microsoft-authentication-library-for-android
Deadlock during second interactive brokered auth request if first request is abandoned
Describe the bug
If multiple simultaneous interactive brokered auth sessions are started in the same application, the second (and beyond) interactive session will deadlock on an infinite spinner until all former sessions are finished.
This issue has been observed during development and a temporary workaround has been identified, but this could block our migration from ADAL to MSAL and/or cause problems in production.
Smartphone (please complete the following information):
Observed on the following device/versions, but presumably is not device/version specific.
- Device: Pixel 4 XL
- Android Version: 12
- Browser: WebView (brokered auth)
- MSAL Version: 3.0.2. Also, using a pre-release Company Portal build with this version of MSAL and v4.1.0 of the broker library.
To Reproduce
- Launch ActivityA which starts an interactive brokered auth session.
- Once the brokered auth session starts and the authorization activity is visible, background the app.
- Launch ActivityB in the same app (e.g. from clicking a notification or, for repro purposes, via ADB) which also starts an interactive brokered auth session. This activity can be started on the same activity task stack or a new task stack within the application.
Expected behavior
The interactive session started by ActivityB starts and the user can authenticate.
Actual Behavior
The interactive session started by ActivityB deadlocks on an infinite spinner.
Additional context
The deadlock can only be resolved if the user returns to the interactive session started by ActivityA and finishes it, or if the broker process is killed.
As a temporary workaround, I have found that I can install an ActivityLifecycleMonitor and track instances of BrokerActivity in my app. Before starting a new interactive auth session, I can prevent deadlock by manually finishing these activities' affinity and the child activities they have started. This relies on implementation details of MSAL, however, so I am not confident in the workaround as a long-term solution.