
Expose a JavaScript API in brokered Webviews to facilitate Improved Same Device NumberMatch , Fixes AB#3203956 #2617

Open
wants to merge 13 commits into
base: dev

Contributor

@fadidurah fadidurah commented Apr 2, 2025

SPEC: https://microsoft-my.sharepoint-df.com/:w:/r/personal/siddhijain_microsoft_com/_layouts/15/Doc.aspx?sourcedoc=%7BD1D944D5-2047-40AB-B8F9-98506BF212A3%7D&file=Engineering%20design%20-%20Number%20matching%20on%20same%20device.docx&action=default&mobileredirect=true&share=IQHVRNnRRyCrQLj5mFBr8hKjAbj81fEnpO6X-99laqs2j_M&wdOrigin=TEAMS-MAGLEV.p2p_ns.rwc&wdExp=TEAMS-TREATMENT&wdhostclicktime=1743094076241&web=1

Word Doc: for JavaScript Api: https://microsoft-my.sharepoint-df.com/:w:/p/veenasoman/EY1AZIeT8X5KrXVz97Vx520B3Jj0fBLSPlklnoRvcmbh0Q?e=ZVVUrw&nav=eyJoIjoiMjEzMzE1Mzg5NSJ9

Structure has changed a bit for this. To facilitate future work, we will have a generalized JavaScript API that takes in a json string payload. This is used to parse out a function name, and data field, both of which are used to call a specific function in broker code. This same functionality will be used next month for CA Block improvement work (I don't have a spec to this one yet).

Expected method call in JavaScript is now something like this, we are working on finalizing json schema:
BrokerJS.postToBroker('{function: NUMBER_MATCH,data: {sessionID: id, numberMatch: number}}')

I added some unit tests in the broker PR, but primary validation will be when ests exposes a test slice that calls the JavaScript API. Did some testing in our webview class to call javascript code, and was able to prompt the numberMatch method.

Broker PR: https://github.com/AzureAD/ad-accounts-for-android/pull/3073

AB#3203956

@fadidurah fadidurah requested a review from a team as a code owner April 2, 2025 06:18

github-actions bot commented Apr 2, 2025

✅ Work item link check complete. Description contains link AB#3203956 to an Azure Boards work item.

@github-actions github-actions bot changed the title from "Expose a JavaScript API in brokered Webviews to facilitate Improved Same Device NumberMatch" to "Expose a JavaScript API in brokered Webviews to facilitate Improved Same Device NumberMatch , Fixes AB#3203956" Apr 2, 2025
@fadidurah fadidurah requested a review from a team as a code owner April 15, 2025 22:45
Comment on lines +77 to +88
val parsedJson = JsonUtil.extractJsonObjectIntoMap(jsonPayload)

val correlationID = parsedJson["correlationID"]
Logger.info(methodTag, "Correlation ID during JavaScript Call: [$correlationID]")

// TODO: Leaving these here, as these will be relevant for next WebCP feature
// val actionName = parsedJson["action_name"]
// val actionComponent = parsedJson["action_component"]

val parameters = JsonUtil.extractJsonObjectIntoMap(parsedJson["params"])
val function = parameters["function"]
val data = JsonUtil.extractJsonObjectIntoMap(parameters["data"])
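
Review bot: `parsedJson["params"]` and `parameters["data"]` are passed straight into `JsonUtil.extractJsonObjectIntoMap` with no visible check that the key is present or holds an object, and `function` is read without being compared against a known set of names. The payload arrives from a JavaScript call, so every field should be treated as untrusted: reject the call when `params`, `function` or `data` is missing or of the wrong type, and dispatch only on an explicit allowlist of function names. The `correlationID` written by `Logger.info` is caller-supplied as well; validate its format before logging it.
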
Contributor

@shahzaibj shahzaibj May 16, 2025

Let's define a DTO representing the json schema and then you can just use the kotlinx serialization libraries (or even GSON or Moshi if you prefer that) to deserialize the raw json directly to a custom dto.

For instance:

import kotlinx.serialization.Serializable
import kotlinx.serialization.json.Json

@Serializable
data class AuthUxApiResponse(
    val correlationId: String,
    val actionName: String,
    val actionComponent: String,
    val params: Params, // define this as a DTO as well
)

and then you can deserialize as follows using kotlinx serialization framework

val authUxResponse: AuthUxApiResponse = Json.decodeFromString(jsonString)

and then you can access individual properties as follows:

val numberMatch = authUxResponse.params.data.numberMatch

Contributor Author

Neat! I can adjust to this, this current Json parsing implementation is a bit janky

@@ -211,6 +217,12 @@ void extractState(@NonNull final Bundle state) {
mAuthIntent = state.getParcelable(AUTH_INTENT);
mPkeyAuthStatus = state.getBoolean(PKEYAUTH_STATUS, false);
mAuthorizationRequestUrl = state.getString(REQUEST_URL);
if (mAuthorizationRequestUrl != null) {
isEstsRequest = mAuthorizationRequestUrl.startsWith("https://login.microsoftonline.com");
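
Review bot: `startsWith("https://login.microsoftonline.com")` is a string prefix test, so it also accepts any URL whose host merely begins with that text, for example `https://login.microsoftonline.com.example.net/`. Parse `mAuthorizationRequestUrl` and compare the scheme and the exact host against an allowlist instead; that allowlist is also the place to list any additional trusted hosts explicitly.
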
Contributor

What about sovereign clouds?

@@ -122,6 +125,9 @@ public class WebViewAuthorizationFragment extends AuthorizationFragment {
// This is used by the switch browser protocol to handle the resume of the flow.
private SwitchBrowserProtocolCoordinator mSwitchBrowserProtocolCoordinator = null;

private boolean isBrokerRequest = false;
private boolean isEstsRequest = false;
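
Review bot: the new fields `isBrokerRequest` and `isEstsRequest` drop the `m` prefix used by the neighbouring `mSwitchBrowserProtocolCoordinator` and, unlike that field, carry no comment saying what they gate. Rename them to `mIsBrokerRequest` and `mIsEstsRequest` and add a one-line comment for each; the explicit `= false` is already the default for a `boolean` field and can be dropped.
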
Contributor

TBH, I don't think we make requests anywhere besides eSTS so all of our requests are to eSTS. So not sure what this check is doing

Contributor

Maybe you intend to check for the "current" URL that we are navigating to within the webview? I think that would be ideal but I don't think your code is doing that at the moment

@@ -290,6 +302,9 @@ private void setUpWebView(@NonNull final View view,
mWebView.getSettings().setUserAgentString(
userAgent + AuthenticationConstants.Broker.CLIENT_TLS_NOT_SUPPORTED);
mWebView.getSettings().setJavaScriptEnabled(true);
if (isBrokerRequest && isEstsRequest) {
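
Review bot: the `if (isBrokerRequest && isEstsRequest)` gate in `setUpWebView` is evaluated once at setup, and `isEstsRequest` is derived from `mAuthorizationRequestUrl`, while `setJavaScriptEnabled(true)` on the line above applies to every page the WebView loads afterwards. Whatever this branch enables should be re-checked against the page's current origin at the moment it is used, not only here.
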
Contributor

What happens once the URL changes within the webview? So we go from eSTS to ADFS for federated auth but the isEstsRequest would still say true because it was defined earlier in the flow. This would be a problem
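
An added example, not code from this PR or from the project: one way to combine the points raised in this thread, checking the WebView's current URL by exact host at call time and dispatching only allowlisted function names with typed fields. `TRUSTED_HOSTS`, `isTrustedOrigin`, `handleBridgeCall` and the result types are hypothetical names, the envelope map stands in for the parsed JSON payload, and the current URL is assumed to be available to the handler.

```kotlin
import java.net.URI

// Hypothetical allowlist. The PR names only login.microsoftonline.com; other
// trusted hosts (e.g. sovereign clouds) would be listed here explicitly.
val TRUSTED_HOSTS = setOf("login.microsoftonline.com")

// Exact scheme and host match on the parsed URL, never a string prefix.
fun isTrustedOrigin(url: String?): Boolean {
    if (url == null) return false
    val uri = try { URI(url) } catch (e: Exception) { return false }
    val host = uri.host?.lowercase() ?: return false
    return "https".equals(uri.scheme, ignoreCase = true) &&
        uri.userInfo == null && host in TRUSTED_HOSTS
}

sealed class BridgeResult
data class NumberMatch(val sessionId: String, val number: Int) : BridgeResult()
data class Rejected(val reason: String) : BridgeResult()

// `envelope` stands in for the map parsed from the JSON payload; `currentUrl`
// is the URL the WebView is showing when the call arrives (assumed available).
fun handleBridgeCall(currentUrl: String?, envelope: Map<String, Any?>): BridgeResult {
    if (!isTrustedOrigin(currentUrl)) return Rejected("untrusted origin")
    val params = envelope["params"] as? Map<*, *> ?: return Rejected("params missing")
    val data = params["data"] as? Map<*, *> ?: return Rejected("data missing")
    return when (params["function"]) { // allowlist: unknown names are refused
        "NUMBER_MATCH" -> {
            val sessionId = data["sessionID"] as? String
            val number = data["numberMatch"] as? Int
            if (sessionId.isNullOrBlank() || number == null || number < 0)
                Rejected("bad NUMBER_MATCH data")
            else NumberMatch(sessionId, number)
        }
        else -> Rejected("unknown function")
    }
}

fun main() {
    // Constructed sample payload and URLs, not captured traffic.
    val call = mapOf("correlationID" to "c-1", "params" to mapOf(
        "function" to "NUMBER_MATCH",
        "data" to mapOf("sessionID" to "s-1", "numberMatch" to 42)))
    println(handleBridgeCall("https://login.microsoftonline.com/common/oauth2", call))
    println(handleBridgeCall("https://login.microsoftonline.com.example.net/", call))
    println(handleBridgeCall("https://adfs.example.net/adfs/ls", call))
    println(handleBridgeCall("https://login.microsoftonline.com/", mapOf("params" to "x")))
}
```

Only the first call in `main` is accepted; the look-alike host, the federated host and the malformed envelope are each rejected with a distinct reason.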
