Handling https scheme for device enrollment link, Fixes AB#3344894 #2732
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
❌ Work item link check failed. Description does not contain AB#{ID}. Click here to Learn more. |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR addresses a corner case in device enrollment URL handling where eSTS sends https:// scheme instead of the expected browser:// scheme for web applications. The fix extends the webview client to handle device CA requests with https:// scheme in addition to the existing browser:// scheme handling.
- Extended device CA request handling to support https:// scheme URLs
- Added test coverage for the new https scheme handling
- Refactored device CA processing logic into a separate method for better code organization
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| AzureActiveDirectoryWebViewClient.java | Added https scheme support for device CA requests and refactored processing logic |
| AzureActiveDirectoryWebViewClientTest.java | Added test case to verify https device CA URL handling |
...ava/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java
Show resolved
Hide resolved
...ava/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java
Outdated
Show resolved
Hide resolved
…/webview/AzureActiveDirectoryWebViewClient.java Co-authored-by: Copilot <[email protected]>
…om/AzureAD/microsoft-authentication-library-common-for-android into somalaya/hotfixForDeviceEnrollment
rpdome
reviewed
Aug 8, 2025
...ava/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java
Show resolved
Hide resolved
moumighosh
approved these changes
Aug 8, 2025
rpdome
approved these changes
Aug 8, 2025
shahzaibj
reviewed
Aug 8, 2025
common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java
Outdated
Show resolved
Hide resolved
shahzaibj
reviewed
Aug 8, 2025
...ava/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java
Show resolved
Hide resolved
somalaya
changed the title
|
✅ Work item link check complete. Description contains link AB#3344894 to an Azure Boards work item. |
shahzaibj
approved these changes
Aug 8, 2025
somalaya
added
the
No-Changelog
somalaya
added a commit
that referenced
this pull request
Aug 11, 2025
…94 (#2733) In this PR #2732, I added a new check to detect device CA flow and follow our current pattern of handling the device CA requests. But I did not secure it with a flight. There are 2 ways of adding a flight for this 1. Add a new flight that is independent of webcp feature 2. Depend on webcp feature only. I went with 2nd option, because I only really need these changes when webcp flight is ON so that users are not blocked by new flow. So, I am securing it with webcp flight. Fixes [AB#3344894](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3344894)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue : In my testing, I noticed that OneAuth team started sending a config for a confidential client and that there is a corner case for device enrollment url's scheme on eSTS side. Our contract with eSTS has been to send "browser://" scheme for device enrollment url redirect and we enable webcp flow once we notice the url is of browser scheme and has device enrollment parameters.
But eSTS's corner case is that when the calling app is a web app, they pass https:// scheme instead. My logic to handle webcp flow is not triggered in this case and breaks the user's sign in.
Although this is a corner case scenario, we may start seeing issues if consumers of OneAuth or MSAL register themselves as webapp/confidential clients unknowingly.
Link to ests code where they replace browser scheme with https in specific cases : https://msazure.visualstudio.com/One/_git/ESTS-Main?path=/src/Product/Microsoft.AzureAD.ESTS/Sts/ConditionalAccess/DevicePolicyError.cs&version=GBmaster&_a=contents&line=497&lineStyle=plain&lineEnd=503&lineStartColumn=1&lineEndColumn=10
My fix : Is a small change to start supporting webcp flow with https:// scheme as well.
Fixes AB#3344894