
Use Intune wrap tool can get the AAD token on the project side?

Open AceChen1 opened this issue 2 years ago • 11 comments

Describe the bug: I just want to clarify: if AAD is the Keycloak IdP in our project and we use the Intune wrapping tool to wrap the app, is there any way to get the AAD token from the wrapping tool side? We need to use the AAD token to exchange for the Keycloak token.


AceChen1 avatar Apr 04 '22 01:04 AceChen1

If your app uses ADAL or MSAL and you use that to get the AAD token, then it should occur with the acquire token call whenever y'all need it. The wrapper will use the linked version of ADAL or MSAL inside the app and acquire a token through that library, which will share the token between the SDK and app.

gastaffo avatar Apr 04 '22 16:04 gastaffo

> If your app uses ADAL or MSAL and you use that to get the AAD token, then it should occur with the acquire token call whenever y'all need it. The wrapper will use the linked version of ADAL or MSAL inside the app and acquire a token through that library, which will share the token between the SDK and app.

You mean if I do the AAD login via the wrapping tool, then I can use the MSAL lib to get the token and don't need to log in again?

AceChen1 avatar Apr 06 '22 03:04 AceChen1

@AceChen1 yes. The wrapper will force a login and require that policy exists (this is automatically handled) and it will do this using MSAL/ADAL (if the app doesn't already have MSAL/ADAL then we inject it). After that though, if you use AAD for authentication then you can call acquireToken silently and it shouldn't need to prompt for another login. There might be an edge case if it's different users logging in or different UPNs.

gastaffo avatar Apr 06 '22 14:04 gastaffo

> @AceChen1 yes. The wrapper will force a login and require that policy exists (this is automatically handled) and it will do this using MSAL/ADAL (if the app doesn't already have MSAL/ADAL then we inject it). After that though, if you use AAD for authentication then you can call acquireToken silently and it shouldn't need to prompt for another login. There might be an edge case if it's different users logging in or different UPNs.

I see, thanks for sharing! BTW, may I know if I don't want to get the AAD token but want to get the login session after the wrapping tool login, is there any way we can do that? I want to follow the standard OAuth flow: Keycloak sees that AAD is already logged in, so it doesn't pop up the Keycloak login page again, then redirects to the callback URL with the Keycloak grant code, and then I can use the grant code to get the Keycloak token.

AceChen1 avatar Apr 07 '22 01:04 AceChen1

@AceChen1 I'm not too familiar with ADAL/MSAL or OAuth so I'm not sure what you mean by the login session. However, when you use ADAL/MSAL, to my knowledge you ask for a token and if needed it will show the login screen, unless you ask for a silent token, in which case it will fail instead of showing a login.

This page could be a better resource for MSAL-related questions: https://github.com/AzureAD/microsoft-authentication-library-for-objc

gastaffo avatar Apr 07 '22 17:04 gastaffo

@AceChen1 Is this issue resolved?

gastaffo avatar Apr 11 '22 16:04 gastaffo

> @AceChen1 Is this issue resolved?

Hi @gastaffo, thanks for your follow-up. I moved to the MSAL GitHub to ask the question, so let me close this. Thanks.

AceChen1 avatar Apr 12 '22 01:04 AceChen1

@gastaffo hello, if I use the wrap tool to log in successfully, then I use the silent token function to get the token with the current account, I found I can't get the current login account right away. May I know if you have met this case before?

AceChen1 avatar Apr 28 '22 02:04 AceChen1

@AceChen1 What behavior are you seeing and what are you expecting? Is the token not coming back? Are you trying to get the UPN of the currently authenticated user?

gastaffo avatar Apr 28 '22 17:04 gastaffo

> @AceChen1 What behavior are you seeing and what are you expecting? Is the token not coming back? Are you trying to get the UPN of the currently authenticated user?

The flow is: I want to get the login user after the wrap tool login succeeds, and then I need to use the current login user's account to get the current user's login token.

AceChen1 avatar Apr 29 '22 02:04 AceChen1

@AceChen1 Sorry for the slow response. This might be a flow that would be better supported by directly integrating the SDK if you could. https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-ios

From there you control when the AAD screen appears and keep track of who is logged in. You can still require that the app is only used with policy, like a wrapped app, by using MAMPolicyRequired and AutoEnrollOnLaunch, which will force a login and enrollment upon launch. After a successful enrollment and policy applied you could get the logged-in user by using [IntuneMAMPolicyManager primaryUser] or [IntuneMAMEnrollmentManager enrolledAccount].

gastaffo avatar May 05 '22 17:05 gastaffo
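The following is an added example, not code from this thread, the wrapping tool, or the Intune SDK samples. It ties the two answers above together: the Intune MAM SDK (integrated directly, with `MAMPolicyRequired` and `AutoEnrollOnLaunch` set to true in Info.plist) has already forced the AAD sign-in and enrollment, so the app reads the enrolled UPN via `enrolledAccount` / `primaryUser`, resolves the matching MSAL account from the cache, and calls `acquireTokenSilent` first, falling back to an interactive prompt only when MSAL reports that interaction is required (the silent-fails-instead-of-prompting behaviour described earlier). The client id, redirect URI, authority and scopes are placeholders, and the `AADTokenBroker` type and its error cases are invented for the example.

```swift
import UIKit
import MSAL
import IntuneMAMSwift

/// Added example: bridges the Intune MAM SDK's notion of "who is enrolled" to an
/// MSAL token request. Assumes the SDK is linked directly and Info.plist carries
/// MAMPolicyRequired = true and AutoEnrollOnLaunch = true, so enrollment is done
/// before this runs. All identifiers below are placeholders, not real values.
enum AADTokenBroker {
    static let clientId = "00000000-0000-0000-0000-000000000000"   // placeholder
    static let redirectUri = "msauth.com.example.app://auth"        // placeholder
    static let authorityUrl = "https://login.microsoftonline.com/common"
    static let scopes = ["User.Read"]                               // placeholder

    enum BrokerError: Error {
        case noEnrolledUser        // SDK has not finished enrollment yet
        case accountNotInCache     // MSAL cache holds no account for the enrolled UPN
        case emptyMSALResponse     // MSAL returned neither a result nor an error
    }

    /// The UPN the Intune SDK signed in. enrolledAccount is set once enrollment
    /// succeeds; primaryUser once policy is applied. Nil until then, which is the
    /// "can't get the current account at once" case from the thread: poll the
    /// enrollment delegate instead of calling this on launch.
    static func enrolledUPN() -> String? {
        return IntuneMAMEnrollmentManager.instance().enrolledAccount
            ?? IntuneMAMPolicyManager.instance().primaryUser
    }

    static func makeApplication() throws -> MSALPublicClientApplication {
        let authority = try MSALAADAuthority(url: URL(string: authorityUrl)!)
        let config = MSALPublicClientApplicationConfig(clientId: clientId,
                                                       redirectUri: redirectUri,
                                                       authority: authority)
        return try MSALPublicClientApplication(configuration: config)
    }

    /// MSAL's cache is keyed by account, not by "current user", so match the
    /// enrolled UPN against the cached accounts (UPNs are case-insensitive).
    static func enrolledAccount(in app: MSALPublicClientApplication) throws -> MSALAccount {
        guard let upn = enrolledUPN() else { throw BrokerError.noEnrolledUser }
        let accounts = try app.allAccounts()
        guard let match = accounts.first(where: {
            $0.username?.caseInsensitiveCompare(upn) == .orderedSame
        }) else { throw BrokerError.accountNotInCache }
        return match
    }

    /// Silent first; interactive only when MSAL explicitly asks for it
    /// (expired refresh token, missing consent, Conditional Access). Any other
    /// error is surfaced unchanged rather than masked by a new login prompt.
    static func acquireToken(presenting vc: UIViewController,
                             completion: @escaping (Result<MSALResult, Error>) -> Void) {
        do {
            let app = try makeApplication()
            let account = try enrolledAccount(in: app)
            let silent = MSALSilentTokenParameters(scopes: scopes, account: account)
            app.acquireTokenSilent(with: silent) { result, error in
                if let result = result { return completion(.success(result)) }
                guard let error = error else {
                    return completion(.failure(BrokerError.emptyMSALResponse))
                }
                let nsError = error as NSError
                let interactionRequired = nsError.domain == MSALErrorDomain
                    && nsError.code == MSALError.interactionRequired.rawValue
                guard interactionRequired else { return completion(.failure(error)) }

                // Pin the prompt to the enrolled account so a different UPN
                // cannot be signed in underneath the Intune enrollment.
                let web = MSALWebviewParameters(authPresentationViewController: vc)
                let interactive = MSALInteractiveTokenParameters(scopes: scopes,
                                                                 webviewParameters: web)
                interactive.account = account
                app.acquireToken(with: interactive) { result, error in
                    if let result = result { completion(.success(result)) }
                    else { completion(.failure(error ?? BrokerError.emptyMSALResponse)) }
                }
            }
        } catch {
            completion(.failure(error))
        }
    }
}

// Usage from a view controller, after the SDK's enrollment delegate has fired:
// AADTokenBroker.acquireToken(presenting: self) { outcome in
//     switch outcome {
//     case .success(let result): print("token for", result.account.username ?? "?")
//     case .failure(let error):  print("token request failed:", error)
//     }
// }
```

The Objective-C calls quoted in the reply above (`[IntuneMAMEnrollmentManager enrolledAccount]`, `[IntuneMAMPolicyManager primaryUser]`) map onto the `IntuneMAMSwift` instance accessors used here; newer SDK releases expose an `enrolledAccountId` alongside `enrolledAccount`, so check the SDK version you link against. Keeping `interactive.account` set to the enrolled account is the guard against the "different users or different UPNs" edge case mentioned earlier: the user cannot complete the interactive prompt as someone other than the account Intune enrolled.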