From 4602aada6075d3c0b36a9d6cc1fbb4c8a9c3f864 Mon Sep 17 00:00:00 2001
From: Wolfgang Mathurin
Date: Wed, 10 Jun 2026 15:12:30 -0700
Subject: [PATCH 1/3] W-22917333: Rename token endpoint wire keys beacon_child_consumer_{key,secret} to auto_installed_app_org_consumer_{key,secret}
Updates only the string values parsed from the token endpoint response. All code symbol names (constants, fields, getters, builder methods) are unchanged.
---
 .../salesforce/androidsdk/analytics/logger/LogRedactor.kt | 2 +-
 .../src/com/salesforce/androidsdk/accounts/UserAccount.java | 4 ++--
 .../salesforce/androidsdk/auth/AuthenticatorService.java | 4 ++--
 .../src/com/salesforce/androidsdk/auth/OAuth2.java | 4 ++--
 .../androidsdk/analytics/logger/SalesforceLoggerTest.java | 6 +++---
 .../com/salesforce/androidsdk/accounts/UserAccountTest.java | 4 ++--
 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/LogRedactor.kt b/libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/LogRedactor.kt
index 2247bd41cf..60e85dbb34 100644
--- a/libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/LogRedactor.kt
+++ b/libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/LogRedactor.kt
@@ -32,7 +32,7 @@ private val SENSITIVE_JSON_PATTERN = Regex(
 pattern = """("(?:access_token|refresh_token|id_token|csrf_token|sid""" +
 """|lightning_sid|visualforce_sid|content_sid|parent_sid""" +
 """|cookie-sid_Client|cookie-clientSrc""" +
- """|beacon_child_consumer_secret)"\s*:\s*")([^"]+)(")""",
+ """|auto_installed_app_org_consumer_secret)"\s*:\s*")([^"]+)(")""",
 option = RegexOption.IGNORE_CASE,
 )
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/accounts/UserAccount.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/accounts/UserAccount.java
index aadad63d11..84e1240a92 100644
--- a/libs/SalesforceSDK/src/com/salesforce/androidsdk/accounts/UserAccount.java
+++ b/libs/SalesforceSDK/src/com/salesforce/androidsdk/accounts/UserAccount.java
@@ -97,8 +97,8 @@ public class UserAccount {
 public static final String CLIENT_ID = "clientId";
 public static final String PARENT_SID = "parentSid";
 public static final String TOKEN_FORMAT = "tokenFormat";
- public static final String BEACON_CHILD_CONSUMER_KEY = "beacon_child_consumer_key";
- public static final String BEACON_CHILD_CONSUMER_SECRET = "beacon_child_consumer_secret";
+ public static final String BEACON_CHILD_CONSUMER_KEY = "auto_installed_app_org_consumer_key";
+ public static final String BEACON_CHILD_CONSUMER_SECRET = "auto_installed_app_org_consumer_secret";
 public static final String SCOPE = "scope";
 private static final String TAG = "UserAccount";
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/AuthenticatorService.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/AuthenticatorService.java
index 45b32d1ad2..08b112f93c 100644
--- a/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/AuthenticatorService.java
+++ b/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/AuthenticatorService.java
@@ -89,8 +89,8 @@ public class AuthenticatorService extends Service {
 public static final String KEY_SID_COOKIE_NAME = "sidCookieName";
 public static final String KEY_PARENT_SID = "parentSid";
 public static final String KEY_TOKEN_FORMAT = "tokenFormat";
- public static final String KEY_BEACON_CHILD_CONSUMER_KEY = "beacon_child_consumer_key";
- public static final String KEY_BEACON_CHILD_CONSUMER_SECRET = "beacon_child_consumer_secret";
+ public static final String KEY_BEACON_CHILD_CONSUMER_KEY = "auto_installed_app_org_consumer_key";
+ public static final String KEY_BEACON_CHILD_CONSUMER_SECRET = "auto_installed_app_org_consumer_secret";
 public static final String KEY_SCOPE = "scope";
 private static final String TAG = "AuthenticatorService";
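Review bot: In UserAccount.java, and in the AuthenticatorService.java hunk that follows it, the renamed constants look like account-storage keys rather than token endpoint wire keys: their neighbours `PARENT_SID = "parentSid"` and `KEY_TOKEN_FORMAT = "tokenFormat"` are camelCase, while the wire keys in OAuth2.java are `"parent_sid"` and `"token_format"`. If these values are used to persist or read the consumer key and secret (their use sites are not visible in these hunks), an account saved before this change would no longer find its values after upgrade, and the old secret would stay behind under the old key. The legacy fallback added later in the series covers only response parsing in OAuth2.java. Either keep the old values in these two files, e.g. `public static final String BEACON_CHILD_CONSUMER_SECRET = "beacon_child_consumer_secret";`, or read the old key when the new one is absent and delete the old entry once migrated.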
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java
index d815d33588..c7fde207f5 100644
--- a/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java
+++ b/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java
@@ -213,8 +213,8 @@ public class OAuth2 {
 private static final String SID_COOKIE_NAME = "sidCookieName";
 private static final String PARENT_SID = "parent_sid";
 private static final String TOKEN_FORMAT = "token_format";
- private static final String BEACON_CHILD_CONSUMER_SECRET = "beacon_child_consumer_secret";
- private static final String BEACON_CHILD_CONSUMER_KEY = "beacon_child_consumer_key";
+ private static final String BEACON_CHILD_CONSUMER_SECRET = "auto_installed_app_org_consumer_secret";
+ private static final String BEACON_CHILD_CONSUMER_KEY = "auto_installed_app_org_consumer_key";
 public static final DateFormat TIMESTAMP_FORMAT;
 static {
diff --git a/libs/test/SalesforceAnalyticsTest/src/com/salesforce/androidsdk/analytics/logger/SalesforceLoggerTest.java b/libs/test/SalesforceAnalyticsTest/src/com/salesforce/androidsdk/analytics/logger/SalesforceLoggerTest.java
index ddaab84002..5a8921b75e 100644
--- a/libs/test/SalesforceAnalyticsTest/src/com/salesforce/androidsdk/analytics/logger/SalesforceLoggerTest.java
+++ b/libs/test/SalesforceAnalyticsTest/src/com/salesforce/androidsdk/analytics/logger/SalesforceLoggerTest.java
@@ -242,9 +242,9 @@ public void testRedactParentSid() {
 @Test
 public void testRedactBeaconChildConsumerSecret() {
 final String value = randomString(11);
- final String input = "{\"beacon_child_consumer_secret\":\"" + value + "\"}";
- final String expected = "{\"beacon_child_consumer_secret\":\"" + expectedMask(value) + "\"}";
- Assert.assertEquals("beacon_child_consumer_secret should be redacted", expected, SalesforceLogger.redact(input));
+ final String input = "{\"auto_installed_app_org_consumer_secret\":\"" + value + "\"}";
+ final String expected = "{\"auto_installed_app_org_consumer_secret\":\"" + expectedMask(value) + "\"}";
+ Assert.assertEquals("auto_installed_app_org_consumer_secret should be redacted", expected, SalesforceLogger.redact(input));
 }
 /**
diff --git a/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/accounts/UserAccountTest.java b/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/accounts/UserAccountTest.java
index 3a05d7933d..e868804cd8 100644
--- a/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/accounts/UserAccountTest.java
+++ b/libs/test/SalesforceSDKTest/src/com/salesforce/androidsdk/accounts/UserAccountTest.java
@@ -655,8 +655,8 @@ private OAuth2.TokenEndpointResponse createTokenEndpointResponseLikeUserAgentFlo
 private OAuth2.TokenEndpointResponse createTokenEndpointResponseLikeWebServerFlow() {
 Map params = createTokenEndpointParams();
- params.put("beacon_child_consumer_key", TEST_BEACON_CHILD_CONSUMER_KEY);
- params.put("beacon_child_consumer_secret", TEST_BEACON_CHILD_CONSUMER_SECRET);
+ params.put("auto_installed_app_org_consumer_key", TEST_BEACON_CHILD_CONSUMER_KEY);
+ params.put("auto_installed_app_org_consumer_secret", TEST_BEACON_CHILD_CONSUMER_SECRET);
 JSONObject responseJson = new JSONObject(params);
 MediaType mediaType = MediaType.parse("application/json");
 ResponseBody responseBody = ResponseBody.create(responseJson.toString(), mediaType);
From dc62d22057a736edb54720489d19ca8e9b9ee192 Mon Sep 17 00:00:00 2001
From: Wolfgang Mathurin
Date: Wed, 10 Jun 2026 15:42:02 -0700
Subject: [PATCH 2/3] W-22917333: Fall back to beacon_child_consumer_{key,secret} if new field absent
Checks auto_installed_app_org_consumer_{key,secret} first; falls back to the old beacon_child_consumer_{key,secret} name for servers that have not yet rolled out version 264.
---
 .../src/com/salesforce/androidsdk/auth/OAuth2.java | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java b/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java
index c7fde207f5..d37288e240 100644
--- a/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java
+++ b/libs/SalesforceSDK/src/com/salesforce/androidsdk/auth/OAuth2.java
@@ -215,6 +215,9 @@ public class OAuth2 {
 private static final String TOKEN_FORMAT = "token_format";
 private static final String BEACON_CHILD_CONSUMER_SECRET = "auto_installed_app_org_consumer_secret";
 private static final String BEACON_CHILD_CONSUMER_KEY = "auto_installed_app_org_consumer_key";
+ // TODO: Remove legacy fallback constants once server version 264 has rolled out everywhere.
+ private static final String LEGACY_BEACON_CHILD_CONSUMER_SECRET = "beacon_child_consumer_secret";
+ private static final String LEGACY_BEACON_CHILD_CONSUMER_KEY = "beacon_child_consumer_key";
 public static final DateFormat TIMESTAMP_FORMAT;
 static {
@@ -1000,11 +1003,16 @@ public TokenEndpointResponse(Response response, List additionalOauthKeys
 tokenFormat = parsedResponse.optString(TOKEN_FORMAT);
 // Beacon child fields expected when using a beacon app and web server flow
+ // TODO: Remove LEGACY_BEACON_CHILD_CONSUMER_* fallback once server version 264 has rolled out everywhere.
 if (parsedResponse.has(BEACON_CHILD_CONSUMER_KEY)) {
 beaconChildConsumerKey = parsedResponse.getString(BEACON_CHILD_CONSUMER_KEY);
+ } else if (parsedResponse.has(LEGACY_BEACON_CHILD_CONSUMER_KEY)) {
+ beaconChildConsumerKey = parsedResponse.getString(LEGACY_BEACON_CHILD_CONSUMER_KEY);
 }
 if (parsedResponse.has(BEACON_CHILD_CONSUMER_SECRET)) {
 beaconChildConsumerSecret = parsedResponse.getString(BEACON_CHILD_CONSUMER_SECRET);
+ } else if (parsedResponse.has(LEGACY_BEACON_CHILD_CONSUMER_SECRET)) {
+ beaconChildConsumerSecret = parsedResponse.getString(LEGACY_BEACON_CHILD_CONSUMER_SECRET);
 }
 scope = parsedResponse.optString(SCOPE);
From 113d04f0ddff09b4da7891b6cc51e088250ef95a Mon Sep 17 00:00:00 2001
From: Wolfgang Mathurin
Date: Wed, 10 Jun 2026 15:44:00 -0700
Subject: [PATCH 3/3] W-22917333: Redact both old and new consumer secret field names in logs
LogRedactor now redacts both auto_installed_app_org_consumer_secret and beacon_child_consumer_secret. The old pattern is guarded with a TODO to remove it once server version 264 has rolled out everywhere.
---
 .../androidsdk/analytics/logger/LogRedactor.kt | 3 ++-
 .../analytics/logger/SalesforceLoggerTest.java | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/LogRedactor.kt b/libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/LogRedactor.kt
index 60e85dbb34..7c2a22016a 100644
--- a/libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/LogRedactor.kt
+++ b/libs/SalesforceAnalytics/src/com/salesforce/androidsdk/analytics/logger/LogRedactor.kt
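Review bot: The two `else if` branches added to the TokenEndpointResponse constructor in OAuth2.java have no test. This commit touches only OAuth2.java, and the previous commit switched createTokenEndpointResponseLikeWebServerFlow() in UserAccountTest to the new key names, so a response carrying only the legacy names is never parsed in the tests shown. A second fixture using `params.put("beacon_child_consumer_secret", TEST_BEACON_CHILD_CONSUMER_SECRET);` (and the same for the key) would pin the fallback until it is removed. The fallback is also keyed on `has()`, which in org.json is true for an explicit JSON null, so a server that sends the new key as null would skip the legacy value; whether that can occur is not visible here. The constructor starts and ends outside the hunk.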
@@ -28,11 +28,12 @@ package com.salesforce.androidsdk.analytics.logger
 private const val VISIBLE_CHARS = 4
+// TODO: Remove beacon_child_consumer_secret from pattern once server version 264 has rolled out everywhere.
 private val SENSITIVE_JSON_PATTERN = Regex(
 pattern = """("(?:access_token|refresh_token|id_token|csrf_token|sid""" +
 """|lightning_sid|visualforce_sid|content_sid|parent_sid""" +
 """|cookie-sid_Client|cookie-clientSrc""" +
- """|auto_installed_app_org_consumer_secret)"\s*:\s*")([^"]+)(")""",
+ """|auto_installed_app_org_consumer_secret|beacon_child_consumer_secret)"\s*:\s*")([^"]+)(")""",
 option = RegexOption.IGNORE_CASE,
 )
diff --git a/libs/test/SalesforceAnalyticsTest/src/com/salesforce/androidsdk/analytics/logger/SalesforceLoggerTest.java b/libs/test/SalesforceAnalyticsTest/src/com/salesforce/androidsdk/analytics/logger/SalesforceLoggerTest.java
index 5a8921b75e..7aa7e9306c 100644
--- a/libs/test/SalesforceAnalyticsTest/src/com/salesforce/androidsdk/analytics/logger/SalesforceLoggerTest.java
+++ b/libs/test/SalesforceAnalyticsTest/src/com/salesforce/androidsdk/analytics/logger/SalesforceLoggerTest.java
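Review bot: The TODO added above SENSITIVE_JSON_PATTERN in LogRedactor.kt schedules removal of `beacon_child_consumer_secret` from the redaction pattern at the same milestone as the parsing fallback in OAuth2.java, and nothing orders the two removals. If the redaction entry is removed first, or an older server is still reachable, the legacy secret would be logged unmasked, whereas keeping one extra alternative in the regex costs nothing. I would reword the comment to `// Keep beacon_child_consumer_secret in this pattern until the LEGACY_BEACON_CHILD_CONSUMER_* fallback in OAuth2 has been removed; remove it last, if at all.` The same ordering concern applies inside this series: the first commit drops the old name from the pattern and the second starts parsing it again, so the tree at the second commit leaves it unredacted.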
@@ -237,16 +237,28 @@ public void testRedactParentSid() {
 }
 /**
- * Test that beacon_child_consumer_secret is redacted in JSON.
+ * Test that auto_installed_app_org_consumer_secret is redacted in JSON.
 */
 @Test
- public void testRedactBeaconChildConsumerSecret() {
+ public void testRedactAutoInstalledAppOrgConsumerSecret() {
 final String value = randomString(11);
 final String input = "{\"auto_installed_app_org_consumer_secret\":\"" + value + "\"}";
 final String expected = "{\"auto_installed_app_org_consumer_secret\":\"" + expectedMask(value) + "\"}";
 Assert.assertEquals("auto_installed_app_org_consumer_secret should be redacted", expected, SalesforceLogger.redact(input));
 }
+ /**
+ * Test that beacon_child_consumer_secret is redacted in JSON.
+ * TODO: Remove once server version 264 has rolled out everywhere.
+ */
+ @Test
+ public void testRedactBeaconChildConsumerSecret() {
+ final String value = randomString(11);
+ final String input = "{\"beacon_child_consumer_secret\":\"" + value + "\"}";
+ final String expected = "{\"beacon_child_consumer_secret\":\"" + expectedMask(value) + "\"}";
+ Assert.assertEquals("beacon_child_consumer_secret should be redacted", expected, SalesforceLogger.redact(input));
+ }
+
 /**
 * Test that multiple sensitive keys in one JSON message are all redacted.
 */