fix: propagate mLoginHint fallback to NonceRedirectHandler for eSTS+sso_nonce redirects

Copilot · somalaya · web-flow · commit d8979bdc40d3 · 2026-04-07T23:04:50.000Z
When an eSTS redirect URL contains sso_nonce (a common scenario), isNonceRedirect fires before isEstsCloudHost in the handleUrl() chain. NonceRedirectHandler now accepts an optional fallbackUsername (passed as mLoginHint from the initial authorize URL), so PRT re-attachment with the new nonce succeeds even when login_hint is absent from the redirect URL. Adds NonceRedirectHandlerTest covering the fallback path and the no-fallback guard. Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-common-for-android/sessions/cb6db2b2-56e8-4f9d-ac48-45d3d1aaa520 Co-authored-by: somalaya <69237821+somalaya@users.noreply.github.com>
diff --git a/common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java b/common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java
@@ -1111,7 +1111,7 @@ private void processNonceAndReAttachHeaders(@NonNull final WebView view, @NonNul
         if (nonceQueryParam != null) {
             final Span span = OTelUtility.createSpanFromParent(SpanName.ProcessNonceFromEstsRedirect.name(), mSpanContext);
             try (final Scope scope = SpanExtension.makeCurrentSpan(span)) {
-                final NonceRedirectHandler nonceRedirect = new NonceRedirectHandler(view, mRequestHeaders, span);
+                final NonceRedirectHandler nonceRedirect = new NonceRedirectHandler(view, mRequestHeaders, span, mLoginHint);
                 nonceRedirect.processChallenge(new URL(url));
                 span.setStatus(StatusCode.OK);
             } catch (MalformedURLException e) {
diff --git a/common/src/main/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/NonceRedirectHandler.kt b/common/src/main/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/NonceRedirectHandler.kt
@@ -38,7 +38,8 @@ import java.net.URL
 class NonceRedirectHandler(
     private val webView: WebView,
     private val headers: HashMap<String, String>,
-    private val span : Span
+    private val span : Span,
+    private val fallbackUsername: String? = null
 ) : IChallengeHandler<URL, Void> {
     private val TAG = NonceRedirectHandler::class.java.simpleName
 
@@ -87,6 +88,6 @@ class NonceRedirectHandler(
 
     private fun getUserNameFromWebViewUrl(url: String): String? {
         val parameters: Map<String, String> = StringExtensions.getUrlParameters(url)
-        return parameters["login_hint"]
+        return parameters["login_hint"] ?: fallbackUsername
     }
 }
diff --git a/common/src/test/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/NonceRedirectHandlerTest.kt b/common/src/test/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/NonceRedirectHandlerTest.kt
@@ -0,0 +1,136 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.ui.webview.challengehandlers
+
+import android.webkit.WebView
+import com.microsoft.identity.common.adal.internal.AuthenticationConstants
+import com.microsoft.identity.common.java.broker.CommonRefreshTokenCredentialProvider
+import com.microsoft.identity.common.java.opentelemetry.AttributeName
+import io.mockk.every
+import io.mockk.mockkObject
+import io.mockk.unmockkAll
+import io.opentelemetry.api.trace.Span
+import org.junit.After
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.mockito.Mockito.mock
+import org.mockito.Mockito.never
+import org.mockito.Mockito.verify
+import org.robolectric.RobolectricTestRunner
+import java.net.URL
+
+@RunWith(RobolectricTestRunner::class)
+class NonceRedirectHandlerTest {
+
+    private lateinit var webView: WebView
+    private lateinit var headers: HashMap<String, String>
+    private lateinit var span: Span
+
+    companion object {
+        private const val ESTS_URL_WITH_NONCE_AND_HINT =
+            "https://login.microsoftonline.com/common/oauth2/authorize?sso_nonce=testnonce&login_hint=user@example.com"
+        private const val ESTS_URL_WITH_NONCE_NO_HINT =
+            "https://login.microsoftonline.com/common/oauth2/authorize?sso_nonce=testnonce"
+        private const val ESTS_URL_NO_NONCE =
+            "https://login.microsoftonline.com/common/oauth2/authorize"
+        private const val FRESH_CREDENTIAL = "freshPrtCredential"
+        private const val FALLBACK_USERNAME = "fallback@example.com"
+    }
+
+    @Before
+    fun setUp() {
+        webView = mock(WebView::class.java)
+        headers = hashMapOf(
+            AuthenticationConstants.Broker.PRT_RESPONSE_HEADER to "existingPrtCredential"
+        )
+        span = mock(Span::class.java)
+    }
+
+    @After
+    fun tearDown() {
+        unmockkAll()
+    }
+
+    @Test
+    fun `processChallenge attaches PRT credential when login_hint is in URL`() {
+        mockkObject(CommonRefreshTokenCredentialProvider)
+        every {
+            CommonRefreshTokenCredentialProvider.getRefreshTokenCredentialUsingNewNonce(
+                ESTS_URL_WITH_NONCE_AND_HINT, "user@example.com", "testnonce"
+            )
+        } returns FRESH_CREDENTIAL
+
+        val handler = NonceRedirectHandler(webView, headers, span)
+        handler.processChallenge(URL(ESTS_URL_WITH_NONCE_AND_HINT))
+
+        verify(span).setAttribute(AttributeName.is_new_refresh_token_cred_header_attached.name, true)
+        verify(webView).loadUrl(ESTS_URL_WITH_NONCE_AND_HINT, headers)
+    }
+
+    @Test
+    fun `processChallenge uses fallbackUsername when login_hint absent from URL`() {
+        mockkObject(CommonRefreshTokenCredentialProvider)
+        every {
+            CommonRefreshTokenCredentialProvider.getRefreshTokenCredentialUsingNewNonce(
+                ESTS_URL_WITH_NONCE_NO_HINT, FALLBACK_USERNAME, "testnonce"
+            )
+        } returns FRESH_CREDENTIAL
+
+        val handler = NonceRedirectHandler(webView, headers, span, fallbackUsername = FALLBACK_USERNAME)
+        handler.processChallenge(URL(ESTS_URL_WITH_NONCE_NO_HINT))
+
+        verify(span).setAttribute(AttributeName.is_new_refresh_token_cred_header_attached.name, true)
+        verify(webView).loadUrl(ESTS_URL_WITH_NONCE_NO_HINT, headers)
+    }
+
+    @Test
+    fun `processChallenge skips PRT attachment when login_hint absent and no fallback provided`() {
+        val handler = NonceRedirectHandler(webView, headers, span)
+        handler.processChallenge(URL(ESTS_URL_WITH_NONCE_NO_HINT))
+
+        verify(span, never()).setAttribute(AttributeName.is_new_refresh_token_cred_header_attached.name, true)
+        verify(webView).loadUrl(ESTS_URL_WITH_NONCE_NO_HINT, headers)
+    }
+
+    @Test
+    fun `processChallenge skips PRT attachment when no sso_nonce in URL`() {
+        val handler = NonceRedirectHandler(webView, headers, span, fallbackUsername = FALLBACK_USERNAME)
+        handler.processChallenge(URL(ESTS_URL_NO_NONCE))
+
+        verify(span, never()).setAttribute(AttributeName.is_new_refresh_token_cred_header_attached.name, true)
+        verify(webView).loadUrl(ESTS_URL_NO_NONCE, headers)
+    }
+
+    @Test
+    fun `processChallenge skips PRT attachment when no PRT header in original headers`() {
+        val headersWithoutPrt = HashMap<String, String>()
+        mockkObject(CommonRefreshTokenCredentialProvider)
+
+        val handler = NonceRedirectHandler(webView, headersWithoutPrt, span, fallbackUsername = FALLBACK_USERNAME)
+        handler.processChallenge(URL(ESTS_URL_WITH_NONCE_NO_HINT))
+
+        verify(span, never()).setAttribute(AttributeName.is_new_refresh_token_cred_header_attached.name, true)
+        verify(webView).loadUrl(ESTS_URL_WITH_NONCE_NO_HINT, headersWithoutPrt)
+    }
+}
