Add additional allowed origins for PasskeyWebListener, Fixes AB#3465377 (#2839)

This pull request updates the list of allowed origins in the
`PasskeyWebListener` class to support additional sovereign cloud
identity endpoints. This change improves compatibility with new regional
identity services.

Expansion of allowed origins:

* Added support for three new sovereign cloud identity endpoints:
`login.sovcloud-identity.fr`, `login.sovcloud-identity.de`, and
`login.sovcloud-identity.sg` to the allowed origins list in
`PasskeyWebListener.kt`.

[AB#3465377](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3465377)

---------

Co-authored-by: Copilot <[email protected]>

Author: p3dr0rv

changelog.txt

@@ -1,5 +1,6 @@
 vNext
 ----------
+- [MINOR] Add additional allowed origins for PasskeyWebListener (#2839)
 - [PATCH] Add JavascriptInterface rules to consumer proguard rules (#2837)
 - [MINOR] Add optimized saveAndLoadAggregatedAccountData method in BrokerOAuth2TokenCache (#2832)
 - [MINOR] Remove MavenCentral repository from build.gradle files (#2830)

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyOriginRulesManager.kt

@@ -0,0 +1,160 @@
+// Copyright (c) Microsoft Corporation.
+// All rights reserved.
+//
+// This code is licensed under the MIT License.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files(the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions :
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+package com.microsoft.identity.common.internal.providers.oauth2
+
+import com.microsoft.identity.common.BuildConfig
+import com.microsoft.identity.common.logging.Logger
+import java.net.URI
+
+/**
+ * Manages allowed origin rules for Passkey/WebAuthN APIs.
+ * Ensures only trusted Microsoft origins can access sensitive credential operations.
+ *
+ * **Origin Categories:**
+ * 1. **Production origins** - Allow all paths (any path is safe)
+ * 2. **Sovereign cloud origins** - Require "/fido" as a path segment
+ *
+ * **Security Features:**
+ * - Validates scheme must be HTTPS
+ * - Prevents subdomain spoofing (e.g., attacker.com.microsoft.com)
+ * - Prevents prefix attacks (e.g., evillogin.microsoft.com)
+ * - Requires exact domain matching
+ * - Case-insensitive FIDO path matching for sovereign clouds
+ */
+object PasskeyOriginRulesManager {
+    private const val TAG = "PasskeyOriginRulesManager"
+    private const val HTTPS_SCHEME = "https"
+    private const val FIDO_SEGMENT = "fido"
+
+    // Production origins - allow any path
+    private val PRODUCTION_ORIGINS = setOf(
+        "https://login.microsoft.com",
+        "https://account.live.com",
+        "https://mysignins.microsoft.com",
+        "https://mysignins.azure.us",
+        "https://mysignins.microsoft.scloud",
+        "https://mysignins.eaglex.ic.gov"
+    )
+
+    // Sovereign cloud origins - require FIDO path
+    private val SOVEREIGN_CLOUD_ORIGINS = setOf(
+        "https://login.microsoftonline.us",
+        "https://login.microsoftonline.microsoft.scloud",
+        "https://login.microsoftonline.eaglex.ic.gov",
+        "https://login.sovcloud-identity.fr",
+        "https://login.sovcloud-identity.de",
+        "https://login.sovcloud-identity.sg"
+    )
+
+    // PPE origins
+    private val ALLOWED_ORIGIN_PPE= setOf(
+        "https://account.live-int.com",
+        "https://login.windows-ppe.net",
+        "https://mysignins-ppe.microsoft.com"
+    )
+
+    /**
+     * Checks if the provided URL is allowed to access Passkey/WebAuthN APIs.
+     *
+     * **Validation Rules:**
+     * - URL must have HTTPS scheme
+     * - Host must exactly match an allowed origin
+     * - For sovereign cloud origins, the path must contain "fido" as a complete segment
+     *   (e.g., "/fido" or "/fido/endpoint" are valid, but "/fidoauth" is not)
+     * - For production origins, any path is allowed
+     *
+     * @param url The URL to validate
+     * @return `true` if the URL is from an allowed origin and meets all validation rules, `false` otherwise
+     */
+    @JvmStatic
+    fun isAllowedOrigin(url: String): Boolean {
+        return try {
+            val uri = URI(url)
+
+            // Validate scheme
+            if (uri.scheme.lowercase() != HTTPS_SCHEME) {
+                return false
+            }
+
+            // Validate host and build origin
+            val host = uri.host ?: return false
+            val origin = "https://$host".lowercase()
+
+            // Check if it's a production origin (any path allowed)
+            if (PRODUCTION_ORIGINS.contains(origin)){
+                return true
+            }
+
+            // Check if it's a sovereign cloud origin (requires FIDO path)
+            if (SOVEREIGN_CLOUD_ORIGINS.contains(origin)) {
+                return hasFidoPathSegment(uri.path)
+            }
+
+            false
+        } catch (throwable: Throwable) {
+            Logger.error(TAG, "Error validating origin for URL.", throwable)
+            false
+        }
+    }
+
+    /**
+     * Checks if the path contains "fido" as a complete path segment.
+     *
+     * Valid examples:
+     * - "/fido" ✓
+     * - "/fido/" ✓
+     * - "/fido/endpoint" ✓
+     * - "/some/path/fido" ✓
+     * - "/some/path/fido/endpoint" ✓
+     *
+     * Invalid examples:
+     * - "" ✗
+     * - "/fidoauth" ✗ (fido is not a complete segment)
+     * - "/authenticate" ✗ (no fido)
+     *
+     * @param path The path to validate (e.g., "/fido" or "/some/fido/endpoint")
+     * @return `true` if path contains "fido" as a complete segment, `false` otherwise
+     */
+    private fun hasFidoPathSegment(path: String?): Boolean {
+        if (path.isNullOrEmpty()) {
+            return false
+        }
+
+        // Split by '/' and check for "fido" (case-insensitive)
+        val segments = path.split("/")
+        return segments.any { it.equals(FIDO_SEGMENT, ignoreCase = true) }
+    }
+
+    /**
+     * Returns the set of all allowed origin rules.
+     *
+     * @return Set containing all production and sovereign cloud origin URLs
+     */
+    fun getAllowedOriginRules(): Set<String> {
+        return if (BuildConfig.DEBUG) {
+            PRODUCTION_ORIGINS + SOVEREIGN_CLOUD_ORIGINS + ALLOWED_ORIGIN_PPE
+        } else {
+            PRODUCTION_ORIGINS + SOVEREIGN_CLOUD_ORIGINS
+        }
+    }
+}

common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/PasskeyWebListener.kt

@@ -289,38 +289,8 @@ class PasskeyWebListener(
             var __webauthn_interface__,__webauthn_hooks__;!function(e){__webauthn_interface__.addEventListener("message",(function(e){console.log(e.data);var n=JSON.parse(e.data);"get"===n.type?o(n):"create"===n.type?l(n):console.log("Incorrect response format for reply: "+n.type)}));var n=null,t=null,r=null,a=null;function o(e){if(null!==n&&null!==r){if("success"!=e.status){var o=r;return n=null,r=null,void o(new DOMException(e.data.domExceptionMessage,e.data.domExceptionName))}var s=u(e.data),i=n;n=null,r=null,i(s)}else console.log("Reply failure: Resolve: "+t+" and reject: "+a)}function s(e){var n=e.length%4;return Uint8Array.from(atob(e.replace(/-/g,"+").replace(/_/g,"/").padEnd(e.length+(0===n?0:4-n),"=")),(function(e){return e.charCodeAt(0)})).buffer}function i(e){return btoa(Array.from(new Uint8Array(e),(function(e){return String.fromCharCode(e)})).join("")).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+${'$'}/,"")}function l(e){if(null!==t&&null!==a){if("success"!=e.status){var n=a;return t=null,a=null,void n(new DOMException(e.data.domExceptionMessage,e.data.domExceptionName))}var r=u(e.data),o=t;t=null,a=null,o(r)}else console.log("Reply failure: Resolve: "+t+" and reject: "+a)}function u(e){return e.rawId=s(e.rawId),e.response.clientDataJSON=s(e.response.clientDataJSON),e.response.hasOwnProperty("attestationObject")&&(e.response.attestationObject=s(e.response.attestationObject)),e.response.hasOwnProperty("authenticatorData")&&(e.response.authenticatorData=s(e.response.authenticatorData)),e.response.hasOwnProperty("signature")&&(e.response.signature=s(e.response.signature)),e.response.hasOwnProperty("userHandle")&&(e.response.userHandle=s(e.response.userHandle)),e.getClientExtensionResults=function(){return{}},e.response.getTransports=function(){return e.response.hasOwnProperty("transports")?e.response.transports:[]},e}e.create=function(n){if(!("publicKey"in n))return e.originalCreateFunction(n);var r=new Promise((function(e,n){t=e,a=n})),o=n.publicKey;if(o.hasOwnProperty("challenge")){var s=i(o.challenge);o.challenge=s}if(o.hasOwnProperty("user")&&o.user.hasOwnProperty("id")){var l=i(o.user.id);o.user.id=l}if(o.hasOwnProperty("excludeCredentials")&&Array.isArray(o.excludeCredentials)&&o.excludeCredentials.length>0)for(var u=0;u<o.excludeCredentials.length;u++){var c=o.excludeCredentials[u];c&&c.hasOwnProperty("id")&&(c.id=i(c.id))}var p={type:"create",request:o},_=JSON.stringify(p);return __webauthn_interface__.postMessage(_),r},e.get=function(t){if(!("publicKey"in t))return e.originalGetFunction(t);var a=new Promise((function(e,t){n=e,r=t})),o=t.publicKey;if(o.hasOwnProperty("challenge")){var s=i(o.challenge);o.challenge=s}var l={type:"get",request:o},u=JSON.stringify(l);return __webauthn_interface__.postMessage(u),a},e.onReplyGet=o,e.CM_base64url_decode=s,e.CM_base64url_encode=i,e.onReplyCreate=l}(__webauthn_hooks__||(__webauthn_hooks__={})),__webauthn_hooks__.originalGetFunction=navigator.credentials.get,__webauthn_hooks__.originalCreateFunction=navigator.credentials.create,navigator.credentials.get=__webauthn_hooks__.get,navigator.credentials.create=__webauthn_hooks__.create,window.PublicKeyCredential=function(){},window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable=function(){return Promise.resolve(!0)};
          """
 
-        /** Allowed origins that can use the WebAuthN interface. */
-        private val ALLOWED_ORIGIN_RULES_PRODUCTION = setOf(
-            "https://login.microsoft.com",
-            "https://account.live.com",
-            "https://mysignins.microsoft.com",
-            "https://mysignins.azure.us",
-            "https://mysignins.microsoft.scloud",
-            "https://mysignins.eaglex.ic.gov",
-            "https://login.microsoftonline.us",
-            "https://login.microsoftonline.microsoft.scloud",
-            "https://login.microsoftonline.eaglex.ic.gov"
-        )
 
-        /** Allowed origins for pre-production/testing environments. */
-        private val ALLOWED_ORIGIN_PRE_PRODUCTION = setOf(
-            "https://account.live-int.com",
-            "https://login.windows-ppe.net",
-            "https://mysignins-ppe.microsoft.com"
-        )
 
-        /**
-         * Gets the set of allowed origin rules based on build configuration.
-         *
-         * @return Set of allowed origin rules.
-         */
-        private fun getAllowedOriginRules(): Set<String> {
-            val mutableSet = ALLOWED_ORIGIN_RULES_PRODUCTION.toMutableSet()
-            if (BuildConfig.DEBUG) {
-                mutableSet.addAll(ALLOWED_ORIGIN_PRE_PRODUCTION)
-            }
-            return mutableSet.toSet()
-        }
 
         /**
          * Attaches the passkey listener to a WebView.
@@ -357,7 +327,7 @@ class PasskeyWebListener(
                 WebViewCompat.addWebMessageListener(
                     webView,
                     INTERFACE_NAME,
-                    getAllowedOriginRules(),
+                    PasskeyOriginRulesManager.getAllowedOriginRules(),
                     PasskeyWebListener(
                         coroutineScope = CoroutineScope(Dispatchers.Default),
                         credentialManagerHandler = CredentialManagerHandler(activity)
@@ -373,11 +343,7 @@ class PasskeyWebListener(
                 } else {
                     WEB_AUTHN_INTERFACE_JS_MINIFIED
                 }
-                webClient.addOnPageStartedScript(
-                    TAG,
-                    scriptToInject,
-                    getAllowedOriginRules()
-                )
+                webClient.addPasskeyRegistrationJsScript(scriptToInject)
 
                 true
             } else {

common/src/main/java/com/microsoft/identity/common/internal/ui/webview/AzureActiveDirectoryWebViewClient.java

@@ -52,6 +52,7 @@
 import com.microsoft.identity.common.internal.fido.IFidoManager;
 import com.microsoft.identity.common.internal.fido.LegacyFido2ApiManager;
 import com.microsoft.identity.common.internal.providers.oauth2.AuthorizationActivity;
+import com.microsoft.identity.common.internal.providers.oauth2.PasskeyOriginRulesManager;
 import com.microsoft.identity.common.internal.providers.oauth2.WebViewAuthorizationFragment;
 import com.microsoft.identity.common.internal.ui.webview.certbasedauth.AbstractSmartcardCertBasedAuthChallengeHandler;
 import com.microsoft.identity.common.internal.ui.webview.certbasedauth.AbstractCertBasedAuthChallengeHandler;
@@ -88,13 +89,11 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.security.Principal;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
 import static com.microsoft.identity.common.adal.internal.AuthenticationConstants.Broker.AMAZON_APP_REDIRECT_PREFIX;
@@ -144,7 +143,7 @@ public class AzureActiveDirectoryWebViewClient extends OAuth2WebViewClient {
     private final SpanContext mSpanContext;
     private final String mUtid;
 
-    private final List<JsScriptRecord> mOnPageStartedScripts = new ArrayList<>();
+    private String mPasskeyRegistrationScript;
 
     public AzureActiveDirectoryWebViewClient(@NonNull final Activity activity,
                                              @NonNull final IAuthorizationCompletionCallback completionCallback,
@@ -1144,12 +1143,10 @@ public void onReceived(@Nullable final AbstractCertBasedAuthChallengeHandler cha
     @Override
     public void onPageStarted(final WebView view, final String url, final Bitmap favicon) {
         super.onPageStarted(view, url, favicon);
-        // Evaluate JavaScript for each script if URL matches allowed origins
-        for (final JsScriptRecord scriptRecord : mOnPageStartedScripts) {
-            if (scriptRecord.isAllowedForUrl(url)) {
-                Logger.info(TAG, "Executing onPageStarted script: " + scriptRecord.getId());
-                view.evaluateJavascript(scriptRecord.getScript(), null);
-            }
+        // Evaluate JavaScript for Passkey Registration if script is set and origin is allowed.
+        if (mPasskeyRegistrationScript != null && PasskeyOriginRulesManager.isAllowedOrigin(url)) {
+            Logger.verbose(TAG, "Executing onPageStarted PasskeyRegistration script for URL: " + url);
+            view.evaluateJavascript(mPasskeyRegistrationScript, null);
         }
     }
 
@@ -1232,17 +1229,10 @@ private Span createSpanWithAttributesFromParent(@NonNull final String spanName)
 
     /**
      * Add a JavaScript to be executed in onPageStarted.
-     * If allowedUrls is null, the script will be executed for all URLs.
-     * If allowedUrls is non-null, the script will be executed only for URLs that start with any of the allowed origins.
+     * The script will be executed only for URLs that are allowed by {@link PasskeyOriginRulesManager}.
      * @param script JavaScript code to be executed.
-     * @param allowedUrls Set of allowed URL origins.
      */
-    public void addOnPageStartedScript(
-            @NonNull final String scriptId,
-            @NonNull final String script,
-            @Nullable final Set<String> allowedUrls) {
-        this.mOnPageStartedScripts.add(
-                new JsScriptRecord(scriptId, script, allowedUrls)
-        );
+    public void addPasskeyRegistrationJsScript(@NonNull final String script) {
+        this.mPasskeyRegistrationScript = script;
     }
 }