Enhance Passkey origin validation to be case insensitive for scheme and host

Author: p3dr0rv

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyOriginRulesManager.kt

@@ -92,16 +92,16 @@ object PasskeyOriginRulesManager {
             val uri = URI(url)
 
             // Validate scheme
-            if (uri.scheme != HTTPS_SCHEME) {
+            if (uri.scheme.lowercase() != HTTPS_SCHEME) {
                 return false
             }
 
             // Validate host and build origin
             val host = uri.host ?: return false
-            val origin = "https://$host"
+            val origin = "https://$host".lowercase()
 
             // Check if it's a production origin (any path allowed)
-            if (PRODUCTION_ORIGINS.contains(origin)) {
+            if (PRODUCTION_ORIGINS.contains(origin)){
                 return true
             }
 

common/src/test/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyOriginRulesManagerTest.kt

@@ -171,6 +171,32 @@ class PasskeyOriginRulesManagerTest {
         assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("https://login.microsoftonline.us/path/fIdO"))
     }
 
+    @Test
+    fun `isAllowedOrigin is case insensitive for schema`() {
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("HTTPS://login.microsoft.com"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("Https://account.live.com"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("HtTpS://mysignins.microsoft.com"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("HtTpS://login.microsoftonline.us/fido"))
+    }
+
+    @Test
+    fun `isAllowedOrigin is case insensitive for host`() {
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("https://LOGIN.MICROSOFT.COM"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("https://Login.Microsoft.Com"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("https://ACCOUNT.LIVE.COM"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("https://Account.Live.Com/"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("https://MYSIGNINS.MICROSOFT.COM"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("https://MySignins.Microsoft.Com/auth/passkey"))
+    }
+
+    @Test
+    fun `isAllowedOrigin is case insensitive for mixed case schema and host`() {
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("HtTpS://LoGiN.MiCrOsOfT.CoM"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("HtTpS://AcCoUnT.LiVe.CoM/page/webauthn"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("HtTpS://MySignins.MiCrOsOfT.CoM/auth/passkey"))
+        assertTrue(PasskeyOriginRulesManager.isAllowedOrigin("HtTpS://LoGiN.MiCrOsOfToNlInE.Us/FiDo"))
+    }
+
     // ==================== Subdomain Spoofing Prevention Tests ====================
 
     @Test
@@ -277,4 +303,3 @@ class PasskeyOriginRulesManagerTest {
         assertTrue(rules.size >= 12) // At least production + sovereign cloud origins
     }
 }
-