Showing webcp flow in webview , Fixes AB#3135912 #2673
❌ Work item link check failed. Description does not contain AB#{ID}.
Pull Request Overview
This PR enables showing the Company Portal (webCP) enrollment and authorization flows inside an in-app WebView rather than redirecting to the external browser.
- Added new OpenTelemetry span names and attributes for webCP flows.
- Introduced a flight flag to toggle webCP-in-webview behavior.
- Replaced the cross-cloud PRT header challenge handler with a generalized `ReAttachPrtHeaderHandler` and updated URL handling in the WebView client.
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| common4j/src/main/com/microsoft/identity/common/java/opentelemetry/SpanName.java | Added ProcessWebCpRedirects span name |
| common4j/src/main/com/microsoft/identity/common/java/opentelemetry/AttributeName.java | Added is_webcp_* attributes |
| common4j/src/main/com/microsoft/identity/common/java/flighting/CommonFlight.java | New flight ENABLE_WEB_CP_IN_WEBVIEW |
| common/src/main/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/ReAttachPrtHeaderHandler.kt | Renamed and generalized challenge handler |
| common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java | Handle webCP enrollment and authorize URLs in WebView |
| common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java | Defined WEBCP_ENROLLMENT_URL and WEBCP_AUTHORIZE_REDIRECT_URL |
| common/src/test/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/ReAttachPrtHeaderHandlerTest.kt | Updated tests for renamed handler |
| common/src/test/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClientTest.java | Updated imports, added enrollment test |
Comments suppressed due to low confidence (6)
common4j/src/main/com/microsoft/identity/common/java/opentelemetry/AttributeName.java:374
- The Javadoc for `is_webcp_enrollment_request` is incorrect (it duplicates the authorize description). Please update it to clearly describe the enrollment request.

```java
* Records if the request is a webcp authorize request.
```

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java:120
- [nitpick] This constant holds a number of seconds but is named `*_MS`. Consider renaming to `THREAD_SLEEP_FOR_INTENT_LAUNCH_SECONDS` for clarity.

```java
private static final int THREAD_SLEEP_FOR_INTENT_LAUNCH_MS = 3;
```

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java:90
- The code uses `new Handler()` in `processWebCpEnrollmentUrl` but `android.os.Handler` is not imported. Please add `import android.os.Handler;`.

```java
// imports include TimeUnit but no Handler
```

common/src/test/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClientTest.java:226
- [nitpick] The variable name `mockCrossCloudChallengeHandler` no longer matches its type `ReAttachPrtHeaderHandler`. Consider renaming the variable to `mockReAttachPrtHandler` for consistency.

```java
ReAttachPrtHeaderHandler mockCrossCloudChallengeHandler = Mockito.mock(ReAttachPrtHeaderHandler.class);
```

common/src/test/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClientTest.java:223
- You added an enrollment URL override test, but there's no corresponding test for the new WebCP authorize URL flow. Consider adding a `testUrlOverrideHandleWebCPAuthorizeUrl()` to cover that branch.

```java
@Test public void testUrlOverrideHandleWebCPEnrollmentUrl() {
```

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java:332
- After handling the WebCP enrollment URL, the method does not return immediately, which may cause unintended fall-through. Consider adding an explicit `return true;` (or appropriate return) here.

```java
processWebCpEnrollmentUrl(view, url);
```
✅ Work item link check complete. Description contains link AB#3135912 to an Azure Boards work item.
5765cdf to 8e4d488
f6604e1 to 542d334
| return false; | ||
| } | ||
|
|
||
| if (!path.contains("/authorize")) { |
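Review bot: `path.contains("/authorize")` on the last line is a substring match, so any path that merely contains that text is treated as an authorize URL. Because this check decides which redirects are handled inside the WebView, compare the exact path or the final path segment instead, and confirm that scheme and host are validated before this point; the lines shown here do not include such a check.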
mohitc1 left a comment
…etry/AttributeName.java Co-authored-by: Shahzaib <[email protected]>
88e7ca7 to 9d0cb68
| openLinkInBrowser(url); | ||
| returnResult(RawAuthorizationResult.ResultCode.CANCELLED); | ||
| // We need to return MDM_FLOW result code as the enrollment is done in browser. But this may sometimes take a few seconds to launch the intent. | ||
| // So we will wait for a few seconds before returning the result so that the current page in webview does not get closed immediately. |
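Review bot: The two comment lines at the end say the result must be MDM_FLOW, while the call directly above them is `returnResult(RawAuthorizationResult.ResultCode.CANCELLED);`. Please confirm that call is the line being replaced; if it stays, a result is returned before the wait the comment describes. The comment should also name the wait duration (or the constant that holds it) and state what happens when the intent takes longer than the wait to launch.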
What are we showing on screen while waiting? I hope a spinner is there
This wait is for not immediately killing the existing webview, which would have the previous URL loaded and just looks like it's buffering.
- When the Google enrollment page is immediately opened before 3 secs, this would not even be visible because it automatically opens up the enrollment intent.
- When it's slower than 3 secs, I don't think we can do much; we will have to kill the webview as we don't want the user to be waiting on the same old URL for a long time.
A similar wait time is present in existing code, if you want to get a reference, in method `processInstallRequest` of the same class.
Intune's support for web enrollment for Android is scheduled to GA in Q3 CY2025.
For the many customers who set up conditional access, users enter the web enrollment flow by being blocked from accessing a productivity app such as Teams or Outlook.
From that block page, they are pushed out of their productivity app and sent to the default browser app on their Android device where they see a Company Portal website (webCP) page, which guides them to Settings where they can enroll in Intune management.
Problems
The problems with showing webCP in the browser app are:
See snapshot below for current experience with WebCP flow enabled

Note, the highlighted green pages indicate the 3 times the user must authenticate during this flow.
The flow:
Fix

Showing webcp in webview when user clicks on continue button on CA block page.
So with the fix, the screen shown in red in step 2 in the snapshot below is removed.
Fixes AB#3135912
Related broker PR : https://github.com/AzureAD/ad-accounts-for-android/pull/3130