AzureAD
diff --git a/‎.github/workflows/auto-retag.yml‎
Lines changed: 108 additions & 0 deletions b/‎.github/workflows/auto-retag.yml‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎IdentityCore/IdentityCore.xcodeproj/project.pbxproj‎
Lines changed: 86 additions & 0 deletions b/‎IdentityCore/IdentityCore.xcodeproj/project.pbxproj‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎IdentityCore/src/MSIDConstants.h‎
Lines changed: 8 additions & 0 deletions b/‎IdentityCore/src/MSIDConstants.h‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎IdentityCore/src/MSIDConstants.m‎
Lines changed: 4 additions & 0 deletions b/‎IdentityCore/src/MSIDConstants.m‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎IdentityCore/src/broker_operation/request/browser_native_message_request/MSIDBrowserNativeMessageGetTokenRequest.m‎
Lines changed: 27 additions & 17 deletions b/‎IdentityCore/src/broker_operation/request/browser_native_message_request/MSIDBrowserNativeMessageGetTokenRequest.m‎
Lines changed: 27 additions & 17 deletions
diff --git a/‎IdentityCore/src/network/MSIDHttpRequest.m‎
Lines changed: 28 additions & 3 deletions b/‎IdentityCore/src/network/MSIDHttpRequest.m‎
Lines changed: 28 additions & 3 deletions
diff --git a/‎IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m‎
Lines changed: 8 additions & 0 deletions b/‎IdentityCore/src/network/error_handler/MSIDAADRequestErrorHandler.m‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎IdentityCore/src/requests/MSIDSilentTokenRequest.m‎
Lines changed: 9 additions & 0 deletions b/‎IdentityCore/src/requests/MSIDSilentTokenRequest.m‎
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,108 @@
+name: Auto-retag UNTAGGED entries
+
+# This workflow automatically fixes UNTAGGED entries and commits the changes
+# Trigger manually via workflow_dispatch or on push to specific branches
+
+on:
+  workflow_dispatch:  # Manual trigger
+  push:
+    branches:
+      - '**'  # All branches
+    paths:
+      - 'IdentityCore/src/telemetry/execution_flow/MSIDExecutionFlowConstants.m'
+
+permissions:
+  contents: write
+  pull-requests: write
+  issues: write
+
+env:
+  TAG_PLACEHOLDER: "UNTAGGED"
+  TAG_LENGTH: "5"
+  TAG_CHARSET: "abcdefghijklmnopqrstuvwxyz0123456789"
+
+jobs:
+  auto-retag:
+    name: Automatically retag UNTAGGED entries
+    runs-on: ubuntu-latest
+    
+    # Skip if the commit was made by github-actions bot (prevents infinite loop)
+    if: github.actor != 'github-actions[bot]'
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        ref: ${{ github.head_ref || github.ref }}
+        
+    - name: Set up Python
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.x'
+    
+    - name: Run retag script
+      id: retag
+      run: |
+        OUTPUT=$(python scripts/retag_untagged.py --placeholder "${{ env.TAG_PLACEHOLDER }}" --length "${{ env.TAG_LENGTH }}" --charset "${{ env.TAG_CHARSET }}" 2>&1)
+        echo "$OUTPUT"
+        echo "output<<EOF" >> $GITHUB_OUTPUT
+        echo "$OUTPUT" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+    
+    - name: Check if file was modified
+      id: check_changes
+      run: |
+        if git diff --quiet IdentityCore/src/telemetry/execution_flow/MSIDExecutionFlowConstants.m; then
+          echo "has_changes=false" >> $GITHUB_OUTPUT
+          echo "No changes made - file already has all tags assigned"
+        else
+          echo "has_changes=true" >> $GITHUB_OUTPUT
+          echo "Changes detected - UNTAGGED entries were replaced"
+        fi
+    
+    - name: Commit and push changes
+      if: steps.check_changes.outputs.has_changes == 'true'
+      run: |
+        git config user.name "github-actions[bot]"
+        git config user.email "github-actions[bot]@users.noreply.github.com"
+        git add IdentityCore/src/telemetry/execution_flow/MSIDExecutionFlowConstants.m
+        git commit -m "Auto-retag UNTAGGED execution flow tags [skip ci]"
+        git push
+    
+    - name: No changes needed
+      if: steps.check_changes.outputs.has_changes == 'false'
+      run: echo "✓ All tags are already assigned. No action needed."
+    
+    - name: Post PR comment
+      if: steps.check_changes.outputs.has_changes == 'true'
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const output = `${{ steps.retag.outputs.output }}`;
+          const placeholder = `${{ env.TAG_PLACEHOLDER }}`;
+          
+          // Get the current branch name
+          const branch = context.ref.replace('refs/heads/', '');
+          
+          // Find open PRs for this branch
+          const { data: prs } = await github.rest.pulls.list({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            state: 'open',
+            head: `${context.repo.owner}:${branch}`
+          });
+          
+          // If there's an open PR, comment on it
+          if (prs.length > 0) {
+            const pr = prs[0];
+            await github.rest.issues.createComment({
+              issue_number: pr.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `## 🏷️ Auto-retag Results\n\n\`\`\`\n${output}\n\`\`\`\n\n✅ ${placeholder} entries have been automatically replaced with unique tags.`
+            });
+            console.log(`Posted comment to PR #${pr.number}`);
+          } else {
+            console.log('No open PR found for this branch - skipping comment');
+          }
@@ -244,8 +244,16 @@ extern NSString * _Nonnull const MSID_FLIGHT_IS_BART_SUPPORTED;
 extern NSString * _Nonnull const MSID_FLIGHT_SPINNER_FIX;
 
 extern NSString * _Nonnull const MSID_FLIGHT_ENABLE_QUERYING_STK;
+
+/// Owner: sedemche
 extern NSString * _Nonnull const MSID_FLIGHT_USE_AUTOLAYOUT_FOR_LOADING_INDICATOR;
 
+/// Owner: sedemche
+extern NSString * _Nonnull const MSID_FLIGHT_BROWSER_CORE_DISABLE_POP;
+
+/// Owner: sedemche
+extern NSString * _Nonnull const MSID_FLIGHT_BROWSER_CORE_DISABLE_CLAIMS;
+
 extern NSString * _Nonnull const MSID_DOMAIN_HINT_KEY;
 
 extern NSString * _Nonnull const MSID_FLIGHT_ENABLE_THREAD_STARVATION;
 
@@ -102,6 +102,10 @@
 
 NSString *const MSID_FLIGHT_USE_AUTOLAYOUT_FOR_LOADING_INDICATOR = @"use_autolayout_for_loading_indicator";
 
+NSString *const MSID_FLIGHT_BROWSER_CORE_DISABLE_POP = @"browser_core_disable_pop";
+
+NSString *const MSID_FLIGHT_BROWSER_CORE_DISABLE_CLAIMS = @"browser_core_disable_claims";
+
 NSString *const MSID_DOMAIN_HINT_KEY  = @"domain_hint";
 
 // This is SsoExt flow only flight
 
@@ -32,6 +32,7 @@
 #import "MSIDAuthenticationSchemePop.h"
 #import "MSIDAuthScheme.h"
 #import "MSIDClaimsRequest.h"
+#import "MSIDFlightManager.h"
 
 NSString *const MSID_BROWSER_NATIVE_MESSAGE_CLIENT_ID_KEY = @"clientId";
 NSString *const MSID_BROWSER_NATIVE_MESSAGE_AUTHORITY_KEY = @"authority";
@@ -178,36 +179,45 @@ - (instancetype)initWithJSONDictionary:(NSDictionary *)json error:(NSError *__au
     // It is optional param, if nil -- set it to 'true' by default.
     _canShowUI = canShowUIValue ? [requestJson msidBoolObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_CAN_SHOW_UI_KEY] : YES;
 
-    NSString *reqCnf = [requestJson msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_REQUEST_CONFIRMATION_KEY] ?: [_extraParameters msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_REQUEST_CONFIRMATION_KEY];
-    NSString *tokenType = [requestJson msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_TOKEN_TYPE_KEY] ?: [_extraParameters msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_TOKEN_TYPE_KEY];
-    tokenType = tokenType.capitalizedString;
+    BOOL disablePop = [MSIDFlightManager.sharedInstance boolForKey:MSID_FLIGHT_BROWSER_CORE_DISABLE_POP];
 
-    
-    if (MSIDAuthSchemeTypeFromString(tokenType) == MSIDAuthSchemePop)
+    if (!disablePop)
     {
-        NSMutableDictionary *schemeParams = [NSMutableDictionary new];
-        schemeParams[MSID_OAUTH2_TOKEN_TYPE] = tokenType;
-        schemeParams[MSID_OAUTH2_REQUEST_CONFIRMATION] = reqCnf;
+        NSString *reqCnf = [requestJson msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_REQUEST_CONFIRMATION_KEY] ?: [_extraParameters msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_REQUEST_CONFIRMATION_KEY];
+        NSString *tokenType = [requestJson msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_TOKEN_TYPE_KEY] ?: [_extraParameters msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_TOKEN_TYPE_KEY];
+        tokenType = tokenType.capitalizedString;
 
-        _authScheme = [[MSIDAuthenticationSchemePop alloc] initWithSchemeParameters:schemeParams];
+        if (MSIDAuthSchemeTypeFromString(tokenType) == MSIDAuthSchemePop)
+        {
+            NSMutableDictionary *schemeParams = [NSMutableDictionary new];
+            schemeParams[MSID_OAUTH2_TOKEN_TYPE] = tokenType;
+            schemeParams[MSID_OAUTH2_REQUEST_CONFIRMATION] = reqCnf;
+            
+            _authScheme = [[MSIDAuthenticationSchemePop alloc] initWithSchemeParameters:schemeParams];
+        }
     }
 
     if (!_authScheme)
     {
         _authScheme = [MSIDAuthenticationScheme new]; // Bearer by default.
     }
-
-    NSString *claims = [requestJson msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_CLAIMS_KEY] ?: [_extraParameters msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_CLAIMS_KEY];
 
-    if (claims)
+    BOOL disableClaims = [MSIDFlightManager.sharedInstance boolForKey:MSID_FLIGHT_BROWSER_CORE_DISABLE_CLAIMS];
+    
+    if (!disableClaims)
     {
-        NSDictionary *claimsJson = [claims msidJson];
+        NSString *claims = [requestJson msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_CLAIMS_KEY] ?: [_extraParameters msidStringObjectForKey:MSID_BROWSER_NATIVE_MESSAGE_CLAIMS_KEY];
 
-        NSError *claimsError;
-        _claimsRequest = [[MSIDClaimsRequest alloc] initWithJSONDictionary:claimsJson error:&claimsError];
-        if (claimsError)
+        if (claims)
         {
-            MSID_LOG_WITH_CTX(MSIDLogLevelWarning, nil, @"Failed to create claims request. Claims: %@", MSID_PII_LOG_MASKABLE(claimsJson));
+            NSDictionary *claimsJson = [claims msidJson];
+            
+            NSError *claimsError;
+            _claimsRequest = [[MSIDClaimsRequest alloc] initWithJSONDictionary:claimsJson error:&claimsError];
+            if (claimsError)
+            {
+                MSID_LOG_WITH_CTX(MSIDLogLevelWarning, nil, @"Failed to create claims request. Claims: %@", MSID_PII_LOG_MASKABLE(claimsJson));
+            }
         }
     }
 
 
@@ -33,6 +33,8 @@
 #import "MSIDOAuthRequestConfigurator.h"
 #import "MSIDHttpRequestServerTelemetryHandling.h"
 #import "MSIDBrokerConstants.h"
+#import "MSIDExecutionFlowLogger.h"
+#import "MSIDExecutionFlowConstants.h"
 
 static NSInteger s_retryCount = 1;
 static NSTimeInterval s_retryInterval = 0.5;
@@ -76,7 +78,9 @@ - (instancetype)init
 - (void)sendWithBlock:(MSIDHttpRequestDidCompleteBlock)completionBlock
 {
     NSParameterAssert(self.urlRequest);
-
+    [[MSIDExecutionFlowLogger sharedInstance] insertTag:[self toString:MSIDExecutionFlowPrepareNetworkRequestTag]
+                                              extraInfo:nil
+                                      withCorrelationId:self.context.correlationId];
     __auto_type requestConfigurator = [MSIDOAuthRequestConfigurator new];
     requestConfigurator.timeoutInterval = _requestTimeoutInterval;
     [requestConfigurator configure:self];
@@ -99,11 +103,17 @@ - (void)sendWithBlock:(MSIDHttpRequestDidCompleteBlock)completionBlock
 
         if (!responseObject)
         {
+            [[MSIDExecutionFlowLogger sharedInstance] insertTag:[self toString:MSIDExecutionFlowCacheResponseFailedObjectTag]
+                                                      extraInfo:nil
+                                              withCorrelationId:self.context.correlationId];
             [self.cache removeCachedResponseForRequest:self.urlRequest];
             MSID_LOG_WITH_CTX(MSIDLogLevelVerbose,self.context, @"Removing invalid response from cache %@, response: %@", _PII_NULLIFY(self.urlRequest), _PII_NULLIFY(response.response));
         }
         else
         {
+            [[MSIDExecutionFlowLogger sharedInstance] insertTag:[self toString:MSIDExecutionFlowCacheResponseSucceededObjectTag]
+                                                      extraInfo:nil
+                                              withCorrelationId:self.context.correlationId];
             if (completionBlock) { completionBlock(responseObject, error); }
             return;
         }
@@ -117,6 +127,9 @@ - (void)sendWithBlock:(MSIDHttpRequestDidCompleteBlock)completionBlock
 
     [[self.sessionManager.session dataTaskWithRequest:self.urlRequest completionHandler:^(NSData *data, NSURLResponse *urlResponse, NSError *error)
       {
+        [[MSIDExecutionFlowLogger sharedInstance] insertTag:[self toString:MSIDExecutionFlowReceiveNetworkResponseTag]
+                                                  extraInfo:nil
+                                          withCorrelationId:self.context.correlationId];
           MSID_LOG_WITH_CTX(MSIDLogLevelVerbose,self.context, @"Received network response: %@, error %@", _PII_NULLIFY(urlResponse), _PII_NULLIFY(error));
 
           if (urlResponse) NSAssert([urlResponse isKindOfClass:NSHTTPURLResponse.class], NULL);
@@ -132,6 +145,9 @@ - (void)sendWithBlock:(MSIDHttpRequestDidCompleteBlock)completionBlock
 
         void (^completeBlockWrapper)(id, NSError *) = ^(id wrapperResponse, NSError *wrapperError)
         {
+            [[MSIDExecutionFlowLogger sharedInstance] insertTag:[self toString:MSIDExecutionFlowParseNetworkResponseTag]
+                                                      extraInfo:wrapperError ? @{MSID_EXECUTION_FLOW_ERROR_CODE:@(wrapperError.code)} : nil
+                                              withCorrelationId:self.context.correlationId];
             [self.serverTelemetry handleError:wrapperError context:self.context];
 
             if (completionBlock) { completionBlock(wrapperResponse, wrapperError); }
@@ -140,7 +156,7 @@ - (void)sendWithBlock:(MSIDHttpRequestDidCompleteBlock)completionBlock
           if (error)
           {
               if ([self.experimentBag msidBoolObjectForKey:MSID_EXP_RETRY_ON_NETWORK])
-              {
+              {   
                   [self.errorHandler handleError:error
                                     httpResponse:nil
                                             data:nil
@@ -171,6 +187,10 @@ - (void)sendWithBlock:(MSIDHttpRequestDidCompleteBlock)completionBlock
           }
           else
           {
+              
+              [[MSIDExecutionFlowLogger sharedInstance] insertTag:[self toString:MSIDExecutionFlowOtherHttpNetworkStatusCodeTag]
+                                                        extraInfo:@{MSID_EXECUTION_FLOW_DIAGNOSTIC_ID:@(httpResponse.statusCode)}
+                                                withCorrelationId:self.context.correlationId];
               if (self.errorHandler)
               {
                   id<MSIDResponseSerialization> responseSerializer = self.errorResponseSerializer ? self.errorResponseSerializer : self.responseSerializer;
@@ -208,9 +228,14 @@ - (NSCachedURLResponse *)cachedResponse
     return [self.cache cachedResponseForRequest:self.urlRequest];
 }
 
--(void)setCachedResponse:(__unused NSCachedURLResponse *)cachedResponse forRequest:(__unused NSURLRequest *)request
+- (void)setCachedResponse:(__unused NSCachedURLResponse *)cachedResponse forRequest:(__unused NSURLRequest *)request
 {
    [self.cache storeCachedResponse:cachedResponse forRequest:request];
 }
 
+- (NSString *)toString:(MSIDExecutionFlowNetworkTag)tag
+{
+    return MSIDExecutionFlowNetworkTagToString(tag);
+}
+
 @end
@@ -29,6 +29,8 @@
 #import "MSIDWorkPlaceJoinConstants.h"
 #import "MSIDPKeyAuthHandler.h"
 #import "MSIDMainThreadUtil.h"
+#import "MSIDExecutionFlowLogger.h"
+#import "MSIDExecutionFlowConstants.h"
 
 @implementation MSIDAADRequestErrorHandler
 
@@ -72,11 +74,17 @@ - (void)handleError:(NSError *)error
 
     if (shouldRetry)
     {
+        [[MSIDExecutionFlowLogger sharedInstance] insertTag:MSIDExecutionFlowNetworkTagToString(MSIDExecutionFlowRetryOnNetworkFailureTag)
+                                                  extraInfo:nil
+                                          withCorrelationId:context.correlationId];
         httpRequest.retryCounter--;
 
         MSID_LOG_WITH_CTX(MSIDLogLevelVerbose,context, @"Retrying network request, retryCounter: %ld", (long)httpRequest.retryCounter);
 
         dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(httpRequest.retryInterval * NSEC_PER_SEC)), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+            [[MSIDExecutionFlowLogger sharedInstance] insertTag:MSIDExecutionFlowNetworkTagToString(MSIDExecutionFlowStartToRetryOnNetworkFailureTag)
+                                                      extraInfo:nil
+                                              withCorrelationId:context.correlationId];
             [httpRequest sendWithBlock:completionBlock];
         });
 
 
@@ -50,6 +50,8 @@
 #import "MSIDDefaultTokenCacheAccessor.h"
 #import "MSIDAccountCredentialCache.h"
 #import "MSIDKeychainTokenCache.h"
+#import "MSIDExecutionFlowLogger.h"
+#import "MSIDExecutionFlowConstants.h"
 
 #if TARGET_OS_OSX && !EXCLUDE_FROM_MSALCPP
 #import "MSIDExternalAADCacheSeeder.h"
@@ -184,6 +186,13 @@ - (void)executeRequestImpl:(MSIDRequestCompletionBlock)completionBlock
         if (accessToken)
         {
             accessTokenExpired = [accessToken isExpiredWithExpiryBuffer:self.requestParameters.tokenExpirationBuffer];
+            if (accessToken.cachedAt)
+            {
+                NSTimeInterval elapsed = [[NSDate date] timeIntervalSinceDate:accessToken.expiresOn];
+                [[MSIDExecutionFlowLogger sharedInstance] insertTag:MSIDTokenRequestTagToString(MSIDTokenRequestAtExpirationElapsedTag)
+                                                          extraInfo:@{MSID_EXECUTION_FLOW_DIAGNOSTIC_ID:@((int64_t)elapsed)}
+                                                  withCorrelationId:self.requestParameters.correlationId];
+            }
         }
 
         if (accessToken && ![NSString msidIsStringNilOrBlank:accessToken.kid])