Add OnboardingBlockingErrorParser bridging clitelem/error_codes into the onboarding blob, Fixes AB#3462876 #3122
wzhipan wants to merge 11 commits into
…g blob Provides a small Kotlin helper that callers (OneAuth navigation fragment, broker error handler, etc.) can invoke after a failed token request to extract the eSTS-emitted error code from MicrosoftTokenResponse (which already carries the parsed x-ms-clitelem header values) and feed it into OnboardingTelemetryRecorder.addBlockingError(...). Per design spec §10, position-2 errorCode of the x-ms-clitelem header is the canonical attribution source for blocking errors. Sub-error code is preferred when present for finer-grained classification; otherwise falls back to the top-level error code. Returns null when no error or error is '0'. Includes 9 unit tests covering both overloads (MicrosoftTokenResponse and raw header string).
Some 5-digit AADSTS codes look like blocking errors syntactically but are
not onboarding-remediation signals. Excluding them at the policy boundary so
callers don't have to filter individually:
- 50058 UserInformationNotProvided (no SSO session - normal sign-in path)
- 50097 DeviceAuthenticationRequired (in-flow device auth challenge; if WPJ
runs we already record DeviceRegistrationStarted)
- 50126 InvalidUserNameOrPassword (wrong credentials - user error)
Filter applies in both extractBlockingError overloads (MicrosoftTokenResponse
and raw x-ms-clitelem header string). Adds 6 new tests covering each excluded
code, sub-error fallthrough behavior, and a sanity check that non-excluded
codes still pass.
eSTS commonly emits multiple AADSTS codes in the OAuth 'error_codes' query parameter on authorization redirect failures (e.g. '50058,53003' = no SSO session AND CA-blocked). The single-value overloads return only the most-specific identifier from the x-ms-clitelem header; for Path B we want all qualifying codes since the schema's blocking_errors[] is already an array and callers can invoke addBlockingError once per code.

extractBlockingErrorsFromAuthorizationErrorCodes filters:
- empty entries (trailing commas)
- the literal '0' (eSTS no-error sentinel)
- codes in NON_ONBOARDING_AADSTS_CODES (50058, 50097, 50126)
- duplicates (preserves first-occurrence order)

Adds 10 tests covering null/blank/single/multiple/excluded/all-excluded/zero-sentinel/empty-entries/whitespace/duplicates cases.
✅ Work item link check complete. Description contains link AB#3462876 to an Azure Boards work item.
❌ Work item link check failed. Description contains AB#3462876 but the Bot could not link it to an Azure Boards work item.
Pull request overview
Adds a new Common4j parser utility to convert eSTS-provided “blocking” error signals into onboarding-telemetry-friendly values, enabling richer onboarding attribution from both token responses and authorization redirects.
Changes:
- Introduces `OnboardingBlockingErrorParser` to extract blocking errors from `MicrosoftTokenResponse` (via `x-ms-clitelem`) and from OAuth `error_codes` (multi-value).
- Adds unit tests covering token/header parsing, exclusion filtering, multi-value behavior, and malformed inputs.
- Updates `changelog.txt` with a vNext MINOR entry for the new parser.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| common4j/src/main/com/microsoft/identity/common/java/telemetry/OnboardingBlockingErrorParser.kt | New parser bridging x-ms-clitelem + OAuth error_codes into onboarding blocking-error strings with filtering. |
| common4j/src/test/com/microsoft/identity/common/java/telemetry/OnboardingBlockingErrorParserTest.kt | Unit tests for the new parser behavior and edge cases. |
| changelog.txt | Adds a vNext entry documenting the new parser feature. |
- Fix malformed KDoc reference in OnboardingBlockingErrorParser (extra ']' after AbstractMicrosoftStsTokenResponseHandler)
- Align KDoc field names with the actual snake_case blob schema (last_blocking_error / blocking_errors) and reference the constants
- Update the attribution precedence docs to match the implementation: the parser prefers serverSubErrorCode (most specific) and falls back to serverErrorCode, rather than the previous wording that implied errorCode was canonical
- Test: rename 'Non-onboarding AADSTS code whitelist' to 'exclusion list' to reflect that the codes are being filtered out, not allowed
- Changelog: add PR reference #3122 to the new vNext entry
…metry-clitelem-v2
…metry-clitelem-v2 # Conflicts: # changelog.txt
Rebased onto latest dev and resolved changelog conflicts. Please re-review when you get a chance.
…test + corrupted Robolectric JAR cache + equal-coverage compare bug)
C5 in the onboarding telemetry feature series (follows merged #3088 / #3111 / #3117; sibling of #3121 C3).

Adds `OnboardingBlockingErrorParser` so the onboarding blob captures rich AADSTS / OAuth blocking errors during interactive token requests — not just the small set of WebViewResultCodes OneAuth currently maps to `BROKER_INSTALLATION_TRIGGERED`/`MDM_FLOW`.

What this adds:
- `MicrosoftTokenResponse` (covers `x-ms-clitelem` `errorCode` + sub-error).
- `error_codes` parameter — multi-value overload so all listed codes are captured.
- `50058` (no signed-in user)
- `50097` (device authentication required — not an onboarding block per se)
- `50126` (invalid credentials)

Usage: Consumers (OneAuth EmbeddedBrowser, Broker error handler) call `OnboardingBlockingErrorParser.parse...()` and feed results to `OnboardingTelemetryRecorder.addBlockingError()`. No callers wired in this PR.

Tests: `OnboardingBlockingErrorParserTest` (~250 LOC) covers all parse paths, exclusion list, multi-value behavior, and malformed inputs.

Fixes AB#3462876
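
The multi-value `error_codes` filtering rules listed in the commit message above (empty entries, the `0` sentinel, the three excluded codes, duplicates), written out as an added Kotlin sketch. This is not the PR's `OnboardingBlockingErrorParser` source: the names `EXCLUDED_AADSTS_CODES`, `NO_ERROR_SENTINEL` and `filterAuthorizationErrorCodes` are hypothetical, trimming whitespace around each entry is an assumption, and the sample inputs are constructed.

```kotlin
// Added illustration; not the PR's OnboardingBlockingErrorParser source.
// Hypothetical names: EXCLUDED_AADSTS_CODES, NO_ERROR_SENTINEL,
// filterAuthorizationErrorCodes.

/** Codes the PR lists as not being onboarding-remediation signals. */
val EXCLUDED_AADSTS_CODES: Set<String> = setOf(
    "50058", // UserInformationNotProvided (no SSO session)
    "50097", // DeviceAuthenticationRequired
    "50126", // InvalidUserNameOrPassword
)

/** The eSTS "no error" sentinel described in the commit message. */
const val NO_ERROR_SENTINEL = "0"

/**
 * Reduces a comma-separated OAuth error_codes value to the codes that
 * qualify as blocking errors, keeping first-occurrence order.
 */
fun filterAuthorizationErrorCodes(errorCodes: String?): List<String> {
    if (errorCodes.isNullOrBlank()) return emptyList()
    val seen = LinkedHashSet<String>() // insertion-ordered, drops repeats
    for (entry in errorCodes.split(',')) {
        val code = entry.trim() // assumption: surrounding whitespace is ignored
        if (code.isEmpty()) continue            // trailing or doubled commas
        if (code == NO_ERROR_SENTINEL) continue // eSTS reported no error
        if (code in EXCLUDED_AADSTS_CODES) continue
        seen.add(code)
    }
    return seen.toList()
}

fun main() {
    // Constructed sample inputs, one per rule.
    val samples = listOf(
        "50058,53003",         // excluded code next to a qualifying one
        "53003, 53000,53003,", // whitespace, duplicate, trailing comma
        "0",                   // sentinel only
        "50058,50126",         // every entry excluded
        null,                  // parameter absent
    )
    for (s in samples) println("$s -> ${filterAuthorizationErrorCodes(s)}")
}
```

Each returned element would be passed to one `addBlockingError` call, matching the "once per code" usage the commit message describes.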