Microsoft-authentication-library-for-dotnet: SSO in Android using system browser approach not working

Created on 17 Jun 2020 · 11 Comments · Source: AzureAD/microsoft-authentication-library-for-dotnet

Description
As given in the documentation, we have tried configuring SSO by using the system browser option. But it seems it's not working. Can you please suggest what I am missing?


App.PCA = PublicClientApplicationBuilder.Create(B2CConstants.ClientID)
    .WithRedirectUri($"msal{B2CConstants.ClientID}://auth")
    .WithIosKeychainSecurityGroup("com.microsoft.adalcache")
    .WithParentActivityOrWindow(() => App.ParentWindow)
    .WithAuthority(new Uri(B2CConstants.Authority))
    .Build();

AuthResult = await App.PCA.AcquireTokenInteractive(B2CConstants.Scopes)
    .WithAccount(LoginHelper.GetUserByPolicy(await App.PCA.GetAccountsAsync(), B2CConstants.PolicySignUpSignIn))
    .WithUseEmbeddedWebView(false)
    .WithParentActivityOrWindow(App.ParentWindow)
    .ExecuteAsync();

By default, MSAL is supposed to use the system browser and share cookies for SSO. I have built 2 apps with the same values, but SSO doesn't seem to work. Please help me in this regard.

Devices:

  • Android Version: API 27, 28
  • Using Xamarin MSAL. Version : 4.13.0

Steps to reproduce the behavior:

  1. Create two different apps with the same MSAL configuration.
  2. Use default settings when creating the PCA object. As per the documentation, by default MSAL sets the authentication agent to 'system browser'.
  3. Log in to one application.
  4. Try to log in to the other application; it should ideally auto-login the user if we use silent login. But as the token is null, the user has to log in again. SSO doesn't seem to work.
  5. SSO settings are enabled on Azure.

Expected behavior
The system browser authentication agent SSO approach is expected to work as per the documentation.

Actual Behavior
SSO with the system browser option is not working.

References
https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-web-browsers
https://developer.microsoft.com/en-us/identity/blogs/microsoft-authentication-libraries-for-android-ios-and-macos-are-now-generally-available/

https://docs.microsoft.com/en-us/azure/active-directory/develop/authorization-agents

In Progress answered question

All 11 comments

Hi @SravanthiKare, it seems like you are using the MSAL .NET library. I am attaching the link where you can post this issue, which would be the correct place to ask these doubts:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues

Please let us know if any other help is needed.

@SravanthiKare I have transferred the issue to the correct repository :)

@SravanthiKare Also, if I could suggest, I can see that you are using
AuthResult = await App.PCA.AcquireTokenInteractive
probably in both your applications. It would help if you could use AcquireTokenSilent in the second one, since AcquireTokenInteractive would always display a login prompt.

The only way to get SSO between applications on mobile is to use a broker (Authenticator or Company Portal). I am not aware of the system browser being able to provide SSO - can you point us to the docs you found?

@bgavrilMS

I think I have already added the references to the documentation in the issue description. Can you please refer to those links once?

@SravanthiKare Also, if I could suggest, I can see that you are using

AuthResult = await App.PCA.AcquireTokenInteractive

probably in both your applications. It would help if you could use AcquireTokenSilent in the second one, since AcquireTokenInteractive would always display a login prompt.

@trwalke

AcquireTokenInteractive is being called after an unsuccessful call to get a silent token. So, in the second app we are actually calling AcquireToken first; as it couldn't acquire the token silently, we are triggering AcquireTokenInteractive. Hope that answers your query.

There are 2 levels of SSO that you can achieve. One is controlled by the SDK and one is controlled by the service itself.

The SDK maintains a cache of all the tokens. AcquireTokenSilent is used to retrieve tokens from this cache. Tokens from one application CANNOT be used for another application, and AcquireTokenSilent will fail. Moreover, the token cache on Android is stored in shared preferences and this location isn't even accessible by different apps. So SSO between apps via the SDK is not possible, except through the use of a broker (Authenticator or Company Portal).

AAD is responsible for the content of the browser, including session cookies. When you use the system browser, via AcquireTokenInteractive, it remembers previous logged in users. This is the SSO that you are trying to get I believe.

TLDR; I believe that if you use the standard pattern of

try AcquireTokenSilent 
catch AcquireTokenInteractive

You will provide the best user experience.
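The silent-then-interactive pattern described above, applied to the builder and request shown in the issue description, as an added example (this is not code from the issue or from the MSAL.NET repository). It assumes MSAL.NET 4.x on Xamarin.Android; the client id, tenant, policy, scope and the GetAccountByPolicy helper are placeholders, not values from the page. The catch is deliberately limited to MsalUiRequiredException: only that exception means "the local cache cannot serve this request", and any other MsalException (bad configuration, network failure) is left to surface rather than being turned into a repeated login prompt.

```csharp
// Added example (not code from the issue or from MSAL.NET itself).
// Assumes MSAL.NET 4.x on Xamarin.Android and the placeholder values in AuthConfig.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class AuthConfig
{
    // Placeholder values; replace with the app's own B2C registration.
    public const string ClientId = "00000000-0000-0000-0000-000000000000";
    public const string Tenant = "contosob2c.onmicrosoft.com";
    public const string PolicySignUpSignIn = "B2C_1_susi";
    public static readonly string Authority =
        $"https://contosob2c.b2clogin.com/tfp/{Tenant}/{PolicySignUpSignIn}";
    public static readonly string[] Scopes = { $"https://{Tenant}/api/read" };
}

public class TokenProvider
{
    private readonly IPublicClientApplication _pca;
    private readonly Func<object> _parentActivity;

    public TokenProvider(Func<object> parentActivity)
    {
        _parentActivity = parentActivity;
        _pca = PublicClientApplicationBuilder.Create(AuthConfig.ClientId)
            .WithAuthority(new Uri(AuthConfig.Authority))
            .WithRedirectUri($"msal{AuthConfig.ClientId}://auth")
            .WithParentActivityOrWindow(parentActivity)
            // .WithBroker(true) would route requests through Authenticator / Company Portal,
            // which is the only cross-app SSO path the SDK offers on Android (assumption:
            // requires an MSAL.NET release with Android broker support).
            .Build();
    }

    // Level 1 (SDK): this app's own token cache. Level 2 (service): the system
    // browser's session cookies, which may let the interactive step skip credentials.
    public async Task<AuthenticationResult> GetTokenAsync()
    {
        IEnumerable<IAccount> accounts = await _pca.GetAccountsAsync();
        IAccount account = GetAccountByPolicy(accounts, AuthConfig.PolicySignUpSignIn);

        if (account != null)
        {
            try
            {
                // Served from THIS app's cache (or renewed with its refresh token).
                return await _pca.AcquireTokenSilent(AuthConfig.Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Expected on first run in a second app: caches are per-app on Android,
                // so fall through to the interactive request. Other MsalExceptions propagate.
            }
        }

        // System browser (WithUseEmbeddedWebView(false)); AAD/B2C decides, based on its
        // own cookies, whether the user must enter credentials again.
        return await _pca.AcquireTokenInteractive(AuthConfig.Scopes)
            .WithAccount(account)
            .WithUseEmbeddedWebView(false)
            .WithParentActivityOrWindow(_parentActivity())
            .ExecuteAsync();
    }

    // Hypothetical helper standing in for the issue's LoginHelper.GetUserByPolicy:
    // picks the cached account whose B2C home account id ends with the policy name.
    private static IAccount GetAccountByPolicy(IEnumerable<IAccount> accounts, string policy)
    {
        return accounts.FirstOrDefault(a =>
            a.HomeAccountId.ObjectId.Split('.')[0]
                .EndsWith(policy, StringComparison.OrdinalIgnoreCase));
    }
}
```

On Android the interactive call also needs the usual wiring that is not shown here: a BrowserTabActivity intent filter for the msal{ClientId}://auth redirect, and a call to AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs from the activity's OnActivityResult so the browser result reaches MSAL. Running the same code in two apps reproduces the behaviour discussed in the thread: the second app's AcquireTokenSilent throws MsalUiRequiredException because it has no cache entries, and whether the interactive step is "silent" for the user is then decided by the service and the browser's cookies, not by the SDK.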

TLDR; I believe that if you use the standard pattern of

try AcquireTokenSilent
catch AcquireTokenInteractive

You will provide the best user experience.

Thanks @bgavrilMS. This is what we are doing to retrieve token.

But the only misunderstanding that I had is that token data would be stored in the cookie jar on Android, which could be used across applications (as per the documentation in the references provided in the issue description).

Thanks for sharing more details. I think the options provided in the Microsoft documentation may have to be relooked at, as they are a little misleading.

Agreed, there is more work on the server side and broker side to enable better system browser behavior. Closing this question for now.
