From ab9cfc285ae6b73801e1521bde3ec0110f50eb5e Mon Sep 17 00:00:00 2001
From: Ashok Kumar Ramakrishnan <83938949+ashok672@users.noreply.github.com>
Date: Fri, 9 Jan 2026 16:15:56 -0800
Subject: [PATCH 1/3] Deprecate ResponseMode.QUERY in system browser auth flow, automatically override to FORM_POST with warning
---
 .../target/test-classes/log4j.properties | 5 ++
 .../AuthorizationRequestUrlParameters.java | 17 +++++--
 .../microsoft/aad/msal4j/ResponseMode.java | 2 +
 ...AuthorizationRequestUrlParametersTest.java | 46 +++++--------------
 4 files changed, 32 insertions(+), 38 deletions(-)
 create mode 100644 msal4j-persistence-extension/target/test-classes/log4j.properties
diff --git a/msal4j-persistence-extension/target/test-classes/log4j.properties b/msal4j-persistence-extension/target/test-classes/log4j.properties
new file mode 100644
index 00000000..73631c62
--- /dev/null
+++ b/msal4j-persistence-extension/target/test-classes/log4j.properties
@@ -0,0 +1,5 @@
+log4j.rootLogger=TRACE, stdout
+log4j.appender.stdout=org.apache.log4j.ConsoleAppender
+log4j.appender.stdout.Target=System.out
+log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
+log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd'T'HH:mm:ss.SSS} %-5p [%c] - %m%n
\ No newline at end of file
diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java
index bc92b006..cd013247 100644
--- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java
+++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java
@@ -113,9 +113,18 @@ private AuthorizationRequestUrlParameters(Builder builder) { } if (builder.responseMode != null) { - this.responseMode = builder.responseMode; - requestParameters.put("response_mode", - builder.responseMode.toString()); + // Override QUERY with FORM_POST as QUERY is deprecated + if (builder.responseMode == ResponseMode.QUERY) { + LOG.warn("ResponseMode.QUERY is deprecated and will be removed in a future release. " + + "Automatically overriding to ResponseMode.FORM_POST."); + this.responseMode = ResponseMode.FORM_POST; + requestParameters.put("response_mode", + ResponseMode.FORM_POST.toString()); + } else { + this.responseMode = builder.responseMode; + requestParameters.put("response_mode", + builder.responseMode.toString()); + } } else { this.responseMode = ResponseMode.FORM_POST; requestParameters.put("response_mode", @@ -368,7 +377,9 @@ public Builder nonce(String val) { /** * Specifies the method that should be used to send the authentication result to your app. + * @deprecated ResponseMode.QUERY is deprecated. If you pass ResponseMode.QUERY, it will be automatically overridden to ResponseMode.FORM_POST. */ + @Deprecated public Builder responseMode(ResponseMode val) { this.responseMode = val; return self(); diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ResponseMode.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ResponseMode.java index 9f24d2e7..f6c43ce2 100644 --- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ResponseMode.java +++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ResponseMode.java @@ -18,7 +18,9 @@ public enum ResponseMode { /** * Authorization result returned as query string in the redirect URL when redirecting back to the * client application. + * @deprecated Query response mode is no longer supported. Use FORM_POST instead. If provided, it will be automatically overridden to FORM_POST. */ + @Deprecated QUERY("query"), /** 
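Review bot: The QUERY-to-FORM_POST override sits in the `AuthorizationRequestUrlParameters(Builder)` constructor, so it applies to every caller that builds an authorization URL with this class, not only the system-browser flow named in the subject. An application whose redirect endpoint reads the authorization result from the query string will now receive a POST instead, and one WARN line is the only signal. If that endpoint ties `state` to a session cookie, a cross-site POST can arrive without the cookie depending on its SameSite setting, which is worth confirming before release. The comment and the log message should say why and what the caller must change, for example `// QUERY returns the authorization result in the redirect URL; force FORM_POST so it is delivered in a POST body instead`. The constructor starts and ends outside the hunk.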
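Review bot: The `@deprecated` tag and `@Deprecated` annotation added in the `@@ -368,7 +377,9 @@` hunk deprecate the whole `responseMode(ResponseMode)` setter, although the text says only `ResponseMode.QUERY` is affected, so callers passing `FORM_POST` would see a deprecation warning too. PATCH 2/3 removes the annotation but keeps the tag, which Javadoc still renders as a deprecated method and which javac has historically treated as a deprecation marker as well. A plain sentence avoids that: `Note: {@link ResponseMode#QUERY} is deprecated; if passed, it is replaced by {@link ResponseMode#FORM_POST}.` The Builder class body lies outside the hunk.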
diff --git a/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParametersTest.java b/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParametersTest.java
index e7976478..d629eabe 100644
--- a/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParametersTest.java
+++ b/msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParametersTest.java
@@ -98,32 +98,23 @@ void testBuilder_conflictingParameters() { } @Test - void testBuilder_optionalParameters() throws UnsupportedEncodingException { - Set clientCapabilities = new HashSet<>(); - clientCapabilities.add("llt"); - clientCapabilities.add("ssm"); - - PublicClientApplication app = PublicClientApplication.builder("client_id").clientCapabilities(clientCapabilities).build(); + void testBuilder_queryResponseModeIsOverriddenToFormPost() throws UnsupportedEncodingException { + PublicClientApplication app = PublicClientApplication.builder("client_id").build(); String redirectUri = "http://localhost:8080"; Set scope = Collections.singleton("scope"); + // Test that when QUERY is passed (deprecated), it's overridden to FORM_POST AuthorizationRequestUrlParameters parameters = AuthorizationRequestUrlParameters .builder(redirectUri, scope) - .extraScopesToConsent(new LinkedHashSet<>(Arrays.asList("extraScopeToConsent1", "extraScopeToConsent2"))) - .responseMode(ResponseMode.QUERY) - .codeChallenge("challenge") - .codeChallengeMethod("method") - .state("app_state") - .nonce("app_nonce") - .correlationId("corr_id") - .loginHint("hint") - .domainHint("domain_hint") - .claimsChallenge("{\"id_token\":{\"auth_time\":{\"essential\":true}},\"access_token\":{\"auth_time\":{\"essential\":true}}}") - .prompt(Prompt.SELECT_ACCOUNT) + .responseMode(ResponseMode.QUERY) // Deprecated - should be overridden .build(); + // Verify that the responseMode is overridden to FORM_POST + assertEquals(ResponseMode.FORM_POST, parameters.responseMode(), + "ResponseMode.QUERY should be overridden to ResponseMode.FORM_POST"); + URL authorizationUrl = app.getAuthorizationRequestUrl(parameters); Map queryParameters = new HashMap<>(); 
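Review bot: Turning `testBuilder_optionalParameters` into the override test removes the assertions for `code_challenge`, `code_challenge_method`, `state`, `nonce`, `login_hint`, the merged `claims` value with client capabilities, and the CCS routing header; the deleted assertions are in the following hunk, `@@ -137,23 +128,8 @@`. Unless those are covered elsewhere, a regression in how the security-relevant request parameters are serialised would no longer be caught. Keep the original test with `.responseMode(ResponseMode.FORM_POST)` and `assertEquals("form_post", queryParameters.get("response_mode"));`, and add the override case as a separate test method. The test class starts and ends outside these hunks.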
@@ -137,23 +128,8 @@ void testBuilder_optionalParameters() throws UnsupportedEncodingException { URLDecoder.decode(pair.substring(idx + 1), "UTF-8")); } - assertEquals(queryParameters.get("scope"), - "openid profile offline_access scope extraScopeToConsent1 extraScopeToConsent2"); - assertEquals(queryParameters.get("response_type"), "code"); - assertEquals(queryParameters.get("redirect_uri"), "http://localhost:8080"); - assertEquals(queryParameters.get("client_id"), "client_id"); - assertEquals(queryParameters.get("prompt"), "select_account"); - assertEquals(queryParameters.get("response_mode"), "query"); - assertEquals(queryParameters.get("code_challenge"), "challenge"); - assertEquals(queryParameters.get("code_challenge_method"), "method"); - assertEquals(queryParameters.get("state"), "app_state"); - assertEquals(queryParameters.get("nonce"), "app_nonce"); - assertEquals(queryParameters.get("correlation_id"), "corr_id"); - assertEquals(queryParameters.get("login_hint"), "hint"); - assertEquals(queryParameters.get("domain_hint"), "domain_hint"); - assertEquals(queryParameters.get("claims"), "{\"access_token\":{\"auth_time\":{\"essential\":true},\"xms_cc\":{\"values\":[\"llt\",\"ssm\"]}},\"id_token\":{\"auth_time\":{\"essential\":true}}}"); - - // CCS routing - assertEquals(queryParameters.get(HttpHeaders.X_ANCHOR_MAILBOX), String.format(HttpHeaders.X_ANCHOR_MAILBOX_UPN_FORMAT, "hint")); + // Verify that the actual response_mode parameter is "form_post", not "query" + assertEquals("form_post", queryParameters.get("response_mode"), + "response_mode query parameter should be 'form_post' even when QUERY was specified"); } } From 7379d7b5961f3a4c069d4fc802c04a0bb5f1cbac Mon Sep 17 00:00:00 2001 
From: Ashok Kumar Ramakrishnan <83938949+ashok672@users.noreply.github.com> Date: Wed, 14 Jan 2026 11:21:27 -0800 Subject: [PATCH 2/3] Update msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java | 1 - 1 file changed, 1 deletion(-) diff --git a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java index cd013247..b9c8b5d8 100644 --- a/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java +++ b/msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java @@ -379,7 +379,6 @@ public Builder nonce(String val) { * Specifies the method that should be used to send the authentication result to your app. * @deprecated ResponseMode.QUERY is deprecated. If you pass ResponseMode.QUERY, it will be automatically overridden to ResponseMode.FORM_POST. */ - @Deprecated public Builder responseMode(ResponseMode val) { this.responseMode = val; return self(); From 34a34eec7c96cc07992f2df15698fe3e2c08502e Mon Sep 17 00:00:00 2001 From: Ashok Kumar Ramakrishnan <83938949+ashok672@users.noreply.github.com> Date: Wed, 14 Jan 2026 11:38:53 -0800 Subject: [PATCH 3/3] Update msal4j-persistence-extension/target/test-classes/log4j.properties Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../target/test-classes/log4j.properties | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/msal4j-persistence-extension/target/test-classes/log4j.properties b/msal4j-persistence-extension/target/test-classes/log4j.properties index 73631c62..b59c17fa 100644 --- a/msal4j-persistence-extension/target/test-classes/log4j.properties +++ b/msal4j-persistence-extension/target/test-classes/log4j.properties 
@@ -1,5 +1,10 @@
-log4j.rootLogger=TRACE, stdout
-log4j.appender.stdout=org.apache.log4j.ConsoleAppender
-log4j.appender.stdout.Target=System.out
-log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd'T'HH:mm:ss.SSS} %-5p [%c] - %m%n
\ No newline at end of file
+# This file is located under the Maven/Gradle build output directory:
+# msal4j-persistence-extension/target/test-classes/log4j.properties
+# It should not be tracked in version control and should be removed
+# from the repository, with the entire `target/` directory ignored
+# via .gitignore (or equivalent).
+#
+# The contents below were removed to prevent this accidental artifact
+# from affecting runtime logging configuration. Do not add any active
+# Log4j configuration here; instead, place it under src/test/resources
+# or src/main/resources as appropriate.
\ No newline at end of file
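Review bot: The file stays tracked under `target/test-classes/`, which the new comment itself describes as build output that should not be in version control. A comment-only placeholder is likely to be overwritten by any build that copies test resources into that directory, which leaves the working tree dirty and can bring active settings back into the tracked copy. Delete the file in this series and add `target/` to `.gitignore` instead. If the module needs test logging, keep it in `src/test/resources/log4j.properties` and choose the root level deliberately, since PATCH 1/3 had set it to `TRACE` on stdout.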