Skip to content

Add NativeAuthRequestInterceptor for custom per-request HTTP headers AB#3606613#2511

Open
spetrescu84 wants to merge 9 commits into
devfrom
spetrescu/custom_headers
Open

Add NativeAuthRequestInterceptor for custom per-request HTTP headers AB#3606613#2511
spetrescu84 wants to merge 9 commits into
devfrom
spetrescu/custom_headers

Conversation

@spetrescu84
Copy link
Copy Markdown
Contributor

@spetrescu84 spetrescu84 commented May 13, 2026
edited
Loading

Summary

Implements the Android equivalent of the iOS PR microsoft-authentication-library-for-objc#2862, enabling apps to inject custom x-* headers into native auth HTTP requests (e.g., for CIAM fraud-signal scenarios like Akamai sensor data).

Changes

MSAL (this PR)

  • NativeAuthPublicClientApplicationConfiguration.kt — Added @Transient var requestInterceptor property with mergeConfiguration support
  • CommandParametersAdapter.java — Propagated requestInterceptor through all 16 native auth builder calls; fixed pre-existing duplicate .challengeType() in createSignInResendCodeCommandParameters()

Common (spetrescu/custom_headers)

  • NativeAuthRequestInterceptor.kt — Public interface: fun additionalHeaders(requestUrl: URL): Map<String, String>?
  • NativeAuthHeaderValidator.kt — Validates headers (must start with x-, must NOT start with x-ms-, x-client-, x-broker-, x-app-)
  • Wired interceptor through full propagation chain
  • Applied applyInterceptorHeaders() before every httpClient.post() call in all 4 interactors

Testing

  • 11 unit tests for NativeAuthHeaderValidator (all validation scenarios)
  • 6 integration tests for SignInInteractorRequestInterceptorTest
  • All 17 tests pass

Design Decisions

  • Synchronous interface (vs iOS async callbacks) — Android interactors already run on background threads
  • Same propagation pattern as challengeTypes/capabilities for consistency
  • Reserved prefix filtering prevents SDK header override
  • @Transient on config field — set programmatically, not from JSON

AB#3606613

@spetrescu84
Add NativeAuthRequestInterceptor support for custom per-request headers
09fdbd8 
Wire the NativeAuthRequestInterceptor through MSAL's public configuration
and command parameters adapter, matching the iOS PR
(microsoft-authentication-library-for-objc#2862).

- Add requestInterceptor property to NativeAuthPublicClientApplicationConfiguration
- Propagate interceptor in all 16 native auth CommandParametersAdapter builder calls
- Update common submodule to spetrescu/custom_headers branch
- Fix pre-existing duplicate .challengeType() call in createSignInResendCodeCommandParameters()

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings May 13, 2026 16:51
@spetrescu84 spetrescu84 requested review from a team as code owners May 13, 2026 16:51
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 13, 2026

❌ Work item link check failed. Description does not contain AB#{ID}.

Click here to Learn more.

@github-actions github-actions Bot added the msal label May 13, 2026
@spetrescu84
Add changelog entry and fix pop-benchmarker build.gradle quotes
9afa45c 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@spetrescu84 spetrescu84 self-assigned this May 13, 2026
Copilot AI reviewed May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds native auth support for per-request custom HTTP headers by introducing a request interceptor on native auth configuration and propagating it into native auth command parameters.

Changes:

  • Added a transient requestInterceptor property to NativeAuthPublicClientApplicationConfiguration and included it in configuration merging.
  • Propagated requestInterceptor through most native auth command parameter builders.
  • Removed a duplicate challengeType() call in sign-in resend-code parameter construction.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

File Description
msal/src/main/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplicationConfiguration.kt Adds the native auth request interceptor configuration field and merge behavior.
msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java Passes the configured interceptor into native auth command parameter builders.

Comment thread msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java
Comment thread ...ain/java/com/microsoft/identity/nativeauth/NativeAuthPublicClientApplicationConfiguration.kt Outdated
@spetrescu84
Copy link
Copy Markdown
Contributor Author

spetrescu84 commented May 13, 2026

@copilot apply changes based on the comments in this thread

@spetrescu84
Fix requestInterceptor: propagate to JIT builders and expose on Nativ…
d6bb35a 
…eAuthPublicClientApplicationParameters

Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-android/sessions/3e578494-fa53-4d9a-92cc-5f88b974f149

Co-authored-by: spetrescu84 <111577419+spetrescu84@users.noreply.github.com>
Copy link
Copy Markdown
Contributor

Copilot AI commented May 13, 2026
edited
Loading

@copilot apply changes based on the comments in this thread

Applied both fixes in commit d6bb35a:

  1. JIT builders — Added .requestInterceptor(configuration.getRequestInterceptor()) to both createJITChallengeAuthMethodCommandParameters and createJITSubmitChallengeCommandParameters in CommandParametersAdapter.java, so custom headers are propagated consistently across all native auth flows including JIT.

  2. Public factory path — Added a requestInterceptor field to NativeAuthPublicClientApplicationParameters.kt, updated the private createNativeAuthApplication to accept and apply it to the config, and threaded parameters.getRequestInterceptor() through the createNativeAuthPublicClientApplication(Context, NativeAuthPublicClientApplicationParameters) factory. The three legacy/file-based factory paths continue to pass null (the interceptor is set programmatically, not from JSON).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dl.google.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED -XX:MaxMetaspaceSize=512m -XX:&#43;HeapDumpOnOutOfMemoryError -Xmx2048m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

@spetrescu84
Update common submodule to include comprehensive interceptor tests
f5099cb 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
spetrescu84 and others added 2 commits May 14, 2026 17:22
@spetrescu84
Update common submodule to include PR review fixes
2ada5ff 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@spetrescu84
Update common submodule: consolidated test deduplication
212fbf6 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@spetrescu84 spetrescu84 changed the title Add NativeAuthRequestInterceptor for custom per-request HTTP headers Add NativeAuthRequestInterceptor for custom per-request HTTP headers AB#3600652 May 15, 2026
spetrescu84
spetrescu84 commented May 15, 2026
View reviewed changes
Comment thread msal/src/main/java/com/microsoft/identity/client/internal/CommandParametersAdapter.java
.challengeType(configuration.getChallengeTypes())
.requestInterceptor(configuration.getRequestInterceptor())
.continuationToken(continuationToken)
.challengeType(configuration.getChallengeTypes())
Copy link
Copy Markdown
Contributor Author

@spetrescu84 spetrescu84 May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was removed because it's duplicated above

@spetrescu84 spetrescu84 changed the title Add NativeAuthRequestInterceptor for custom per-request HTTP headers AB#3600652 Add NativeAuthRequestInterceptor for custom per-request HTTP headers AB#3606613 May 15, 2026
@spetrescu84 spetrescu84 mentioned this pull request May 15, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@mustafamizrak mustafamizrak mustafamizrak approved these changes

+2 more reviewers

Copilot code review Copilot Copilot left review comments

@antrix1989 antrix1989 antrix1989 approved these changes

Reviewers whose approvals may not affect merge requirements

At least 2 approving reviews are required to merge this pull request.

Assignees

@spetrescu84 spetrescu84

Labels

msal pop-benchmarker

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@spetrescu84 @antrix1989 @mustafamizrak