Switch to broker context after profile installation completes

Copilot · Veena11 · Copilot · commit f45fa46cf10d · 2026-02-04T01:01:00.000Z
- After msauth://profileInstalled callback, dismiss both webviews and switch to broker
- Added dismissSuspendedEmbeddedWebview method to coordinator
- Dismiss suspended embedded webview after profile installation
- Create MSIDBrokerInteractiveController after profile installation
- Broker invokes SSO extension to handle authentication in its own webview
- Response flows back to calling app through broker completion handler
- Updated cleanup to properly dismiss suspended webview
- Platform check for iOS (broker only available on iOS)
- Proper error handling for broker controller creation failures

Co-authored-by: Veena11 &lt;9446116+Veena11@users.noreply.github.com&gt;
diff --git a/IdentityCore/src/controllers/MSIDLocalInteractiveController.m b/IdentityCore/src/controllers/MSIDLocalInteractiveController.m
@@ -341,24 +341,51 @@ - (void)handleProfileInstallationCompletion:(NSURL *)callbackURL
         MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, 
                          @"Profile installation completed successfully (msauth://profileInstalled)");
         
-        // ASWebAuthenticationSession has already completed successfully
-        // Its completion handler has fired, and the session has cleaned itself up
-        // We should NOT call dismiss (which would try to cancel it) - just release our reference
+        // ASWebAuthenticationSession has already completed and cleaned itself up
+        // Just release our reference (don't call dismiss on completed session)
         self.transitionCoordinator.externalSessionHandler = nil;
         
-        // Resume the suspended embedded webview
-        [self.transitionCoordinator resumeSuspendedEmbeddedWebview];
+        // Dismiss the suspended embedded webview (we're switching to broker context)
+        [self.transitionCoordinator dismissSuspendedEmbeddedWebview];
         
-        // The webview will continue its flow naturally
-        // It's still alive and will process the next response from the server
-        // We don't call completionBlock here - the webview will complete when auth finishes
+        // After profile installation, switch to broker context
+        // The SSO extension will handle the authentication request in its own webview
+        MSID_LOG_WITH_CTX(MSIDLogLevelInfo, self.requestParameters, 
+                         @"Switching to broker context after profile installation");
+        
+#if TARGET_OS_IPHONE
+        NSError *brokerError = nil;
+        MSIDBrokerInteractiveController *brokerController = [[MSIDBrokerInteractiveController alloc] initWithInteractiveRequestParameters:self.interactiveRequestParamaters
+                                                                                                                     tokenRequestProvider:self.tokenRequestProvider
+                                                                                                                        brokerInstallLink:nil
+                                                                                                                                    error:&brokerError];
+        
+        if (!brokerController)
+        {
+            MSID_LOG_WITH_CTX(MSIDLogLevelError, self.requestParameters, 
+                             @"Failed to create broker controller after profile installation: %@", brokerError);
+            CONDITIONAL_STOP_TELEMETRY_EVENT([self telemetryAPIEvent], brokerError);
+            completionBlock(nil, brokerError);
+            return;
+        }
+        
+        // Broker will invoke SSO extension which handles the request in its own webview
+        // Response will be sent back to calling app through the broker completion handler
+        [brokerController acquireToken:completionBlock];
+#else
+        NSError *platformError = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, 
+                                                @"Broker authentication not supported on this platform", 
+                                                nil, nil, nil, self.requestParameters.correlationId, nil, YES);
+        CONDITIONAL_STOP_TELEMETRY_EVENT([self telemetryAPIEvent], platformError);
+        completionBlock(nil, platformError);
+#endif
     }
     else
     {
         MSID_LOG_WITH_CTX(MSIDLogLevelWarning, self.requestParameters, 
                          @"Unexpected callback URL from profile installation: %@", callbackURL);
         
-        // Clean up - this will dismiss the session if still active
+        // Clean up - this will dismiss both webviews
         [self.transitionCoordinator cleanup];
         
         // Create error for unexpected callback
diff --git a/IdentityCore/src/webview/MSIDWebviewTransitionCoordinator.h b/IdentityCore/src/webview/MSIDWebviewTransitionCoordinator.h
@@ -76,6 +76,12 @@ NS_ASSUME_NONNULL_BEGIN
  */
 - (void)resumeSuspendedEmbeddedWebview;
 
+/**
+ * Dismisses the suspended embedded webview (cancels and releases it)
+ * Use this when you need to completely abandon the embedded webview and switch to a different flow
+ */
+- (void)dismissSuspendedEmbeddedWebview;
+
 /**
  * Dismisses the ASWebAuthenticationSession if active
  * NOTE: Only call this if the session needs to be canceled (error, timeout, user cancellation).
diff --git a/IdentityCore/src/webview/MSIDWebviewTransitionCoordinator.m b/IdentityCore/src/webview/MSIDWebviewTransitionCoordinator.m
@@ -155,6 +155,23 @@ - (void)resumeSuspendedEmbeddedWebview
     // We don't need to manually trigger anything as it's been kept alive
 }
 
+- (void)dismissSuspendedEmbeddedWebview
+{
+    if (!self.suspendedEmbeddedWebview)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelWarning, nil, @"[MSIDWebviewTransitionCoordinator] No suspended webview to dismiss");
+        return;
+    }
+    
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"[MSIDWebviewTransitionCoordinator] Dismissing suspended embedded webview");
+    
+    // Cancel the suspended webview to properly clean it up
+    [self.suspendedEmbeddedWebview cancelProgrammatically];
+    
+    // Release the reference
+    self.suspendedEmbeddedWebview = nil;
+}
+
 - (void)dismissExternalSession
 {
     if (self.externalSessionHandler)
@@ -173,7 +190,12 @@ - (void)cleanup
 {
     MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"[MSIDWebviewTransitionCoordinator] Cleaning up coordinator state");
     
-    self.suspendedEmbeddedWebview = nil;
+    // Dismiss suspended webview if exists
+    if (self.suspendedEmbeddedWebview)
+    {
+        MSID_LOG_WITH_CTX(MSIDLogLevelVerbose, nil, @"[MSIDWebviewTransitionCoordinator] Dismissing suspended webview during cleanup");
+        [self dismissSuspendedEmbeddedWebview];
+    }
     
     // Dismiss external session if still active (e.g., on error or cancellation)
     // If the session completed successfully, it should already be nil
