comments

melissaahn · melissaahn · commit dc076348b244 · 2025-11-18T11:26:56.000-08:00
diff --git a/common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java b/common/src/main/java/com/microsoft/identity/common/adal/internal/AuthenticationConstants.java
@@ -2151,28 +2151,4 @@ public static final class SdkPlatformFields {
         @Deprecated
         public static final String VERSION = com.microsoft.identity.common.java.AuthenticationConstants.SdkPlatformFields.VERSION;
     }
-
-    public static final class PoPConstants {
-        /**
-         * Indicates caller requests a PoP token instead of bearer.
-         */
-        public static final String SIGN_POP_TOKEN = "signPopToken";
-
-        /**
-         * Resource request components used to build the PoP SHR.
-         */
-        public static final String RESOURCE_REQUEST_URI = "resourceRequestUri";
-        public static final String RESOURCE_REQUEST_METHOD = "resourceRequestMethod";
-
-        /**
-         * Optional PoP supplemental values.
-         */
-        public static final String SHR_NONCE = "shrNonce";
-        public static final String SHR_CLAIMS = "shrClaims";
-        /**
-         * Key identifier for the PoP key used to sign the token.
-         */
-        public static final String KEY_ID = "keyId";
-    }
 }
-
diff --git a/common/src/main/java/com/microsoft/identity/common/internal/controllers/BrokerMsalController.java b/common/src/main/java/com/microsoft/identity/common/internal/controllers/BrokerMsalController.java
@@ -1471,7 +1471,7 @@ public String executeWebAppRequest(@NonNull final String request,
                 final WebAppsGetTokenSubOperationRequest getTokenRequest = envelope.getRequest();
                 // If need to do interactive right away, do it now.
                 // Otherwise, just let the broker handle the silent token acquisition first.
-                if (shouldForceInteractive(getTokenRequest, additionalRequiredParams.getCanShowUi())) {
+                if (shouldForceInteractiveRequestForWebApp(getTokenRequest, additionalRequiredParams.getCanShowUi())) {
                     AzureActiveDirectory.buildAndValidateAuthorityFromWebAppSender(envelope.getSender());
                     final BrokerInteractiveTokenCommandParameters interactiveParams =
                             buildInteractiveTokenParametersForWebApps(getTokenRequest, additionalRequiredParams, minBrokerProtocolVersion);
@@ -1524,7 +1524,7 @@ public String extractResultBundle(@Nullable final Bundle resultBundle) throws Ba
                                                 WebAppsGetTokenSubOperationEnvelope.class
                                         );
                                 final WebAppsGetTokenSubOperationRequest getTokenRequest = envelope.getRequest();
-                                if (canFallbackToInteractive(getTokenRequest, additionalRequiredParams.getCanShowUi())) {
+                                if (canFallbackToInteractiveRequestForWebApp(getTokenRequest, additionalRequiredParams.getCanShowUi())) {
                                     // Create params from the request
                                     if (getTokenRequest.isSecurityTokenService()) {
                                         // Validate sender authority (throws if invalid)
@@ -1700,8 +1700,8 @@ private void verifyBrokerVersionIsSupported(@Nullable final Bundle resultBundle,
      * @return True if interactive token acquisition should be forced, false otherwise.
      * @throws ClientException if prompt is not none and UI is not allowed.
      */
-    private boolean shouldForceInteractive(final @NonNull WebAppsGetTokenSubOperationRequest req,
-                                           final boolean canShowUI) throws ClientException {
+    private boolean shouldForceInteractiveRequestForWebApp(final @NonNull WebAppsGetTokenSubOperationRequest req,
+                                                           final boolean canShowUI) throws ClientException {
         // MSAL JS requests will always be silent first.
         if (!req.isSecurityTokenService() || !StringUtil.isNullOrEmpty(req.getHomeAccountId())) {
             return false;
@@ -1729,8 +1729,8 @@ private boolean shouldForceInteractive(final @NonNull WebAppsGetTokenSubOperatio
      * @return True if we can fallback to interactive token acquisition, false otherwise.
      * @throws ClientException if prompt is none or if UI is not allowed when prompt is not none.
      */
-    private boolean canFallbackToInteractive(@NonNull final WebAppsGetTokenSubOperationRequest req,
-                                             final boolean canShowUI) throws ClientException {
+    private boolean canFallbackToInteractiveRequestForWebApp(@NonNull final WebAppsGetTokenSubOperationRequest req,
+                                                             final boolean canShowUI) throws ClientException {
         final OpenIdConnectPromptParameter prompt = OpenIdConnectPromptParameter.fromString(req.getPrompt());
         if (prompt == OpenIdConnectPromptParameter.NONE) {
             return false;
diff --git a/common4j/src/main/com/microsoft/identity/common/java/commands/parameters/BrokerInteractiveTokenCommandParameters.java b/common4j/src/main/com/microsoft/identity/common/java/commands/parameters/BrokerInteractiveTokenCommandParameters.java
@@ -27,6 +27,8 @@
 import com.microsoft.identity.common.java.cache.BrokerOAuth2TokenCache;
 import com.microsoft.identity.common.java.exception.ArgumentException;
 import com.microsoft.identity.common.java.exception.ClientException;
+import com.microsoft.identity.common.java.flighting.CommonFlight;
+import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
 import com.microsoft.identity.common.java.request.BrokerRequestType;
 import com.microsoft.identity.common.java.util.IPlatformUtil;
 import com.microsoft.identity.common.java.util.StringUtil;
@@ -124,7 +126,8 @@ public void validate() throws ArgumentException, ClientException {
                 );
             }
             final IPlatformUtil platformUtil = getPlatformComponents().getPlatformUtil();
-            if (getRequestType() == BrokerRequestType.WEB_APPS) {
+            if (!CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.DISABLE_WEB_APPS_API)
+                    && getRequestType() == BrokerRequestType.WEB_APPS) {
                 // For web apps, we have a different redirect URI from our standard Android one.
                 platformUtil.isValidCallingAppForWebApps(getCallerUid());
                 return;
diff --git a/common4j/src/main/com/microsoft/identity/common/java/commands/parameters/BrokerSilentTokenCommandParameters.java b/common4j/src/main/com/microsoft/identity/common/java/commands/parameters/BrokerSilentTokenCommandParameters.java
@@ -27,6 +27,8 @@
 import com.microsoft.identity.common.java.cache.BrokerOAuth2TokenCache;
 import com.microsoft.identity.common.java.exception.ArgumentException;
 import com.microsoft.identity.common.java.exception.ClientException;
+import com.microsoft.identity.common.java.flighting.CommonFlight;
+import com.microsoft.identity.common.java.flighting.CommonFlightsManager;
 import com.microsoft.identity.common.java.request.BrokerRequestType;
 import com.microsoft.identity.common.java.util.IPlatformUtil;
 import com.microsoft.identity.common.java.util.StringUtil;
@@ -116,7 +118,8 @@ public void validate() throws ArgumentException, ClientException {
             );
         }
         final IPlatformUtil platformUtil = getPlatformComponents().getPlatformUtil();
-        if (getRequestType() == BrokerRequestType.WEB_APPS) {
+        if (!CommonFlightsManager.INSTANCE.getFlightsProvider().isFlightEnabled(CommonFlight.DISABLE_WEB_APPS_API)
+                && getRequestType() == BrokerRequestType.WEB_APPS) {
             // For web apps, we have a different redirect URI from our standard Android one.
             platformUtil.isValidCallingAppForWebApps(getCallerUid());
             return;
diff --git a/common4j/src/main/com/microsoft/identity/common/java/commands/webapps/WebAppsGetTokenSubOperationEnvelope.kt b/common4j/src/main/com/microsoft/identity/common/java/commands/webapps/WebAppsGetTokenSubOperationEnvelope.kt
@@ -43,4 +43,4 @@ data class WebAppsGetTokenSubOperationEnvelope(
         const val FIELD_REQUEST = "request"
         const val FIELD_SENDER = "sender"
     }
-}
+}
diff --git a/common4j/src/main/com/microsoft/identity/common/java/flighting/CommonFlight.java b/common4j/src/main/com/microsoft/identity/common/java/flighting/CommonFlight.java
@@ -180,7 +180,12 @@ public enum CommonFlight implements IFlightConfig {
      * Flight to enable OpenID issuer validation code which validates issuer against the open id well known
      * config endpoint and only reports the failure result.
      */
-    ENABLE_OPENID_ISSUER_VALIDATION_REPORTING("EnableOpenIdIssuerValidationReporting", true);
+    ENABLE_OPENID_ISSUER_VALIDATION_REPORTING("EnableOpenIdIssuerValidationReporting", true),
+
+    /**
+     * Flight to disable Web Apps API.
+     */
+    DISABLE_WEB_APPS_API("DisableWebAppsApi", false);
 
     private String key;
     private Object defaultValue;

Original file line number	Diff line number	Diff line change
`@@ -43,4 +43,4 @@ data class WebAppsGetTokenSubOperationEnvelope(`
`43`	`43`	`const val FIELD_REQUEST = "request"`
`44`	`44`	`const val FIELD_SENDER = "sender"`
`45`	`45`	`}`
`46`		`-}`
	`46`	`+}`