Add AuthTab (Chrome 137+) support for browser-based authentication flows, Fixes AB#3533538 #2999

Draft
Copilot wants to merge 3 commits into dev from copilot/implement-auth-tab-support
Copilot AI commented Mar 4, 2026

Implements AuthTabIntent from androidx.browser:browser:1.9.0 as an alternative to Custom Tabs for interactive auth. AuthTab returns results via ActivityResultCallback instead of intent redirects, improving security. Gated behind a new ENABLE_AUTH_TAB feature flag (default off).

Feature Flag

  • Added ENABLE_AUTH_TAB("EnableAuthTab", false) to CommonFlight.java

Dependency

  • Bumped browserVersion: 1.7.0 → 1.9.0

New: AuthTabAuthorizationFragment (MSAL browser flows)

  • Extends AuthorizationFragment; registers ActivityResultLauncher in onCreate() before STARTED state
  • Launches AuthTabIntent in onResume() with URL + redirect scheme extracted from fragment args
  • Handles all AuthResult codes: RESULT_OK → fromRedirectUri, RESULT_CANCELED → cancel, RESULT_VERIFICATION_FAILED/TIMED_OUT → exception result
  • Guards against double-result on lifecycle re-entry via mAuthResultSent
  • Emits AuthTabAuthorization span with is_auth_tab_used and auth_tab_result_code attributes

Updated: AuthorizationActivityFactory

  • Non-WebView path now returns AuthTabAuthorizationFragment when ENABLE_AUTH_TAB is on; falls back to BrowserAuthorizationFragment

Updated: SwitchBrowserActivity (DUNA flows)

  • Registers ActivityResultLauncher in onCreate() before super
  • launchBrowser() short-circuits to AuthTab when flag is on + isAuthTabSupported() returns true
  • handleAuthTabResult() parses RESULT_OK redirect URI query params into the switch-browser bundle for WebViewAuthorizationFragment

New: CustomTabsManager.isAuthTabSupported()

public static boolean isAuthTabSupported(@NonNull Context context, @NonNull String browserPackage)

Wraps CustomTabsClient.isAuthTabSupported() with null-safety and logging.

Telemetry

  • AttributeName: is_auth_tab_used, auth_tab_result_code, auth_tab_supported (note: Broker repo sync required)
  • SpanName: AuthTabAuthorization

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dl.google.com
  • identitydivision.pkgs.visualstudio.com
  • www.puppycrawl.com

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Fixes AB#3533538

Objective

Implement full AuthTab support in the Common repo: add the ENABLE_AUTH_TAB feature flag to CommonFlight, create a new AuthTabAuthorizationFragment for MSAL browser flows, update AuthorizationActivityFactory to route to it, update SwitchBrowserActivity for DUNA flows, add an isAuthTabSupported() helper in CustomTabsManager, and bump androidx.browser to 1.9.0.

Target Repository

  • Repo: AzureAD/microsoft-authentication-library-common-for-android
  • Base Branch: dev
  • Module: common4j + common

Context

Chrome 137+ introduces AuthTab (AuthTabIntent from androidx.browser:browser:1.9.0), a specialized Custom Tab for authentication. AuthTab returns results via ActivityResultCallback instead of intent-based redirects, improving security and simplifying the flow. This PBI implements AuthTab support for two paths:

  1. MSAL interactive browser auth - A new AuthTabAuthorizationFragment replaces BrowserAuthorizationFragment when AuthTab is enabled and supported.
  2. Broker Switch Browser (DUNA) - SwitchBrowserActivity gains an AuthTab launch path alongside its existing Custom Tabs path.

Both paths fall back to standard Custom Tabs when the browser doesn't support AuthTab.

Feature Flag

Create a new ENABLE_AUTH_TAB enum value in CommonFlight.java (common4j module) with config key "EnableAuthTab" and default false. Follow the pattern of SWITCH_BROWSER_PROTOCOL_REQUIRES_STATE. Then gate all new behavior behind CommonFlightsManager.getFlightsProvider().isFlightEnabled(CommonFlight.ENABLE_AUTH_TAB).

Technical Requirements

1. Feature Flag (common4j)

  • Add ENABLE_AUTH_TAB("EnableAuthTab", false) to CommonFlight.java
  • Add JavaDoc: enables Chrome AuthTab (Chrome 137+) for browser-based auth flows

2. Dependency Bump

  • Change browserVersion = "1.7.0" to browserVersion = "1.9.0" in gradle/versions.gradle

3. New AuthTabAuthorizationFragment.kt (common)

  • Create in common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/
  • Extends AuthorizationFragment
  • In onCreate(), register ActivityResultLauncher via AuthTabIntent.registerActivityResultLauncher(this, ::handleAuthResult) - MUST be before STARTED state
  • In onResume(), build AuthTabIntent.Builder().build() and call authTabIntent.launch(launcher, uri, redirectScheme)
  • Extract requestUrl and redirectScheme from fragment arguments (same pattern as BrowserAuthorizationFragment gets mAuthIntent)
  • Handle AuthResult: RESULT_OK -> sendResult(RawAuthorizationResult.fromRedirectUri(...)), RESULT_CANCELED -> cancelAuthorization(true), RESULT_VERIFICATION_FAILED/TIMED_OUT -> send exception result
  • Add telemetry span attributes: is_auth_tab_used, auth_tab_result_code, auth_tab_supported
  • Log all decision points via Logger class
  • Handle onSaveInstanceState/extractState for authFlowStarted flag

4. Update AuthorizationActivityFactory.kt

  • In getAuthorizationFragmentFromStartIntent(), when agent is NOT WEBVIEW, check CommonFlight.ENABLE_AUTH_TAB. If true, return AuthTabAuthorizationFragment()
  • Runtime browser support check happens inside the fragment itself

5. Update SwitchBrowserActivity.kt

  • In launchBrowser(), before existing Custom Tabs check: if AuthTab flag on + CustomTabsClient.isAuthTabSupported() returns true, launch via AuthTabIntent
  • Register ActivityResultLauncher in onCreate() (must be before onStart)
  • Handle result: RESULT_OK -> pass URI to WebViewAuthorizationFragment.setSwitchBrowserBundle() + finishAndRemoveTask(); cancel/error -> finishAndRemoveTask()

6. Add isAuthTabSupported() to CustomTabsManager.java

  • Static method: public static boolean isAuthTabSupported(@NonNull Context context, @NonNull String browserPackage)
  • Wraps CustomTabsClient.isAuthTabSupported() with null-safety and logging

Files to Modify/Create

  • common4j/src/main/com/microsoft/identity/common/java/flighting/CommonFlight.java - Add ENABLE_AUTH_TAB enum
  • gradle/versions.gradle - browserVersion = "1.9.0"
  • common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/AuthTabAuthorizationFragment.kt - NEW: AuthTab authorization fragment
  • common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/AuthorizationActivityFactory.kt - Add AuthTab branch
  • common/src/main/java/com/microsoft/identity/common/internal/providers/oauth2/SwitchBrowserActivity.kt - Add AuthTab launch path
  • common/src/main/java/com/microsoft/identity/common/internal/ui/browser/CustomTabsManager.java - Add isAuthTabSupported()
  • common/src/test/java/com/microsoft/identity/common/internal/providers/oauth2/AuthTabAuthorizationFragmentTest.kt - NEW: Unit tests
  • common/src/test/java/com/microsoft/identity/common/internal/providers/oauth2/AuthorizationActivityFactoryTest.java - Add AuthTab tests

Acceptance Criteria

  • CommonFlight.ENABLE_AUTH_TAB exists w...
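
The result handling this PR describes (one branch per result code, a single-delivery guard, and parsing of the RESULT_OK redirect URI), as an added sketch that is not code from the PR. It is plain JVM Kotlin with stand-in types instead of the androidx classes; the enum, the class and function names, the fail-closed scheme check and the sample URIs are assumptions of this example.

```kotlin
import java.net.URI
import java.net.URLDecoder

// Stand-ins for the AuthTab result codes named in the PR description (constructed for this sketch).
enum class AuthTabCode { OK, CANCELED, VERIFICATION_FAILED, VERIFICATION_TIMED_OUT }

sealed class Outcome {
    data class Redirect(val params: Map<String, String>) : Outcome()
    object Cancelled : Outcome()
    data class Failed(val reason: String) : Outcome()
    object Ignored : Outcome() // callback arrived after a result was already delivered
}

// Hypothetical handler; resultSent plays the role the PR gives to mAuthResultSent.
class AuthTabResultHandler(private val redirectScheme: String) {
    private var resultSent = false

    fun handle(code: AuthTabCode, uri: URI?): Outcome {
        if (resultSent) return Outcome.Ignored // guard against lifecycle re-entry
        resultSent = true
        return when (code) {
            AuthTabCode.OK -> parseRedirect(uri)
            AuthTabCode.CANCELED -> Outcome.Cancelled
            AuthTabCode.VERIFICATION_FAILED -> Outcome.Failed("verification failed")
            AuthTabCode.VERIFICATION_TIMED_OUT -> Outcome.Failed("verification timed out")
        }
    }

    private fun parseRedirect(uri: URI?): Outcome {
        // Assumption of this sketch: fail closed on a missing URI or a scheme mismatch.
        if (uri == null || !redirectScheme.equals(uri.scheme, ignoreCase = true)) {
            return Outcome.Failed("unexpected redirect URI")
        }
        val params = (uri.rawQuery ?: "").split("&").filter { it.isNotEmpty() }.associate {
            val (k, v) = (it.split("=", limit = 2) + "").take(2) // pad keys that have no value
            URLDecoder.decode(k, "UTF-8") to URLDecoder.decode(v, "UTF-8")
        }
        return Outcome.Redirect(params)
    }
}

fun main() {
    val handler = AuthTabResultHandler("msauth") // constructed scheme and URIs
    println(handler.handle(AuthTabCode.OK, URI("msauth://com.example.app/cb?code=abc&state=xyz")))
    println(handler.handle(AuthTabCode.CANCELED, null)) // second callback on the same handler
    println(AuthTabResultHandler("msauth").handle(AuthTabCode.OK, URI("https://other.example/?code=abc")))
}
```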

github-actions bot commented Mar 4, 2026

✅ Work item link check complete. Description contains link AB#3533538 to an Azure Boards work item.

@github-actions github-actions bot changed the title [WIP] Implement full AuthTab support in Common repo [WIP] Implement full AuthTab support in Common repo, Fixes AB#3533538 Mar 4, 2026
Copilot AI and others added 2 commits March 4, 2026 16:34
…rowserActivity, CustomTabsManager helper, AttributeNames, SpanName, and tests

Co-authored-by: shahzaibj <37125644+shahzaibj@users.noreply.github.com>
…omTabsManager Javadoc, add changelog entry

Co-authored-by: shahzaibj <37125644+shahzaibj@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement full AuthTab support in Common repo, Fixes AB#3533538 Add AuthTab (Chrome 137+) support for browser-based authentication flows Mar 4, 2026
@github-actions github-actions bot changed the title Add AuthTab (Chrome 137+) support for browser-based authentication flows Add AuthTab (Chrome 137+) support for browser-based authentication flows, Fixes AB#3533538 Mar 4, 2026