Unable to create MultipleAccountPublicClientApplication when authorization_user_agent=DEFAULT and user has com.workjam.workjam app installed

[Greta-Rad]

We have an app in production running fine but from firebase logs discovered app is crashing for certain users.

Device: multiple, example Pixel 3XL
Android version: 9, 10, 11, 12
MSAL version: 4.0.5 (initially noticed on 2.2.3, updated to 4.0.5 but still crashing for the same reason)
Other preconditions:

1. adconfig configuration: "authorization_user_agent": "DEFAULT",
2. Install https://play.google.com/store/apps/details?id=com.workjam.workjam&hl=en&gl=US&pli=1 and relaunch your app.

PublicClientApplication.createMultipleAccountPublicClientApplication( application, getClientConfig() )

is throwing the following:

com.microsoft.identity.client.exception.MsalClientException: More than one app is listening for the URL scheme defined for BrowserTabActivity in the AndroidManifest. The package name of this other app is: com.workjam.workjam
    at com.microsoft.identity.client.PublicClientApplicationConfiguration.validateCustomTabRedirectActivity(PublicClientApplicationConfiguration.java:644)
    at com.microsoft.identity.client.PublicClientApplicationConfiguration.checkIntentFilterAddedToAppManifestForBrokerFlow(PublicClientApplicationConfiguration.java:661)
    at com.microsoft.identity.client.PublicClientApplication.initializeApplication(PublicClientApplication.java:1073)

Our manifest:

<activity
    android:name="com.microsoft.identity.client.BrowserTabActivity"
            android:screenOrientation="portrait"
            android:exported="true"
            tools:replace="android:exported"
            tools:ignore="AppLinkUrlError">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data
                    android:host="our_valid_app_id" <-- we have correct value in here -->
                    android:path="${loginPath}" <-- we also have correct value in here -->
                    android:scheme="msauth" />
        </intent-filter>
</activity>

PublicClientApplicationConfiguration.validateCustomTabRedirectActivity method gets 2 entries in resolveInfoList:
com.microsoft.identity.client.BrowserTabActivity
net.openid.appauth.RedirectUriReceiverActivity

I have decompiled Workjam app and there is the following declaration in manifest:

<activity android:name="net.openid.appauth.RedirectUriReceiverActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="com.workjam.workjam" android:host="login" android:pathPrefix="/oauth2"/>
    </intent-filter>
</activity>

If user uninstalls Workjam app, app is initialized correctly without exceptions being thrown.

[negoe]

@Greta-Rad Can you please confirm that you are not using the same redirect uri for both the apps i.e. Workjam and your other one? Redirect uri is combination of signature hash and package name. Please make sure that even if they have the same signature but at least package name is different or vice versa, to keep the redirect uri unique for both the apps.
You can find example redirect uri here .

[Greta-Rad]

Yeah, I confirm, the package name used in redirect_uri is our app's package name, the structure is as following
"redirect_uri": "msauth://our_package_name/our_signature_hash",

[Greta-Rad]

I have done some experimenting and it seems WorkJam app catches "msauth" scheme regardless of what package and signature hash is defined.

Steps to reproduce: we can create new app (msal dependency not required) and in MainActivity's on create add the following:

    val intent = Intent()
    intent.action = Intent.ACTION_VIEW
    intent.addCategory(Intent.CATEGORY_DEFAULT)
    intent.addCategory(Intent.CATEGORY_BROWSABLE)
    intent.setDataAndNormalize(Uri.parse("msauth://anything_here/also_anything_here"))

    val resolveInfoList: List<ResolveInfo> = packageManager.queryIntentActivities(
                intent,
                PackageManager.GET_RESOLVED_FILTER
    )
    Log.i(TAG, "Resolve info list: $resolveInfoList;")

if we have WorkJam app installed, it would print the following:
Resolve info list: [ResolveInfo{bd651da com.workjam.workjam/net.openid.appauth.RedirectUriReceiverActivity m=0x208000}];

@negoe Is there a reason why this check

microsoft-authentication-library-for-android/msal/src/main/java/com/microsoft/identity/client/internal/MsalUtils.java

Line 270 in 31c1fc8

for (final ResolveInfo info : resolveInfoList) {

is executed in a loop ? Wouldn't it just be enough to check only first entry (if it exists) and ignore others, because as per javadocs of PackageManager.queryIntentActivities: "... the first item is what would be returned by resolveActivity( ..."

[negoe]

@Greta-Rad the loop allows for multiple activities to be returned, in case there are multiple activities that can handle the same intent, and the developer can choose which one to use.
@shahzaibj Can you please verify if my understanding is correct here?