Add SilentAuthReceiver for Doze network-block reproduction, Fixes AB#3612535 #2516
rpdome wants to merge 7 commits into
Add a BroadcastReceiver to MsalTestApp that triggers acquireTokenSilent
from a background process context (PROCESS_STATE_RECEIVER). This enables
reliable reproduction of the Doze network-block issue that affects
background broker auth triggered by FCM notifications.
Key findings from investigation:
- When a foreground app binds to Broker via IPC, Android's
NetworkPolicyManagerService adds a dozable-allow firewall rule for the
Broker's UID. This masks the Doze network block during UI testing.
- When the caller is in a background context (BroadcastReceiver/Service),
the IPC binding does NOT elevate the Broker enough for dozable-allow.
The Broker's network call fails with UnknownHostException.
- This matches the production scenario: Outlook receives FCM push in
background -> calls OneAuth -> OneAuth calls Broker -> Broker's network
to eSTS is blocked by Doze firewall.
Usage:
adb shell dumpsys battery unplug
adb shell dumpsys deviceidle force-idle
adb shell am broadcast \
-a com.microsoft.identity.client.testapp.SILENT_AUTH \
-n com.msft.identity.client.sample.local/com.microsoft.identity.client.testapp.SilentAuthReceiver
adb logcat -s SilentAuthReceiver:*
❌ Work item link check failed. Description does not contain AB#{ID}.
Pull request overview
Adds a new testing hook in MsalTestApp to reproduce the Doze network-block scenario by triggering acquireTokenSilent from a BroadcastReceiver (background/receiver process state), along with manifest registration to invoke it via adb.
Changes:
- Introduces `SilentAuthReceiver` to create a PCA instance and run `acquireTokenSilentAsync(forceRefresh=true)` from a receiver context.
- Registers the receiver in `AndroidManifest.xml` with an intent-filter action for adb triggering.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| testapps/testapp/src/main/java/com/microsoft/identity/client/testapp/SilentAuthReceiver.java | Adds a BroadcastReceiver to run silent token acquisition from a background receiver context for Doze repro. |
| testapps/testapp/src/main/AndroidManifest.xml | Registers the new receiver/action used to trigger the Doze repro flow. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
8cf2f3c to bca228f
❌ Invalid work item number: AB#3612535 ##. Work item number must be a valid integer.
✅ Work item link check complete. Description contains link AB#3612535 to an Azure Boards work item.
9a67d3b to a6d2373
Overall LGTM, just minor comments.
Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-android/sessions/8666a879-5695-4eb3-bed2-71862e059d5f Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.
Warning: Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-android/sessions/cbdbc7c2-0ac5-48a5-9349-50239c795309 Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
Agent-Logs-Url: https://github.com/AzureAD/microsoft-authentication-library-for-android/sessions/0e8621a1-0a3e-4157-b8ac-c8436b3d2a33 Co-authored-by: rpdome <19558668+rpdome@users.noreply.github.com>
AB#3612535
Summary
Add a BroadcastReceiver to MsalTestApp that triggers acquireTokenSilent from a background process context (PROCESS_STATE_RECEIVER). This enables reliable reproduction of the Doze network-block issue that affects background broker auth triggered by FCM notifications.
Root Cause (from investigation)
When a foreground app binds to Broker via IPC, Android's NetworkPolicyManagerService adds a `dozable-allow` firewall rule for the Broker's UID — masking the Doze network block during UI testing.
When the caller is in a background context (BroadcastReceiver/Service handling FCM), the IPC binding does NOT elevate the Broker enough for `dozable-allow`. The Broker's network call to eSTS fails with `UnknownHostException`.
Evidence
Files
Usage
```bash
# Prerequisites: broker + MsalTestApp installed, account signed in
adb shell dumpsys battery unplug
adb shell dumpsys deviceidle force-idle
adb shell am broadcast -a com.microsoft.identity.client.testapp.SILENT_AUTH -n com.msft.identity.client.sample.local/com.microsoft.identity.client.testapp.SilentAuthReceiver
adb logcat -s SilentAuthReceiver:*
# Cleanup:
adb shell dumpsys deviceidle unforce && adb shell dumpsys battery reset
```
Test script
A companion script `scripts/doze-repro-test.sh` in android-complete automates the full sequence.
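
A minimal receiver of the kind the summary describes, as an added sketch that is not the PR's `SilentAuthReceiver.java`: it builds a multiple-account PCA and forces a silent refresh while still in receiver context. The package, class name, `R.raw.msal_config` resource and `User.Read` scope are assumptions.

```java
// Added sketch, not the PR's code. R.raw.msal_config and SCOPES are assumptions.
package com.example.dozerepro; // hypothetical package

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import com.microsoft.identity.client.*;
import com.microsoft.identity.client.exception.MsalException;
import java.util.Arrays;
import java.util.List;

public class SilentAuthSketchReceiver extends BroadcastReceiver {
    private static final String TAG = "SilentAuthSketch";
    private static final List<String> SCOPES = Arrays.asList("User.Read"); // assumed scope

    @Override
    public void onReceive(Context context, Intent intent) {
        // goAsync() keeps the broadcast open after onReceive() returns, until finish() is called.
        final PendingResult pending = goAsync();
        PublicClientApplication.createMultipleAccountPublicClientApplication(
                context.getApplicationContext(), R.raw.msal_config,
                new IPublicClientApplication.IMultipleAccountApplicationCreatedListener() {
                    @Override public void onCreated(IMultipleAccountPublicClientApplication app) {
                        // getAccounts() blocks, so run it on a worker thread.
                        new Thread(() -> refresh(app, pending)).start();
                    }
                    @Override public void onError(MsalException e) {
                        Log.e(TAG, "PCA creation failed", e);
                        pending.finish();
                    }
                });
    }

    private static void refresh(IMultipleAccountPublicClientApplication app, PendingResult pending) {
        try {
            List<IAccount> accounts = app.getAccounts();
            if (accounts.isEmpty()) { Log.w(TAG, "No signed-in account"); pending.finish(); return; }
            IAccount account = accounts.get(0);
            app.acquireTokenSilentAsync(new AcquireTokenSilentParameters.Builder()
                    .forAccount(account).fromAuthority(account.getAuthority())
                    .withScopes(SCOPES).forceRefresh(true) // bypass the cache so the network is used
                    .withCallback(new SilentAuthenticationCallback() {
                        // Log the outcome only, never the token itself.
                        @Override public void onSuccess(IAuthenticationResult r) { Log.i(TAG, "Silent auth OK"); pending.finish(); }
                        @Override public void onError(MsalException e) { Log.e(TAG, "Silent auth failed: " + e.getErrorCode(), e); pending.finish(); }
                    }).build());
        } catch (Exception e) { Log.e(TAG, "Silent auth setup failed", e); pending.finish(); }
    }
}
```

If the receiver is declared `android:exported="true"` so that `adb shell am broadcast` can reach it, any other app on the device can send the same broadcast, so it belongs in test builds only.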