Skip to content

Deprecate ResponseMode.QUERY in system browser auth flow, automatically override to FORM_POST with warning #1004

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ashok672 wants to merge 3 commits into
base: dev
Choose a base branch
from
Open

Deprecate ResponseMode.QUERY in system browser auth flow, automatically override to FORM_POST with warning #1004

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ab9cfc2
Deprecate ResponseMode.QUERY in system browser auth flow, automatical…
ashok672 Jan 10, 2026
7379d7b
Update msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/Authorizatio…
ashok672 Jan 14, 2026
34a34ee
Update msal4j-persistence-extension/target/test-classes/log4j.properties
ashok672 Jan 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions msal4j-persistence-extension/target/test-classes/log4j.properties
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# This file is located under the Maven/Gradle build output directory:
Copy link
Contributor

@Avery-Dunn Avery-Dunn Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This file can be removed entirely, it's in the "target" directory which means it's just a file that gets made when building the project and seems to just have some comments from Copilot?

# msal4j-persistence-extension/target/test-classes/log4j.properties
# It should not be tracked in version control and should be removed
# from the repository, with the entire `target/` directory ignored
# via .gitignore (or equivalent).
#
# The contents below were removed to prevent this accidental artifact
# from affecting runtime logging configuration. Do not add any active
# Log4j configuration here; instead, place it under src/test/resources
# or src/main/resources as appropriate.
16 changes: 13 additions & 3 deletions msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,9 +113,18 @@ private AuthorizationRequestUrlParameters(Builder builder) {
}

if (builder.responseMode != null) {
this.responseMode = builder.responseMode;
requestParameters.put("response_mode",
builder.responseMode.toString());
// Override QUERY with FORM_POST as QUERY is deprecated
Copy link
Contributor

@Avery-Dunn Avery-Dunn Jan 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than add the logic to check for Query here, it might be simpler to add an if statement to the actual builder method:

public Builder responseMode(ResponseMode val) {
    // Override QUERY with FORM_POST as QUERY is deprecated
    if (val == ResponseMode.QUERY) {
        LOG.warn("ResponseMode.QUERY is deprecated and will be removed in a future release. " +
                "Automatically overriding to ResponseMode.FORM_POST.");
        this.responseMode = ResponseMode.FORM_POST;
    } else {
        this.responseMode = val;
    }
    return self();
}

That way, this constructor stays the same and only valid values get set in the builder.

Copy link
Member

@bgavrilMS bgavrilMS Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, we should not change the AuthCodeUri for all scenarios. Or change it, but deprecate the "GetAuthorizationRequestUri" existing API and add a "GetAuthorizationRequestUriWithPost" and fully deprecate ResponseMode param

if (builder.responseMode == ResponseMode.QUERY) {
LOG.warn("ResponseMode.QUERY is deprecated and will be removed in a future release. " +
"Automatically overriding to ResponseMode.FORM_POST.");
this.responseMode = ResponseMode.FORM_POST;
requestParameters.put("response_mode",
ResponseMode.FORM_POST.toString());
} else {
this.responseMode = builder.responseMode;
requestParameters.put("response_mode",
builder.responseMode.toString());
}
} else {
this.responseMode = ResponseMode.FORM_POST;
requestParameters.put("response_mode",
Expand Down Expand Up @@ -368,6 +377,7 @@ public Builder nonce(String val) {

/**
* Specifies the method that should be used to send the authentication result to your app.
* @deprecated ResponseMode.QUERY is deprecated. If you pass ResponseMode.QUERY, it will be automatically overridden to ResponseMode.FORM_POST.
*/
public Builder responseMode(ResponseMode val) {
this.responseMode = val;
Expand Down
2 changes: 2 additions & 0 deletions msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ResponseMode.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ public enum ResponseMode {
/**
* Authorization result returned as query string in the redirect URL when redirecting back to the
* client application.
* @deprecated Query response mode is no longer supported. Use FORM_POST instead. If provided, it will be automatically overridden to FORM_POST.
*/
@Deprecated
QUERY("query"),

/**
Expand Down
46 changes: 11 additions & 35 deletions msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParametersTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,32 +98,23 @@ void testBuilder_conflictingParameters() {
}

@Test
void testBuilder_optionalParameters() throws UnsupportedEncodingException {
Set<String> clientCapabilities = new HashSet<>();
clientCapabilities.add("llt");
clientCapabilities.add("ssm");

PublicClientApplication app = PublicClientApplication.builder("client_id").clientCapabilities(clientCapabilities).build();
void testBuilder_queryResponseModeIsOverriddenToFormPost() throws UnsupportedEncodingException {
PublicClientApplication app = PublicClientApplication.builder("client_id").build();

String redirectUri = "http://localhost:8080";
Set<String> scope = Collections.singleton("scope");

// Test that when QUERY is passed (deprecated), it's overridden to FORM_POST
AuthorizationRequestUrlParameters parameters =
AuthorizationRequestUrlParameters
.builder(redirectUri, scope)
.extraScopesToConsent(new LinkedHashSet<>(Arrays.asList("extraScopeToConsent1", "extraScopeToConsent2")))
.responseMode(ResponseMode.QUERY)
.codeChallenge("challenge")
.codeChallengeMethod("method")
.state("app_state")
.nonce("app_nonce")
.correlationId("corr_id")
.loginHint("hint")
.domainHint("domain_hint")
.claimsChallenge("{\"id_token\":{\"auth_time\":{\"essential\":true}},\"access_token\":{\"auth_time\":{\"essential\":true}}}")
.prompt(Prompt.SELECT_ACCOUNT)
.responseMode(ResponseMode.QUERY) // Deprecated - should be overridden
.build();

// Verify that the responseMode is overridden to FORM_POST
assertEquals(ResponseMode.FORM_POST, parameters.responseMode(),
"ResponseMode.QUERY should be overridden to ResponseMode.FORM_POST");

URL authorizationUrl = app.getAuthorizationRequestUrl(parameters);

Map<String, String> queryParameters = new HashMap<>();
Expand All @@ -137,23 +128,8 @@ void testBuilder_optionalParameters() throws UnsupportedEncodingException {
URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
}

assertEquals(queryParameters.get("scope"),
"openid profile offline_access scope extraScopeToConsent1 extraScopeToConsent2");
assertEquals(queryParameters.get("response_type"), "code");
assertEquals(queryParameters.get("redirect_uri"), "http://localhost:8080");
assertEquals(queryParameters.get("client_id"), "client_id");
assertEquals(queryParameters.get("prompt"), "select_account");
assertEquals(queryParameters.get("response_mode"), "query");
assertEquals(queryParameters.get("code_challenge"), "challenge");
assertEquals(queryParameters.get("code_challenge_method"), "method");
assertEquals(queryParameters.get("state"), "app_state");
assertEquals(queryParameters.get("nonce"), "app_nonce");
assertEquals(queryParameters.get("correlation_id"), "corr_id");
assertEquals(queryParameters.get("login_hint"), "hint");
assertEquals(queryParameters.get("domain_hint"), "domain_hint");
assertEquals(queryParameters.get("claims"), "{\"access_token\":{\"auth_time\":{\"essential\":true},\"xms_cc\":{\"values\":[\"llt\",\"ssm\"]}},\"id_token\":{\"auth_time\":{\"essential\":true}}}");

// CCS routing
assertEquals(queryParameters.get(HttpHeaders.X_ANCHOR_MAILBOX), String.format(HttpHeaders.X_ANCHOR_MAILBOX_UPN_FORMAT, "hint"));
// Verify that the actual response_mode parameter is "form_post", not "query"
assertEquals("form_post", queryParameters.get("response_mode"),
"response_mode query parameter should be 'form_post' even when QUERY was specified");
}
}
Loading