Skip to content

Native auth: update auth method blocked error handling, Fixes AB#3395876 #2804

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 7, 2025
Merged

Native auth: update auth method blocked error handling, Fixes AB#3395876 #2804

merged 3 commits into from
Nov 7, 2025

Conversation

@nilo-ms
Copy link
Contributor

@nilo-ms nilo-ms commented Nov 6, 2025

Update auth method blocked error handling. Use suberror instead of error codes

AB#3395876

@nilo-ms nilo-ms requested a review from a team as a code owner November 6, 2025 12:28
Copilot AI review requested due to automatic review settings November 6, 2025 12:28
@github-actions github-actions bot changed the title Native auth: update auth method blocked error handling Native auth: update auth method blocked error handling, Fixes AB#3395876 Nov 6, 2025
@nilo-ms nilo-ms requested a review from a team as a code owner November 6, 2025 12:31
Copilot AI reviewed Nov 6, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR refactors the error detection mechanism for blocked authentication methods and verification contacts in Native Auth responses. The change migrates from an error-code-based approach (errorCodes checking for 550024) to a suberror-based approach (subError checking for "provider_blocked_by_rep"), aligning with updated API contract specifications.

Key changes:

  • Added subError field to JITChallengeApiResponse to support provider blocking detection
  • Updated error detection logic from error.isInvalidRequest() && errorCodes?.first().isBlockedChallengeTarget() to error.isAccessDenied() && subError.isProviderBlocked()
  • Replaced the removed isBlockedChallengeTarget() function with new isProviderBlocked() and isAccessDenied() utility functions

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
ApiErrorResponseUtil.kt Removed isBlockedChallengeTarget() function and added isAccessDenied() and isProviderBlocked() utility functions for new error detection
SignInChallengeApiResponse.kt Updated imports and error detection logic to use isAccessDenied() and isProviderBlocked() instead of the removed isBlockedChallengeTarget()
JITChallengeApiResponse.kt Added subError field, updated imports, and changed error detection logic for blocked verification contacts
NativeAuthResponseHandler.kt Added subError = null to empty response construction for JITChallengeApiResponse
NativeAuthResponseHandlerTest.kt Updated all JITChallengeApiResponse test constructors to include subError = null parameter
Comments suppressed due to low confidence (1)

common4j/src/main/com/microsoft/identity/common/java/nativeauth/providers/responses/signin/SignInChallengeApiResponse.kt:87

  • Missing test coverage for the new blocked auth method scenario. The PR introduces a new error detection path (error.isAccessDenied() && subError.isProviderBlocked()) that triggers SignInChallengeApiResult.BlockedAuthMethod, but there are no tests validating this new behavior.

Recommendation: Add a test case in NativeAuthResponseHandlerTest.kt (similar to existing SignInChallengeApiResponse tests) that verifies:

  • When error is "access_denied"
  • And subError is "provider_blocked_by_rep"
  • The result is correctly mapped to SignInChallengeApiResult.BlockedAuthMethod

This ensures the new provider blocking logic works as intended for sign-in challenges.

                    error.isAccessDenied() && subError.isProviderBlocked() -> {
                        SignInChallengeApiResult.BlockedAuthMethod(
                            error = error.orEmpty(),
                            errorDescription = errorDescription.orEmpty(),
                            errorCodes = errorCodes.orEmpty(),
                            correlationId = correlationId
                        )

@nilo-ms nilo-ms merged commit 67d323b into dev Nov 7, 2025
23 of 25 checks passed
@nilo-ms nilo-ms deleted the danilo/update-blocked-auth-method- branch November 7, 2025 17:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mustafamizrak mustafamizrak mustafamizrak approved these changes

Copilot code review Copilot Copilot left review comments

@andwhysoft andwhysoft andwhysoft approved these changes

Assignees

No one assigned

Labels

native-auth

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nilo-ms @mustafamizrak @andwhysoft