Add BrowserRedirectValidator and integrate into AndroidAuthorizationStrategy, Fixes AB#3568776

[Copilot]

Multiple-apps-listening-on-same-URL-scheme validation previously ran at PCA initialization time in MSAL, surfacing errors immediately at startup before any token request was made. This caused false positives in broker flows where the browser path is never taken. This PR moves the check to browser authorization launch time (inside acquireToken) so it only fires when the browser authorization path is actually exercised.

Timing tradeoff: Because the check no longer runs at PCA init, redirect URI conflicts are now caught later — only when the user initiates an interactive browser-based sign-in. Apps that use broker without explicitly setting authorization_user_agent to BROWSER will no longer see false-positive errors at startup, but the tradeoff is that genuine URI conflicts will be detected during acquireToken rather than at initialization.

Changes

common4j — ErrorStrings

• Added MULTIPLE_APPS_LISTENING_CUSTOM_URL_SCHEME = "multiple_apps_listening_url_scheme" constant

common — BrowserRedirectValidator.kt (new)

Kotlin object with validateNoMultipleAppsListening(context, redirectUri, useCurrentTask):

• Builds an ACTION_VIEW intent with DEFAULT/BROWSABLE categories and the redirect URI as data
• Queries PackageManager.queryIntentActivities(intent, GET_RESOLVED_FILTER) for all matching handlers
• Skips the app's own BrowserTabActivity (or CurrentTaskBrowserTabActivity when useCurrentTask=true)
• Throws ClientException(MULTIPLE_APPS_LISTENING_CUSTOM_URL_SCHEME, ...) on any other matching activity
• Returns without throwing if PackageManager is null

common — AuthorizationActivityFactory.kt

• Factory is now a pure fragment-creation utility with no validation logic and no optional context parameter — no caller can inadvertently skip the check
• WebView and SilentWebView paths return the correct fragment type unchanged

common — AndroidAuthorizationStrategy.java

• All URL scheme conflict validation is consolidated in launchIntent() — the single point where throws ClientException is declared — covering both the fragment-embedded and full-Activity paths with a single upfront check
• WebView flows are explicitly excluded from validation
• A null authorizationAgent is treated as a browser flow (default behavior)
• Warning logs emitted when context or redirect URI is null (validation skipped)

// In launchIntent(), before fragment/activity branching:
final AuthorizationAgent authorizationAgent = (AuthorizationAgent)
    intent.getSerializableExtra(AUTHORIZATION_AGENT);
if (authorizationAgent != AuthorizationAgent.WEBVIEW) {
    // validate — throws ClientException on conflict
}

Exception propagation to MsalClientException

ClientException thrown by the validator flows: launchIntent() (throws ClientException) → requestAuthorization() → acquireToken() → InteractiveTokenCommand.execute() → CommandDispatcher.executeCommand() (caught as BaseException) → MSAL's callback adapter → MsalClientException.

Tests

• BrowserRedirectValidatorTest.kt (new): 9 unit tests covering pass/fail/edge cases including null PackageManager, empty resolved list, useCurrentTask flag selecting the correct activity class, and competing-app detection. Test intent registration mirrors the validator's intent shape (CATEGORY_DEFAULT + CATEGORY_BROWSABLE) to ensure Robolectric shadow PM resolution matches the real query.
• AuthorizationActivityFactoryTest.java: Tests confirming the factory returns the correct fragment type for WebView and browser agents (validation is not the factory's concern); duplicate tests removed.
• AndroidAuthorizationStrategyValidationTest.kt (new): 4 tests verifying that browser flows with a competing app throw ClientException from launchIntent(), WebView flows are skipped, null agent is treated as browser, and no-conflict flows pass. Competing-app registration uses the correct intent shape (CATEGORY_DEFAULT + CATEGORY_BROWSABLE) to match the validator's query.

AB#3568776

[github-actions]

✅ Work item link check complete. Description contains link AB#3568776 to an Azure Boards work item.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• dl.google.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED -XX:MaxMetaspaceSize=1024m -XX:+HeapDumpOnOutOfMemoryError -Xmx3072m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)
• identitydivision.pkgs.visualstudio.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED -XX:MaxMetaspaceSize=1024m -XX:+HeapDumpOnOutOfMemoryError -Xmx3072m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)
• www.puppycrawl.com
  • Triggering command: /opt/hostedtoolcache/CodeQL/2.25.1/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.25.1/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.25.1/x64/codeql/xml/tools/xml-extractor.jar --fileList=/tmp/codeql-scratch-b2678d0398b00160/dbs/java/working/files-to-index8943149093118371350.list --sourceArchiveDir=/tmp/codeql-scratch-b2678d0398b00160/dbs/java/src --outputDir=/tmp/codeql-scratch-b2678d0398b00160/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

@copilot I don't need you to comment on the PR, i am inquiring with you directly, on how to actually repro the scenario on the dev (original) code, if i take out package name from the manifest, will t...

Yes, the package visibility is the key. To reproduce on API 30+:

Option 1 (recommended): Add the Azure sample's package name to the MSAL test app's <queries> block in AndroidManifest.xml:

<queries>
    <package android:name="com.azure.sample" />  <!-- or whatever the Azure sample package is -->
    ...
</queries>

Once the target app is visible, queryIntentActivities with the scheme-only msauth:// intent will return its BrowserTabActivity, and the original check will throw.

Option 2: Test on a device/emulator running API < 30 — package visibility restrictions don't apply there, so all installed apps are visible without any <queries> declaration.

The <queries> declaration needs to be in the calling app (MSAL test app), not the target app, so removing/adding entries from the target app's manifest has no effect on this.

[fadidurah]

@copilot update the Description, to note that the check previously happened during PCA initialization, but will now happen during the acquire token call. This means that the tradeoff for enabling brokered scenarios without changing authorization_user_agent is that we don't catch the error as early.

[Copilot]

@copilot update the Description, to note that the check previously happened during PCA initialization, but will now happen during the acquire token call. This means that the tradeoff for enabling brok...

Updated the PR description with the tradeoff note: the check previously ran during PCA initialization; it now runs during acquireToken (at browser authorization launch time). This means conflicts are caught later in the flow, but broker flows no longer produce false positives when authorization_user_agent isn't explicitly set to BROWSER.

[github-actions]

❌ Invalid work item number: AB#3568776. Work item number must be a valid integer.

Click here to learn more.

[fadidurah]

@copilot there are compilation errors in AndroidAuthorizationStrategyValidationTest

[fadidurah]

@copilot remove leftover whitespace

[Copilot]

Removed in 62aaa55.

[Copilot]

@copilot there are compilation errors in AndroidAuthorizationStrategyValidationTest

Fixed in 64a048c. The completeAuthorization override was using PropertyBag instead of the RawAuthorizationResult type required by IAuthorizationStrategy.

[fadidurah]

@copilot still getting compilation errors for OAuth2Strategy and AuthorizationRequest declarations in TestAndroidAuthorizationStrategy. Seems there is some expected type arguements

[Copilot]

@copilot still getting compilation errors for OAuth2Strategy and AuthorizationRequest declarations in TestAndroidAuthorizationStrategy. Seems there is some expected type arguements

Fixed in 50c4672. OAuth2Strategy and AuthorizationRequest are generic Java classes — using them as raw types in Kotlin produces "expected type arguments" errors. Replaced with star projections: OAuth2Strategy<*, *, *, *, *, *, *, *, *, *, *, *, *> (13 type params) and AuthorizationRequest<*> (1 type param) in both the supertype declaration and the requestAuthorization override.