AzureAD · Avery-Dunn · Jan 23, 2026 · Jan 10, 2026 · Jan 14, 2026 · Jan 14, 2026
@@ -368,9 +368,17 @@ public Builder nonce(String val) {
 
         /**
          * Specifies the method that should be used to send the authentication result to your app.
+         * @deprecated ResponseMode.QUERY is deprecated. If you pass ResponseMode.QUERY, it will be automatically overridden to ResponseMode.FORM_POST.
          */
         public Builder responseMode(ResponseMode val) {
-            this.responseMode = val;
+            // Override QUERY with FORM_POST as QUERY is deprecated
+            if (val == ResponseMode.QUERY) {
+                LOG.warn("ResponseMode.QUERY is deprecated and will be removed in a future release. " +
+                        "Automatically overriding to ResponseMode.FORM_POST.");
+                this.responseMode = ResponseMode.FORM_POST;
+            } else {
+                this.responseMode = val;
+            }
             return self();
         }
 

@@ -18,7 +18,9 @@ public enum ResponseMode {
     /**
      * Authorization result returned as query string in the redirect URL when redirecting back to the
      * client application.
+     * @deprecated Query response mode is no longer supported. Use FORM_POST instead. If provided, it will be automatically overridden to FORM_POST.
      */
+    @Deprecated
     QUERY("query"),
 
     /**

@@ -98,34 +98,35 @@ void testBuilder_conflictingParameters() {
     }
 
     @Test
-    void testBuilder_optionalParameters() throws UnsupportedEncodingException {
-        Set<String> clientCapabilities = new HashSet<>();
-        clientCapabilities.add("llt");
-        clientCapabilities.add("ssm");
-
-        PublicClientApplication app = PublicClientApplication.builder("client_id").clientCapabilities(clientCapabilities).build();
+    void testBuilder_responseMode() throws UnsupportedEncodingException {
+        PublicClientApplication app = PublicClientApplication.builder("client_id").build();
 
         String redirectUri = "http://localhost:8080";
         Set<String> scope = Collections.singleton("scope");
 
         AuthorizationRequestUrlParameters parameters =
                 AuthorizationRequestUrlParameters
                         .builder(redirectUri, scope)
-                        .extraScopesToConsent(new LinkedHashSet<>(Arrays.asList("extraScopeToConsent1", "extraScopeToConsent2")))
-                        .responseMode(ResponseMode.QUERY)
-                        .codeChallenge("challenge")
-                        .codeChallengeMethod("method")
-                        .state("app_state")
-                        .nonce("app_nonce")
-                        .correlationId("corr_id")
-                        .loginHint("hint")
-                        .domainHint("domain_hint")
-                        .claimsChallenge("{\"id_token\":{\"auth_time\":{\"essential\":true}},\"access_token\":{\"auth_time\":{\"essential\":true}}}")
-                        .prompt(Prompt.SELECT_ACCOUNT)
+                        .responseMode(ResponseMode.QUERY) // This should be overridden to FORM_POST
                         .build();
 
+        assertEquals(parameters.responseMode(), ResponseMode.FORM_POST);
+        assertEquals(parameters.redirectUri(), redirectUri);
+        assertEquals(parameters.scopes().size(), 4);
+
+        assertNull(parameters.loginHint());
+        assertNull(parameters.codeChallenge());
+        assertNull(parameters.codeChallengeMethod());
+        assertNull(parameters.correlationId());
+        assertNull(parameters.nonce());
+        assertNull(parameters.prompt());
+        assertNull(parameters.state());
+
         URL authorizationUrl = app.getAuthorizationRequestUrl(parameters);
 
+        assertEquals(authorizationUrl.getHost(), "login.microsoftonline.com");
+        assertEquals(authorizationUrl.getPath(), "/common/oauth2/v2.0/authorize");
+
         Map<String, String> queryParameters = new HashMap<>();
         String query = authorizationUrl.getQuery();
 
@@ -137,23 +138,10 @@ void testBuilder_optionalParameters() throws UnsupportedEncodingException {
                     URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
         }
 
-        assertEquals(queryParameters.get("scope"),
-                "openid profile offline_access scope extraScopeToConsent1 extraScopeToConsent2");
+        assertEquals(queryParameters.get("scope"), "openid profile offline_access scope");
         assertEquals(queryParameters.get("response_type"), "code");
         assertEquals(queryParameters.get("redirect_uri"), "http://localhost:8080");
         assertEquals(queryParameters.get("client_id"), "client_id");
-        assertEquals(queryParameters.get("prompt"), "select_account");
-        assertEquals(queryParameters.get("response_mode"), "query");
-        assertEquals(queryParameters.get("code_challenge"), "challenge");
-        assertEquals(queryParameters.get("code_challenge_method"), "method");
-        assertEquals(queryParameters.get("state"), "app_state");
-        assertEquals(queryParameters.get("nonce"), "app_nonce");
-        assertEquals(queryParameters.get("correlation_id"), "corr_id");
-        assertEquals(queryParameters.get("login_hint"), "hint");
-        assertEquals(queryParameters.get("domain_hint"), "domain_hint");
-        assertEquals(queryParameters.get("claims"), "{\"access_token\":{\"auth_time\":{\"essential\":true},\"xms_cc\":{\"values\":[\"llt\",\"ssm\"]}},\"id_token\":{\"auth_time\":{\"essential\":true}}}");
-
-        // CCS routing
-        assertEquals(queryParameters.get(HttpHeaders.X_ANCHOR_MAILBOX), String.format(HttpHeaders.X_ANCHOR_MAILBOX_UPN_FORMAT, "hint"));
+        assertEquals(queryParameters.get("response_mode"), "form_post");
     }
 }