microsoft-authentication-library-for-android

Nonce not present on JWT if user has Microsoft Authenticator app installed

Open gmarques33 opened this issue 2 years ago • 0 comments

Describe the bug

Is your app live and in production or is this a development issue? Provide a clear and concise description of what the bug is.

Smartphone (please complete the following information):

  • Device: Pixel 6 Pro
  • Android Version: Android 14
  • MSAL Version: 4.9.0

To Reproduce

We're using the following call to authenticate:

PublicClientApplication.createSingleAccountPublicClientApplication(this, R.raw.auth_config_single_account).acquireToken(
  AcquireTokenParameters
    .Builder()
    .withPrompt(SELECT_ACCOUNT)
    .withAuthorizationQueryStringParameters(listOf(SimpleEntry("nonce", nonce)))
    .withScopes(listOf(EMAIL_SCOPE))
    .startAuthorizationFromActivity(activity)
    .withCallback(object : AuthenticationCallback {
      override fun onSuccess(authenticationResult: IAuthenticationResult) {
        continuation.resume(authenticationResult.account.idToken!!)
      }

      override fun onError(exception: MsalException) {
        continuation.resumeWithException(exception)
      }

      override fun onCancel() {
        continuation.cancel()
      }
    })
    .build()
)

But if the user has the Microsoft Authenticator app installed on the same phone, the generated token doesn't contain the nonce that we pass in .withAuthorizationQueryStringParameters(listOf(SimpleEntry("nonce", nonce))). If the user doesn't have the Microsoft Authenticator, the login is done in a Chrome Custom Tab and the token will have the nonce as expected.

gmarques33, Nov 14 '23 16:11
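
A check that makes the reported condition visible to the app, as an added example that is not part of the original issue or of MSAL: it decodes the ID token payload and reports whether the `nonce` claim is missing, mismatched or matching, so a token without the nonce fails closed instead of being accepted. `NonceCheck`, `checkNonce` and `sampleToken` are hypothetical names, the tokens and nonce are constructed, and `java.util.Base64` (Android API 26+) and `org.json` are assumed to be available.

```kotlin
import java.security.MessageDigest
import java.util.Base64
import org.json.JSONObject

// Result of comparing the nonce sent in the request with the token's claim.
enum class NonceCheck { MATCH, MISSING, MISMATCH, MALFORMED }

// Decodes the payload only. This does NOT verify the signature; that must
// still be done against the issuer's keys before any claim is trusted.
fun checkNonce(idToken: String, expectedNonce: String): NonceCheck {
    val parts = idToken.split(".")
    if (parts.size != 3) return NonceCheck.MALFORMED
    val claims = try {
        val json = String(Base64.getUrlDecoder().decode(parts[1]), Charsets.UTF_8)
        JSONObject(json)
    } catch (e: Exception) { // bad base64url or payload that is not JSON
        return NonceCheck.MALFORMED
    }
    // Absent claim is reported separately from a wrong one: this is the
    // case described in the issue when the Authenticator app is installed.
    if (!claims.has("nonce")) return NonceCheck.MISSING
    val actual = claims.optString("nonce")
    // Constant-time comparison of the received and expected values.
    val same = MessageDigest.isEqual(
        actual.toByteArray(Charsets.UTF_8),
        expectedNonce.toByteArray(Charsets.UTF_8)
    )
    return if (same) NonceCheck.MATCH else NonceCheck.MISMATCH
}

// Builds a constructed sample token with a placeholder signature.
fun sampleToken(payloadJson: String): String {
    val enc = Base64.getUrlEncoder().withoutPadding()
    val header = enc.encodeToString("""{"alg":"RS256","typ":"JWT"}""".toByteArray())
    return header + "." + enc.encodeToString(payloadJson.toByteArray()) + ".sig"
}

fun main() {
    val nonce = "constructed-nonce-123" // constructed value
    println(checkNonce(sampleToken("""{"sub":"u1","nonce":"$nonce"}"""), nonce))
    println(checkNonce(sampleToken("""{"sub":"u1"}"""), nonce))
    println(checkNonce(sampleToken("""{"sub":"u1","nonce":"other"}"""), nonce))
    println(checkNonce("not-a-jwt", nonce))
}
```

In the `onSuccess` callback from the issue, anything other than `MATCH` would be routed to the error path rather than resuming with the token.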