Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: rpdome

testapps/testapp/src/main/AndroidManifest.xml

@@ -38,6 +38,7 @@
     <uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
     <uses-permission android:name="android.permission.USE_CREDENTIALS" />
     <uses-permission android:name="android.permission.REORDER_TASKS" />
+    <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
 
 
     <application
@@ -96,6 +97,13 @@
                 <action android:name="com.microsoft.identity.client.testapp.SILENT_AUTH" />
             </intent-filter>
         </receiver>
+
+        <!-- Foreground Service for testing silent auth at PROCESS_STATE_FOREGROUND_SERVICE
+             priority (simulates FCM's FirebaseMessagingService). Compare results
+             against SilentAuthReceiver to test Doze dozable-allow propagation. -->
+        <service
+            android:name="com.microsoft.identity.client.testapp.SilentAuthService"
+            android:exported="true" />
     </application>
 
 </manifest>

testapps/testapp/src/main/java/com/microsoft/identity/client/testapp/SilentAuthReceiver.java

@@ -62,14 +62,21 @@ public class SilentAuthReceiver extends BroadcastReceiver {
 
     @Override
     public void onReceive(final Context context, final Intent intent) {
+        if (!ACTION_SILENT_AUTH.equals(intent.getAction())) {
+            Log.w(TAG, "Ignoring broadcast with unexpected action: " + intent.getAction());
+            return;
+        }
+
         Log.w(TAG, "=== SilentAuthReceiver triggered (PROCESS_STATE_RECEIVER) ===");
 
         final String scopes = intent.getStringExtra("scopes");
         final String scopeString = (scopes != null) ? scopes : "https://graph.microsoft.com/.default";
 
         Log.w(TAG, "Scopes: " + scopeString);
 
-        // Use goAsync() to extend the receiver's lifecycle beyond the 10s limit
+        // Use goAsync() so work can continue after onReceive() returns.
+        // The broadcast still has a finite system time budget, so
+        // PendingResult.finish() must be called promptly.
         final PendingResult pendingResult = goAsync();
 
         // Create PCA with default config (uses broker)
@@ -143,6 +150,10 @@ public void onError(MsalException exception) {
                     pendingResult.finish();
                 }
             });
+        } else {
+            Log.e(TAG, "Unexpected app type: " + app.getClass().getName()
+                    + " — neither single nor multiple account mode.");
+            pendingResult.finish();
         }
     }
 
@@ -158,7 +169,7 @@ private void doSilentAuth(
         final AcquireTokenSilentParameters parameters = new AcquireTokenSilentParameters.Builder()
                 .forAccount(account)
                 .fromAuthority(account.getAuthority())
-                .withScopes(Arrays.asList(scopeString.toLowerCase().split(" ")))
+                .withScopes(Arrays.asList(scopeString.trim().split("\\s+")))
                 .forceRefresh(true)  // Force network call to eSTS (no cache)
                 .withCallback(new AuthenticationCallback() {
                     @Override

testapps/testapp/src/main/java/com/microsoft/identity/client/testapp/SilentAuthService.java

@@ -0,0 +1,236 @@
+//  Copyright (c) Microsoft Corporation.
+//  All rights reserved.
+//
+//  This code is licensed under the MIT License.
+//
+//  Permission is hereby granted, free of charge, to any person obtaining a copy
+//  of this software and associated documentation files(the "Software"), to deal
+//  in the Software without restriction, including without limitation the rights
+//  to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+//  copies of the Software, and to permit persons to whom the Software is
+//  furnished to do so, subject to the following conditions :
+//
+//  The above copyright notice and this permission notice shall be included in
+//  all copies or substantial portions of the Software.
+//
+//  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+//  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+//  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+//  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+//  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+//  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+//  THE SOFTWARE.
+package com.microsoft.identity.client.testapp;
+
+import android.app.Notification;
+import android.app.NotificationChannel;
+import android.app.NotificationManager;
+import android.app.Service;
+import android.content.Intent;
+import android.os.Build;
+import android.os.IBinder;
+import android.util.Log;
+
+import androidx.annotation.Nullable;
+
+import com.microsoft.identity.client.AcquireTokenSilentParameters;
+import com.microsoft.identity.client.AuthenticationCallback;
+import com.microsoft.identity.client.IAccount;
+import com.microsoft.identity.client.IAuthenticationResult;
+import com.microsoft.identity.client.IMultipleAccountPublicClientApplication;
+import com.microsoft.identity.client.IPublicClientApplication;
+import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
+import com.microsoft.identity.client.PublicClientApplication;
+import com.microsoft.identity.client.exception.MsalException;
+
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * Foreground Service that triggers acquireTokenSilent from a background context.
+ *
+ * This runs at PROCESS_STATE_FOREGROUND_SERVICE priority, which is the same
+ * priority as FCM's FirebaseMessagingService. This lets us test whether a
+ * foreground Service caller propagates the dozable-allow firewall rule to the
+ * Broker process during Doze mode, matching real-world FCM notification flows.
+ *
+ * Compare results against {@link SilentAuthReceiver} (PROCESS_STATE_RECEIVER)
+ * to determine whether caller process importance affects Broker network access.
+ *
+ * Usage:
+ *   adb shell am start-foreground-service \
+ *     -n com.msft.identity.client.sample.local/com.microsoft.identity.client.testapp.SilentAuthService \
+ *     --es scopes "https://graph.microsoft.com/.default"
+ */
+public class SilentAuthService extends Service {
+
+    private static final String TAG = "SilentAuthService";
+    private static final String CHANNEL_ID = "silent_auth_channel";
+    private static final int NOTIFICATION_ID = 1001;
+
+    @Override
+    public void onCreate() {
+        super.onCreate();
+        createNotificationChannel();
+    }
+
+    @Override
+    public int onStartCommand(final Intent intent, int flags, int startId) {
+        Log.w(TAG, "=== SilentAuthService started (PROCESS_STATE_FOREGROUND_SERVICE) ===");
+
+        // Start as foreground immediately to avoid ANR and to elevate process state.
+        final Notification notification = new Notification.Builder(this, CHANNEL_ID)
+                .setContentTitle("Silent Auth Test")
+                .setContentText("Running silent token acquisition...")
+                .setSmallIcon(android.R.drawable.ic_dialog_info)
+                .build();
+        startForeground(NOTIFICATION_ID, notification);
+
+        final String scopes = (intent != null) ? intent.getStringExtra("scopes") : null;
+        final String scopeString = (scopes != null) ? scopes : "https://graph.microsoft.com/.default";
+
+        Log.w(TAG, "Scopes: " + scopeString);
+
+        final int configResourceId = Constants.getResourceIdFromConfigFile(Constants.ConfigFile.DEFAULT);
+
+        PublicClientApplication.create(getApplicationContext(),
+                configResourceId,
+                new PublicClientApplication.ApplicationCreatedListener() {
+                    @Override
+                    public void onCreated(IPublicClientApplication application) {
+                        application.getConfiguration().setPowerOptCheckEnabled(false);
+
+                        Log.w(TAG, "PCA created, mode: " +
+                                (application instanceof ISingleAccountPublicClientApplication
+                                        ? "SingleAccount" : "MultipleAccount"));
+                        Log.w(TAG, "powerOptCheckEnabled forced to: " +
+                                application.getConfiguration().isPowerOptCheckForEnabled());
+                        loadAccountsAndAcquire(application, scopeString);
+                    }
+
+                    @Override
+                    public void onError(MsalException exception) {
+                        Log.e(TAG, "Failed to create PCA: " + exception.getMessage(), exception);
+                        finish();
+                    }
+                });
+
+        return START_NOT_STICKY;
+    }
+
+    @Nullable
+    @Override
+    public IBinder onBind(Intent intent) {
+        return null;
+    }
+
+    private void loadAccountsAndAcquire(
+            final IPublicClientApplication app,
+            final String scopeString) {
+
+        if (app instanceof ISingleAccountPublicClientApplication) {
+            final ISingleAccountPublicClientApplication singleApp =
+                    (ISingleAccountPublicClientApplication) app;
+            try {
+                final IAccount account = singleApp.getCurrentAccount().getCurrentAccount();
+                if (account == null) {
+                    Log.e(TAG, "No signed-in account found in single-account mode.");
+                    finish();
+                    return;
+                }
+                doSilentAuth(app, account, scopeString);
+            } catch (Exception e) {
+                Log.e(TAG, "Error loading account: " + e.getMessage(), e);
+                finish();
+            }
+        } else if (app instanceof IMultipleAccountPublicClientApplication) {
+            final IMultipleAccountPublicClientApplication multiApp =
+                    (IMultipleAccountPublicClientApplication) app;
+            multiApp.getAccounts(new IPublicClientApplication.LoadAccountsCallback() {
+                @Override
+                public void onTaskCompleted(List<IAccount> result) {
+                    if (result == null || result.isEmpty()) {
+                        Log.e(TAG, "No accounts found in multiple-account mode.");
+                        finish();
+                        return;
+                    }
+                    Log.w(TAG, "Found " + result.size() + " account(s). Using first.");
+                    doSilentAuth(app, result.get(0), scopeString);
+                }
+
+                @Override
+                public void onError(MsalException exception) {
+                    Log.e(TAG, "Error loading accounts: " + exception.getMessage(), exception);
+                    finish();
+                }
+            });
+        } else {
+            Log.e(TAG, "Unexpected app type: " + app.getClass().getName()
+                    + " — neither single nor multiple account mode.");
+            finish();
+        }
+    }
+
+    private void doSilentAuth(
+            final IPublicClientApplication app,
+            final IAccount account,
+            final String scopeString) {
+
+        Log.w(TAG, "Calling acquireTokenSilent for account: " + account.getUsername());
+        Log.w(TAG, "Authority: " + account.getAuthority());
+
+        final AcquireTokenSilentParameters parameters = new AcquireTokenSilentParameters.Builder()
+                .forAccount(account)
+                .fromAuthority(account.getAuthority())
+                .withScopes(Arrays.asList(scopeString.trim().split("\\s+")))
+                .forceRefresh(true)  // Force network call to eSTS (no cache)
+                .withCallback(new AuthenticationCallback() {
+                    @Override
+                    public void onSuccess(IAuthenticationResult authenticationResult) {
+                        Log.w(TAG, "=== SUCCESS === Token acquired silently!");
+                        Log.w(TAG, "Silent token acquisition completed successfully.");
+                        finish();
+                    }
+
+                    @Override
+                    public void onError(MsalException exception) {
+                        Log.e(TAG, "=== FAILED === " + exception.getClass().getSimpleName());
+                        Log.e(TAG, "Error code: " + exception.getErrorCode());
+                        Log.e(TAG, "Message: " + exception.getMessage());
+                        if (exception.getCause() != null) {
+                            Log.e(TAG, "Cause: " + exception.getCause().getClass().getSimpleName()
+                                    + " - " + exception.getCause().getMessage());
+                        }
+                        finish();
+                    }
+
+                    @Override
+                    public void onCancel() {
+                        Log.w(TAG, "=== CANCELLED ===");
+                        finish();
+                    }
+                })
+                .build();
+
+        app.acquireTokenSilentAsync(parameters);
+    }
+
+    private void finish() {
+        stopForeground(true);
+        stopSelf();
+    }
+
+    private void createNotificationChannel() {
+        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+            final NotificationChannel channel = new NotificationChannel(
+                    CHANNEL_ID,
+                    "Silent Auth Test",
+                    NotificationManager.IMPORTANCE_LOW);
+            channel.setDescription("Notification channel for silent auth Doze test");
+            final NotificationManager manager = getSystemService(NotificationManager.class);
+            if (manager != null) {
+                manager.createNotificationChannel(channel);
+            }
+        }
+    }
+}