Switch to browser on DUNA redirect URL., Fixes AB#3079799

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Launch browser when a switch_browser redirect URL is present (#2553)
 
 Version 20.0.0
 ----------

common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java

@@ -529,6 +529,29 @@ public static final class AAD {
         public static final String APP_VERSION = "x-app-ver";
     }
 
+    /**
+     * Represents the constants value for the SwitchBrowser protocol.
+     */
+    @NoArgsConstructor(access = AccessLevel.PRIVATE)
+    public static final class SWITCH_BROWSER {
+
+        /**
+         * String Query parameter key to indicate support for SWITCH_BROWSER protocol.
+         */
+        public static final String PATH = "switch_browser";
+
+        /**
+         * String Query parameter key for the session token.
+         */
+        public static final String CODE = "code";
+
+        /**
+         * String Query parameter key for the switchBrowser action uri.
+         */
+        public static final String ACTION_URI = "action_uri";
+
+    }
+
     /**
      * Represents the constants for broker.
      */

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/AuthorizationActivityFactory.java

@@ -30,6 +30,7 @@
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.REQUEST_URL;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.WEB_VIEW_ZOOM_CONTROLS_ENABLED;
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.AuthorizationIntentKey.WEB_VIEW_ZOOM_ENABLED;
+import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.SWITCH_BROWSER;
 import static com.microsoft.identity.common.java.AuthenticationConstants.SdkPlatformFields.PRODUCT;
 import static com.microsoft.identity.common.java.AuthenticationConstants.SdkPlatformFields.VERSION;
 import static com.microsoft.identity.common.java.logging.DiagnosticContext.CORRELATION_ID;
@@ -41,8 +42,6 @@
 import androidx.annotation.NonNull;
 import androidx.fragment.app.Fragment;
 
-import com.microsoft.identity.common.internal.msafederation.MsaFederatedSignInProviderName;
-import com.microsoft.identity.common.internal.msafederation.MsaFederationConstants;
 import com.microsoft.identity.common.internal.msafederation.MsaFederationExtensions;
 import com.microsoft.identity.common.internal.msafederation.google.SignInWithGoogleCredential;
 import com.microsoft.identity.common.internal.msafederation.google.SignInWithGoogleParameters;
@@ -121,6 +120,11 @@ public static Intent getAuthorizationActivityIntent(final Context context,
         final LibraryConfiguration libraryConfig = LibraryConfiguration.getInstance();
         if (ProcessUtil.isBrokerProcess(context)) {
             intent = new Intent(context, BrokerAuthorizationActivity.class);
+            if(requestUrl.contains(SWITCH_BROWSER.PATH)) {
+                intent.setFlags(Intent.FLAG_ACTIVITY_CLEAR_TASK | Intent.FLAG_ACTIVITY_NEW_TASK);
+                // In the case of a SwitchBrowser protocol, we need to transition from the browser to the WebView.
+                // These flags ensure that we have a new task stack that allows for this transition.
+            }
         } else if (libraryConfig.isAuthorizationInCurrentTask() && !authorizationAgent.equals(AuthorizationAgent.WEBVIEW)) {
             // We exclude the case when the authorization agent is already selected as WEBVIEW because of confusion
             // that results from attempting to use the CurrentTaskAuthorizationActivity in that case, because as webview

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java

@@ -51,7 +51,10 @@
 import com.microsoft.identity.common.internal.ui.webview.certbasedauth.AbstractSmartcardCertBasedAuthChallengeHandler;
 import com.microsoft.identity.common.internal.ui.webview.certbasedauth.AbstractCertBasedAuthChallengeHandler;
 import com.microsoft.identity.common.internal.ui.webview.certbasedauth.CertBasedAuthFactory;
+import com.microsoft.identity.common.internal.ui.webview.challengehandlers.SwitchBrowserChallenge;
+import com.microsoft.identity.common.internal.ui.webview.challengehandlers.SwitchBrowserHandler;
 import com.microsoft.identity.common.internal.ui.webview.challengehandlers.NonceRedirectHandler;
+import com.microsoft.identity.common.internal.ui.webview.challengehandlers.SwitchBrowserUriHelper;
 import com.microsoft.identity.common.java.constants.FidoConstants;
 import com.microsoft.identity.common.java.flighting.CommonFlight;
 import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
@@ -102,13 +105,15 @@ public class AzureActiveDirectoryWebViewClient extends OAuth2WebViewClient {
     private static final String TAG = AzureActiveDirectoryWebViewClient.class.getSimpleName();
 
     public static final String ERROR = "error";
-    public static final String ERROR_SUBCODE = "error_subcode";
     public static final String ERROR_DESCRIPTION = "error_description";
     private static final String DEVICE_CERT_ISSUER = "CN=MS-Organization-Access";
     private final String mRedirectUrl;
     private final CertBasedAuthFactory mCertBasedAuthFactory;
     private AbstractCertBasedAuthChallengeHandler mCertBasedAuthChallengeHandler;
 
+    private final SwitchBrowserHandler mSwitchBrowserHandler;
+
+
     private HashMap<String, String> mRequestHeaders;
 
     public AzureActiveDirectoryWebViewClient(@NonNull final Activity activity,
@@ -118,6 +123,7 @@ public AzureActiveDirectoryWebViewClient(@NonNull final Activity activity,
         super(activity, completionCallback, pageLoadedCallback);
         mRedirectUrl = redirectUrl;
         mCertBasedAuthFactory = new CertBasedAuthFactory(activity);
+        mSwitchBrowserHandler= new SwitchBrowserHandler(activity);
     }
 
     /**
@@ -208,7 +214,13 @@ private boolean handleUrl(final WebView view, final String url) {
              }
              else if (isRedirectUrl(formattedURL)) {
                 Logger.info(methodTag,"Navigation starts with the redirect uri.");
-                processRedirectUrl(view, url);
+                if (SwitchBrowserUriHelper.INSTANCE.isSwitchBrowserRequest(formattedURL)) {
+                    Logger.info(methodTag,"Request to switch browser.");
+                    return processSwitchBrowserRequest(formattedURL);
+                } else {
+                    Logger.info(methodTag,"It is a redirect request.");
+                    processRedirectUrl(view, url);
+                }
             } else if (isWebsiteRequestUrl(formattedURL)) {
                 Logger.info(methodTag,"It is an external website request");
                 processWebsiteRequest(view, url);
@@ -325,7 +337,7 @@ private boolean isHeaderForwardingRequiredUri(@NonNull final String url) {
 
     // This function is only called when the client received a redirect that starts with the apps
     // redirect uri.
-    protected void processRedirectUrl(@NonNull final WebView view, @NonNull final String url) {
+    private void processRedirectUrl(@NonNull final WebView view, @NonNull final String url) {
         final String methodTag = TAG + ":processRedirectUrl";
 
         Logger.info(methodTag, "It is pointing to redirect. Final url can be processed to get the code or error.");
@@ -335,6 +347,23 @@ protected void processRedirectUrl(@NonNull final WebView view, @NonNull final St
         //the TokenTask should be processed at after the authorization process in the upper calling layer.
     }
 
+    /**
+     * Launch the browser with the given action URI and code.
+     * <p>
+     * From the query parameters, extract the action URI and code,
+     * The constructs the URI with the action URI and code.
+     *
+     * @param url The URL to be opened in the browser.
+     */
+    private boolean processSwitchBrowserRequest(@NonNull final String url) {
+        final SwitchBrowserChallenge switchBrowserChallenge =
+                SwitchBrowserChallenge.constructFromRedirectUri(Uri.parse(url));
+        if (switchBrowserChallenge == null) {
+            return false;
+        }
+        return mSwitchBrowserHandler.processChallenge(switchBrowserChallenge);
+    }
+
     private void processWebsiteRequest(@NonNull final WebView view, @NonNull final String url) {
         final String methodTag = TAG + ":processWebsiteRequest";
 
@@ -633,6 +662,7 @@ public void onDestroy() {
             mCertBasedAuthChallengeHandler.cleanUp();
         }
         mCertBasedAuthFactory.onDestroy();
+        mSwitchBrowserHandler.unbind();
     }
 
     /**

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/SwitchBrowserChallenge.kt

@@ -0,0 +1,54 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.ui.webview.challengehandlers
+
+import android.net.Uri
+
+/**
+ * SwitchBrowserChallenge is a challenge to switch from WebView to browser.
+ * It contains the URI to be opened in the new browser.
+ */
+data class SwitchBrowserChallenge(
+    val uri: Uri,
+) {
+
+    companion object {
+        /**
+         * Construct a SwitchBrowserChallenge from the redirect URI.
+         *
+         * @param redirectUri The redirect URI containing the switch browser code and action URI.
+         * e.g. msauth://com.microsoft.identity.client/your-redirect-uri?code=your-switch-browser-code&action_uri=your-action-uri
+         *
+         * @return The SwitchBrowserChallenge constructed from the redirect URI.
+         * e.g. SwitchBrowserChallenge(uri = your-action-uri?code=your-switch-browser-code)
+         * params: redirectUri: Uri
+         */
+        @JvmStatic
+        fun constructFromRedirectUri(redirectUri: Uri): SwitchBrowserChallenge? {
+            SwitchBrowserUriHelper.buildProcessUri(redirectUri)?.let { processUri ->
+                return SwitchBrowserChallenge(uri = processUri)
+            }
+            return null
+        }
+    }
+}

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/challengehandlers/SwitchBrowserHandler.kt

@@ -0,0 +1,101 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.ui.webview.challengehandlers
+
+import android.app.Activity
+import android.content.Context
+import android.content.Intent
+import com.microsoft.identity.common.internal.ui.browser.AndroidBrowserSelector
+import com.microsoft.identity.common.internal.ui.browser.CustomTabsManager
+import com.microsoft.identity.common.java.browser.IBrowserSelector
+import com.microsoft.identity.common.java.ui.BrowserDescriptor
+import com.microsoft.identity.common.logging.Logger
+
+/**
+ * SwitchBrowserHandler is a challenge handler for SwitchBrowserChallenge.
+ * It handles the challenge by selecting a valid browser to launch the Switch browser URI.
+ */
+class SwitchBrowserHandler(
+    private val activity: Activity,
+    private val context: Context,
+    private val customTabsManager: CustomTabsManager,
+    private val browserSelector: IBrowserSelector
+) : IChallengeHandler<SwitchBrowserChallenge, Boolean>  {
+
+    companion object {
+        private val TAG = SwitchBrowserHandler::class.simpleName
+    }
+
+    constructor( activity: Activity) : this(
+        activity,
+        activity.applicationContext,
+        CustomTabsManager(activity.applicationContext),
+        AndroidBrowserSelector(activity.applicationContext)
+    )
+
+    /**
+     * Process the SwitchBrowserChallenge, which is a request to switch the browser.
+     * This method will select a valid browser to launch the challenge URI.
+     *
+     * @param switchBrowserChallenge challenge request
+     * @return true if the challenge is handled successfully, false otherwise.
+     */
+    override fun processChallenge(switchBrowserChallenge: SwitchBrowserChallenge): Boolean {
+        val methodTag = "$TAG:processChallenge"
+
+        // Select a browser to handle the switch browser challenge
+        val browser = browserSelector.selectBrowser(
+            BrowserDescriptor.getBrowserSafeListForSwitchBrowser(),
+            null
+        )
+        if (browser == null) {
+            Logger.warn(methodTag, "No browser found for SwitchBrowserChallenge.")
+            return false
+        }
+
+        // Create an intent to launch the browser
+        val browserIntent: Intent
+        if (browser.isCustomTabsServiceSupported) {
+            Logger.info(methodTag, "CustomTabsService is supported.")
+            //create customTabsIntent
+            if (!customTabsManager.bind(context, browser.packageName)) {
+                Logger.warn(methodTag, "Failed to bind CustomTabsService.")
+                browserIntent = Intent(Intent.ACTION_VIEW)
+            } else {
+                browserIntent = customTabsManager.customTabsIntent.intent
+            }
+        } else {
+            Logger.warn(methodTag, "CustomTabsService is NOT supported")
+            browserIntent = Intent(Intent.ACTION_VIEW)
+        }
+        Logger.info(methodTag, "Launching switch browser request on browser: ${browser.packageName}")
+        browserIntent.setPackage(browser.packageName)
+        browserIntent.setData(switchBrowserChallenge.uri)
+        activity.startActivity(browserIntent)
+        return true
+    }
+
+    fun unbind() {
+        customTabsManager.unbind()
+    }
+}