Merge branch 'dev' into fadi/publish-libraries-to-newandroid-feed

Author: fadidurah

changelog.txt

@@ -1,7 +1,10 @@
 vNext
 ----------
+- [PATCH] Emit ipc_strategy telemetry attribute for successful device registration IPC strategy and refactor execute flow to pack protocol request once before strategy retries (#3124)
 - [PATCH] Fix Edge browser selection on devices where Microsoft Edge is the default browser: add the rotated Edge signing certificate hash to the Edge BrowserDescriptor and accept multi-signer browsers when any signature intersects the safelist, instead of requiring strict set-equality (resolves MSAL #2414)
 - [MINOR] Refactor Auth Tab integration to use provider-based strategy selection. Adds AuthTabStrategyProvider and BrowserLaunchStrategy with Custom Tabs fallback. Compatible with androidx.browser:browser:1.7.0.
+- [MINOR] Wire onboarding telemetry hooks into AzureActiveDirectoryWebViewClient for page-transition step capture (broker install, MDM enrollment, Company Portal launch, MFA linking) and last-loaded-domain tracking (#3121)
+- [MINOR] Propagate the onboarding telemetry blob through the broker failure path: add BaseException.onboardingBlob and round-trip it through MsalBrokerResultAdapter so callers can emit onboarding telemetry on failure outcomes. Also add an MsalBrokerResultAdapter overload that accepts an onboarding blob on the success path so the broker can attach the finalized blob to the success result bundle (#3123)
 - [MINOR] Add provisionResourceAccountCredentials API to DeviceRegistrationClientApplication with V0 protocol params/response and add IPPhone to AppRegistry (#3086)
 - [PATCH] Extend filter-then-clone optimization to deleteAccessTokensWithIntersectingScopes and add telemetry attributes (#3114)
 - [PATCH] Wire ClientDataInfo through AcquireTokenResult, exceptions (#3109)

common/src/main/java/com/microsoft/identity/common/internal/result/MsalBrokerResultAdapter.java

@@ -152,11 +152,26 @@ public MsalBrokerResultAdapter(boolean shouldStopReturningRtWithAadResponse){
     @Override
     public Bundle bundleFromAuthenticationResult(@NonNull final ILocalAuthenticationResult authenticationResult,
                                                  @Nullable final String negotiatedBrokerProtocolVersion) {
+        return bundleFromAuthenticationResult(authenticationResult, null, negotiatedBrokerProtocolVersion);
+    }
+
+    /**
+     * MSAL-only overload that attaches an onboarding telemetry blob (serialized JSON) to the
+     * success-path result bundle. The broker uses this to ship the finalized onboarding blob
+     * back to the client on a successful interactive token request. Symmetric with
+     * {@link #bundleFromBaseException} which carries the blob via {@link BaseException#getOnboardingBlob()}.
+     *
+     * @param onboardingBlob The finalized onboarding telemetry blob, or null if none.
+     */
+    @NonNull
+    public Bundle bundleFromAuthenticationResult(@NonNull final ILocalAuthenticationResult authenticationResult,
+                                                 @Nullable final String onboardingBlob,
+                                                 @Nullable final String negotiatedBrokerProtocolVersion) {
         final String methodTag = TAG + ":bundleFromAuthenticationResult";
         Logger.info(methodTag, "Constructing result bundle from ILocalAuthenticationResult");
 
         final Bundle resultBundle = bundleFromBrokerResult(
-                buildBrokerResultFromAuthenticationResult(authenticationResult, negotiatedBrokerProtocolVersion),
+                buildBrokerResultFromAuthenticationResult(authenticationResult, onboardingBlob, negotiatedBrokerProtocolVersion),
                 negotiatedBrokerProtocolVersion);
         resultBundle.putBoolean(AuthenticationConstants.Broker.BROKER_REQUEST_V2_SUCCESS, true);
 
@@ -247,6 +262,22 @@ public Bundle bundleFromAuthenticationResultForWebApps(@NonNull final ILocalAuth
     public BrokerResult buildBrokerResultFromAuthenticationResult
             (@NonNull final ILocalAuthenticationResult authenticationResult,
              @Nullable final String negotiatedBrokerProtocolVersion){
+        return buildBrokerResultFromAuthenticationResult(authenticationResult, null, negotiatedBrokerProtocolVersion);
+    }
+
+    /**
+     * Overload that attaches a serialized onboarding telemetry blob to the resulting
+     * {@link BrokerResult}. Used by the broker to ship the finalized onboarding blob
+     * back to the client on a successful interactive token request.
+     *
+     * @param onboardingBlob The finalized onboarding telemetry blob, or null if none.
+     */
+    @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+    @NonNull
+    public BrokerResult buildBrokerResultFromAuthenticationResult
+            (@NonNull final ILocalAuthenticationResult authenticationResult,
+             @Nullable final String onboardingBlob,
+             @Nullable final String negotiatedBrokerProtocolVersion){
 
         final IAccountRecord accountRecord = authenticationResult.getAccountRecord();
 
@@ -309,6 +340,12 @@ public Bundle bundleFromAuthenticationResultForWebApps(@NonNull final ILocalAuth
                     .refreshTokenAge(authenticationResult.getRefreshTokenAge());
         }
 
+        // Onboarding telemetry blob (success path) — carried back to the client adapter
+        // which attaches it to AcquireTokenResult. Telemetry-only, never affects auth.
+        if (!StringUtil.isNullOrEmpty(onboardingBlob)) {
+            brokerResultBuilder.onboardingBlob(onboardingBlob);
+        }
+
         return brokerResultBuilder.build();
     }
 
@@ -431,6 +468,13 @@ public Bundle bundleFromBaseException(@NonNull final BaseException exception,
             builder.clientDataInfoRaw(exception.getClientDataInfo().getRaw());
         }
 
+        // Serialize onboarding telemetry blob so it survives the broker IPC boundary on
+        // error paths — symmetric with the success path which carries the blob on
+        // BrokerResult. Telemetry-only — never affects auth logic.
+        if (!StringUtil.isNullOrEmpty(exception.getOnboardingBlob())) {
+            builder.onboardingBlob(exception.getOnboardingBlob());
+        }
+
         if (exception instanceof ServiceException) {
             final ServiceException serviceException = (ServiceException) exception;
             builder.subErrorCode(serviceException.getSubErrorCode())
@@ -563,6 +607,15 @@ public BaseException getBaseExceptionFromBundle(@NonNull final Bundle resultBund
             );
         }
 
+        // Restore onboarding telemetry blob from the broker result so callers catching
+        // the exception (e.g., OneAuth) can include onboarding telemetry for failure
+        // outcomes — symmetric with the success path which attaches the blob to
+        // AcquireTokenResult. Telemetry-only — never affects auth logic.
+        final String onboardingBlob = getOnboardingBlobFromBundle(brokerResult);
+        if (!StringUtil.isNullOrEmpty(onboardingBlob)) {
+            baseException.setOnboardingBlob(onboardingBlob);
+        }
+
         // Set broker app info if available
         if (resultBundle.containsKey(AuthenticationConstants.Broker.BROKER_VERSION)) {
             baseException.setBrokerAppVersion(

common/src/main/java/com/microsoft/identity/common/internal/telemetry/OnboardingTelemetryRecorder.kt

@@ -24,6 +24,7 @@
 package com.microsoft.identity.common.internal.telemetry
 
 import android.content.Context
+import com.microsoft.identity.common.java.telemetry.IOnboardingTelemetryRecorder
 import com.microsoft.identity.common.java.telemetry.OnboardingTelemetryConstants
 import com.microsoft.identity.common.logging.Logger
 import org.json.JSONArray
@@ -64,7 +65,7 @@ class OnboardingTelemetryRecorder(
     private val clientId: String,
     private val target: String, // sorted, space-joined scopes
     context: Context
-) {
+) : IOnboardingTelemetryRecorder {
 
     // Use applicationContext so this recorder, which may outlive the originating
     // Activity/Fragment, never holds a reference that would leak that context.
@@ -119,7 +120,7 @@ class OnboardingTelemetryRecorder(
      *
      * @param stepId Step ID constant (from OnboardingTelemetryConstants)
      */
-    fun addStep(stepId: String) {
+    override fun addStep(stepId: String) {
         val isoTimestamp = SimpleDateFormat(ISO_TIMESTAMP_FORMAT, Locale.US).format(Date())
         stepsList.add(StepEntry(stepId, isoTimestamp))
     }
@@ -134,7 +135,7 @@ class OnboardingTelemetryRecorder(
      *                  or [OnboardingTelemetryConstants.BLOCKING_ERROR_MDM_FLOW]),
      *                  not a numeric service auth error code.
      */
-    fun addBlockingError(errorCode: String) {
+    override fun addBlockingError(errorCode: String) {
         blockingErrors.add(errorCode)
 
         // Persist session correlation to SharedPreferences immediately on block

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java

@@ -79,11 +79,18 @@
 import com.microsoft.identity.common.java.ui.webview.authorization.IAuthorizationCompletionCallback;
 import com.microsoft.identity.common.java.challengehandlers.PKeyAuthChallenge;
 import com.microsoft.identity.common.java.challengehandlers.PKeyAuthChallengeFactory;
+import com.microsoft.identity.common.internal.telemetry.OnboardingTelemetryRecorder;
 import com.microsoft.identity.common.internal.ui.webview.challengehandlers.PKeyAuthChallengeHandler;
 import com.microsoft.identity.common.java.WarningType;
 import com.microsoft.identity.common.java.exception.ClientException;
 import com.microsoft.identity.common.java.exception.ErrorStrings;
 import com.microsoft.identity.common.java.providers.RawAuthorizationResult;
+import static com.microsoft.identity.common.java.telemetry.OnboardingTelemetryConstants.STEP_AUTHENTICATOR_MFA_LINKING_STARTED;
+import static com.microsoft.identity.common.java.telemetry.OnboardingTelemetryConstants.STEP_BROKER_INSTALL_PROMPTED;
+import static com.microsoft.identity.common.java.telemetry.OnboardingTelemetryConstants.STEP_COMPANY_PORTAL_LAUNCHED;
+import static com.microsoft.identity.common.java.telemetry.OnboardingTelemetryConstants.STEP_GOOGLE_ENROLLMENT_STARTED;
+import static com.microsoft.identity.common.java.telemetry.OnboardingTelemetryConstants.STEP_MDM_ENROLLMENT_STARTED;
+import static com.microsoft.identity.common.java.telemetry.OnboardingTelemetryConstants.STEP_WEB_CP_ENROLLMENT_STARTED;
 import com.microsoft.identity.common.java.util.StringUtil;
 import com.microsoft.identity.common.logging.Logger;
 
@@ -154,6 +161,16 @@ public class AzureActiveDirectoryWebViewClient extends OAuth2WebViewClient {
 
     private String mPasskeyRegistrationScript;
 
+    /**
+     * Optional onboarding telemetry recorder. Set via {@link #setOnboardingTelemetryRecorder}
+     * after this client is constructed (the recorder is created by the host fragment/activity
+     * when a seed JSON arrives, which is typically later than WebView construction).
+     * When non-null, key URL transitions (broker install, MDM enrollment, Company Portal
+     * launch, etc.) and {@code lastLoadedDomain} are recorded for the onboarding telemetry blob.
+     */
+    @Nullable
+    private OnboardingTelemetryRecorder mOnboardingTelemetryRecorder;
+
     /**
      * Callback for tracking URL load events.
      */
@@ -201,11 +218,28 @@ public void initializeAuthUxJavaScriptApi(@NonNull final WebView view, final Str
         }
     }
 
+    /**
+     * Attach an onboarding telemetry recorder so subsequent WebView page transitions
+     * (broker install prompts, MDM enrollment redirects, Company Portal launches, etc.)
+     * are recorded into the onboarding telemetry blob.
+     *
+     * Recorder is owned by the host fragment / activity (e.g. OneAuthNavigationFragment
+     * on the OneAuth side, AuthorizationActivity on the broker side). May be null when
+     * no seed JSON is available — in which case all hooks become no-ops.
+     */
+    public void setOnboardingTelemetryRecorder(
+            @Nullable final OnboardingTelemetryRecorder recorder) {
+        mOnboardingTelemetryRecorder = recorder;
+    }
+
     @Override
     public void onPageFinished(final WebView view,
                                final String url) {
         super.onPageFinished(view, url);
 
+        // Onboarding telemetry: record domain navigation (best-effort, no-op if no recorder).
+        recordLastLoadedDomain(url);
+
         if (mAuthUxJavaScriptInterfaceAdded) {
             // Add a function to the api. Must do this to first stringify the dict object, as Android @JavaScriptInterface does not support
             // passing dict objects through Javascript APIs, only Strings and primitive types. Server side will be sending message in a dict
@@ -722,6 +756,9 @@ private void processDeviceCaRequest(@NonNull final WebView view, @NonNull final
         final String methodTag = TAG + ":processDeviceCaRequest";
         Logger.info(methodTag, "This is a device CA request.");
 
+        // Onboarding telemetry: device CA blocking redirect → MDM enrollment phase.
+        recordOnboardingStep(STEP_MDM_ENROLLMENT_STARTED);
+
         if (shouldLaunchCompanyPortal()) {
             // If CP is installed, redirect to CP.
             // TODO: Until we get a signal from eSTS that CP is the MDM app, we cannot assume that.
@@ -831,6 +868,8 @@ private String getHomeTenantIdFromUrl(@NonNull final String url) {
     // This is a special case where the enrollment is not done in the WebView, but rather in the browser.
     private void processWebCpEnrollmentUrl(@NonNull final WebView view, @NonNull final String url) {
         final String methodTag = TAG + ":processWebCpEnrollmentUrl";
+        // Onboarding telemetry: WebCP enrollment is a distinct enrollment path.
+        recordOnboardingStep(STEP_WEB_CP_ENROLLMENT_STARTED);
         final Span span = createSpanWithAttributesFromParent(SpanName.ProcessWebCpEnrollmentRedirect.name());
         try (final Scope scope = SpanExtension.makeCurrentSpan(span)) {
             view.stopLoading();
@@ -859,6 +898,8 @@ public void run() {
     // Opens the Google enrollment URL in the browser or the default intent handler (like DPC)
     private void openGoogleEnrollmentUrl(@NonNull final String url) {
         final String methodTag = TAG + ":openGoogleEnrollmentUrl";
+        // Onboarding telemetry: Google enrollment redirect is a distinct enrollment path.
+        recordOnboardingStep(STEP_GOOGLE_ENROLLMENT_STARTED);
         Logger.info(methodTag, "Opening Google enrollment URL");
         try {
             final Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
@@ -883,6 +924,7 @@ private boolean processPlayStoreURL(@NonNull final WebView view, @NonNull final
         }
         final String appPackageName = getBrokerAppPackageNameFromUrl(url);
         Logger.info(methodTag, "Request to open PlayStore to install package : '" + appPackageName + "'");
+        recordOnboardingStep(STEP_BROKER_INSTALL_PROMPTED);
 
         try {
             final Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(PLAY_STORE_INSTALL_PREFIX + appPackageName));
@@ -902,6 +944,7 @@ private boolean processPlayStoreURLForBrokerApps(@NonNull final WebView view, @N
 
         final String appPackageName = getBrokerAppPackageNameFromUrl(url);
         Logger.info(methodTag, "Request to open PlayStore to install package : '" + appPackageName + "'");
+        recordOnboardingStep(STEP_BROKER_INSTALL_PROMPTED);
 
         try {
             final Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(PLAY_STORE_INSTALL_APP_PREFIX + appPackageName));
@@ -920,6 +963,8 @@ private boolean processPlayStoreURLForBrokerApps(@NonNull final WebView view, @N
 
     private void processAuthAppMFAUrl(String url) {
         final String methodTag = TAG + ":processAuthAppMFAUrl";
+        // Onboarding telemetry: redirect to Authenticator for MFA linking.
+        recordOnboardingStep(STEP_AUTHENTICATOR_MFA_LINKING_STARTED);
         Logger.verbose(methodTag, "Linking Account in Broker for MFA.");
         try {
             final Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
@@ -964,6 +1009,9 @@ void processAuthenticatorActivationAppLink(@NonNull final WebView view,
     private void launchCompanyPortal() {
         final String methodTag = TAG + ":launchCompanyPortal";
 
+        // Onboarding telemetry: Company Portal launch is a discrete onboarding step.
+        recordOnboardingStep(STEP_COMPANY_PORTAL_LAUNCHED);
+
         Logger.verbose(methodTag, "Sending intent to launch the CompanyPortal.");
         final Intent intent = new Intent();
         intent.setComponent(new ComponentName(
@@ -1051,6 +1099,10 @@ private void processWebCpRequest(@NonNull final WebView view, @NonNull final Str
     private void processInstallRequest(@NonNull final WebView view, @NonNull final String url) {
         final String methodTag = TAG + ":processInstallRequest";
 
+        // Onboarding telemetry: broker install request reached the WebView client. Record the
+        // step at method entry so we capture intent regardless of the parsed result code.
+        recordOnboardingStep(STEP_BROKER_INSTALL_PROMPTED);
+
         final RawAuthorizationResult result = RawAuthorizationResult.fromRedirectUri(url);
 
         if (result.getResultCode() != RawAuthorizationResult.ResultCode.BROKER_INSTALLATION_TRIGGERED) {
@@ -1108,6 +1160,8 @@ private void processInvalidRedirectUri(@NonNull final WebView view,
      */
     private void processIntentToInstallBrokerApp(@NonNull final WebView view, @NonNull final String intentUrl) {
         final String methodTag = TAG + ":processIntentToInstallBrokerApp";
+        // Onboarding telemetry: alternate broker install path (intent-scheme).
+        recordOnboardingStep(STEP_BROKER_INSTALL_PROMPTED);
         try {
             final Intent intent = Intent.parseUri(intentUrl, Intent.URI_INTENT_SCHEME);
             if (intent != null && intent.getPackage() != null) {
@@ -1430,4 +1484,42 @@ private Span createSpanWithAttributesFromParent(@NonNull final String spanName)
     public void addPasskeyRegistrationJsScript(@NonNull final String script) {
         this.mPasskeyRegistrationScript = script;
     }
+
+    /**
+     * Best-effort onboarding telemetry hook: records a step on the attached recorder
+     * if one is present. No-op when no recorder has been attached. Never throws.
+     */
+    private void recordOnboardingStep(@NonNull final String stepId) {
+        final OnboardingTelemetryRecorder recorder = mOnboardingTelemetryRecorder;
+        if (recorder == null) {
+            return;
+        }
+        try {
+            recorder.addStep(stepId);
+        } catch (final Throwable t) {
+            Logger.warn(TAG, "Onboarding telemetry: failed to record step " + stepId + ": " + t.getMessage());
+        }
+    }
+
+    /**
+     * Best-effort onboarding telemetry hook: records the host of the most recently loaded
+     * page on the attached recorder. No-op when no recorder is attached or the URL has no
+     * extractable host. Never throws.
+     */
+    private void recordLastLoadedDomain(@NonNull final String url) {
+        final OnboardingTelemetryRecorder recorder = mOnboardingTelemetryRecorder;
+        if (recorder == null || url.isEmpty()) {
+            return;
+        }
+        try {
+            final String host = Uri.parse(url).getHost();
+            if (host != null && !host.isEmpty()) {
+                recorder.setLastLoadedDomain(host);
+            } else {
+                Logger.verbose(TAG, "Onboarding telemetry: no host extracted from URL");
+            }
+        } catch (final Throwable t) {
+            Logger.warn(TAG, "Onboarding telemetry: failed to record last loaded domain: " + t.getMessage());
+        }
+    }
 }