fix: move isEstsCloudHost after cross-cloud check; add hasPrtHeaderAttached guard

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-common-for-android/sessions/3df0bcf0-ff0c-410c-ad11-23d4c47b5a58

Co-authored-by: somalaya <69237821+somalaya@users.noreply.github.com>

Author: Copilot

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java

@@ -363,13 +363,14 @@ else if (isRedirectUrl(formattedURL)) {
                 processSSLProtectionCheck(view, url);
             } else if (isHeaderForwardingRequiredUri(url)) {
                 processHeaderForwardingRequiredUri(view, url);
-            } else if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_PRT_HEADER_FOR_ESTS_RETURN_REDIRECT)
-                    && isEstsCloudHost(url)) {
-                Logger.info(methodTag, "Navigation redirects to eSTS cloud host, re-attaching PRT header.");
-                processEstsHostRedirect(view, url);
             } else if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_ATTACH_PRT_HEADER_WHEN_CROSS_CLOUD) && isCrossCloudRedirect(formattedURL)) {
                 Logger.info(methodTag,"Navigation contains cross cloud redirect.");
                 processCrossCloudRedirect(view, url);
+            } else if (CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_PRT_HEADER_FOR_ESTS_RETURN_REDIRECT)
+                    && isEstsCloudHost(url)
+                    && hasPrtHeaderAttached()) {
+                Logger.info(methodTag, "Navigation redirects to eSTS cloud host, re-attaching PRT header.");
+                processEstsHostRedirect(view, url);
             } else if (mInWebCpFlow && isWebCpEnrollmentUrl(url)) {
                 Logger.info(methodTag,"Navigation contains web cp enrollment url.");
                 processWebCpEnrollmentUrl(view, url);
@@ -1165,6 +1166,15 @@ boolean isEstsCloudHost(@NonNull final String url) {
         }
     }
 
+    /**
+     * Returns true if the initial request headers already contained a PRT credential header,
+     * indicating that the original /authorize call was PRT-authenticated.
+     */
+    private boolean hasPrtHeaderAttached() {
+        return mRequestHeaders != null
+                && mRequestHeaders.containsKey(AuthenticationConstants.Broker.PRT_RESPONSE_HEADER);
+    }
+
     /**
      * Processes an eSTS host redirect by generating a fresh PRT credential JWT and attaching it.
      */

common/src/test/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClientEstsHostRedirectTest.java

@@ -36,6 +36,7 @@
 import androidx.annotation.NonNull;
 import androidx.test.core.app.ApplicationProvider;
 
+import com.microsoft.identity.common.adal.internal.AuthenticationConstants;
 import com.microsoft.identity.common.internal.mocks.MockCommonFlightsManager;
 import com.microsoft.identity.common.internal.ui.webview.challengehandlers.SwitchBrowserRequestHandler;
 import com.microsoft.identity.common.java.flighting.CommonFlight;
@@ -99,6 +100,8 @@ public void setPKeyAuthStatus(boolean status) {
                 false);
         final HashMap<String, String> dummyHeaders = new HashMap<>();
         dummyHeaders.put("key", "value");
+        // Include PRT header so tests that verify re-attachment pass the hasPrtHeaderAttached() guard.
+        dummyHeaders.put(AuthenticationConstants.Broker.PRT_RESPONSE_HEADER, "dummy-prt-value");
         mWebViewClient.setRequestHeaders(dummyHeaders);
         mWebViewClient.setRequestUrl(TEST_ESTS_URL);
         AzureActiveDirectory.ensureCloudDiscovery();
@@ -175,6 +178,26 @@ public void handleUrl_whenFlightEnabled_andNonEstsHost_doesNotHandleAsEstsHostRe
         assertFalse(result);
     }
 
+    @Test
+    public void handleUrl_whenFlightEnabled_andEstsHost_butNoPrtHeader_doesNotHandleAsEstsHostRedirect() {
+        final IFlightsProvider mockFlightsProvider = Mockito.mock(IFlightsProvider.class);
+        when(mockFlightsProvider.isFlightEnabled(CommonFlight.ENABLE_PRT_HEADER_FOR_ESTS_RETURN_REDIRECT))
+                .thenReturn(true);
+        final MockCommonFlightsManager mockCommonFlightsManager = new MockCommonFlightsManager();
+        mockCommonFlightsManager.setMockCommonFlightsProvider(mockFlightsProvider);
+        CommonFlightsManager.INSTANCE.initializeCommonFlightsManager(mockCommonFlightsManager);
+
+        // Remove PRT header from request headers to simulate a flow that was not PRT-authenticated.
+        final HashMap<String, String> headersWithoutPrt = new HashMap<>();
+        headersWithoutPrt.put("key", "value");
+        mWebViewClient.setRequestHeaders(headersWithoutPrt);
+
+        final AzureActiveDirectoryWebViewClient spyClient = spy(mWebViewClient);
+        // Without a PRT header in the initial request, the eSTS host redirect should fall through.
+        final boolean result = spyClient.shouldOverrideUrlLoading(mMockWebView, TEST_ESTS_URL);
+        assertFalse(result);
+    }
+
     // ------- setRequestUrl() / mLoginHint extraction tests -------
 
     @Test