Deprecate ResponseMode.QUERY in system browser auth flow, automatically override to FORM_POST with warning

msal4j-persistence-extension/target/test-classes/log4j.properties

@@ -0,0 +1,10 @@
+# This file is located under the Maven/Gradle build output directory:
+#   msal4j-persistence-extension/target/test-classes/log4j.properties
+# It should not be tracked in version control and should be removed
+# from the repository, with the entire `target/` directory ignored
+# via .gitignore (or equivalent).
+#
+# The contents below were removed to prevent this accidental artifact
+# from affecting runtime logging configuration. Do not add any active
+# Log4j configuration here; instead, place it under src/test/resources
+# or src/main/resources as appropriate.

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParameters.java

@@ -113,9 +113,18 @@ private AuthorizationRequestUrlParameters(Builder builder) {
         }
 
         if (builder.responseMode != null) {
-            this.responseMode = builder.responseMode;
-            requestParameters.put("response_mode",
-                    builder.responseMode.toString());
+            // Override QUERY with FORM_POST as QUERY is deprecated
+            if (builder.responseMode == ResponseMode.QUERY) {
+                LOG.warn("ResponseMode.QUERY is deprecated and will be removed in a future release. " +
+                        "Automatically overriding to ResponseMode.FORM_POST.");
+                this.responseMode = ResponseMode.FORM_POST;
+                requestParameters.put("response_mode",
+                        ResponseMode.FORM_POST.toString());
+            } else {
+                this.responseMode = builder.responseMode;
+                requestParameters.put("response_mode",
+                        builder.responseMode.toString());
+            }
         } else {
             this.responseMode = ResponseMode.FORM_POST;
             requestParameters.put("response_mode",
@@ -368,6 +377,7 @@ public Builder nonce(String val) {
 
         /**
          * Specifies the method that should be used to send the authentication result to your app.
+         * @deprecated ResponseMode.QUERY is deprecated. If you pass ResponseMode.QUERY, it will be automatically overridden to ResponseMode.FORM_POST.
          */
         public Builder responseMode(ResponseMode val) {
             this.responseMode = val;

msal4j-sdk/src/main/java/com/microsoft/aad/msal4j/ResponseMode.java

@@ -18,7 +18,9 @@ public enum ResponseMode {
     /**
      * Authorization result returned as query string in the redirect URL when redirecting back to the
      * client application.
+     * @deprecated Query response mode is no longer supported. Use FORM_POST instead. If provided, it will be automatically overridden to FORM_POST.
      */
+    @Deprecated
     QUERY("query"),
 
     /**

msal4j-sdk/src/test/java/com/microsoft/aad/msal4j/AuthorizationRequestUrlParametersTest.java

@@ -98,32 +98,23 @@ void testBuilder_conflictingParameters() {
     }
 
     @Test
-    void testBuilder_optionalParameters() throws UnsupportedEncodingException {
-        Set<String> clientCapabilities = new HashSet<>();
-        clientCapabilities.add("llt");
-        clientCapabilities.add("ssm");
-
-        PublicClientApplication app = PublicClientApplication.builder("client_id").clientCapabilities(clientCapabilities).build();
+    void testBuilder_queryResponseModeIsOverriddenToFormPost() throws UnsupportedEncodingException {
+        PublicClientApplication app = PublicClientApplication.builder("client_id").build();
 
         String redirectUri = "http://localhost:8080";
         Set<String> scope = Collections.singleton("scope");
 
+        // Test that when QUERY is passed (deprecated), it's overridden to FORM_POST
         AuthorizationRequestUrlParameters parameters =
                 AuthorizationRequestUrlParameters
                         .builder(redirectUri, scope)
-                        .extraScopesToConsent(new LinkedHashSet<>(Arrays.asList("extraScopeToConsent1", "extraScopeToConsent2")))
-                        .responseMode(ResponseMode.QUERY)
-                        .codeChallenge("challenge")
-                        .codeChallengeMethod("method")
-                        .state("app_state")
-                        .nonce("app_nonce")
-                        .correlationId("corr_id")
-                        .loginHint("hint")
-                        .domainHint("domain_hint")
-                        .claimsChallenge("{\"id_token\":{\"auth_time\":{\"essential\":true}},\"access_token\":{\"auth_time\":{\"essential\":true}}}")
-                        .prompt(Prompt.SELECT_ACCOUNT)
+                        .responseMode(ResponseMode.QUERY)  // Deprecated - should be overridden
                         .build();
 
+        // Verify that the responseMode is overridden to FORM_POST
+        assertEquals(ResponseMode.FORM_POST, parameters.responseMode(), 
+                "ResponseMode.QUERY should be overridden to ResponseMode.FORM_POST");
+
         URL authorizationUrl = app.getAuthorizationRequestUrl(parameters);
 
         Map<String, String> queryParameters = new HashMap<>();
@@ -137,23 +128,8 @@ void testBuilder_optionalParameters() throws UnsupportedEncodingException {
                     URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
         }
 
-        assertEquals(queryParameters.get("scope"),
-                "openid profile offline_access scope extraScopeToConsent1 extraScopeToConsent2");
-        assertEquals(queryParameters.get("response_type"), "code");
-        assertEquals(queryParameters.get("redirect_uri"), "http://localhost:8080");
-        assertEquals(queryParameters.get("client_id"), "client_id");
-        assertEquals(queryParameters.get("prompt"), "select_account");
-        assertEquals(queryParameters.get("response_mode"), "query");
-        assertEquals(queryParameters.get("code_challenge"), "challenge");
-        assertEquals(queryParameters.get("code_challenge_method"), "method");
-        assertEquals(queryParameters.get("state"), "app_state");
-        assertEquals(queryParameters.get("nonce"), "app_nonce");
-        assertEquals(queryParameters.get("correlation_id"), "corr_id");
-        assertEquals(queryParameters.get("login_hint"), "hint");
-        assertEquals(queryParameters.get("domain_hint"), "domain_hint");
-        assertEquals(queryParameters.get("claims"), "{\"access_token\":{\"auth_time\":{\"essential\":true},\"xms_cc\":{\"values\":[\"llt\",\"ssm\"]}},\"id_token\":{\"auth_time\":{\"essential\":true}}}");
-
-        // CCS routing
-        assertEquals(queryParameters.get(HttpHeaders.X_ANCHOR_MAILBOX), String.format(HttpHeaders.X_ANCHOR_MAILBOX_UPN_FORMAT, "hint"));
+        // Verify that the actual response_mode parameter is "form_post", not "query"
+        assertEquals("form_post", queryParameters.get("response_mode"), 
+                "response_mode query parameter should be 'form_post' even when QUERY was specified");
     }
 }