Remove "multiple apps listening" check from PublicClientApplicationConfiguration

[Copilot]

The custom tab redirect activity validation (validateCustomTabRedirectActivity) was running at PCA init time, causing false-positive failures in broker scenarios because the default authorization_user_agent is DEFAULT, triggering the check even when the actual auth flow uses WEBVIEW. This check has been relocated to AuthorizationActivityFactory in the Common module, where it only fires when browser-based auth is actually used.

Changes

• PublicClientApplicationConfiguration.java:

  • Remove validateCustomTabRedirectActivity() private static method
  • Remove the DEFAULT/BROWSER authorization agent check block from checkIntentFilterAddedToAppManifestForBrokerFlow() (the block that called the above and threw APP_MANIFEST_VALIDATION_ERROR)
  • Broker redirect URI validation (mUseBroker check, isBrokerRedirectUri, verifyRedirectUriWithAppSignature) is unchanged
  • Remove now-unused imports: Intent, ActivityInfo, ResolveInfo, APP_MANIFEST_VALIDATION_ERROR

• ShadowPublicClientApplicationConfiguration.java: Deleted — its only purpose was to stub validateCustomTabRedirectActivity in tests

• 10 test files: Removed ShadowPublicClientApplicationConfiguration from @Config(shadows = ...) and import statements

MsalClientException.MULTIPLE_APPS_LISTENING_CUSTOM_URL_SCHEME is not removed — it is still surfaced when the Common-layer ClientException is wrapped at the MSAL boundary.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• dl.google.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)
• www.puppycrawl.com
  • Triggering command: /opt/hostedtoolcache/CodeQL/2.25.1/x64/codeql/tools/linux64/java/bin/java /opt/hostedtoolcache/CodeQL/2.25.1/x64/codeql/tools/linux64/java/bin/java -jar /opt/hostedtoolcache/CodeQL/2.25.1/x64/codeql/xml/tools/xml-extractor.jar --fileList=/tmp/codeql-scratch-38ad52fff39af1e6/dbs/java/working/files-to-index5690327582133304986.list --sourceArchiveDir=/tmp/codeql-scratch-38ad52fff39af1e6/dbs/java/src --outputDir=/tmp/codeql-scratch-38ad52fff39af1e6/dbs/java/trap/java (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Fixes AB#3568778

Remove "multiple apps listening" check from PublicClientApplicationConfiguration

Objective

Remove the validateCustomTabRedirectActivity() method and its invocation from PublicClientApplicationConfiguration.java in MSAL, since this validation has been moved to the Common module's AuthorizationActivityFactory. Update the related test shadow accordingly.

Follow .github/copilot-instructions.md strictly.

Context

The "multiple apps listening on custom URL scheme" check was previously in PublicClientApplicationConfiguration.checkIntentFilterAddedToAppManifestForBrokerFlow(), running at PCA initialization time. This caused false-positive failures for broker scenarios because the config's default authorization_user_agent is DEFAULT, which triggered the check even when the actual auth flow uses WEBVIEW. The check has been relocated to AuthorizationActivityFactory in the Common module, so it now only fires when browser-based authorization is actually used. This PBI cleans up the old code in MSAL.

Technical Requirements

1. Modify PublicClientApplicationConfiguration.java (msal/src/main/java/com/microsoft/identity/client/PublicClientApplicationConfiguration.java):

   • Remove the validateCustomTabRedirectActivity() private static method (around line 652). This method uses PackageManager to query intent activities and throws MsalClientException with MULTIPLE_APPS_LISTENING_CUSTOM_URL_SCHEME when another app is found listening on the same URL scheme.
   • In the checkIntentFilterAddedToAppManifestForBrokerFlow() method (around line 706), remove the entire block that checks getAuthorizationAgent() == AuthorizationAgent.DEFAULT || getAuthorizationAgent() == AuthorizationAgent.BROWSER and calls validateCustomTabRedirectActivity(). This includes removing the block that throws APP_MANIFEST_VALIDATION_ERROR when hasCustomTabRedirectActivity is false.
   • Keep the rest of checkIntentFilterAddedToAppManifestForBrokerFlow() intact the broker redirect URI validation (mUseBroker check, isBrokerRedirectUri check, verifyRedirectUriWithAppSignature) must remain unchanged.
   • Remove any imports that become unused after the method removal (e.g., PackageManager, ResolveInfo, ActivityInfo, List if no longer used, APP_MANIFEST_VALIDATION_ERROR static import if no longer used).

2. Update ShadowPublicClientApplicationConfiguration.java (msal/src/test/java/com/microsoft/identity/client/e2e/shadows/ShadowPublicClientApplicationConfiguration.java):

   • Remove the shadow implementation for validateCustomTabRedirectActivity since the method no longer exists in the real class.
   • If the shadow class has no other shadowed methods after removal, remove the class entirely and update any @Config(shadows = ...) annotations referencing it in test classes.

3. Update tests:

   • Search for any tests that assert MULTIPLE_APPS_LISTENING_CUSTOM_URL_SCHEME is thrown from the configuration class and remove/update them.
   • Existing tests for the remaining broker redirect URI validation logic in checkIntentFilterAddedToAppManifestForBrokerFlow() should continue to pass unchanged.

4. Important: The MULTIPLE_APPS_LISTENING_CUSTOM_URL_SCHEME constant in MsalClientException.java should remain do NOT remove it. MSAL callers will still receive this error code when the Common-layer ClientException is wrapped into MsalClientException at the MSAL boundary.

Acceptance Criteria

• validateCustomTabRedirectActivity() method is removed from PublicClientApplicationConfiguration.java
• checkIntentFilterAddedToAppManifestForBrokerFlow() no longer calls the removed method and no longer checks authorization_user_agent for DEFAULT/BROWSER
• Remaining broker redirect URI checks in checkIntentFilterAddedToAppManifestForBrokerFlow() are preserved and unchanged
• ShadowPublicClientApplicationConfiguration is updated to remove the no-longer-needed shadow
• MsalClientException.MULTIPLE_APPS_LISTENING_CUSTOM_URL_SCHEME constant is NOT removed
• No new lint warnings introduced
• Unused imports are cleaned up

[github-actions]

✅ Work item link check complete. Description contains link AB#3568778 to an Azure Boards work item.