Add WebAuthn version support in configuration, Fixes AB#3385532 (#2393)

[AB#3385532](https://identitydivision.visualstudio.com/fac9d424-53d2-45c0-91b5-ef6ba7a6bf26/_workitems/edit/3385532)

https://identitydivision.visualstudio.com/DevEx/_git/AuthLibrariesApiReview/pullrequest/20357
### Add WebAuthn Version Support and Passkey Headers

This PR adds support for handling the WebAuthn protocol version in the
app configuration and authentication flow for broker-less scenarios.
also enables testing on WEBVIEW PPE MSA

**Changes:**
- Added a new `webauthn_version` field to
`PublicClientApplicationConfiguration`, including serialization,
accessors, and merge logic, allowing apps to define and retrieve the
WebAuthn version from configuration files.
- Updated `CommandParametersAdapter` to include passkey protocol headers
in authentication requests when WebAuthn is enabled, supported (Android
9+), Authorization agent is Webview and the version is 1.1.
- Updated the test app (`MsalWrapper`) to append the `msaoauth2=true`
parameter to query strings when running in the pre-production
environment with WebAuthn 1.1 enabled, enabling proper testing of
WebAuthn flows.

Related PR:
AzureAD/microsoft-authentication-library-common-for-android#2769

Test
1- create account https://signup.live-int.com/?lic=1
2 - Install msal test app, (ensure no broker is installed)
3 - change config to MSA_WEBVIEW_PPE
4- Click acquire token and complete auth flow (username, password)
5 - User is presented with the option to register a passkey, complete
the flow, and you will end up with a token and a passkey.
6 - try again with no user selected and use the passkey.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: p3dr0rv

changelog

@@ -2,6 +2,7 @@ MSAL Wiki : https://github.com/AzureAD/microsoft-authentication-library-for-andr
 
 vNext
 ----------
+- [MINOR] Add WebAuthN version support in configuration (#2393)
 
 Version 8.0.2
 ----------

common

@@ -80,6 +80,7 @@ ext {
     AndroidCredentialsVersion="1.2.2"
     LegacyFidoApiVersion="20.1.0"
     GoogleIdVersion="1.1.0"
+    webkitVersion="1.14.0"
 
     // microsoft-diagnostics-uploader app versions
     powerliftVersion = "0.14.7"

gradle/versions.gradle

@@ -41,6 +41,7 @@
 import static com.microsoft.identity.client.PublicClientApplicationConfiguration.SerializedNames.TELEMETRY;
 import static com.microsoft.identity.client.PublicClientApplicationConfiguration.SerializedNames.USE_BROKER;
 import static com.microsoft.identity.client.PublicClientApplicationConfiguration.SerializedNames.WEBAUTHN_CAPABLE;
+import static com.microsoft.identity.client.PublicClientApplicationConfiguration.SerializedNames.WEBAUTHN_VERSION;
 import static com.microsoft.identity.client.PublicClientApplicationConfiguration.SerializedNames.WEB_VIEW_ZOOM_CONTROLS_ENABLED;
 import static com.microsoft.identity.client.PublicClientApplicationConfiguration.SerializedNames.WEB_VIEW_ZOOM_ENABLED;
 import static com.microsoft.identity.client.exception.MsalClientException.APP_MANIFEST_VALIDATION_ERROR;
@@ -114,6 +115,8 @@ public static final class SerializedNames {
         static final String HANDLE_TASKS_WITH_NULL_TASKAFFINITY = "handle_null_taskaffinity";
         static final String AUTHORIZATION_IN_CURRENT_TASK = "authorization_in_current_task";
         static final String WEBAUTHN_CAPABLE = "webauthn_capable";
+        static final String WEBAUTHN_VERSION = "webauthn_version";
+
     }
 
     @SerializedName(CLIENT_ID)
@@ -187,6 +190,10 @@ public static final class SerializedNames {
     @SerializedName(WEBAUTHN_CAPABLE)
     private Boolean webauthnCapable;
 
+
+    @SerializedName(WEBAUTHN_VERSION)
+    private String webauthnVersion;
+
     transient private OAuth2TokenCache mOAuth2TokenCache;
 
     transient private Context mAppContext;
@@ -430,6 +437,10 @@ public Boolean isWebauthnCapable() {
         return Boolean.TRUE.equals(webauthnCapable);
     }
 
+    public String getWebauthnVersion() {
+        return webauthnVersion;
+    }
+
     public Authority getDefaultAuthority() {
         if (mAuthorities != null) {
             if (mAuthorities.size() > 1) {
@@ -515,6 +526,8 @@ public void mergeConfiguration(PublicClientApplicationConfiguration config) {
         this.handleNullTaskAffinity = config.handleNullTaskAffinity == null ? this.handleNullTaskAffinity : config.handleNullTaskAffinity;
         this.isAuthorizationInCurrentTask = config.isAuthorizationInCurrentTask == null ? this.isAuthorizationInCurrentTask : config.isAuthorizationInCurrentTask;
         this.webauthnCapable = config.webauthnCapable == null ? this.webauthnCapable : config.webauthnCapable;
+        this.webauthnVersion = config.webauthnVersion == null ? this.webauthnVersion : config.webauthnVersion;
+
     }
 
     public void validateConfiguration() {

msal/src/main/java/com/microsoft/identity/client/PublicClientApplicationConfiguration.java

@@ -25,6 +25,7 @@
 import android.content.Context;
 import android.content.pm.PackageInfo;
 import android.content.pm.PackageManager;
+import android.os.Build;
 
 import com.microsoft.identity.client.AcquireTokenParameters;
 import com.microsoft.identity.client.AcquireTokenSilentParameters;
@@ -33,6 +34,7 @@
 import com.microsoft.identity.client.ITenantProfile;
 import com.microsoft.identity.client.MultiTenantAccount;
 import com.microsoft.identity.common.internal.platform.AndroidPlatformUtil;
+import com.microsoft.identity.common.java.constants.FidoConstants;
 import com.microsoft.identity.common.java.logging.DiagnosticContext;
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.JITChallengeAuthMethodCommandParameters;
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.JITContinueCommandParameters;
@@ -86,6 +88,7 @@
 
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
@@ -204,6 +207,7 @@ public static InteractiveTokenCommandParameters createInteractiveTokenCommandPar
                 .powerOptCheckEnabled(configuration.isPowerOptCheckForEnabled())
                 .correlationId(parameters.getCorrelationId())
                 .preferredAuthMethod(parameters.getPreferredAuthMethod())
+                .requestHeaders(addPasskeyHeader(parameters.getExtraQueryStringParameters(), configuration))
                 .build();
     }
 
@@ -1371,4 +1375,81 @@ public static List<Map.Entry<String, String>> appendToExtraQueryParametersIfWebA
         ArrayList<Map.Entry<String, String>> result = queryStringParameters != null ? new ArrayList<>(queryStringParameters) : new ArrayList<>();
         return AndroidPlatformUtil.updateWithOrDeleteWebAuthnParam(result, configuration.isWebauthnCapable());
     }
+
+
+    /**
+     * Adds passkey protocol headers if WebAuthn is enabled and supported (Android 9+, version 1.1).
+     *
+     * @param queryStringParameters Query parameters from the authentication request.
+     * @param configuration Application configuration with WebAuthn settings.
+     * @return HashMap with passkey headers if conditions are met, otherwise empty.
+     */
+    @NonNull
+    private static HashMap<String, String> addPasskeyHeader(
+            @Nullable final List<Map.Entry<String, String>> queryStringParameters,
+            @NonNull final PublicClientApplicationConfiguration configuration) {
+
+        final String methodTag = TAG + ":addPasskeyHeader";
+        final HashMap<String, String> headers = new HashMap<>();
+
+        // Passkey functionality requires Android 9 (Pie) or higher
+        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
+            return headers;
+        }
+
+        // Skip if not using WebView authorization agent
+        if (!AuthorizationAgent.WEBVIEW.equals(configuration.getAuthorizationAgent())) {
+            return headers;
+        }
+
+
+        // Skip if no webauthn query parameter and the configuration isn't webauthn-capable
+        if (!containsValidWebAuth(queryStringParameters) && !configuration.isWebauthnCapable()) {
+            return headers;
+        }
+
+        if (configuration.getWebauthnVersion() == null) {
+            return headers;
+        }
+
+        switch (configuration.getWebauthnVersion()) {
+            case FidoConstants.PASSKEY_PROTOCOL_VERSION_1_0:
+                headers.put(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME, FidoConstants.PASSKEY_PROTOCOL_HEADER_AUTH_ONLY);
+                Logger.verbose(methodTag, "Passkey header added for WebAuthn version 1.0");
+                break;
+            case FidoConstants.PASSKEY_PROTOCOL_VERSION_1_1:
+                headers.put(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME, FidoConstants.PASSKEY_PROTOCOL_HEADER_AUTH_AND_REG);
+                Logger.verbose(methodTag, "Passkey header added for WebAuthn version 1.1");
+                break;
+            default:
+                Logger.verbose(methodTag, "Unsupported WebAuthn version: " + configuration.getWebauthnVersion());
+                break;
+        }
+
+        return headers;
+    }
+
+    /**
+     * Determines whether the given list of query parameters contains a valid WebAuthn entry.
+     *
+     * @param queryParameters the list of query parameters to inspect, may be null.
+     * @return {@code true} if a parameter with both the expected WebAuthn key and value is found; {@code false} otherwise.
+     */
+    private static boolean containsValidWebAuth(
+            @Nullable final List<Map.Entry<String, String>> queryParameters) {
+
+        if (queryParameters == null || queryParameters.isEmpty()) {
+            return false;
+        }
+
+        for (Map.Entry<String, String> entry : queryParameters) {
+            if (FidoConstants.WEBAUTHN_QUERY_PARAMETER_FIELD.equals(entry.getKey())
+                    && FidoConstants.WEBAUTHN_QUERY_PARAMETER_VALUE.equals(entry.getValue())) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+    
 }

msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java

@@ -47,6 +47,7 @@
 import com.microsoft.identity.common.java.nativeauth.commands.parameters.SignInWithContinuationTokenCommandParameters;
 import com.microsoft.identity.common.java.providers.oauth2.OAuth2TokenCache;
 import com.microsoft.identity.common.java.exception.ClientException;
+import com.microsoft.identity.common.java.ui.AuthorizationAgent;
 import com.microsoft.identity.common.java.ui.PreferredAuthMethod;
 import com.microsoft.identity.msal.R;
 import com.microsoft.identity.nativeauth.NativeAuthPublicClientApplicationConfiguration;
@@ -365,6 +366,103 @@ public void testAppendToExtraQueryParametersIfWebAuthnCapable_WebAuthnCapableFal
         Assert.assertEquals(combinedQueryParameters.size(), 1);
     }
 
+
+    @Test
+    @Config(sdk=28)
+    public void testPasskeyHeader_AddedWhenWebAuthnConfigurationEnabled() throws ClientException {
+        InteractiveTokenCommandParameters commandParameters = CommandParametersAdapter
+                .createInteractiveTokenCommandParameters(
+                        getConfiguration(WEBAUTHN_CAPABLE_CONFIG_FILE),
+                        getCache(),
+                        getAcquireTokenParametersWithClaims()
+                );
+        Assert.assertTrue(commandParameters
+                .getRequestHeaders()
+                .containsKey(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME)
+        );
+        Assert.assertEquals(
+                FidoConstants.PASSKEY_PROTOCOL_HEADER_AUTH_AND_REG,
+                commandParameters.getRequestHeaders().get(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME)
+        );
+    }
+
+    @Test
+    @Config(sdk=28)
+    public void testPasskeyHeader_NotAddedWhenAuthorizationAgentIsDefault() throws ClientException {
+        PublicClientApplicationConfiguration mockConfig = Mockito.spy(getConfiguration(WEBAUTHN_CAPABLE_CONFIG_FILE));
+        Mockito.when(mockConfig.getAuthorizationAgent()).thenReturn(AuthorizationAgent.DEFAULT);
+
+        InteractiveTokenCommandParameters commandParameters = CommandParametersAdapter
+                .createInteractiveTokenCommandParameters(
+                        mockConfig,
+                        getCache(),
+                        getAcquireTokenParametersWithClaims()
+                );
+        Assert.assertFalse(commandParameters
+                .getRequestHeaders()
+                .containsKey(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME)
+        );
+    }
+
+    @Test
+    @Config(sdk=28)
+    public void testPasskeyHeader_NotAddedWhenWebAuthnNotCapable() throws ClientException {
+        PublicClientApplicationConfiguration mockConfig = Mockito.spy(getConfiguration(WEBAUTHN_CAPABLE_CONFIG_FILE));
+        Mockito.when(mockConfig.isWebauthnCapable()).thenReturn(false);
+
+        InteractiveTokenCommandParameters commandParameters = CommandParametersAdapter
+                .createInteractiveTokenCommandParameters(
+                        mockConfig,
+                        getCache(),
+                        getAcquireTokenParametersWithClaims()
+                );
+        Assert.assertFalse(commandParameters
+                .getRequestHeaders()
+                .containsKey(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME)
+        );
+    }
+
+    @Test
+    @Config(sdk=28)
+    public void testPasskeyHeader_NotAddedWhenWebAuthnVersionUnsupported() throws ClientException {
+        PublicClientApplicationConfiguration mockConfig = Mockito.spy(getConfiguration(WEBAUTHN_CAPABLE_CONFIG_FILE));
+        Mockito.when(mockConfig.getWebauthnVersion()).thenReturn("3.0");
+
+        InteractiveTokenCommandParameters commandParameters = CommandParametersAdapter
+                .createInteractiveTokenCommandParameters(
+                        mockConfig,
+                        getCache(),
+                        getAcquireTokenParametersWithClaims()
+                );
+        Assert.assertFalse(commandParameters
+                .getRequestHeaders()
+                .containsKey(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME)
+        );
+    }
+
+    @Test
+    @Config(sdk=28)
+    public void testPasskeyHeader_NotAddedWhenWebAuthnVersion1_0() throws ClientException {
+        PublicClientApplicationConfiguration mockConfig = Mockito.spy(getConfiguration(WEBAUTHN_CAPABLE_CONFIG_FILE));
+        Mockito.when(mockConfig.getWebauthnVersion()).thenReturn("1.0");
+
+        InteractiveTokenCommandParameters commandParameters = CommandParametersAdapter
+                .createInteractiveTokenCommandParameters(
+                        mockConfig,
+                        getCache(),
+                        getAcquireTokenParametersWithClaims()
+                );
+        Assert.assertTrue(commandParameters
+                .getRequestHeaders()
+                .containsKey(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME)
+        );
+        Assert.assertEquals(
+                FidoConstants.PASSKEY_PROTOCOL_HEADER_AUTH_ONLY,
+                commandParameters.getRequestHeaders().get(FidoConstants.PASSKEY_PROTOCOL_HEADER_NAME)
+        );
+    }
+
+
     @Test
     public void testCreateSignInStartCommandParameters_CommandParamsContainsExpectedParams() throws ClientException {
         List<String> challengeTypes = new ArrayList<>(Collections.singletonList("OOB"));

msal/src/test/java/com/microsoft/identity/client/CommandParametersTest.java

@@ -1,11 +1,12 @@
 {
   "client_id" : "4b0db8c2-9f26-4417-8bde-3f0e3656f8e0",
-  "authorization_user_agent" : "DEFAULT",
+  "authorization_user_agent" : "WEBVIEW",
   "redirect_uri" : "msauth://com.microsoft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D",
   "multiple_clouds_supported":true,
   "broker_redirect_uri_registered": true,
   "account_mode": "MULTIPLE",
   "webauthn_capable": true,
+  "webauthn_version": 1.1,
   "authorities" : [
     {
       "type": "AAD",

msal/src/test/res/raw/webauthn_capable.json

@@ -56,7 +56,9 @@ enum ConfigFile {
         WEBVIEW_WITH_PPE,
 
         WEBVIEW_PPE_MSA,
-        ONEBOX
+        ONEBOX,
+
+        WEBVIEW_MSA_PASSKEY_REG
     }
 
     public static int getResourceIdFromConfigFile(ConfigFile configFile) {
@@ -124,6 +126,10 @@ public static int getResourceIdFromConfigFile(ConfigFile configFile) {
 
             case ONEBOX:
                 return R.raw.msal_config_onebox;
+
+            case WEBVIEW_MSA_PASSKEY_REG:
+                return R.raw.msal_config_webview_msa_passkey_reg;
+
         }
 
         return R.raw.msal_config_default;

testapps/testapp/src/main/java/com/microsoft/identity/client/testapp/Constants.java

@@ -26,8 +26,11 @@
 import com.microsoft.identity.client.exception.MsalServiceException;
 import com.microsoft.identity.client.exception.MsalUiRequiredException;
 import com.microsoft.identity.common.internal.ui.browser.AndroidBrowserSelector;
+import com.microsoft.identity.common.java.authorities.Environment;
 import com.microsoft.identity.common.java.browser.Browser;
+import com.microsoft.identity.common.java.constants.FidoConstants;
 import com.microsoft.identity.common.java.exception.BaseException;
+import com.microsoft.identity.common.java.ui.AuthorizationAgent;
 import com.microsoft.identity.common.java.ui.PreferredAuthMethod;
 import com.microsoft.identity.common.java.util.StringUtil;
 
@@ -167,6 +170,18 @@ private AcquireTokenParameters.Builder getAcquireTokenParametersBuilder(@NonNull
         if (requestOptions.isAllowSignInFromOtherDevice()) {
             extraQP.add(new AbstractMap.SimpleEntry<>("is_remote_login_allowed", Boolean.toString(true)));
         }
+
+        // Add "msaoauth2=true" to test WebAuthN on WebView PPE
+        final String webauthnVersion = getApp().getConfiguration().getWebauthnVersion();
+        final Environment environment = getApp().getConfiguration().getEnvironment();
+        final AuthorizationAgent authorizationAgent = getApp().getConfiguration().getAuthorizationAgent();
+        if (getApp().getConfiguration().isWebauthnCapable()
+                && FidoConstants.PASSKEY_PROTOCOL_VERSION_1_1.equals(webauthnVersion)
+                && Environment.PreProduction.equals(environment)
+                && AuthorizationAgent.WEBVIEW.equals(authorizationAgent)) {
+            extraQP.add(new AbstractMap.SimpleEntry<>("msaoauth2", Boolean.toString(true)));
+        }
+
         builder.withAuthorizationQueryStringParameters(extraQP);
 
         if (!StringUtil.isNullOrEmpty(requestOptions.getAuthority())) {

testapps/testapp/src/main/java/com/microsoft/identity/client/testapp/MsalWrapper.java

@@ -0,0 +1,15 @@
+{
+  "client_id" : "9668f2bd-6103-4292-9024-84fa2d1b6fb2",
+  "authorization_user_agent" : "WEBVIEW",
+  "redirect_uri" : "msauth://com.msft.identity.client.sample.local/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D",
+  "webauthn_capable" : true,
+  "webauthn_version" : 1.1,
+  "authorities" : [
+    {
+      "type": "AAD",
+      "audience": {
+        "type": "AzureADandPersonalMicrosoftAccount"
+      }
+    }
+  ]
+}