
[Bug] Microsoft.Identity.Client 4.44 certificate selection

Open merco opened this issue 2 years ago • 2 comments

Which version of MSAL.NET are you using? Microsoft.Identity.Client 4.44 and Azure ADFS with customer certificate

Platform .NET Standard, Xamarin Android, Xamarin iOS, Xamarin WPF with Xamarin Forms 5.0

What authentication flow has the issue?

  • Desktop / Mobile
    • [X] Interactive
    • [ ] Integrated Windows Authentication
    • [ ] Username Password
    • [ ] Device code flow (browserless)

Repro

  using Microsoft.Identity.Client;

  // Public client for the ADFS authority; redirect URI follows the msal{ClientID}://auth convention
  this.publicClientApplication = PublicClientApplicationBuilder.Create(ClientID)
      .WithIosKeychainSecurityGroup("com.microsoft.adalcache")
      .WithAuthority(authority)
      .WithRedirectUri($"msal{ClientID}://auth")
      .Build();

[omitted]

  // Interactive sign-in; useEmbeddedWebView selects the embedded WebView or the system browser
  authResult = await this.publicClientApplication.AcquireTokenInteractive(Scopes)
      .WithParentActivityOrWindow(ParentWindow)
      .WithUseEmbeddedWebView(useEmbeddedWebView)
      .ExecuteAsync();

Expected behavior: the window that lets the user select the certificate.

Actual behavior: the window "select a certificate you want to use for authentication" is not shown in the Android browser, and authentication does not take place; the message is "no valid client certificate found in the request".

Everything runs OK in Win/WPF.

Additional context / logs / screenshots / links to code

Left side: WPF app with the client certificate selection popup. Right side: Android app (no popup), error: "no valid client certificate found in the request".

[image]

merco, Jun 03 '22 13:06

I am not sure if this is under MSAL's control, because we don't actually look for any certificates. To prove that a device is managed, on mobile, it is required to use the broker (Authenticator). I do not know how this works with ADFS.

A few things to try:

  1. Try to use the Edge browser (you may have to set it as default)
  2. Try to set up and use WithBroker + Authenticator
  3. Consider federating ADFS through AAD :)

bgavrilMS, Jun 06 '22 09:06

You can't use .WithUseEmbeddedWebView(useEmbeddedWebView): embedded webviews don't have access to the certificates. See https://docs.microsoft.com/en-us/azure/active-directory/develop/mobile-sso-support-overview

Your app must use the broker or a system browser so that Azure AD can determine the management state of the device. You must use the broker to support a "Bring Your Own Device" scenario to support App Protection Policies.

kylemar, Jun 06 '22 15:06
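The two replies above (bgavrilMS's "WithBroker + Authenticator" suggestion and kylemar's point that an embedded webview cannot see the client certificate) amount to one change in the repro: never let the interactive request fall into the embedded WebView, and optionally hand the flow to the broker. The following is an added example, not code from the issue author or from the MSAL.NET project. It assumes placeholder values for the client ID, authority, scopes and redirect URI (the real ones come from the app registration; with the broker enabled on Android the registration must carry the msauth://<package>/<signature hash> form instead of the msal{ClientID}://auth form used in the report), and it names a helper class, CertAwareAuth, that does not exist in MSAL.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example (not from the issue or from MSAL.NET). clientId, authority, scopes and the
// redirect URI are placeholders supplied by the caller from the real app registration.
public sealed class CertAwareAuth
{
    private readonly IPublicClientApplication pca;

    public CertAwareAuth(string clientId, string authority, bool useBroker)
    {
        var builder = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(authority)
            // Same convention as the original report; with the broker on Android the
            // registered URI must be msauth://<package>/<signature hash> instead (assumption
            // about this app's registration, not something the thread states).
            .WithRedirectUri($"msal{clientId}://auth")
            .WithIosKeychainSecurityGroup("com.microsoft.adalcache");

        // Suggestion 2 from the thread: delegate sign-in to Microsoft Authenticator.
        // MSAL.NET 4.x exposes this as WithBroker() on the builder.
        if (useBroker)
        {
            builder = builder.WithBroker();
        }

        pca = builder.Build();
    }

    // Tries the token cache first, then falls back to an interactive sign-in that is
    // guaranteed to run outside an embedded WebView.
    public async Task<AuthenticationResult> AcquireAsync(string[] scopes, object parentActivityOrWindow)
    {
        var account = (await pca.GetAccountsAsync()).FirstOrDefault();

        if (account != null)
        {
            try
            {
                return await pca.AcquireTokenSilent(scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Cached token unusable; fall through to interactive.
            }
        }

        // The fix from the thread: WithUseEmbeddedWebView(false) forces the system browser
        // (or the broker, when enabled) so that the OS, not a WebView inside the app, owns the
        // TLS handshake with ADFS and can present the client certificate picker. The original
        // repro passed the caller's useEmbeddedWebView flag here, which on Android produced
        // "no valid client certificate found in the request".
        return await pca.AcquireTokenInteractive(scopes)
            .WithParentActivityOrWindow(parentActivityOrWindow)
            .WithUseEmbeddedWebView(false)
            .WithPrompt(Prompt.SelectAccount)
            .ExecuteAsync();
    }
}

// Android only: when the system browser or the broker returns control to the app, the
// activity result has to be forwarded to MSAL. This is the documented MSAL.NET hook, shown
// here as the OnActivityResult override the hosting Activity would need.
//
// protected override void OnActivityResult(int requestCode, Result resultCode, Intent data)
// {
//     base.OnActivityResult(requestCode, resultCode, data);
//     AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs(requestCode, resultCode, data);
// }
```

A practical check before blaming MSAL: open the ADFS sign-in URL in the device's system browser (Chrome or Edge on Android) and confirm the certificate picker appears there. If the OS browser cannot offer the certificate, the certificate is not installed in the OS credential store that the browser reads, and no MSAL setting will surface it; if it can, the difference between that and the app is exactly the embedded-versus-system WebView choice above.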

Thanks @kylemar for sharing the solution. Closing.

SameerK-MSFT, Sep 23 '22 20:09