From 9498f9fc1cf5e0e6f9eb01e7730041f83e52ccfa Mon Sep 17 00:00:00 2001
From: Dome Pongmongkol <rapong@microsoft.com>
Date: Wed, 29 Apr 2026 15:46:12 -0700
Subject: [PATCH 1/7] handle app_link Intent Redirection

---
 .../providers/BrokerInstallLinkValidator.kt   | 164 +++++++++
 .../providers/RawAuthorizationResult.java     |   7 +
 .../BrokerInstallLinkValidatorTest.kt         | 311 ++++++++++++++++++
 .../common/java/providers/Constants.java      |   5 +
 .../providers/RawAuthorizationResultTest.java |  51 +++
 5 files changed, 538 insertions(+)
 create mode 100644 common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
 create mode 100644 common4j/src/test/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidatorTest.kt

diff --git a/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt b/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
new file mode 100644
index 0000000000..382496a1bf
--- /dev/null
+++ b/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
@@ -0,0 +1,164 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.java.providers
+
+import java.io.UnsupportedEncodingException
+import java.net.URI
+import java.net.URISyntaxException
+import java.net.URLDecoder
+
+/**
+ * Strict allowlist validator for the `app_link` query-parameter value carried on
+ * a broker-installation redirect URI (`msauth://...?app_link=<url>`).
+ *
+ * The classifier in [RawAuthorizationResult.fromRedirectUri] uses this to decide
+ * whether to return [RawAuthorizationResult.ResultCode.BROKER_INSTALLATION_TRIGGERED]
+ * (which downstream Android sinks turn into `startActivity(ACTION_VIEW, app_link)`).
+ *
+ * The Microsoft identity service (eSTS) only ever emits one of three concrete
+ * `app_link` values today:
+ *  1. `https://play.google.com/store/apps/details?id=com.azure.authenticator`
+ *  2. `https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal`
+ *  3. `https://go.microsoft.com/fwlink/?linkid=2134649` (China Company Portal)
+ * Each may carry an optional `referrer` parameter set by the server.
+ */
+object BrokerInstallLinkValidator {
+
+    private const val SCHEME_HTTPS = "https"
+    private const val HOST_PLAY = "play.google.com"
+    private const val HOST_FWLINK = "go.microsoft.com"
+    private const val PATH_PLAY = "/store/apps/details"
+    private const val PATH_FWLINK = "/fwlink"
+    private const val PATH_FWLINK_TRAILING = "/fwlink/"
+
+    private const val PARAM_ID = "id"
+    private const val PARAM_LINKID = "linkid"
+    private const val PARAM_REFERRER = "referrer"
+
+    private val ALLOWED_PACKAGE_IDS = setOf(
+        "com.azure.authenticator",
+        "com.microsoft.windowsintune.companyportal"
+    )
+
+    private val ALLOWED_FWLINK_IDS = setOf("2134649")
+
+    /**
+     * @return `true` iff [url] decodes to one of the allowlisted broker-install
+     * destinations defined above; `false` for any other input (including null,
+     * blank, malformed, or attacker-controlled values).
+     */
+    @JvmStatic
+    fun isSafeBrokerInstallLink(url: String?): Boolean {
+        if (url.isNullOrBlank()) return false
+
+        val uri: URI = try {
+            URI(url)
+        } catch (e: URISyntaxException) {
+            return false
+        }
+
+        // Scheme must be exactly https (case-insensitive).
+        if (!SCHEME_HTTPS.equals(uri.scheme, ignoreCase = true)) return false
+
+        // Reject embedded credentials, fragments, and non-default ports.
+        if (uri.rawUserInfo != null) return false
+        if (uri.rawFragment != null) return false
+        if (uri.port != -1) return false
+
+        val host = uri.host?.lowercase() ?: return false
+        val path = uri.rawPath ?: return false
+        val params = parseQuery(uri.rawQuery) ?: return false
+
+        return when (host) {
+            HOST_PLAY -> isValidPlayLink(path, params)
+            HOST_FWLINK -> isValidFwlink(path, params)
+            else -> false
+        }
+    }
+
+    private fun isValidPlayLink(path: String, params: Map<String, String>): Boolean {
+        if (path != PATH_PLAY) return false
+        val id = params[PARAM_ID] ?: return false
+        if (id !in ALLOWED_PACKAGE_IDS) return false
+        return hasOnlyAllowedExtras(params, PARAM_ID)
+    }
+
+    private fun isValidFwlink(path: String, params: Map<String, String>): Boolean {
+        if (path != PATH_FWLINK && path != PATH_FWLINK_TRAILING) return false
+        val linkId = params[PARAM_LINKID] ?: return false
+        if (linkId !in ALLOWED_FWLINK_IDS) return false
+        return hasOnlyAllowedExtras(params, PARAM_LINKID)
+    }
+
+    private fun hasOnlyAllowedExtras(params: Map<String, String>, requiredKey: String): Boolean {
+        for (key in params.keys) {
+            if (key == requiredKey) continue
+            if (key == PARAM_REFERRER) continue
+            return false
+        }
+        return true
+    }
+
+    /**
+     * Parse a URI query string into a key/value map.
+     *
+     * Returns `null` if any key appears more than once — this defends against
+     * parameter-smuggling attacks such as `?id=safe&id=evil` where a permissive
+     * parser might pick the wrong value.
+     */
+    private fun parseQuery(rawQuery: String?): Map<String, String>? {
+        if (rawQuery.isNullOrEmpty()) return emptyMap()
+        val out = LinkedHashMap<String, String>()
+        for (pair in rawQuery.split('&')) {
+            if (pair.isEmpty()) return null
+            val eq = pair.indexOf('=')
+            val rawKey: String
+            val rawValue: String
+            if (eq < 0) {
+                rawKey = pair
+                rawValue = ""
+            } else {
+                rawKey = pair.substring(0, eq)
+                rawValue = pair.substring(eq + 1)
+            }
+            if (rawKey.isEmpty()) return null
+            val key = try {
+                URLDecoder.decode(rawKey, "UTF-8")
+            } catch (e: UnsupportedEncodingException) {
+                return null
+            } catch (e: IllegalArgumentException) {
+                return null
+            }
+            val value = try {
+                URLDecoder.decode(rawValue, "UTF-8")
+            } catch (e: UnsupportedEncodingException) {
+                return null
+            } catch (e: IllegalArgumentException) {
+                return null
+            }
+            if (out.containsKey(key)) return null
+            out[key] = value
+        }
+        return out
+    }
+}
diff --git a/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java b/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
index 47f30c6402..e184927845 100644
--- a/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
+++ b/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
@@ -225,6 +225,13 @@ private static ResultCode getResultCodeFromFinalRedirectUri(@NonNull final URI u
             // i.e. (Browser) msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?wpj=1&username=idlab1%40msidlab4.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator
             //      (WebView) msauth://wpj/?username=idlab1%40msidlab4.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator%26referrer%3dcom.msft.identity.client.sample.local
             if (parameters.containsKey(APP_LINK_KEY)) {
+                // Only the eSTS-emitted Play Store and China fwlink targets
+                // are accepted; anything else is treated as a malformed redirect.
+                final String appLink = parameters.get(APP_LINK_KEY);
+                if (!BrokerInstallLinkValidator.isSafeBrokerInstallLink(appLink)) {
+                    Logger.warn(methodTag, "Rejected app_link that is not on the broker-install allowlist; treating redirect as malformed.");
+                    throw new URISyntaxException(uri.toString(), "app_link rejected by allowlist");
+                }
                 Logger.info(methodTag, "Return to caller with BROWSER_CODE_WAIT_FOR_BROKER_INSTALL, and waiting for result.");
                 return ResultCode.BROKER_INSTALLATION_TRIGGERED;
             }
diff --git a/common4j/src/test/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidatorTest.kt b/common4j/src/test/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidatorTest.kt
new file mode 100644
index 0000000000..ecc58b47a7
--- /dev/null
+++ b/common4j/src/test/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidatorTest.kt
@@ -0,0 +1,311 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.java.providers
+
+import org.junit.Assert.assertFalse
+import org.junit.Assert.assertTrue
+import org.junit.Test
+
+class BrokerInstallLinkValidatorTest {
+
+    // region Positive cases
+
+    @Test
+    fun acceptsAuthenticatorPlayLink() {
+        assertTrue(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/store/apps/details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    @Test
+    fun acceptsCompanyPortalPlayLink() {
+        assertTrue(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal"
+            )
+        )
+    }
+
+    @Test
+    fun acceptsPlayLinkWithReferrer() {
+        assertTrue(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/store/apps/details?id=com.azure.authenticator&referrer=com.contoso.app"
+            )
+        )
+    }
+
+    @Test
+    fun acceptsChinaFwlinkWithTrailingSlash() {
+        assertTrue(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://go.microsoft.com/fwlink/?linkid=2134649"
+            )
+        )
+    }
+
+    @Test
+    fun acceptsChinaFwlinkWithoutTrailingSlash() {
+        assertTrue(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://go.microsoft.com/fwlink?linkid=2134649"
+            )
+        )
+    }
+
+    @Test
+    fun acceptsHttpsCaseInsensitiveScheme() {
+        assertTrue(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "HTTPS://play.google.com/store/apps/details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    @Test
+    fun acceptsMixedCaseHost() {
+        assertTrue(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://Play.Google.Com/store/apps/details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    // endregion
+
+    // region Negative cases - input shape
+
+    @Test
+    fun rejectsNull() {
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink(null))
+    }
+
+    @Test
+    fun rejectsEmpty() {
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink(""))
+    }
+
+    @Test
+    fun rejectsWhitespace() {
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink("   "))
+    }
+
+    @Test
+    fun rejectsMalformedUri() {
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink(":/"))
+    }
+
+    // endregion
+
+    // region Negative cases - scheme
+
+    @Test
+    fun rejectsHttpScheme() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "http://play.google.com/store/apps/details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsJavascriptScheme() {
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink("javascript:alert(1)"))
+    }
+
+    @Test
+    fun rejectsIntentScheme() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "intent://x#Intent;scheme=https;end"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsFileScheme() {
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink("file:///etc/passwd"))
+    }
+
+    @Test
+    fun rejectsDataScheme() {
+        // data: with literal '<' is not even a valid URI; should be rejected without throwing.
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink("data:text/html,<script>"))
+    }
+
+    @Test
+    fun rejectsContentScheme() {
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink("content://x"))
+    }
+
+    @Test
+    fun rejectsAppScheme() {
+        assertFalse(BrokerInstallLinkValidator.isSafeBrokerInstallLink("app://x"))
+    }
+
+    @Test
+    fun rejectsMarketScheme() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "market://details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    // endregion
+
+    // region Negative cases - host
+
+    @Test
+    fun rejectsArbitraryHost() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://attacker.com/store/apps/details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsHostSuffixAttack() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com.attacker.tld/store/apps/details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsEmbeddedUserInfo() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://attacker.com@play.google.com/store/apps/details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsNonDefaultPort() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com:8443/store/apps/details?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    // endregion
+
+    // region Negative cases - path
+
+    @Test
+    fun rejectsWrongPathOnPlayHost() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/some/other/path?id=com.azure.authenticator"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsWrongPathOnFwlinkHost() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://go.microsoft.com/anything?linkid=2134649"
+            )
+        )
+    }
+
+    // endregion
+
+    // region Negative cases - query
+
+    @Test
+    fun rejectsNonAllowlistedPackage() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/store/apps/details?id=com.attacker.malware"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsMissingId() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/store/apps/details"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsDuplicateId() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/store/apps/details?id=com.azure.authenticator&id=com.attacker"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsUnknownExtraParameter() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/store/apps/details?id=com.azure.authenticator&unexpected=x"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsNonAllowlistedFwlinkId() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://go.microsoft.com/fwlink/?linkid=99999"
+            )
+        )
+    }
+
+    @Test
+    fun rejectsMissingLinkId() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://go.microsoft.com/fwlink/"
+            )
+        )
+    }
+
+    // endregion
+
+    // region Negative cases - fragment
+
+    @Test
+    fun rejectsFragment() {
+        assertFalse(
+            BrokerInstallLinkValidator.isSafeBrokerInstallLink(
+                "https://play.google.com/store/apps/details?id=com.azure.authenticator#fragment"
+            )
+        )
+    }
+
+    // endregion
+}
diff --git a/common4j/src/test/com/microsoft/identity/common/java/providers/Constants.java b/common4j/src/test/com/microsoft/identity/common/java/providers/Constants.java
index c5c713b4d3..993931d14a 100644
--- a/common4j/src/test/com/microsoft/identity/common/java/providers/Constants.java
+++ b/common4j/src/test/com/microsoft/identity/common/java/providers/Constants.java
@@ -65,6 +65,11 @@ public class Constants {
     public static final String MOCK_FRAGMENT_STRING = "#_=_";
     public static final String BROKER_INSTALLATION_REQUIRED_BROWSER_REDIRECT_URI = "msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?wpj=1&username=mock%40test.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator";
     public static final String BROKER_INSTALLATION_REQUIRED_WEBVIEW_REDIRECT_URI = "msauth://wpj/?username=mock%40test.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator%26referrer%3dcom.msft.identity.client.sample.local";
+    public static final String BROKER_INSTALL_REDIRECT_URI_COMPANY_PORTAL = "msauth://wpj/?username=mock%40test.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.microsoft.windowsintune.companyportal";
+    public static final String BROKER_INSTALL_REDIRECT_URI_CHINA_FWLINK = "msauth://wpj/?username=mock%40test.onmicrosoft.com&app_link=https%3a%2f%2fgo.microsoft.com%2ffwlink%2f%3flinkid%3d2134649";
+    public static final String BROKER_INSTALL_REDIRECT_URI_HOSTILE_HOST = "msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?wpj=1&username=mock%40test.onmicrosoft.com&app_link=https%3a%2f%2fattacker.example%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator";
+    public static final String BROKER_INSTALL_REDIRECT_URI_JS_SCHEME = "msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?wpj=1&username=mock%40test.onmicrosoft.com&app_link=javascript%3aalert(1)";
+    public static final String BROKER_INSTALL_REDIRECT_URI_FAKE_PACKAGE = "msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?wpj=1&username=mock%40test.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.attacker.malware";
     public static final String WPJ_REQUIRED_REDIRECT_URI = "msauth://wpj/?username=mock%40test.onmicrosoft.com&client_info=SOME_GUID";
     public static final String SUCCEED_REDIRECT_URI = "msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?code=[SOME_CODE]&state=1254%3af57ca8fb-94f5-4ddc-8e84-4fa0ec9d6320-643fd790-537f-423d-b943-9024c6e249ac&session_state=a7c008dc-3820-493a-82e8-680a45a53ebc";
     public static final String ERROR_RESPONSE_REDIRECT_URI = "msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?error=invalid_request&error_description=AADSTS900144%3a+The+request+body+must+contain+the+following+parameter%3a+%27response_type%27.%0d%0aTrace+ID%3a+9bee0922-7158-44b3-8b22-4addd9225901%0d%0aCorrelation+ID%3a+6abae31d-3a08-4b95-8299-7d7ace789a59%0d%0aTimestamp%3a+2021-07-19+23%3a21%3a09Z&error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d900144&state=1254%3a0ea28b21-8a94-4e5d-a0ff-3a5d3cc07720-9536ce32-aabc-4b0e-98f8-e55cf00e7cfe";
diff --git a/common4j/src/test/com/microsoft/identity/common/java/providers/RawAuthorizationResultTest.java b/common4j/src/test/com/microsoft/identity/common/java/providers/RawAuthorizationResultTest.java
index aa57fd49c4..0530c0abfa 100644
--- a/common4j/src/test/com/microsoft/identity/common/java/providers/RawAuthorizationResultTest.java
+++ b/common4j/src/test/com/microsoft/identity/common/java/providers/RawAuthorizationResultTest.java
@@ -29,6 +29,11 @@
 
 import static com.microsoft.identity.common.java.providers.Constants.BROKER_INSTALLATION_REQUIRED_BROWSER_REDIRECT_URI;
 import static com.microsoft.identity.common.java.providers.Constants.BROKER_INSTALLATION_REQUIRED_WEBVIEW_REDIRECT_URI;
+import static com.microsoft.identity.common.java.providers.Constants.BROKER_INSTALL_REDIRECT_URI_CHINA_FWLINK;
+import static com.microsoft.identity.common.java.providers.Constants.BROKER_INSTALL_REDIRECT_URI_COMPANY_PORTAL;
+import static com.microsoft.identity.common.java.providers.Constants.BROKER_INSTALL_REDIRECT_URI_FAKE_PACKAGE;
+import static com.microsoft.identity.common.java.providers.Constants.BROKER_INSTALL_REDIRECT_URI_HOSTILE_HOST;
+import static com.microsoft.identity.common.java.providers.Constants.BROKER_INSTALL_REDIRECT_URI_JS_SCHEME;
 import static com.microsoft.identity.common.java.providers.Constants.CANCEL_RESPONSE_REDIRECT_URI;
 import static com.microsoft.identity.common.java.providers.Constants.ERROR_RESPONSE_REDIRECT_URI;
 import static com.microsoft.identity.common.java.providers.Constants.MALFORMED_REDIRECT_URI;
@@ -170,4 +175,50 @@ public void testFromWebViewBrokerInstallationRedirectUri() {
         Assert.assertEquals(BROKER_INSTALLATION_TRIGGERED, result.getResultCode());
         Assert.assertEquals(BROKER_INSTALLATION_REQUIRED_WEBVIEW_REDIRECT_URI, result.getAuthorizationFinalUri().toString());
     }
+
+    @Test
+    public void testFromCompanyPortalBrokerInstallationRedirectUri() {
+        final RawAuthorizationResult result = RawAuthorizationResult.fromRedirectUri(BROKER_INSTALL_REDIRECT_URI_COMPANY_PORTAL);
+
+        Assert.assertEquals(BROKER_INSTALLATION_TRIGGERED, result.getResultCode());
+        Assert.assertEquals(BROKER_INSTALL_REDIRECT_URI_COMPANY_PORTAL, result.getAuthorizationFinalUri().toString());
+    }
+
+    @Test
+    public void testFromChinaFwlinkBrokerInstallationRedirectUri() {
+        final RawAuthorizationResult result = RawAuthorizationResult.fromRedirectUri(BROKER_INSTALL_REDIRECT_URI_CHINA_FWLINK);
+
+        Assert.assertEquals(BROKER_INSTALLATION_TRIGGERED, result.getResultCode());
+        Assert.assertEquals(BROKER_INSTALL_REDIRECT_URI_CHINA_FWLINK, result.getAuthorizationFinalUri().toString());
+    }
+
+    @Test
+    public void testFromHostileAppLink_HostileHost() {
+        final RawAuthorizationResult result = RawAuthorizationResult.fromRedirectUri(BROKER_INSTALL_REDIRECT_URI_HOSTILE_HOST);
+
+        Assert.assertEquals(NON_OAUTH_ERROR, result.getResultCode());
+        Assert.assertNull(result.getAuthorizationFinalUri());
+        Assert.assertNotNull(result.getException());
+        Assert.assertEquals(ClientException.MALFORMED_URL, result.getException().getErrorCode());
+    }
+
+    @Test
+    public void testFromHostileAppLink_JsScheme() {
+        final RawAuthorizationResult result = RawAuthorizationResult.fromRedirectUri(BROKER_INSTALL_REDIRECT_URI_JS_SCHEME);
+
+        Assert.assertEquals(NON_OAUTH_ERROR, result.getResultCode());
+        Assert.assertNull(result.getAuthorizationFinalUri());
+        Assert.assertNotNull(result.getException());
+        Assert.assertEquals(ClientException.MALFORMED_URL, result.getException().getErrorCode());
+    }
+
+    @Test
+    public void testFromHostileAppLink_FakePackage() {
+        final RawAuthorizationResult result = RawAuthorizationResult.fromRedirectUri(BROKER_INSTALL_REDIRECT_URI_FAKE_PACKAGE);
+
+        Assert.assertEquals(NON_OAUTH_ERROR, result.getResultCode());
+        Assert.assertNull(result.getAuthorizationFinalUri());
+        Assert.assertNotNull(result.getException());
+        Assert.assertEquals(ClientException.MALFORMED_URL, result.getException().getErrorCode());
+    }
 }

From b7f6052307beb88055742b7d32310368645372c4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 29 Apr 2026 22:57:49 +0000
Subject: [PATCH 2/7] Update changelog with PR #3102

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-common-for-android/sessions/6ce19e27-5d80-4cc3-a775-6b67b229bdc6

Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
---
 changelog.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/changelog.txt b/changelog.txt
index 49ec66f8a7..1cddfa39b2 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,5 +1,6 @@
 vNext
 ----------
+- [PATCH] Handle app_link Intent redirection by validating broker install links and rejecting unsupported redirect URIs with appropriate error responses (#3102)
 - [PATCH] Move Multiple Listening apps check to the authorization layer (#3070)
 - [PATCH] Add support for Authenticator app activation links in WebView, enabling account pairing/MFA flows to launch Microsoft Authenticator directly instead of redirecting to the Play Store (#3090)
 - [PATCH] Fix: WPJ's BrokerDiscovery cache crash due to shared predefined encryption key with MSAL (#3081)

From bc1a86ef0d99cd7fecbc76a440900f41b64a8941 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 29 Apr 2026 23:12:30 +0000
Subject: [PATCH 3/7] Fix app_link rejection: use UNSUPPORTED_URL, avoid URI
 leak in exception

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-common-for-android/sessions/661d7c1b-a1b8-4568-b694-4d3117aee265

Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
---
 .../providers/RawAuthorizationResult.java     | 23 +++++++++++++------
 .../providers/RawAuthorizationResultTest.java |  6 ++---
 2 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java b/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
index e184927845..3a502565cb 100644
--- a/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
+++ b/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
@@ -187,8 +187,24 @@ public static RawAuthorizationResult fromException(@NonNull final BaseException
 
     @NonNull
     public static RawAuthorizationResult fromRedirectUri(@NonNull final String redirectUri) {
+        final String methodTag = TAG + "fromRedirectUri";
         try {
             final URI uri = new URI(redirectUri);
+            // Validate the app_link allowlist before classifying the redirect.
+            // This is handled here (rather than inside getResultCodeFromFinalRedirectUri)
+            // so that a policy rejection is returned as UNSUPPORTED_URL and is
+            // distinguishable from a genuine URI parse error (MALFORMED_URL).
+            if (REDIRECT_PREFIX.equalsIgnoreCase(uri.getScheme())) {
+                final Map<String, String> parameters = UrlUtil.getParameters(uri);
+                if (parameters.containsKey(APP_LINK_KEY)) {
+                    final String appLink = parameters.get(APP_LINK_KEY);
+                    if (!BrokerInstallLinkValidator.isSafeBrokerInstallLink(appLink)) {
+                        Logger.warn(methodTag, "Rejected app_link that is not on the broker-install allowlist.");
+                        return fromException(new ClientException(ClientException.UNSUPPORTED_URL,
+                                "app_link rejected by allowlist"));
+                    }
+                }
+            }
             return RawAuthorizationResult.builder()
                     .resultCode(getResultCodeFromFinalRedirectUri(uri))
                     .authorizationFinalUri(uri)
@@ -225,13 +241,6 @@ private static ResultCode getResultCodeFromFinalRedirectUri(@NonNull final URI u
             // i.e. (Browser) msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?wpj=1&username=idlab1%40msidlab4.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator
             //      (WebView) msauth://wpj/?username=idlab1%40msidlab4.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator%26referrer%3dcom.msft.identity.client.sample.local
             if (parameters.containsKey(APP_LINK_KEY)) {
-                // Only the eSTS-emitted Play Store and China fwlink targets
-                // are accepted; anything else is treated as a malformed redirect.
-                final String appLink = parameters.get(APP_LINK_KEY);
-                if (!BrokerInstallLinkValidator.isSafeBrokerInstallLink(appLink)) {
-                    Logger.warn(methodTag, "Rejected app_link that is not on the broker-install allowlist; treating redirect as malformed.");
-                    throw new URISyntaxException(uri.toString(), "app_link rejected by allowlist");
-                }
                 Logger.info(methodTag, "Return to caller with BROWSER_CODE_WAIT_FOR_BROKER_INSTALL, and waiting for result.");
                 return ResultCode.BROKER_INSTALLATION_TRIGGERED;
             }
diff --git a/common4j/src/test/com/microsoft/identity/common/java/providers/RawAuthorizationResultTest.java b/common4j/src/test/com/microsoft/identity/common/java/providers/RawAuthorizationResultTest.java
index 0530c0abfa..f5adbfbdc2 100644
--- a/common4j/src/test/com/microsoft/identity/common/java/providers/RawAuthorizationResultTest.java
+++ b/common4j/src/test/com/microsoft/identity/common/java/providers/RawAuthorizationResultTest.java
@@ -199,7 +199,7 @@ public void testFromHostileAppLink_HostileHost() {
         Assert.assertEquals(NON_OAUTH_ERROR, result.getResultCode());
         Assert.assertNull(result.getAuthorizationFinalUri());
         Assert.assertNotNull(result.getException());
-        Assert.assertEquals(ClientException.MALFORMED_URL, result.getException().getErrorCode());
+        Assert.assertEquals(ClientException.UNSUPPORTED_URL, result.getException().getErrorCode());
     }
 
     @Test
@@ -209,7 +209,7 @@ public void testFromHostileAppLink_JsScheme() {
         Assert.assertEquals(NON_OAUTH_ERROR, result.getResultCode());
         Assert.assertNull(result.getAuthorizationFinalUri());
         Assert.assertNotNull(result.getException());
-        Assert.assertEquals(ClientException.MALFORMED_URL, result.getException().getErrorCode());
+        Assert.assertEquals(ClientException.UNSUPPORTED_URL, result.getException().getErrorCode());
     }
 
     @Test
@@ -219,6 +219,6 @@ public void testFromHostileAppLink_FakePackage() {
         Assert.assertEquals(NON_OAUTH_ERROR, result.getResultCode());
         Assert.assertNull(result.getAuthorizationFinalUri());
         Assert.assertNotNull(result.getException());
-        Assert.assertEquals(ClientException.MALFORMED_URL, result.getException().getErrorCode());
+        Assert.assertEquals(ClientException.UNSUPPORTED_URL, result.getException().getErrorCode());
     }
 }

From 31321d1c249ae63c1788d796b5e21448371bff20 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 30 Apr 2026 20:37:25 +0000
Subject: [PATCH 4/7] Move app_link allowlist check into
 getResultCodeFromFinalRedirectUri

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-common-for-android/sessions/49c8165b-3274-40c7-8f95-d6443af2d739

Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
---
 .../providers/RawAuthorizationResult.java     | 28 ++++++++-----------
 1 file changed, 11 insertions(+), 17 deletions(-)

diff --git a/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java b/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
index 3a502565cb..f117bfefd8 100644
--- a/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
+++ b/common4j/src/main/com/microsoft/identity/common/java/providers/RawAuthorizationResult.java
@@ -187,28 +187,14 @@ public static RawAuthorizationResult fromException(@NonNull final BaseException
 
     @NonNull
     public static RawAuthorizationResult fromRedirectUri(@NonNull final String redirectUri) {
-        final String methodTag = TAG + "fromRedirectUri";
         try {
             final URI uri = new URI(redirectUri);
-            // Validate the app_link allowlist before classifying the redirect.
-            // This is handled here (rather than inside getResultCodeFromFinalRedirectUri)
-            // so that a policy rejection is returned as UNSUPPORTED_URL and is
-            // distinguishable from a genuine URI parse error (MALFORMED_URL).
-            if (REDIRECT_PREFIX.equalsIgnoreCase(uri.getScheme())) {
-                final Map<String, String> parameters = UrlUtil.getParameters(uri);
-                if (parameters.containsKey(APP_LINK_KEY)) {
-                    final String appLink = parameters.get(APP_LINK_KEY);
-                    if (!BrokerInstallLinkValidator.isSafeBrokerInstallLink(appLink)) {
-                        Logger.warn(methodTag, "Rejected app_link that is not on the broker-install allowlist.");
-                        return fromException(new ClientException(ClientException.UNSUPPORTED_URL,
-                                "app_link rejected by allowlist"));
-                    }
-                }
-            }
             return RawAuthorizationResult.builder()
                     .resultCode(getResultCodeFromFinalRedirectUri(uri))
                     .authorizationFinalUri(uri)
                     .build();
+        } catch (final ClientException e) {
+            return fromException(e);
         } catch (final URISyntaxException e) {
             return fromException(new ClientException(ClientException.MALFORMED_URL,
                     "Failed to parse redirect URL", e));
@@ -233,7 +219,7 @@ public static RawAuthorizationResult fromPropertyBag(@NonNull final PropertyBag
                 .build();
     }
 
-    private static ResultCode getResultCodeFromFinalRedirectUri(@NonNull final URI uri) throws URISyntaxException {
+    private static ResultCode getResultCodeFromFinalRedirectUri(@NonNull final URI uri) throws URISyntaxException, ClientException {
         final String methodTag = TAG + "getResultCodeFromFinalRedirectUri";
         final Map<String, String> parameters = UrlUtil.getParameters(uri);
 
@@ -241,6 +227,14 @@ private static ResultCode getResultCodeFromFinalRedirectUri(@NonNull final URI u
             // i.e. (Browser) msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D?wpj=1&username=idlab1%40msidlab4.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator
             //      (WebView) msauth://wpj/?username=idlab1%40msidlab4.onmicrosoft.com&app_link=https%3a%2f%2fplay.google.com%2fstore%2fapps%2fdetails%3fid%3dcom.azure.authenticator%26referrer%3dcom.msft.identity.client.sample.local
             if (parameters.containsKey(APP_LINK_KEY)) {
+                // Only the eSTS-emitted Play Store and China fwlink targets are accepted;
+                // anything else is rejected as an unsupported redirect (UNSUPPORTED_URL).
+                final String appLink = parameters.get(APP_LINK_KEY);
+                if (!BrokerInstallLinkValidator.isSafeBrokerInstallLink(appLink)) {
+                    Logger.warn(methodTag, "Rejected app_link that is not on the broker-install allowlist.");
+                    throw new ClientException(ClientException.UNSUPPORTED_URL,
+                            "app_link rejected by allowlist");
+                }
                 Logger.info(methodTag, "Return to caller with BROWSER_CODE_WAIT_FOR_BROKER_INSTALL, and waiting for result.");
                 return ResultCode.BROKER_INSTALLATION_TRIGGERED;
             }

From 1d17878f6083022fc829fef346a1308a84e7f617 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 1 May 2026 03:53:10 +0000
Subject: [PATCH 5/7] Replace custom URL parser in BrokerInstallLinkValidator
 with CommonURIBuilder

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-common-for-android/sessions/13a906dc-73b5-4f22-bcfa-0f4590d7b9b3

Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
---
 .../providers/BrokerInstallLinkValidator.kt   | 68 ++++++-------------
 1 file changed, 22 insertions(+), 46 deletions(-)

diff --git a/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt b/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
index 382496a1bf..e64d0044cb 100644
--- a/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
+++ b/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
@@ -22,17 +22,16 @@
 // THE SOFTWARE.
 package com.microsoft.identity.common.java.providers
 
-import java.io.UnsupportedEncodingException
-import java.net.URI
+import com.microsoft.identity.common.java.util.CommonURIBuilder
+import org.apache.hc.core5.http.NameValuePair
 import java.net.URISyntaxException
-import java.net.URLDecoder
 
 /**
  * Strict allowlist validator for the `app_link` query-parameter value carried on
  * a broker-installation redirect URI (`msauth://...?app_link=<url>`).
  *
- * The classifier in [RawAuthorizationResult.fromRedirectUri] uses this to decide
- * whether to return [RawAuthorizationResult.ResultCode.BROKER_INSTALLATION_TRIGGERED]
+ * The classifier in [RawAuthorizationResult.getResultCodeFromFinalRedirectUri] uses this to
+ * decide whether to return [RawAuthorizationResult.ResultCode.BROKER_INSTALLATION_TRIGGERED]
  * (which downstream Android sinks turn into `startActivity(ACTION_VIEW, app_link)`).
  *
  * The Microsoft identity service (eSTS) only ever emits one of three concrete
@@ -71,23 +70,27 @@ object BrokerInstallLinkValidator {
     fun isSafeBrokerInstallLink(url: String?): Boolean {
         if (url.isNullOrBlank()) return false
 
-        val uri: URI = try {
-            URI(url)
+        val builder: CommonURIBuilder = try {
+            CommonURIBuilder(url)
         } catch (e: URISyntaxException) {
             return false
         }
 
         // Scheme must be exactly https (case-insensitive).
-        if (!SCHEME_HTTPS.equals(uri.scheme, ignoreCase = true)) return false
+        if (!SCHEME_HTTPS.equals(builder.scheme, ignoreCase = true)) return false
 
         // Reject embedded credentials, fragments, and non-default ports.
-        if (uri.rawUserInfo != null) return false
-        if (uri.rawFragment != null) return false
-        if (uri.port != -1) return false
+        if (builder.userInfo != null) return false
+        if (builder.fragment != null) return false
+        if (builder.port != -1) return false
 
-        val host = uri.host?.lowercase() ?: return false
-        val path = uri.rawPath ?: return false
-        val params = parseQuery(uri.rawQuery) ?: return false
+        val host = builder.host?.lowercase() ?: return false
+        val path = builder.path ?: return false
+
+        // Use getQueryParams() from CommonURIBuilder to parse query parameters.
+        // toUniqueParamMap returns null if any key appears more than once, defending
+        // against parameter-smuggling attacks such as ?id=safe&id=evil.
+        val params = toUniqueParamMap(builder.queryParams) ?: return false
 
         return when (host) {
             HOST_PLAY -> isValidPlayLink(path, params)
@@ -120,44 +123,17 @@ object BrokerInstallLinkValidator {
     }
 
     /**
-     * Parse a URI query string into a key/value map.
+     * Converts a [NameValuePair] list (from [CommonURIBuilder.getQueryParams]) into a map.
      *
      * Returns `null` if any key appears more than once — this defends against
      * parameter-smuggling attacks such as `?id=safe&id=evil` where a permissive
      * parser might pick the wrong value.
      */
-    private fun parseQuery(rawQuery: String?): Map<String, String>? {
-        if (rawQuery.isNullOrEmpty()) return emptyMap()
+    private fun toUniqueParamMap(pairs: List<NameValuePair>): Map<String, String>? {
         val out = LinkedHashMap<String, String>()
-        for (pair in rawQuery.split('&')) {
-            if (pair.isEmpty()) return null
-            val eq = pair.indexOf('=')
-            val rawKey: String
-            val rawValue: String
-            if (eq < 0) {
-                rawKey = pair
-                rawValue = ""
-            } else {
-                rawKey = pair.substring(0, eq)
-                rawValue = pair.substring(eq + 1)
-            }
-            if (rawKey.isEmpty()) return null
-            val key = try {
-                URLDecoder.decode(rawKey, "UTF-8")
-            } catch (e: UnsupportedEncodingException) {
-                return null
-            } catch (e: IllegalArgumentException) {
-                return null
-            }
-            val value = try {
-                URLDecoder.decode(rawValue, "UTF-8")
-            } catch (e: UnsupportedEncodingException) {
-                return null
-            } catch (e: IllegalArgumentException) {
-                return null
-            }
-            if (out.containsKey(key)) return null
-            out[key] = value
+        for (pair in pairs) {
+            if (out.containsKey(pair.name)) return null
+            out[pair.name] = pair.value ?: ""
         }
         return out
     }

From 60a9cc734956a644fcf7cc250a72ad5545f840f2 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 8 May 2026 21:51:58 +0000
Subject: [PATCH 6/7] Case-insensitive comparison for Play Store package ID in
 BrokerInstallLinkValidator

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-common-for-android/sessions/13ceb94d-f89c-41c5-bceb-26cefc278826

Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
---
 .../common/java/providers/BrokerInstallLinkValidator.kt         | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt b/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
index e64d0044cb..70bccfbda9 100644
--- a/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
+++ b/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
@@ -101,7 +101,7 @@ object BrokerInstallLinkValidator {
 
     private fun isValidPlayLink(path: String, params: Map<String, String>): Boolean {
         if (path != PATH_PLAY) return false
-        val id = params[PARAM_ID] ?: return false
+        val id = params[PARAM_ID]?.lowercase() ?: return false
         if (id !in ALLOWED_PACKAGE_IDS) return false
         return hasOnlyAllowedExtras(params, PARAM_ID)
     }

From 84b5ca69f3d9f8a771d26aef9039a38bf9e29b5f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 11 May 2026 20:04:29 +0000
Subject: [PATCH 7/7] Use equals(ignoreCase=true) consistently for all
 comparisons in BrokerInstallLinkValidator

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-common-for-android/sessions/06a6deb1-8715-4eca-b8ce-37327d9c84dc

Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
---
 .../java/providers/BrokerInstallLinkValidator.kt     | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt b/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
index 70bccfbda9..0589c6a945 100644
--- a/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
+++ b/common4j/src/main/com/microsoft/identity/common/java/providers/BrokerInstallLinkValidator.kt
@@ -84,7 +84,7 @@ object BrokerInstallLinkValidator {
         if (builder.fragment != null) return false
         if (builder.port != -1) return false
 
-        val host = builder.host?.lowercase() ?: return false
+        val host = builder.host ?: return false
         val path = builder.path ?: return false
 
         // Use getQueryParams() from CommonURIBuilder to parse query parameters.
@@ -92,17 +92,17 @@ object BrokerInstallLinkValidator {
         // against parameter-smuggling attacks such as ?id=safe&id=evil.
         val params = toUniqueParamMap(builder.queryParams) ?: return false
 
-        return when (host) {
-            HOST_PLAY -> isValidPlayLink(path, params)
-            HOST_FWLINK -> isValidFwlink(path, params)
+        return when {
+            HOST_PLAY.equals(host, ignoreCase = true) -> isValidPlayLink(path, params)
+            HOST_FWLINK.equals(host, ignoreCase = true) -> isValidFwlink(path, params)
             else -> false
         }
     }
 
     private fun isValidPlayLink(path: String, params: Map<String, String>): Boolean {
         if (path != PATH_PLAY) return false
-        val id = params[PARAM_ID]?.lowercase() ?: return false
-        if (id !in ALLOWED_PACKAGE_IDS) return false
+        val id = params[PARAM_ID] ?: return false
+        if (!ALLOWED_PACKAGE_IDS.any { it.equals(id, ignoreCase = true) }) return false
         return hasOnlyAllowedExtras(params, PARAM_ID)
     }