
Catalyst support

Open fahlout opened this issue 5 years ago • 19 comments

Are there any plans to bring Catalyst support to this library? I'd love to bring my iPad app to the Mac, but as of the current betas selecting the Mac target on an iOS app results in the project not building.

[Screenshot: 2019-08-28 at 9 46 37 AM]

fahlout avatar Aug 28 '19 16:08 fahlout

Hi @fahlout, currently we don't support Catalyst in MSAL.

antrix1989 avatar Aug 28 '19 22:08 antrix1989

Are there plans to support it in the future?

fahlout avatar Aug 28 '19 22:08 fahlout

It is under discussion right now. I will let you know when I have an update.

antrix1989 avatar Aug 28 '19 23:08 antrix1989

Sounds great! Thanks for your quick responses

fahlout avatar Aug 28 '19 23:08 fahlout

Any news on this?

Kemmey avatar Oct 11 '19 09:10 Kemmey

In case extra support will help it be prioritised - I'd also be very interested in Catalyst support 😄

Oliver-Binns avatar Oct 16 '19 21:10 Oliver-Binns

We found some potential blockers with this feature. To provide a bit more details, conditional access on macOS currently relies on ADAL or MSAL being able to read the macOS login keychain. However, Catalyst apps can only access the iOS-style keychain, so wouldn't be able to complete conditional access policies. We're hoping to be able to work it around in the future, but we cannot provide a definite timeline at this point because it needs to be coordinated with other MDM providers outside of Microsoft.

oldalton avatar Nov 01 '19 04:11 oldalton

Any updates on this? Will Mac Catalyst be supported?

jatinmishra avatar Jan 18 '21 12:01 jatinmishra

@oldalton I realize it's been a while and understand the limitations, however is there no news on this? Mac Catalyst has become a reality now with Big Sur and I can imagine we'll have more developers adopting it in the near future. MSAL is currently the only external library we rely on that isn't compatible.

guidedways avatar Jan 21 '21 22:01 guidedways

> We found some potential blockers with this feature. To provide a bit more details, conditional access on macOS currently relies on ADAL or MSAL being able to read the macOS login keychain. However, Catalyst apps can only access the iOS-style keychain, so wouldn't be able to complete conditional access policies. We're hoping to be able to work it around in the future, but we cannot provide a definite timeline at this point because it needs to be coordinated with other MDM providers outside of Microsoft.

Does this limitation also apply to NTLM/Kerberos authentication used in Catalyst apps? I have an iOS app that is able to connect to a server configured with NTLM authentication and it works fine there. But in the Catalyst app on macOS it's not working. Is it due to sandboxing and inaccessibility to the macOS login keychain?

BalkiX avatar Feb 18 '21 18:02 BalkiX

> > We found some potential blockers with this feature. To provide a bit more details, conditional access on macOS currently relies on ADAL or MSAL being able to read the macOS login keychain. However, Catalyst apps can only access the iOS-style keychain, so wouldn't be able to complete conditional access policies. We're hoping to be able to work it around in the future, but we cannot provide a definite timeline at this point because it needs to be coordinated with other MDM providers outside of Microsoft.
>
> Does this limitation also apply to NTLM/Kerberos authentication used in Catalyst apps? I have an iOS app that is able to connect to a server configured with NTLM authentication and it works fine there. But in the Catalyst app on macOS it's not working. Is it due to sandboxing and inaccessibility to the macOS login keychain?

I don't think access to keychain would impact, but NTLM challenge relies on OS understanding Negotiate/NTLM challenges and forwarding them to us. So I'm not sure if it would work for Catalyst. Have you checked where it is failing? Do we receive an OS challenge but don't handle it, or we don't even receive a challenge?

oldalton avatar Feb 19 '21 22:02 oldalton

In case it helps someone, we managed to support MSAL in our Catalyst app by simply removing && !TARGET_OS_MACCATALYST from line 29 in file MSIDBrokerConstants.m in pod MSAL.

Not sure whether or not this could fix the current issue, and how this could be properly implemented in the original code.

deepiksdev avatar Feb 23 '21 10:02 deepiksdev

@oldalton can you please give us an update? It’s been quite some time since the last one. Did you have any progress? Thank you!

hannesjung avatar Sep 23 '21 16:09 hannesjung

We still don't have a clear timeline set for official Catalyst support. @deepiksdev - since MSAL doesn't have official code-level support for Catalyst, such a workaround is not encouraged, since not all of the scenarios would work without an official code-level support from our side.

NerevarineRule avatar Oct 28 '21 22:10 NerevarineRule

Any updates on this?

shanecowherd avatar Dec 02 '21 23:12 shanecowherd

There's currently no update we can share on this one.

mipetriu avatar Dec 09 '21 23:12 mipetriu

It looks like 1.2.2 dropped, any luck it includes support for Catalyst? I need to come up with a solution using MSAL, some JavaScript solution or to just pull MSAL out of my app. Thanks!

shanecowherd avatar Jun 30 '22 17:06 shanecowherd

@oldalton Will the conditional access issue blocking Catalyst support be resolved with the new Partner Compliance Management API that will be released for MDM providers this year?

If that will still be a blocking issue, +1 for supporting Catalyst anyway with a big warning that it may not work with some conditional access policies.

esummers avatar Jul 02 '22 16:07 esummers

We don't have a plan to support Catalyst at this moment.

kaisong1990 avatar Jul 21 '22 22:07 kaisong1990

Hi, I'd like to report some issues I've got when I tried to compile for Mac Catalyst:

[Screenshots: 2023-02-09 at 14 51 44 and 2023-02-09 at 14 53 08]

If I change the code above to this:

#if TARGET_OS_IPHONE

enum {
#if TARGET_OS_MACCATALYST
#else
		CSSM_ALGID_NONE =                   0x00000000L,
		CSSM_ALGID_VENDOR_DEFINED =         CSSM_ALGID_NONE + 0x80000000L,
#endif
	CSSM_ALGID_AES
};

#endif

then I got a different error:

[Screenshot: 2023-02-09 at 15 06 40]

Here I got no clue on how to fix it.

EddieLukeAtmey avatar Feb 09 '23 15:02 EddieLukeAtmey

Hi @EddieLukeAtmey, we don't have a plan to support Catalyst at this moment.

juan-arias avatar Feb 13 '23 23:02 juan-arias

Analysis of the conversation to date.

  • This is blocked by conditional access which for some reason needs to work differently on mac than on ios.
  • There is a workaround to enable this by editing https://github.com/AzureAD/microsoft-authentication-library-common-for-objc/blob/b866985de1444c74fabe0ce59b96af50a21c9c79/IdentityCore/src/MSIDBrokerConstants.m#LL29C1-L29C1 , which presumably makes the library function identically to iOS.
  • Despite the fact that most cross-platform usage (including logging into apps on MAUI or Avalonia etc.) would only want to enable login and would be happy to have iOS behaviour, the org in charge of this repo decides to block support for everyone if conditional access cannot be enabled.
  • The organization, despite living within Microsoft, doesn't appear to be aware of overall Microsoft cross-platform strategy including MAUI (which is based around maccatalyst) and ADB2C (which is just simple logins) or aware of the needs of its users (only a minority of whom would be interested in conditional access on maccatalyst).
  • There appears to be an understanding of technical details but not an ability to prioritize.

charlesroddie avatar Jun 07 '23 06:06 charlesroddie

Not sure if there are channels of communications within Microsoft but something to put on your radar @davidortinau that this issue makes MSAL incompatible with MAUI on Mac. It's a 1-line change but there is a lot of politics involved. Currently MSAL is the suggested way to do authentication in MAUI so if it doesn't get fixed you'll need a new strategy.

charlesroddie avatar Oct 11 '23 22:10 charlesroddie

@oldalton - could we keep this feature request open? It is clearly needed by the community in both ObjC and .NET MSALs.

bgavrilMS avatar Nov 23 '23 14:11 bgavrilMS

Why is this Closed? Our product now uses Entra ID for authentication. Windows, iOS and Android clients - all work. But the Mac client needs to work too. As said above, .NET MSAL/MAUI is crying out for it too. https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3527

poppywood avatar Jan 18 '24 11:01 poppywood

C'mon this is beyond ridiculous. This is the only SDK endorsed by Microsoft to sign in using Microsoft accounts. Adding support for Catalyst on top of a package that worked on iOS has been a non-issue for virtually all packages out there. It's been 5 years since this issue opened.

This is a major platform, blocked based on inexplicable technical reasons, closed as a wontfix. Not exactly inspiring confidence in the SDK. Is there any further explanation on why "macOS style Keychain API" is absolutely required on Catalyst but not on iOS? How do iOS apps on macOS (without Catalyst, just iPad apps on macOS) work around this insurmountable problem? What's preventing Catalyst apps from doing the same?

Androp0v avatar Mar 12 '24 11:03 Androp0v

Anybody interested in knowing how to implement it without the library? I implemented it on my app and I can post a step-by-step tutorial.

reda-drchrono avatar Mar 12 '24 11:03 reda-drchrono

We had to pull auth out of our app because this was never fixed. We ended up with a web login screen that passed a token to the app after successful login.

Honestly, after doing that, I'm not sure I'd ever want to put third party auth code in my app again. It is too vital to the experience.

shanecowherd avatar Mar 12 '24 14:03 shanecowherd