
[Documentation] msal vs msauth redirect uri on android

Open J-Swift opened this issue 3 years ago • 2 comments

Documentation related to component

Android?

Please check those that apply

  • [ ] typo
  • [ ] documentation doesn't exist
  • [x] documentation needs clarification
  • [x] error(s) in example
  • [ ] needs example

Description of the issue

I just went through setting up B2C in a MAUI app and it looks like there's a disconnect in how redirect URIs should be specified/configured between the Azure portal and the app settings. The samples all give msal{ClientId}://auth forms of the redirect, but all the Azure documentation seems to indicate I should be using msauth://{bundle}/{signature}? I didn't even realize I could generate the msal version on the portal until I looked closer at the options (see screenshot).

[Screenshot: Screen Shot 2022-09-21 at 12 18 09 PM]

I ended up doing the msauth version because it seems like Azure wants me to, but this should really be explained and documented on the SDK side, and the SDK updated to use this version in the examples.

J-Swift avatar Sep 21 '22 16:09 J-Swift

msauth://{bundle}/{signature} is useful when talking to a broker (Authenticator app), because app to app communication on Android relies on package signature in the url. This is a security feature Android OS added, to prevent a malicious app from cutting into the communication between 2 apps.

That said, in B2C world there is no broker (Authenticator app is for work and school accounts). So the msal{ClientId}://auth will work too. It's easier to specify too because there is no signature.

Side note - the signature is different on every dev box and in production, so you end up with N+1 redirect URIs in Azure, where N is the size of your dev team.

But I agree that the screen is strange. I'll follow up.

bgavrilMS avatar Sep 22 '22 10:09 bgavrilMS

So do both auth flows support PKCE, etc? Or are there tradeoffs between them? I'm pretty lost about the differences between them, so it would definitely be helpful to have a clear explanation of which to use and when. It sounds like the broker integration is the only consideration?

J-Swift avatar Sep 22 '22 16:09 J-Swift

Yes, we use PKCE everywhere as it improves security stance.

msal{client_id}://auth is simpler to manage and will work with both embedded webview / system webview, which B2C supports.

https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-xamarin-android-considerations

bgavrilMS avatar Sep 26 '22 14:09 bgavrilMS
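As an added example (not code from the MSAL.NET repo or from either poster), here is a small Python check that derives both Android redirect URI forms discussed in this thread and validates the URIs registered in the portal against the app's client id, package name and signing certificates. It assumes, per Microsoft's Android MSAL docs rather than anything stated above, that the {signature} segment is the URL-encoded Base64 of the SHA-1 of the signing certificate; the client id, package name and certificate bytes are constructed stand-ins.

```python
import base64
import hashlib
import re
from urllib.parse import quote, unquote

# Constructed sample inputs: stand-ins for the app registration and for DER-encoded
# signing certificates (any bytes will do for the demo; real ones come from keytool).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
PACKAGE = "com.example.maui.b2c"
DEV_CERT = b"constructed stand-in for a developer debug.keystore certificate"
RELEASE_CERT = b"constructed stand-in for the release signing certificate"

def signature_hash(signing_cert_der: bytes) -> str:
    """Base64(SHA-1(cert DER)): the value keytool | openssl sha1 -binary | openssl base64 prints.
    Assumption: this is the hash MSAL expects in the msauth form (from Microsoft's docs)."""
    return base64.b64encode(hashlib.sha1(signing_cert_der).digest()).decode("ascii")

def msauth_redirect_uri(package_name: str, signing_cert_der: bytes) -> str:
    """Broker-compatible form. The hash is URL-encoded because base64 may contain '/' and '+',
    and an unencoded '/' would split the signature segment of the URI."""
    return f"msauth://{package_name}/{quote(signature_hash(signing_cert_der), safe='')}"

def msal_redirect_uri(client_id: str) -> str:
    """Signature-free form that works for B2C, where no broker is involved."""
    return f"msal{client_id}://auth"

_MSAL_RE = re.compile(r"^msal([0-9a-fA-F-]{36})://auth$")
_MSAUTH_RE = re.compile(r"^msauth://([A-Za-z][\w.]*)/([^/]+)$")

def check_redirect_uri(uri, client_id, package_name, signing_certs_der):
    """Classify a registered redirect URI and verify it belongs to this app.
    Returns (ok, reason) so the check can run over every URI held in the portal."""
    m = _MSAL_RE.match(uri)
    if m:
        if m.group(1).lower() == client_id.lower():
            return True, "msal form: no signature, works with embedded and system webview"
        return False, "msal form, but the client id is not this app registration"
    m = _MSAUTH_RE.match(uri)
    if m:
        pkg, sig = m.group(1), unquote(m.group(2))
        if pkg != package_name:
            return False, f"msauth form, but package {pkg!r} is not {package_name!r}"
        if sig not in {signature_hash(c) for c in signing_certs_der}:
            return False, "msauth form, but the hash matches none of the known signing certs"
        return True, "msauth form: broker-compatible, bound to one signing cert"
    return False, "not a recognised Android MSAL redirect URI"

def registered_uris_for_team(client_id, package_name, team_certs):
    """Everything the portal must hold: one msal URI, or one msauth URI per signing cert
    (the N+1 entries from the thread: one per dev box plus production)."""
    return [msal_redirect_uri(client_id)] + [msauth_redirect_uri(package_name, c) for c in team_certs]
```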