user form_post response mode

Author: ashok672

src/client/Microsoft.Identity.Client/OAuth2/OAuthConstants.cs

@@ -9,6 +9,7 @@ namespace Microsoft.Identity.Client.OAuth2
     internal static class OAuth2Parameter
     {
         public const string ResponseType = "response_type";
+        public const string ResponseMode = "response_mode";
         public const string GrantType = "grant_type";
         public const string ClientId = "client_id";
         public const string ClientSecret = "client_secret";

src/client/Microsoft.Identity.Client/Platforms/Features/DefaultOSBrowser/DefaultOsBrowserWebUi.cs

@@ -11,9 +11,11 @@
 using System.Threading.Tasks;
 using Microsoft.Identity.Client.Core;
 using Microsoft.Identity.Client.Internal;
+using Microsoft.Identity.Client.OAuth2;
 using Microsoft.Identity.Client.Platforms.Shared.DefaultOSBrowser;
 using Microsoft.Identity.Client.PlatformsCommon.Interfaces;
 using Microsoft.Identity.Client.UI;
+using Microsoft.Identity.Client.Utils;
 
 namespace Microsoft.Identity.Client.Platforms.Shared.Desktop.OsBrowser
 {
@@ -61,24 +63,43 @@ public async Task<AuthorizationResult> AcquireAuthorizationAsync(
         {
             try
             {
-                var authCodeUri = await InterceptAuthorizationUriAsync(
+                // Add response_mode=form_post for security (prevents auth code from appearing in browser history/logs)
+                var authUriBuilder = new UriBuilder(authorizationUri);
+                authUriBuilder.AppendOrReplaceQueryParameter(OAuth2Parameter.ResponseMode, "form_post");
+                authorizationUri = authUriBuilder.Uri;
+
+                _logger.Info(() => $"[DefaultOsBrowser] Authorization URI with form_post: {authorizationUri.AbsoluteUri}");
+                _logger.Verbose(() => $"[DefaultOsBrowser] Query string contains response_mode: {authorizationUri.Query.Contains("response_mode=form_post")}");
+
+                var authResponse = await InterceptAuthorizationUriAsync(
                     authorizationUri,
                     redirectUri,
                     requestContext.ServiceBundle.Config.IsBrokerEnabled,
                     cancellationToken)
                     .ConfigureAwait(true);
 
-                if (!authCodeUri.Authority.Equals(redirectUri.Authority, StringComparison.OrdinalIgnoreCase) ||
-                   !authCodeUri.AbsolutePath.Equals(redirectUri.AbsolutePath))
+                if (!authResponse.RequestUri.Authority.Equals(redirectUri.Authority, StringComparison.OrdinalIgnoreCase) ||
+                   !authResponse.RequestUri.AbsolutePath.Equals(redirectUri.AbsolutePath))
                 {
                     throw new MsalClientException(
                         MsalError.LoopbackResponseUriMismatch,
                         MsalErrorMessage.RedirectUriMismatch(
-                            authCodeUri.AbsolutePath,
+                            authResponse.RequestUri.AbsolutePath,
                             redirectUri.AbsolutePath));
                 }
 
-                return AuthorizationResult.FromUri(authCodeUri.OriginalString);
+                // Use FromPostData for form_post responses (more secure - never constructs URI with auth code)
+                // Use FromUri for legacy GET responses (query string)
+                if (authResponse.IsFormPost)
+                {
+                    _logger.Info(() => "[DefaultOsBrowser] Processing form_post response securely from POST data");
+                    return AuthorizationResult.FromPostData(authResponse.PostData);
+                }
+                else
+                {
+                    _logger.Info(() => "[DefaultOsBrowser] Processing legacy GET response from query string");
+                    return AuthorizationResult.FromUri(authResponse.RequestUri.OriginalString);
+                }
             }
             catch (System.Net.HttpListenerException) // sometimes this exception sneaks out (see issue 1773)
             {
@@ -127,7 +148,7 @@ private static Uri FindFreeLocalhostRedirectUri(Uri redirectUri)
             }
         }
 
-        private async Task<Uri> InterceptAuthorizationUriAsync(
+        private async Task<AuthorizationResponse> InterceptAuthorizationUriAsync(
             Uri authorizationUri,
             Uri redirectUri,
             bool isBrokerConfigured,
@@ -148,10 +169,21 @@ private async Task<Uri> InterceptAuthorizationUriAsync(
             .ConfigureAwait(false);
         }
 
-        internal /* internal for testing only */ MessageAndHttpCode GetResponseMessage(Uri authCodeUri)
+        internal /* internal for testing only */ MessageAndHttpCode GetResponseMessage(AuthorizationResponse authResponse)
         {
-            // Parse the uri to understand if an error was returned. This is done just to show the user a nice error message in the browser.
-            var authorizationResult = AuthorizationResult.FromUri(authCodeUri.OriginalString);
+            // Parse the response to understand if an error was returned. This is done just to show the user a nice error message in the browser.
+            AuthorizationResult authorizationResult;
+            
+            if (authResponse.IsFormPost)
+            {
+                // For form_post, parse from POST data
+                authorizationResult = AuthorizationResult.FromPostData(authResponse.PostData);
+            }
+            else
+            {
+                // For GET/query string responses, parse from URI
+                authorizationResult = AuthorizationResult.FromUri(authResponse.RequestUri.OriginalString);
+            }
 
             if (!string.IsNullOrEmpty(authorizationResult.Error))
             {

src/client/Microsoft.Identity.Client/Platforms/Features/DefaultOSBrowser/HttpListenerInterceptor.cs

@@ -25,10 +25,10 @@ public HttpListenerInterceptor(ILoggerAdapter logger)
             _logger = logger;
         }
 
-        public async Task<Uri> ListenToSingleRequestAndRespondAsync(
+        public async Task<AuthorizationResponse> ListenToSingleRequestAndRespondAsync(
             int port,
             string path,
-            Func<Uri, MessageAndHttpCode> responseProducer,
+            Func<AuthorizationResponse, MessageAndHttpCode> responseProducer,
             CancellationToken cancellationToken)
         {
             TestBeforeTopLevelCall?.Invoke();
@@ -74,11 +74,14 @@ public async Task<Uri> ListenToSingleRequestAndRespondAsync(
 
                     cancellationToken.ThrowIfCancellationRequested();
 
-                    Respond(responseProducer, context);
+                    // Get the authorization response - either from query string (GET) or POST body (form_post)
+                    AuthorizationResponse authResponse = await GetAuthorizationResponseAsync(context).ConfigureAwait(false);
+
+                    Respond(responseProducer, context, authResponse);
                     _logger.Verbose(()=>"HttpListner received a message on " + urlToListenTo);
 
-                    // the request URL should now contain the auth code and pkce
-                    return context.Request.Url;
+                    // Return the authorization response
+                    return authResponse;
                 }
             }
             // If cancellation is requested before GetContextAsync is called, then either 
@@ -107,6 +110,39 @@ public async Task<Uri> ListenToSingleRequestAndRespondAsync(
             }
         }
 
+        private async Task<AuthorizationResponse> GetAuthorizationResponseAsync(HttpListenerContext context)
+        {
+            _logger.Info(() => $"[HttpListener] Received {context.Request.HttpMethod} request. HasEntityBody: {context.Request.HasEntityBody}");
+            _logger.Verbose(() => $"[HttpListener] Request URL: {context.Request.Url}");
+            
+            // With response_mode=form_post, we MUST receive a POST request for security
+            if (context.Request.HttpMethod == "POST" && context.Request.HasEntityBody)
+            {
+                _logger.Info(() => "[HttpListener] Processing POST request with entity body (form_post response)");
+                
+                using (var memoryStream = new System.IO.MemoryStream())
+                {
+                    await context.Request.InputStream.CopyToAsync(memoryStream).ConfigureAwait(false);
+                    byte[] postData = memoryStream.ToArray();
+                    
+                    _logger.Info(() => $"[HttpListener] Received POST data with {postData.Length} bytes");
+                    _logger.Verbose(() => "[HttpListener] Successfully processed POST data - keeping it secure (not reconstructing as URI)");
+                    
+                    return new AuthorizationResponse(context.Request.Url, postData);
+                }
+            }
+            
+            // Security: We requested form_post, so receiving GET with query params is a security violation
+            _logger.Error($"[HttpListener] Security violation: Expected POST request with form_post, but received {context.Request.HttpMethod}. " +
+                         "The authorization server did not honor response_mode=form_post, which exposes the authorization code in the URL.");
+            
+            throw new MsalClientException(
+                MsalError.AuthenticationFailed,
+                $"Expected POST request for form_post response mode, but received {context.Request.HttpMethod}. " +
+                "This is a security issue as the authorization code would be exposed in browser history and logs. " +
+                "Ensure the authorization server supports response_mode=form_post and the redirect URI is registered as a 'Web' platform.");
+        }
+
         private static void TryStopListening(HttpListener httpListener)
         {
             try
@@ -118,9 +154,9 @@ private static void TryStopListening(HttpListener httpListener)
             }
         }
 
-        private void Respond(Func<Uri, MessageAndHttpCode> responseProducer, HttpListenerContext context)
+        private void Respond(Func<AuthorizationResponse, MessageAndHttpCode> responseProducer, HttpListenerContext context, AuthorizationResponse authResponse)
         {
-            MessageAndHttpCode messageAndCode = responseProducer(context.Request.Url);
+            MessageAndHttpCode messageAndCode = responseProducer(authResponse);
             _logger.Info(() => "Processing a response message to the browser. HttpStatus:" + messageAndCode.HttpCode);
 
             switch (messageAndCode.HttpCode)

src/client/Microsoft.Identity.Client/Platforms/Features/DefaultOSBrowser/IUriInterceptor.cs

@@ -7,26 +7,43 @@
 
 namespace Microsoft.Identity.Client.Platforms.Shared.Desktop.OsBrowser
 {
+    /// <summary>
+    /// Result from intercepting an authorization response
+    /// </summary>
+    internal class AuthorizationResponse
+    {
+        public AuthorizationResponse(Uri requestUri, byte[] postData)
+        {
+            RequestUri = requestUri;
+            PostData = postData;
+        }
+
+        public Uri RequestUri { get; set; }
+        public byte[] PostData { get; set; }
+        public bool IsFormPost => PostData != null && PostData.Length > 0;
+    }
+
     /// <summary>
     /// An abstraction over objects that are able to listen to localhost url (e.g. http://localhost:1234)
-    /// and to retrieve the whole url, including query params (e.g. http://localhost:1234?code=auth_code_from_aad)
+    /// and to retrieve the authorization response via GET (query params) or POST (form data)
     /// </summary>
     internal interface IUriInterceptor
     {
         /// <summary>
-        /// Listens to http://localhost:{port} and retrieve the entire url, including query params. Then
-        /// push back a response such as a display message or a redirect.
+        /// Listens to http://localhost:{port} and retrieve the authorization response.
+        /// For GET requests, the response is in query params. For POST (form_post), the response is in the body.
+        /// Then push back a response such as a display message or a redirect.
         /// </summary>
         /// <remarks>Cancellation is very important as this is typically a long running unmonitored operation</remarks>
         /// <param name="port">the port to listen to</param>
         /// <param name="path">the path to listen in</param>
         /// <param name="responseProducer">The message to be displayed, or url to be redirected to will be created by this callback</param>
         /// <param name="cancellationToken">Cancellation token</param>
-        /// <returns>Full redirect uri</returns>
-        Task<Uri> ListenToSingleRequestAndRespondAsync(
+        /// <returns>Authorization response containing either URI with query params or POST data</returns>
+        Task<AuthorizationResponse> ListenToSingleRequestAndRespondAsync(
             int port,
             string path,
-            Func<Uri, MessageAndHttpCode> responseProducer,
+            Func<AuthorizationResponse, MessageAndHttpCode> responseProducer,
             CancellationToken cancellationToken);
     }
 }

tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/SeleniumWebUI.cs

@@ -113,7 +113,7 @@ private async Task<Uri> SeleniumAcquireAuthAsync(
                     innerSource.Token, 
                     externalCancellationToken);
 
-                Task<Uri> listenForAuthCodeTask = listener.ListenToSingleRequestAndRespondAsync(
+                Task<AuthorizationResponse> listenForAuthCodeTask = listener.ListenToSingleRequestAndRespondAsync(
                     redirectUri.Port,
                     redirectUri.AbsolutePath,
                     (uri) =>

tests/Microsoft.Identity.Test.Unit/WebUITests/DefaultOsBrowserWebUiTests.cs

@@ -23,17 +23,17 @@ namespace Microsoft.Identity.Test.Unit.WebUITests
 {
     internal class TestTcpInterceptor : IUriInterceptor
     {
-        private readonly Uri _expectedUri;
+        private readonly AuthorizationResponse _expectedResponse;
         public Func<Uri, string> ResponseProducer { get; }
 
-        public TestTcpInterceptor(Uri expectedUri)
+        public TestTcpInterceptor(Uri expectedUri, byte[] postData = null)
         {
-            _expectedUri = expectedUri;
+            _expectedResponse = new AuthorizationResponse(expectedUri, postData);
         }
 
-        public Task<Uri> ListenToSingleRequestAndRespondAsync(int port, string path, Func<Uri, MessageAndHttpCode> responseProducer, CancellationToken cancellationToken)
+        public Task<AuthorizationResponse> ListenToSingleRequestAndRespondAsync(int port, string path, Func<AuthorizationResponse, MessageAndHttpCode> responseProducer, CancellationToken cancellationToken)
         {
-            return Task.FromResult(_expectedUri);
+            return Task.FromResult(_expectedResponse);
         }
     }
 
@@ -65,15 +65,28 @@ private DefaultOsBrowserWebUi CreateTestWebUI(SystemWebViewOptions options = nul
         }
 
         [TestMethod]
-        public async Task DefaultOsBrowserWebUi_HappyPath_Async()
+        public async Task DefaultOsBrowserWebUi_FormPost_HappyPath_Async()
         {
+            // Test with form_post (POST data)
+            var postData = System.Text.Encoding.UTF8.GetBytes(
+                "code=auth_code&state=901e7d87-6f49-4f9f-9fa7-e6b8c32d5b9595bc1797-dacc-4ff1-b9e9-0df81be286c7&session_state=test");
+            
             var webUI = CreateTestWebUI();
-            AuthorizationResult authorizationResult = await AcquireAuthCodeAsync(webUI)
+            AuthorizationResult authorizationResult = await AcquireAuthCodeAsync(
+                webUI, 
+                postData: postData)
                .ConfigureAwait(false);
 
             // Assert
             Assert.AreEqual(AuthorizationStatus.Success, authorizationResult.Status);
             Assert.IsFalse(string.IsNullOrEmpty(authorizationResult.Code));
+            Assert.AreEqual("auth_code", authorizationResult.Code);
+
+            // Verify that response_mode=form_post was added to the authorization URI
+            await _platformProxy.Received(1).StartDefaultOsBrowserAsync(
+                Arg.Is<string>(s => s.Contains("response_mode=form_post")), 
+                Arg.Any<bool>())
+                .ConfigureAwait(false);
 
             await _tcpInterceptor.Received(1).ListenToSingleRequestAndRespondAsync(
                 TestPort, "/", Arg.Any<Func<Uri, MessageAndHttpCode>>(), CancellationToken.None).ConfigureAwait(false);
@@ -124,13 +137,14 @@ public async Task DefaultOsBrowserWebUi_CustomBrowser_Async()
             var webUI = CreateTestWebUI(options);
             var requestContext = new RequestContext(TestCommon.CreateDefaultServiceBundle(), Guid.NewGuid(), null);
             var responseUri = new Uri(TestAuthorizationResponseUri);
+            var authResponse = new AuthorizationResponse(responseUri, null);
 
             _tcpInterceptor.ListenToSingleRequestAndRespondAsync(
                 TestPort,
                 "/",
                 Arg.Any<Func<Uri, MessageAndHttpCode>>(),
                 CancellationToken.None)
-               .Returns(Task.FromResult(responseUri));
+               .Returns(Task.FromResult(authResponse));
 
             // Act
             AuthorizationResult authorizationResult = await webUI.AcquireAuthorizationAsync(
@@ -165,7 +179,8 @@ private async Task<AuthorizationResult> AcquireAuthCodeAsync(
             IWebUI webUI,
             string redirectUri = TestRedirectUri,
             string requestUri = TestAuthorizationRequestUri,
-            string responseUriString = TestAuthorizationResponseUri)
+            string responseUriString = TestAuthorizationResponseUri,
+            byte[] postData = null)
         {
             // Arrange
             var requestContext = new RequestContext(TestCommon.CreateDefaultServiceBundle(), Guid.NewGuid(), null);
@@ -176,7 +191,7 @@ private async Task<AuthorizationResult> AcquireAuthCodeAsync(
                 "/",
                 Arg.Any<Func<Uri, MessageAndHttpCode>>(),
                 CancellationToken.None)
-               .Returns(Task.FromResult(responseUri));
+               .Returns(Task.FromResult(new AuthorizationResponse(responseUri, postData)));
 
             // Act
             AuthorizationResult authorizationResult = await webUI.AcquireAuthorizationAsync(
@@ -186,7 +201,9 @@ private async Task<AuthorizationResult> AcquireAuthCodeAsync(
                 CancellationToken.None).ConfigureAwait(false);
 
             // Assert that we opened the browser
-            await _platformProxy.Received(1).StartDefaultOsBrowserAsync(requestUri, requestContext.ServiceBundle.Config.IsBrokerEnabled)
+            await _platformProxy.Received(1).StartDefaultOsBrowserAsync(
+                Arg.Is<string>(s => s.Contains(requestUri) && s.Contains("response_mode=form_post")), 
+                requestContext.ServiceBundle.Config.IsBrokerEnabled)
                 .ConfigureAwait(false);
 
             return authorizationResult;
@@ -298,7 +315,7 @@ private void ValidateResponse(SystemWebViewOptions options, bool successResponse
                 new Uri(TestErrorAuthorizationResponseUri);
 
             // Act
-            MessageAndHttpCode messageAndCode = webUi.GetResponseMessage(successAuthCodeUri);
+            MessageAndHttpCode messageAndCode = webUi.GetResponseMessage(new AuthorizationResponse(successAuthCodeUri, null));
 
             // Assert
             if (expectedMessage != null)