Enable seamless webview-to-broker transitions for server-driven enrollment flows #1684
Draft
Copilot stopped work on behalf of Veena11 due to an error (February 3, 2026 05:10)
Copilot AI changed the title from "[WIP] Update authentication flow with ASWebAuthenticationSession" to "Design Discussion: Seamless WebView Transition for Profile Installation Flow" on Feb 3, 2026
Copilot stopped work on behalf of Veena11 due to an error (February 3, 2026 05:34)
…activeController actions

- Created MSIDWebInstallProfileResponse class to detect and parse msauth://profileInstalled URLs
- Added response detection in MSIDAADWebviewFactory response chain
- Updated MSIDInteractiveAuthorizationCodeRequest to pass through profile installed responses
- Added handleWebInstallProfileResponse method in MSIDLocalInteractiveController
- Controller can now perform custom actions before continuing authentication flow
- Created comprehensive unit tests for the new response type

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Design Discussion: Seamless WebView Transition for Profile Installation Flow" to "Add msauth://profileInstalled response handling with extensibility hook in localInteractiveController" on Feb 3, 2026
- Created MSIDWebviewTransitionCoordinator to manage state-preserving transitions
- Added MSIDWebProfileInstallTriggerResponse to detect msauth://profileInstall with HTTP headers
- Updated MSIDAADOAuthEmbeddedWebviewController to:
  - Capture HTTP response headers via navigationResponseBlock
  - Detect profile install trigger (msauth://profileInstall)
  - Extract profile installation URL from X-Profile-Install-URL header
  - Suspend embedded webview (hide UI but keep alive)
  - Launch ASWebAuthenticationSession with extracted URL
  - Wait for msauth://profileInstalled callback
  - Resume suspended embedded webview seamlessly
  - Continue authentication flow without cancellation
- Created comprehensive tests for trigger response detection

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Add msauth://profileInstalled response handling with extensibility hook in localInteractiveController" to "Implement state-preserving webview transition for profile installation flow" on Feb 3, 2026
Corrected URL scheme names to match requirements:
- First 302: msauth://installProfile - triggers transition FROM embedded webview TO ASWebAuthenticationSession
- Second 302: msauth://profileInstalled - happens IN ASWebAuthenticationSession, triggers transition BACK to embedded webview

Changes:
- Updated MSIDWebProfileInstallTriggerResponse to detect msauth://installProfile
- Changed constant from PROFILE_INSTALL to INSTALL_PROFILE
- Updated all references to use installProfile instead of profileInstall
- Updated tests to use correct URL msauth://installProfile
- Updated comments and log messages for clarity
- Verified MSIDWebInstallProfileResponse correctly detects msauth://profileInstalled

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Implement state-preserving webview transition for profile installation flow" to "Correct URL scheme for profile installation trigger: installProfile not profileInstall" on Feb 3, 2026
…tiveController

- Removed profile installation handling from MSIDAADOAuthEmbeddedWebviewController
- Embedded webview now only detects msauth://installProfile and returns it via completion handler
- MSIDLocalInteractiveController now orchestrates the entire profile installation flow
- Added handleProfileInstallTrigger method to controller
- Added handleProfileInstallationCompletion method to controller
- Controller now manages MSIDWebviewTransitionCoordinator
- Controller suspends/resumes webview and launches ASWebAuthenticationSession
- Follows existing pattern used for MSIDWebWPJResponse
- Maintains separation of concerns: view detects, controller orchestrates

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Correct URL scheme for profile installation trigger: installProfile not profileInstall" to "Enable seamless embedded webview ↔ ASWebAuthenticationSession transitions for profile installation" on Feb 3, 2026
- Updated MSIDWebProfileInstallTriggerResponse to extract x-intune-url and x-intune-token headers
- Replaced profileInstallURL property with intuneURL
- Added intuneToken property for authentication
- Added extractHeaderValue helper for case-insensitive header matching
- Updated MSIDASWebAuthenticationSessionHandler to support additionalHeaders parameter (iOS 18+)
- Added new initializer with additionalHeaders support
- Use additionalHeaderFields property when iOS 18+ available
- Updated MSIDWebviewTransitionCoordinator to pass additional headers
- Updated MSIDLocalInteractiveController to build headers dictionary with x-intune-token
- Updated all tests to use new header names (x-intune-url, x-intune-token)
- Added tests for both headers extraction and case-insensitive matching

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Enable seamless embedded webview ↔ ASWebAuthenticationSession transitions for profile installation" to "Enable seamless embedded webview ↔ ASWebAuthenticationSession transitions for Intune profile installation" on Feb 3, 2026
…ctory access

- Added lastHTTPResponse property to MSIDWebviewSession
- Updated MSIDAADOAuthEmbeddedWebviewController to store HTTP response in session
- Updated MSIDWebviewAuthorization to pass httpResponse to factory
- Added new overload methods to configuration classes accepting httpResponse parameter
- Added new overload to MSIDWebviewFactory.oAuthResponseWithURL with httpResponse
- Updated MSIDAADWebviewFactory to create MSIDWebProfileInstallTriggerResponse with HTTP headers
- HTTP response now flows: Webview → Session → Authorization → Factory → Response
- Intune URL and token now properly extracted from HTTP headers
- Controller receives response with both intuneURL and intuneToken populated
- Backward compatible: New methods with default implementations

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Enable seamless embedded webview ↔ ASWebAuthenticationSession transitions for Intune profile installation" to "Enable seamless webview transitions for Intune profile installation with header-based authentication" on Feb 3, 2026
…AuthenticationSession flow

- Renamed profileSessionHandler → externalSessionHandler (generic naming)
- Renamed launchProfileInstallationSession → launchExternalSession (generic naming)
- Renamed dismissProfileInstallationSession → dismissExternalSession (generic naming)
- Updated all method parameters to be generic (profileURL → url)
- Updated documentation to describe generic external session flows
- Updated log messages to be generic (external session vs profile installation)
- Updated error messages to be generic
- Updated MSIDLocalInteractiveController to use new method names
- Coordinator is now reusable for ANY flow requiring ASWebAuthenticationSession transition
- No functional changes, only naming improvements for reusability

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Enable seamless webview transitions for Intune profile installation with header-based authentication" to "Enable seamless embedded webview ↔ ASWebAuthenticationSession transitions for server-driven external authentication flows" on Feb 3, 2026
…tion

- Removed dismissExternalSession call after successful callback
- ASWebAuthenticationSession completion handler already cleans up the session
- After successful callback (msauth://profileInstalled), just set externalSessionHandler = nil
- Prevents attempting to cancel an already-completed session
- dismissExternalSession should only be called for error/cancellation scenarios
- Updated documentation to clarify when to use dismiss vs nil assignment
- Updated log messages to indicate dismissal is for active session cancellation
- cleanup method still dismisses if session is somehow still active (safety net)

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Enable seamless embedded webview ↔ ASWebAuthenticationSession transitions for server-driven external authentication flows" to "Fix ASWebAuthenticationSession lifecycle: don't dismiss after successful completion" on Feb 4, 2026
- After msauth://profileInstalled callback, dismiss both webviews and switch to broker
- Added dismissSuspendedEmbeddedWebview method to coordinator
- Dismiss suspended embedded webview after profile installation
- Create MSIDBrokerInteractiveController after profile installation
- Broker invokes SSO extension to handle authentication in its own webview
- Response flows back to calling app through broker completion handler
- Updated cleanup to properly dismiss suspended webview
- Platform check for iOS (broker only available on iOS)
- Proper error handling for broker controller creation failures

Co-authored-by: Veena11 <9446116+Veena11@users.noreply.github.com>
Copilot AI changed the title from "Fix ASWebAuthenticationSession lifecycle: don't dismiss after successful completion" to "Enable broker context switch after Intune profile installation" on Feb 4, 2026
Copilot AI changed the title from "Enable broker context switch after Intune profile installation" to "Enable seamless webview-to-broker transitions for server-driven enrollment flows" on Feb 4, 2026
During authentication, servers may require device enrollment (e.g., Intune profile installation) via external flow before continuing. The authentication request must remain active throughout: embedded webview → ASWebAuthenticationSession → broker/SSO extension.
Response detection and header extraction
- MSIDWebProfileInstallTriggerResponse detects msauth://installProfile, extracts x-intune-url and x-intune-token from HTTP response headers
- MSIDWebInstallProfileResponse detects msauth://profileInstalled completion callback
- MSIDWebviewSession.lastHTTPResponse, flows through completion chain to factory via new overload methods

State-preserving coordinator
MSIDWebviewTransitionCoordinator manages transitions without request cancellation:
- suspendEmbeddedWebview() hides UI, preserves completion handlers and state
- launchExternalSession() creates ASWebAuthenticationSession with URL and headers (iOS 18+ additionalHeaderFields)
- dismissSuspendedEmbeddedWebview() cancels and releases for context switch

Broker handoff on enrollment completion
After msauth://profileInstalled:

Controller orchestrates flow (embedded webview only detects and returns responses), following existing MSIDWebWPJResponse pattern. Navigation canceled at trigger detection but completion handler not invoked—request remains active until broker completes.

Server contract
ASWebAuthenticationSession request includes token header (iOS 18+).
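
The header handling described above, as an added example that is not part of the PR or the project's code: it detects the msauth://installProfile trigger, reads x-intune-url and x-intune-token case-insensitively, and releases the token only when the URL is https on an expected host. The `Example*` names, the host allowlist and the sample values are assumptions; the PR description does not say how the header value is checked.

```objc
#import <Foundation/Foundation.h>
// Added example, not code from the PR. Example* names and the host allowlist are
// hypothetical; only the msauth URL and the header names come from the PR text.

// Case-insensitive header lookup over a plain dictionary.
static NSString *ExampleHeaderValue(NSDictionary<NSString *, NSString *> *headers, NSString *name)
{
    for (NSString *key in headers)
        if ([key caseInsensitiveCompare:name] == NSOrderedSame) return headers[key];
    return nil;
}

// Returns the enrollment URL only when the redirect is msauth://installProfile and
// x-intune-url is https on an allowlisted host; *outToken is set only in that case.
static NSURL *ExampleValidatedInstallURL(NSURL *redirect,
                                         NSDictionary<NSString *, NSString *> *headers,
                                         NSSet<NSString *> *allowedHosts,
                                         NSString **outToken)
{
    if (outToken) *outToken = nil;
    // Messaging nil returns 0 (NSOrderedSame), so check for nil before comparing.
    if (!redirect.scheme || [redirect.scheme caseInsensitiveCompare:@"msauth"] != NSOrderedSame) return nil;
    if (!redirect.host || [redirect.host caseInsensitiveCompare:@"installProfile"] != NSOrderedSame) return nil;
    NSString *urlString = ExampleHeaderValue(headers, @"x-intune-url");
    NSString *token = ExampleHeaderValue(headers, @"x-intune-token");
    if (urlString.length == 0 || token.length == 0) return nil;
    NSURLComponents *c = [NSURLComponents componentsWithString:urlString];
    if (![c.scheme.lowercaseString isEqualToString:@"https"]) return nil; // also rejects nil
    if (c.user || c.password) return nil;                                // no embedded credentials
    if (!c.host || ![allowedHosts containsObject:c.host.lowercaseString]) return nil;
    if (outToken) *outToken = token;
    return c.URL;
}

int main(void)
{
    @autoreleasepool {
        NSURL *redirect = [NSURL URLWithString:@"msauth://installProfile"];
        NSSet<NSString *> *allowed = [NSSet setWithObject:@"enroll.example.com"]; // constructed host
        NSString *token = nil;
        NSDictionary *ok = @{@"X-Intune-URL": @"https://enroll.example.com/p", @"X-Intune-Token": @"t"};
        NSURL *accepted = ExampleValidatedInstallURL(redirect, ok, allowed, &token);
        NSLog(@"accepted=%@ token=%@", accepted, token);   // mixed-case names, expected host
        NSDictionary *bad = @{@"x-intune-url": @"https://enroll.example.com.other.test/p", @"x-intune-token": @"t"};
        NSURL *rejected = ExampleValidatedInstallURL(redirect, bad, allowed, &token);
        NSLog(@"rejected=%@ token=%@", rejected, token);   // look-alike suffix host: no URL, no token
    }
    return 0;
}
```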