AzureAD · mohitc1 · Jun 25, 2025 · Jun 25, 2025 · Jun 26, 2025
@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Updating handling of ssl error received in Android WebView's onReceivedSslError callback
 
 Version 21.3.0
 ----------

@@ -2023,6 +2023,8 @@ public static final class AuthorizationIntentKey {
         public static final String WEB_VIEW_ZOOM_CONTROLS_ENABLED = "com.microsoft.identity.web.view.zoom.controls.enabled";
 
         public static final String WEB_VIEW_ZOOM_ENABLED = "com.microsoft.identity.web.view.zoom.enabled";
+
+        public static final String WEB_VIEW_NEW_SSL_ERROR_HANDLER_ENABLED = "com.microsoft.identity.web.view.new.ssl.error.handler.enabled";
     }
 
     public static final class AuthorizationIntentAction {

@@ -22,6 +22,17 @@
 // THE SOFTWARE.
 package com.microsoft.identity.common.internal.providers.oauth2;
 
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.AUTH_INTENT;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.POST_PAGE_LOADED_URL;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.REDIRECT_URI;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.REQUEST_HEADERS;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.REQUEST_URL;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.WEB_VIEW_NEW_SSL_ERROR_HANDLER_ENABLED;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.WEB_VIEW_ZOOM_CONTROLS_ENABLED;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.WEB_VIEW_ZOOM_ENABLED;
+import static com.microsoft.identity.common.java.AuthenticationConstants.SdkPlatformFields.PRODUCT;
+import static com.microsoft.identity.common.java.AuthenticationConstants.SdkPlatformFields.VERSION;
+
 import android.annotation.SuppressLint;
 import android.app.Activity;
 import android.content.Context;
@@ -36,7 +47,6 @@
 import android.webkit.PermissionRequest;
 import android.webkit.WebChromeClient;
 import android.webkit.WebSettings;
-import android.webkit.WebView;
 import android.widget.ProgressBar;
 
 import androidx.activity.result.ActivityResultLauncher;
@@ -46,40 +56,31 @@
 import androidx.fragment.app.FragmentActivity;
 
 import com.microsoft.identity.common.R;
-import com.microsoft.identity.common.internal.fido.LegacyFidoActivityResultContract;
-import com.microsoft.identity.common.internal.fido.LegacyFido2ApiObject;
-import com.microsoft.identity.common.internal.ui.webview.ISendResultCallback;
-import com.microsoft.identity.common.internal.ui.webview.ProcessUtil;
-import com.microsoft.identity.common.internal.ui.webview.switchbrowser.SwitchBrowserProtocolCoordinator;
-import com.microsoft.identity.common.java.WarningType;
 import com.microsoft.identity.common.adal.internal.AuthenticationConstants;
 import com.microsoft.identity.common.adal.internal.util.StringExtensions;
+import com.microsoft.identity.common.internal.fido.LegacyFido2ApiObject;
+import com.microsoft.identity.common.internal.fido.LegacyFidoActivityResultContract;
+import com.microsoft.identity.common.internal.ui.webview.AzureActiveDirectoryWebView;
 import com.microsoft.identity.common.internal.ui.webview.AzureActiveDirectoryWebViewClient;
+import com.microsoft.identity.common.internal.ui.webview.ISendResultCallback;
 import com.microsoft.identity.common.internal.ui.webview.OnPageLoadedCallback;
+import com.microsoft.identity.common.internal.ui.webview.ProcessUtil;
 import com.microsoft.identity.common.internal.ui.webview.WebViewUtil;
+import com.microsoft.identity.common.internal.ui.webview.switchbrowser.SwitchBrowserProtocolCoordinator;
+import com.microsoft.identity.common.java.WarningType;
 import com.microsoft.identity.common.java.constants.FidoConstants;
 import com.microsoft.identity.common.java.exception.ClientException;
 import com.microsoft.identity.common.java.flighting.CommonFlight;
 import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
-import com.microsoft.identity.common.java.ui.webview.authorization.IAuthorizationCompletionCallback;
 import com.microsoft.identity.common.java.providers.RawAuthorizationResult;
+import com.microsoft.identity.common.java.ui.webview.authorization.IAuthorizationCompletionCallback;
 import com.microsoft.identity.common.java.util.ClientExtraSku;
 import com.microsoft.identity.common.logging.Logger;
 
-import java.util.Arrays;
-import java.util.HashMap;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
-
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.AUTH_INTENT;
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.POST_PAGE_LOADED_URL;
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.REDIRECT_URI;
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.REQUEST_HEADERS;
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.REQUEST_URL;
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.WEB_VIEW_ZOOM_CONTROLS_ENABLED;
-import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.WEB_VIEW_ZOOM_ENABLED;
-import static com.microsoft.identity.common.java.AuthenticationConstants.SdkPlatformFields.PRODUCT;
-import static com.microsoft.identity.common.java.AuthenticationConstants.SdkPlatformFields.VERSION;
+import java.util.Arrays;
+import java.util.HashMap;
 
 import io.opentelemetry.api.trace.SpanContext;
 
@@ -93,7 +94,7 @@ public class WebViewAuthorizationFragment extends AuthorizationFragment {
     @VisibleForTesting
     private static final String PKEYAUTH_STATUS = "pkeyAuthStatus";
 
-    private WebView mWebView;
+    private AzureActiveDirectoryWebView mWebView;
 
     private AzureActiveDirectoryWebViewClient mAADWebViewClient;
 
@@ -116,6 +117,14 @@ public class WebViewAuthorizationFragment extends AuthorizationFragment {
 
     private boolean webViewZoomEnabled;
 
+    /**
+     * This is used to determine whether the new SSL error handler should be used.
+     * If null, means that the value has not provide. Use default logic.
+     * If true, the new SSL error handler will be used.
+     * If false, the old SSL error handler will be used.
+     */
+    private Boolean webViewNewSslErrorHandlerEnabled;
+
     private final CameraPermissionRequestHandler mCameraPermissionRequestHandler = new CameraPermissionRequestHandler(this);
 
     // This is used by LegacyFido2ApiManager to launch a PendingIntent received by the legacy API.
@@ -206,6 +215,10 @@ public void onSaveInstanceState(@NonNull Bundle outState) {
         outState.putSerializable(POST_PAGE_LOADED_URL, mPostPageLoadedJavascript);
         outState.putBoolean(WEB_VIEW_ZOOM_CONTROLS_ENABLED, webViewZoomControlsEnabled);
         outState.putBoolean(WEB_VIEW_ZOOM_ENABLED, webViewZoomEnabled);
+        if (webViewNewSslErrorHandlerEnabled != null) {
+            // save only if not null, otherwise it will be false by default
+            outState.putBoolean(WEB_VIEW_NEW_SSL_ERROR_HANDLER_ENABLED, webViewNewSslErrorHandlerEnabled);
+        }
     }
 
     @Override
@@ -223,6 +236,10 @@ void extractState(@NonNull final Bundle state) {
         mPostPageLoadedJavascript = state.getString(POST_PAGE_LOADED_URL);
         webViewZoomEnabled = state.getBoolean(WEB_VIEW_ZOOM_ENABLED, true);
         webViewZoomControlsEnabled = state.getBoolean(WEB_VIEW_ZOOM_CONTROLS_ENABLED, true);
+        if (state.containsKey(WEB_VIEW_NEW_SSL_ERROR_HANDLER_ENABLED)) {
+            // If the key exists, we retrieve the value.
+            webViewNewSslErrorHandlerEnabled = state.getBoolean(WEB_VIEW_NEW_SSL_ERROR_HANDLER_ENABLED, false);
+        }
     }
 
     @Nullable
@@ -260,14 +277,29 @@ public void onPageLoaded(final String url) {
                     }
                 },
                 mRedirectUri,
-                getSwitchBrowserCoordinator().getSwitchBrowserRequestHandler()
+                getSwitchBrowserCoordinator().getSwitchBrowserRequestHandler(),
+                shouldUseWebViewNewSslErrorHandler()
         );
         setUpWebView(view, mAADWebViewClient);
         mAADWebViewClient.initializeAuthUxJavaScriptApi(mWebView, mAuthorizationRequestUrl);
         launchWebView(mAuthorizationRequestUrl, mRequestHeaders);
         return view;
     }
 
+    /**
+     * Determines whether the new SSL error handler should be used.
+     *
+     * @return true if the new SSL error handler should be used, false otherwise.
+     */
+    protected boolean shouldUseWebViewNewSslErrorHandler() {
+        if (webViewNewSslErrorHandlerEnabled == null) {
+            // if the value was not provided in intent extra, then use from flight.
+            return CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_WEB_VIEW_NEW_SSL_HANDLER);
+        }
+
+        return webViewNewSslErrorHandlerEnabled;
+    }
+
     @Override
     public void handleBackButtonPressed() {
         final String methodTag = TAG + ":handleBackButtonPressed";

@@ -0,0 +1,73 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.ui.webview
+
+import android.webkit.WebView
+import android.content.Context
+import android.util.AttributeSet
+import android.webkit.WebViewClient
+import com.microsoft.identity.common.logging.Logger
+
+/**
+ * WebView implementation used for authentication in client libraries.
+ */
+class AzureActiveDirectoryWebView @JvmOverloads constructor(
+    context: Context,
+    attrs: AttributeSet? = null,
+    defStyleAttr: Int = 0
+) : WebView(context,attrs, defStyleAttr) {
+
+    private var azureActiveDirectoryWebViewClient: AzureActiveDirectoryWebViewClient? = null
+
+    companion object {
+        private const val TAG = "AzureActiveDirectoryWebView"
+    }
+
+    /**
+     * Sets the URL to load on the webview client and continues loading the URL.
+     */
+    override fun loadUrl(url: String) {
+        azureActiveDirectoryWebViewClient?.setActiveLoadUrl(url)
+        super.loadUrl(url)
+    }
+
+    /**
+     * Sets the URL to load on the webview client and continues loading the URL.
+     */
+    override fun loadUrl(url: String, additionalHttpHeaders: Map<String, String>) {
+        azureActiveDirectoryWebViewClient?.setActiveLoadUrl(url)
+        super.loadUrl(url, additionalHttpHeaders)
+    }
+
+    /**
+     * Sets the [WebViewClient] for this WebView and tracks the [AzureActiveDirectoryWebViewClient]
+     * instance for further use.
+     */
+    override fun setWebViewClient(webViewClient: WebViewClient) {
+        val methodTag = "$TAG:setWebViewClient"
+        // Add custom logic here if needed
+        super.setWebViewClient(webViewClient)
+        azureActiveDirectoryWebViewClient = webViewClient as? AzureActiveDirectoryWebViewClient
+        Logger.info(methodTag, "AzureActiveDirectoryWebViewClient set: ${azureActiveDirectoryWebViewClient != null}")
+    }
+}
@@ -132,7 +132,20 @@ public AzureActiveDirectoryWebViewClient(@NonNull final Activity activity,
                                              @NonNull final OnPageLoadedCallback pageLoadedCallback,
                                              @NonNull final String redirectUrl,
                                              @NonNull final SwitchBrowserRequestHandler switchBrowserRequestHandler) {
-        super(activity, completionCallback, pageLoadedCallback);
+        super(activity, completionCallback, pageLoadedCallback, false);
+        mRedirectUrl = redirectUrl;
+        mCertBasedAuthFactory = new CertBasedAuthFactory(activity);
+        mSwitchBrowserRequestHandler = switchBrowserRequestHandler;
+    }
+
+    public AzureActiveDirectoryWebViewClient(@NonNull final Activity activity,
+                                             @NonNull final IAuthorizationCompletionCallback completionCallback,
+                                             @NonNull final OnPageLoadedCallback pageLoadedCallback,
+                                             @NonNull final String redirectUrl,
+                                             @NonNull final SwitchBrowserRequestHandler switchBrowserRequestHandler,
+                                             final boolean enableNewSslErrorHandling
+    ) {
+        super(activity, completionCallback, pageLoadedCallback, enableNewSslErrorHandling);
         mRedirectUrl = redirectUrl;
         mCertBasedAuthFactory = new CertBasedAuthFactory(activity);
         mSwitchBrowserRequestHandler = switchBrowserRequestHandler;
@@ -336,6 +349,9 @@ else if (isRedirectUrl(formattedURL)) {
             } else {
                 Logger.info(methodTag,"This maybe a valid URI, but no special handling for this mentioned URI, hence deferring to WebView for loading.");
                 processInvalidUrl(url);
+                // By return false, deferring to WebView to continue loading the url. This does not call webview.loadUrl()
+                // so setting the url as next url to load and marking active.
+                setActiveLoadUrl(url);
                 return false;
             }
         } catch (final ClientException exception) {