHENTICATION_SCHEME
+            );
+
+            assertNotNull(loaded);
+            assertEquals(saved.getAccount(), loaded.getAccount());
+            assertEquals(saved.getAccessToken(), loaded.getAccessToken());
+            assertEquals(saved.getRefreshToken(), loaded.getRefreshToken());
+            assertEquals(saved.getIdToken(), loaded.getIdToken());
+        } finally {
+            resetFlight();
+        }
+    }
+
+    /**
+     * Regression test for ClassCastException: both flights enabled but the cache was constructed
+     * with a plain {@link SharedPreferencesAccountCredentialCache} (not the memory-cache subclass).
+     * The instanceof guard must cause getIdTokensForAccountRecord() to fall back to the legacy path
+     * without throwing.
+     */
+    @Test
+    public void getIdTokensForAccountRecord_flightEnabled_withNonMemoryCache_doesNotThrowAndReturnsCorrectResult()
+            throws ClientException {
+        enableFilterThenCloneFlight();
+        try {
+            // mOauth2TokenCache uses SharedPreferencesAccountCredentialCache (non-memory) from setUp()
+            configureMocksForTestBundle(defaultTestBundleV2);
+            mOauth2TokenCache.save(
+                    mockStrategy,
+                    mockRequest,
+                    mockResponse
+            );
+
+            final List<IdTokenRecord> idTokens = mOauth2TokenCache.getIdTokensForAccountRecord(
+                    CLIENT_ID,
+                    defaultTestBundleV2.mGeneratedAccount
+            );
+
+            assertEquals(1, idTokens.size());
+            assertEquals(defaultTestBundleV2.mGeneratedIdToken, idTokens.get(0));
+        } finally {
+            resetFlight();
+        }
+    }
 }

common4j/src/main/com/microsoft/identity/common/java/AuthenticationConstants.java

@@ -624,6 +624,11 @@ public static final class Broker {
          * Value for nativebroker mode sent in the extra query param by ESTS when the request is from lookup.
          */
         public static final String LOOKUP_MODE_VALUE = "Lookup";
+
+        /**
+         * When a Lookup mode request is forwarded to ESTS, the ID token in the response will have the value "none".
+         */
+        public static final String LOOKUP_MODE_ID_TOKEN_VALUE = "none";
     }
 
     @NoArgsConstructor(access = AccessLevel.PRIVATE)

common4j/src/main/com/microsoft/identity/common/java/cache/MicrosoftStsAccountCredentialAdapter.java

@@ -26,6 +26,7 @@
 
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
+import com.microsoft.identity.common.java.AuthenticationConstants;
 import com.microsoft.identity.common.java.authorities.Authority;
 import com.microsoft.identity.common.java.authscheme.AbstractAuthenticationScheme;
 import com.microsoft.identity.common.java.authscheme.PopAuthenticationSchemeInternal;
@@ -306,7 +307,7 @@ public AccountRecord createAccountRecord(
         } else {
             final String idTokenValue = microsoftStsTokenResponse.getIdToken();
             final MicrosoftStsAccount microsoftStsAccount = new MicrosoftStsAccount(
-                    parameters.isLookupMode() ?
+                    parameters.isLookupMode() && AuthenticationConstants.Broker.LOOKUP_MODE_ID_TOKEN_VALUE.equals(idTokenValue) ?
                             IDToken.createForLookup(idTokenValue) : new IDToken(idTokenValue),
                     clientInfo
             );

common4j/src/main/com/microsoft/identity/common/java/cache/MsalOAuth2TokenCache.java

@@ -675,11 +675,16 @@ public ICacheRecord load(@NonNull final String clientId,
         final List<Credential> v1IdTokens;
         List<Credential> refreshTokens;
 
-        if (useFilterThenClone) {
+        // The instanceof guard is necessary because the cache type is fixed at construction time,
+        // but flights are evaluated at runtime. For example, BrokerClientIdRefreshTokenAccessor
+        // always calls MsalOAuth2TokenCache.create(components) with useInMemoryCache=false,
+        // producing a plain SharedPreferencesAccountCredentialCache regardless of flight state.
+        // If both flights are later enabled at runtime, casting without this guard would throw
+        // a ClassCastException.
+        if (useFilterThenClone
+                && mAccountCredentialCache instanceof SharedPreferencesAccountCredentialCacheWithMemoryCache) {
             // Wrap all reads under one lock to ensure a consistent snapshot and prevent
             // a concurrent removal from causing partial/inconsistent cache records.
-            // Safe to cast — USE_IN_MEMORY_CACHE_FOR_ACCOUNTS_AND_CREDENTIALS guarantees
-            // mAccountCredentialCache is SharedPreferencesAccountCredentialCacheWithMemoryCache.
             final Object cacheLock = ((SharedPreferencesAccountCredentialCacheWithMemoryCache)
                     mAccountCredentialCache).getCacheLock();
             synchronized (cacheLock) {
@@ -965,7 +970,10 @@ public List<IdTokenRecord> getIdTokensForAccountRecord(@Nullable String clientId
 
         final List<Credential> idTokens;
 
-        if (useFilterThenClone) {
+        // See the same instanceof guard in load() for a full explanation of why the cache type
+        // may not match the flight state at runtime.
+        if (useFilterThenClone
+                && mAccountCredentialCache instanceof SharedPreferencesAccountCredentialCacheWithMemoryCache) {
             // Wrap under one lock for snapshot consistency (same rationale as load()).
             final Object cacheLock = ((SharedPreferencesAccountCredentialCacheWithMemoryCache)
                     mAccountCredentialCache).getCacheLock();