Update DefaultOsBrowserWebUi.cs

ashok672 · ashok672 · commit a172dd0827fa · 2025-12-22T01:29:19.000-08:00
diff --git a/src/client/Microsoft.Identity.Client/Platforms/Features/DefaultOSBrowser/DefaultOsBrowserWebUi.cs b/src/client/Microsoft.Identity.Client/Platforms/Features/DefaultOSBrowser/DefaultOsBrowserWebUi.cs
@@ -63,7 +63,6 @@ public async Task<AuthorizationResult> AcquireAuthorizationAsync(
         {
             try
             {
-                // Add response_mode=form_post for security (prevents auth code from appearing in browser history/logs)
                 var authUriBuilder = new UriBuilder(authorizationUri);
                 authUriBuilder.AppendOrReplaceQueryParameter(OAuth2Parameter.ResponseMode, "form_post");
                 authorizationUri = authUriBuilder.Uri;
@@ -87,18 +86,16 @@ public async Task<AuthorizationResult> AcquireAuthorizationAsync(
                             authResponse.RequestUri.AbsolutePath,
                             redirectUri.AbsolutePath));
                 }
-
-                // Use FromPostData for form_post responses (more secure - never constructs URI with auth code)
-                // Use FromUri for legacy GET responses (query string)
                 if (authResponse.IsFormPost)
                 {
                     _logger.Info(() => "[DefaultOsBrowser] Processing form_post response securely from POST data");
                     return AuthorizationResult.FromPostData(authResponse.PostData);
                 }
                 else
                 {
-                    _logger.Info(() => "[DefaultOsBrowser] Processing legacy GET response from query string");
-                    return AuthorizationResult.FromUri(authResponse.RequestUri.OriginalString);
+                    throw new MsalClientException(
+                        MsalError.AuthenticationFailed,
+                        "The authorization server did not honor response_mode=form_post");
                 }
             }
             catch (System.Net.HttpListenerException) // sometimes this exception sneaks out (see issue 1773)

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,6 @@ public async Task<AuthorizationResult> AcquireAuthorizationAsync(`
`63`	`63`	`{`
`64`	`64`	`try`
`65`	`65`	`{`
`66`		`- // Add response_mode=form_post for security (prevents auth code from appearing in browser history/logs)`
`67`	`66`	`var authUriBuilder = new UriBuilder(authorizationUri);`
`68`	`67`	`authUriBuilder.AppendOrReplaceQueryParameter(OAuth2Parameter.ResponseMode, "form_post");`
`69`	`68`	`authorizationUri = authUriBuilder.Uri;`
`@@ -87,18 +86,16 @@ public async Task<AuthorizationResult> AcquireAuthorizationAsync(`
`87`	`86`	`authResponse.RequestUri.AbsolutePath,`
`88`	`87`	`redirectUri.AbsolutePath));`
`89`	`88`	`}`
`90`		`-`
`91`		`- // Use FromPostData for form_post responses (more secure - never constructs URI with auth code)`
`92`		`- // Use FromUri for legacy GET responses (query string)`
`93`	`89`	`if (authResponse.IsFormPost)`
`94`	`90`	`{`
`95`	`91`	`_logger.Info(() => "[DefaultOsBrowser] Processing form_post response securely from POST data");`
`96`	`92`	`return AuthorizationResult.FromPostData(authResponse.PostData);`
`97`	`93`	`}`
`98`	`94`	`else`
`99`	`95`	`{`
`100`		`- _logger.Info(() => "[DefaultOsBrowser] Processing legacy GET response from query string");`
`101`		`- return AuthorizationResult.FromUri(authResponse.RequestUri.OriginalString);`
	`96`	`+ throw new MsalClientException(`
	`97`	`+ MsalError.AuthenticationFailed,`
	`98`	`+ "The authorization server did not honor response_mode=form_post");`
`102`	`99`	`}`
`103`	`100`	`}`
`104`	`101`	`catch (System.Net.HttpListenerException) // sometimes this exception sneaks out (see issue 1773)`