
Edge TB: PoP support for WebApps (Edge Token Broker), Fixes AB#3501329#3006

Merged
melissaahn merged 9 commits into dev from copilot/update-common-functionality on Mar 17, 2026

Conversation

Contributor

Copilot AI commented Mar 5, 2026

Adds common-side support for Proof of Possession (PoP) tokens in the Edge Token Broker WebApps flow. The new protocol introduces tokenType ("pop"/"bearer", case-insensitive) and reqCnf (request confirmation) fields that can arrive either as top-level fields on the request or inside extraParameters, with top-level taking priority.

New: WebAppsPopAuthenticationSchemeInternal

  • Extends TokenAuthenticationScheme, implements ITokenAuthenticationSchemeInternal
  • Holds a pre-generated req_cnf (not device-key-derived like PopAuthenticationSchemeInternal)
  • Scheme name: "PoP_Pregenerated"; getAccessTokenForScheme() returns the raw AT (ESTS returns it already in PoP format)

New fields on WebAppsGetTokenSubOperationRequest

  • tokenType and reqCnf — both optional; each resolved independently (top-level → extraParameters fallback)

Updated existing infrastructure to handle the new scheme

  • AuthenticationSchemeTypeAdapter — added serialize/deserialize cases for WebAppsPopAuthenticationSchemeInternal
  • AuthenticationSchemeFactory.isPopAuthenticationScheme() — returns true for the new scheme
  • MicrosoftStsOAuth2Strategy — createTokenRequestForAuthCode() and createRefreshTokenRequest() set token_type=pop and req_cnf from the scheme
  • AbstractAccountCredentialCache — SCHEME_POP_PREGENERATED added to the PoP AT-type matching check
  • MicrosoftStsAccountCredentialAdapter — uses AccessToken_With_AuthScheme credential type (no kid since req_cnf is pre-generated)

AB#3501329

Co-authored-by: melissaahn <97474059+melissaahn@users.noreply.github.com>
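The field-resolution rule the description lays out (tokenType and reqCnf each resolved independently, top-level first, extraParameters as fallback, case-insensitive tokenType) is small enough to show end to end. The following is an added illustration written for this page, not code from this PR or from the common library; the class and method names (WebAppsPopRequest, resolve(), parseTokenType()) are assumptions, as is the choice to reject a "pop" request that arrives without any req_cnf instead of silently downgrading it to bearer.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/**
 * Added example (not code from the common library): resolves the WebApps PoP
 * request fields described in the PR and derives the token-request parameters.
 * WebAppsPopRequest, Resolved, resolve() and parseTokenType() are assumed names.
 */
public final class WebAppsPopFieldResolution {

    /** Value space of tokenType; parsing is case-insensitive, as the PR states. */
    enum TokenType { BEARER, POP }

    /** Minimal stand-in for the request DTO: two optional top-level fields plus extraParameters. */
    static final class WebAppsPopRequest {
        final String tokenType;                    // may be null
        final String reqCnf;                       // may be null
        final Map<String, String> extraParameters; // never null after construction

        WebAppsPopRequest(String tokenType, String reqCnf, Map<String, String> extraParameters) {
            this.tokenType = tokenType;
            this.reqCnf = reqCnf;
            this.extraParameters = extraParameters == null
                    ? Collections.<String, String>emptyMap() : extraParameters;
        }
    }

    /** Outcome: the resolved type and the OAuth2 token-request parameters to add (empty for bearer). */
    static final class Resolved {
        final TokenType tokenType;
        final Map<String, String> tokenRequestParams;

        Resolved(TokenType tokenType, Map<String, String> tokenRequestParams) {
            this.tokenType = tokenType;
            this.tokenRequestParams = tokenRequestParams;
        }
    }

    /** Top-level value wins; extraParameters is only consulted when it is absent. Blank counts as absent. */
    private static String pick(String topLevel, Map<String, String> extra, String key) {
        if (topLevel != null && !topLevel.trim().isEmpty()) {
            return topLevel;
        }
        String fallback = extra.get(key);
        return (fallback != null && !fallback.trim().isEmpty()) ? fallback : null;
    }

    /** Case-insensitive parse of "pop"/"bearer"; an absent field defaults to bearer (assumption). */
    static TokenType parseTokenType(String raw) {
        if (raw == null) {
            return TokenType.BEARER;
        }
        switch (raw.trim().toLowerCase(Locale.ROOT)) {
            case "pop":    return TokenType.POP;
            case "bearer": return TokenType.BEARER;
            default:       throw new IllegalArgumentException("unknown tokenType: " + raw);
        }
    }

    static Resolved resolve(WebAppsPopRequest req) {
        // Each field is resolved on its own: tokenType may come from the top level
        // while reqCnf comes from extraParameters, or the other way round.
        String tokenTypeRaw = pick(req.tokenType, req.extraParameters, "tokenType");
        String reqCnf       = pick(req.reqCnf,    req.extraParameters, "reqCnf");
        TokenType type = parseTokenType(tokenTypeRaw);

        Map<String, String> params = new LinkedHashMap<>();
        if (type == TokenType.POP) {
            // A PoP token is bound to the confirmation key in req_cnf; without one there
            // is nothing to bind to, so this example refuses rather than issuing a bearer
            // token the caller did not ask for (assumed policy, not the PR's behaviour).
            if (reqCnf == null) {
                throw new IllegalArgumentException("tokenType=pop requires req_cnf");
            }
            params.put("token_type", "pop");
            params.put("req_cnf", reqCnf);
        }
        return new Resolved(type, params);
    }

    public static void main(String[] args) {
        // Constructed sample: tokenType at top level, reqCnf only in extraParameters.
        // extraParameters also carries a conflicting tokenType, which must lose to the top-level one.
        Map<String, String> extra = new HashMap<>();
        extra.put("reqCnf", "CONSTRUCTED_REQ_CNF_PLACEHOLDER");
        extra.put("tokenType", "bearer");
        Resolved r = resolve(new WebAppsPopRequest("PoP", null, extra));
        System.out.println(r.tokenType + " " + r.tokenRequestParams);
    }
}
```

Running main() resolves the constructed request to POP with token_type=pop and the req_cnf taken from extraParameters, because the top-level "PoP" outranks the "bearer" in extraParameters while reqCnf falls back since no top-level value was given.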
Copilot AI changed the title from "[WIP] Update common functionality based on PBI 3501329" to "Edge TB: PoP support for WebApps (Edge Token Broker)" Mar 5, 2026
@github-actions

github-actions bot commented Mar 7, 2026

❌ Work item link check failed. Description does not contain AB#{ID}.


@github-actions github-actions bot changed the title from "Edge TB: PoP support for WebApps (Edge Token Broker)" to "Edge TB: PoP support for WebApps (Edge Token Broker), Fixes AB#3501329" Mar 7, 2026
@melissaahn
Contributor

@copilot can you please update the PR description based on the changes I made? For example, parsePopAuthSchemeFromRequest() is not in this PR anymore.

Contributor Author

Copilot AI commented Mar 9, 2026

@copilot can you please update the PR description based on the changes I made? For example, parsePopAuthSchemeFromRequest() is not in this PR anymore.

Updated the PR description to remove the parsePopAuthSchemeFromRequest() section and instead accurately describe the infrastructure changes that handle the new scheme (OAuth2Strategy, AccountCredentialCache, AccountCredentialAdapter, etc.).

@github-actions

github-actions bot commented Mar 9, 2026

✅ Work item link check complete. Description contains link AB#3501329 to an Azure Boards work item.

@melissaahn melissaahn marked this pull request as ready for review March 9, 2026 18:49
@melissaahn melissaahn requested review from a team as code owners March 9, 2026 18:49
Copilot AI review requested due to automatic review settings March 9, 2026 18:49
Contributor

Copilot AI left a comment

Pull request overview

Adds Common-library support for a new WebApps/Edge Token Broker Proof-of-Possession (PoP) flow by introducing a pre-generated req_cnf PoP authentication scheme and wiring it through token request creation, auth-scheme (de)serialization, and cache filtering.

Changes:

  • Introduces WebAppsPopAuthenticationSchemeInternal (PoP_Pregenerated) to represent pre-generated req_cnf PoP for WebApps/Edge TB.
  • Plumbs the new scheme through request (de)serialization (AuthenticationSchemeTypeAdapter), PoP detection (AuthenticationSchemeFactory), and MSSTS token request creation (MicrosoftStsOAuth2Strategy).
  • Extends WebApps request DTO (WebAppsGetTokenSubOperationRequest) and updates cache logic to recognize the new PoP scheme; updates changelog and affected tests.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Summary per file (file, then description):
common4j/src/main/com/microsoft/identity/common/java/providers/microsoft/microsoftsts/MicrosoftStsOAuth2Strategy.java Sets token_type=pop and req_cnf when using the new WebApps PoP scheme.
common4j/src/main/com/microsoft/identity/common/java/commands/webapps/WebAppsGetTokenSubOperationRequest.kt Adds optional tokenType / reqCnf fields to the WebApps request contract.
common4j/src/main/com/microsoft/identity/common/java/cache/MicrosoftStsAccountCredentialAdapter.java Stores WebApps PoP ATs as AccessToken_With_AuthScheme without a kid.
common4j/src/main/com/microsoft/identity/common/java/cache/AbstractAccountCredentialCache.java Treats PoP_Pregenerated as a valid PoP scheme during AT filtering.
common4j/src/main/com/microsoft/identity/common/java/authscheme/WebAppsPopAuthenticationSchemeInternal.java New internal auth scheme carrying pre-generated req_cnf.
common4j/src/main/com/microsoft/identity/common/java/authscheme/AuthenticationSchemeFactory.java Classifies the new scheme as PoP for downstream logic.
common/src/test/java/com/microsoft/identity/common/internal/controllers/BrokerMsalControllerTest.java Updates WebApps request construction to include the new optional fields.
common/src/main/java/com/microsoft/identity/common/internal/request/AuthenticationSchemeTypeAdapter.java Adds serialize/deserialize support for PoP_Pregenerated.
changelog.txt Adds vNext entry for “Edge TB: PoP support (#3006)”.

Contributor

@p3dr0rv p3dr0rv left a comment

left a few comments, do not feel obligated to do it, this can be improved down the road.

@mohitc1
Contributor

mohitc1 commented Mar 17, 2026

        }

won't this automatically help?

Refers to: common4j/src/main/com/microsoft/identity/common/java/cache/AbstractAccountCredentialCache.java:257 in e540b75.

@melissaahn
Contributor

        }

won't this automatically help?

Refers to: common4j/src/main/com/microsoft/identity/common/java/cache/AbstractAccountCredentialCache.java:257 in e540b75.

You're right. Removed the redundant addition: ea94912

Contributor

@mohitc1 mohitc1 left a comment

:shipit:

@melissaahn melissaahn merged commit d774c92 into dev Mar 17, 2026
27 checks passed