
Conversation

@p3dr0rv (Contributor) commented Aug 18, 2025

AB#3282191

Issue

In the current DUNA flow, both switch_browser and switch_browser_resume actions can be triggered via a native app URL scheme, which introduces a potential security vulnerability that can be exploited by a malicious app to render a phishing page that mimics the ESTS UI and captures user credentials.

Resolution

To mitigate this risk, we validate that the “action_uri” belongs to Microsoft by ensuring its host is included in our list of trusted authorities. This can be done by checking the “host” dictionary returned during authority discovery in AzureActiveDirectory.
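As an added illustration of the host check described above (example code, not the PR's own implementation), the following stand-alone Kotlin sketch validates an action_uri against a trusted-host set. The set here is constructed; in the real flow it would come from the “host” dictionary returned by authority discovery. The rejected inputs are constructed examples of what an exact host comparison catches that a substring or suffix match would not.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Constructed stand-in for the "host" dictionary returned by authority discovery.
// These values are assumptions for the example; the real list is discovered at runtime.
val trustedHosts: Set<String> = setOf(
    "login.microsoftonline.com",
    "login.microsoft.com",
)

/**
 * Returns true only if [actionUri] is an https URI whose host exactly matches one of the
 * trusted authority hosts (case-insensitively). Exact matching matters: an endsWith or
 * contains check would accept a lookalike such as "login.microsoft.com.attacker.example".
 */
fun isTrustedActionUri(actionUri: String?, trusted: Set<String> = trustedHosts): Boolean {
    if (actionUri.isNullOrBlank()) return false
    val uri = try { URI(actionUri) } catch (e: URISyntaxException) { return false }
    // scheme is null for relative URIs; String?.equals(..., ignoreCase) handles that safely
    if (!uri.scheme.equals("https", ignoreCase = true)) return false
    // host is null for opaque or host-less URIs; userinfo ("user@host") is stripped by the parser,
    // so "https://login.microsoft.com@attacker.example/" yields host "attacker.example"
    val host = uri.host?.lowercase() ?: return false
    return trusted.any { it.equals(host, ignoreCase = true) }
}

fun main() {
    // Constructed sample action_uri values paired with the expected verdict.
    val cases = mapOf(
        "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?x=1" to true,
        "https://LOGIN.microsoft.com/resume" to true,                        // case-insensitive host
        "https://login.microsoft.com.attacker.example/phish" to false,       // lookalike suffix
        "http://login.microsoft.com/" to false,                              // plaintext scheme
        "https://login.microsoft.com@attacker.example/" to false,            // userinfo trick
        "myapp://switch_browser?action_uri=x" to false,                      // custom scheme
        "not a uri" to false,                                                // unparseable
    )
    for ((uri, expected) in cases) {
        val result = isTrustedActionUri(uri)
        check(result == expected) { "unexpected verdict for $uri" }
        println("${if (result) "ALLOW " else "REJECT"} $uri")
    }
}
```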

@github-actions

❌ Work item link check failed. Description does not contain AB#{ID}.

@github-actions

✅ Work item link check complete. Description contains link AB#3282191 to an Azure Boards work item.

@github-actions

❌ Work item link check failed. Description contains AB#3282191 but the Bot could not link it to an Azure Boards work item.

@github-actions github-actions bot changed the title Add AAD authority validation for DUNA flow Add AAD authority validation for DUNA flow, Fixes AB#3282191 Aug 19, 2025
@p3dr0rv p3dr0rv marked this pull request as ready for review August 19, 2025 16:43
Copilot AI review requested due to automatic review settings August 19, 2025 16:43
@p3dr0rv p3dr0rv requested review from a team as code owners August 19, 2025 16:43


…/webview/switchbrowser/SwitchBrowserUriHelper.kt

Co-authored-by: Copilot <[email protected]>
@shahzaibj (Contributor) left a comment

Not clear from the code if you are validating action_uri or the overall URI that we receive from eSTS. The ask is validate action_uri. Can you confirm the code is doing that?

@shahzaibj (Contributor) left a comment

I think what you've done is fine, though I think it would've been cleaner had you just validated the action_uri as opposed to validating the complete process/resume URI.

@p3dr0rv p3dr0rv requested a review from Copilot August 20, 2025 20:00
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds security validation for the DUNA (Device-based User-to-Native-App) flow by implementing Azure Active Directory (AAD) authority validation. The change prevents potential phishing attacks by validating that action URIs in switch browser operations come from trusted Microsoft authorities.

  • Adds AAD authority validation to prevent malicious apps from exploiting the DUNA flow
  • Updates test cases to use valid Microsoft authorities instead of test domains
  • Implements proper mock cleanup in test teardown methods

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Summary per file:

  • SwitchBrowserUriHelper.kt: Adds validateActionUri method to check action URIs against trusted AAD authorities
  • SwitchBrowserUriHelperTest.kt: Updates test to properly mock state validation and adds teardown cleanup
  • SwitchBrowserProtocolCoordinatorTest.kt: Updates test URLs to use Microsoft domains and adds validation tests for invalid authorities
  • SwitchBrowserRequestHandlerTest.kt: Updates test URLs from example.com to login.microsoft.com
  • changelog.txt: Documents the security enhancement

@p3dr0rv (Contributor, Author) commented Aug 20, 2025

I think what you've done is fine, though I think it would've been cleaner had you just validated the action_uri as opposed to validating complete process/resume URI

Tweaked it to validate the action URL when we get the raw data. Also reused the AAD logic to keep it simple.

@p3dr0rv p3dr0rv requested a review from shahzaibj August 20, 2025 20:23
@p3dr0rv p3dr0rv merged commit dabcddf into dev Aug 21, 2025
24 of 25 checks passed
@p3dr0rv p3dr0rv deleted the pedroro/duna-validateAadAuthority branch August 21, 2025 22:19