This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

ADAL in iOS not saving tokens to keychain #1601

Closed
ghost opened this issue May 14, 2019 · 16 comments

Comments

@ghost

ghost commented May 14, 2019

Which version of ADAL are you using?
ADAL 4.5.1, 5.0.5

Which platform has the issue?
Xamarin iOS

What authentication flow has the issue?
Broker

Other? - please describe;

Is this a new or existing app?
New issue

We have a sample app that has this behavior here:
https://github.com/biozal/Xamarin-Forms-Reference-App

We have entitlements set up properly according to documentation. This becomes an issue for us because the InTune NuGet package uses the keychain access group to retrieve a token during the Register and Enroll method in iOS, and because the token isn't being written to the keychain the InTune Register and Enroll method fails. I have worked with Kyle Reis @Kyle-Reis from the InTune team and he has recommended we open this bug.

I can provide configuration files including entitlement and info.plist files upon request.

Additional context/ Logs / Screenshots
2019-05-14 13:34:15.532 Mobile.RefApp.CoreUI.iOS[15568:13166127] 2019-05-14T17:34:15.5291900Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: ADAL PCL.iOS with assembly version '5.0.5.0', file version '5.0.5.0' and informational version '5.0.5' is running...
2019-05-14 13:34:15.534 Mobile.RefApp.CoreUI.iOS[15568:13166127] 2019-05-14T17:34:15.5344310Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: === Token Acquisition started:
CacheType: Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache (0 items)
Authentication Target: User
, Authority Host: login.microsoftonline.com

2019-05-14 13:34:15.623 Mobile.RefApp.CoreUI.iOS[15568:13166169] 2019-05-14T17:34:15.6234080Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Returned correlation id '76ae5e96-6f19-4037-b48d-ebbad25f2abf' does not match the sent correlation id '5d68c716-78fb-4328-812f-db40a922a351'
2019-05-14 13:34:15.650 Mobile.RefApp.CoreUI.iOS[15568:13166169] 2019-05-14T17:34:15.6501820Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Loading from cache.
2019-05-14 13:34:15.654 Mobile.RefApp.CoreUI.iOS[15568:13166169] 2019-05-14T17:34:15.6541400Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Looking up cache for a token...
2019-05-14 13:34:15.658 Mobile.RefApp.CoreUI.iOS[15568:13166169] 2019-05-14T17:34:15.6585490Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: No matching token was found in the cache
2019-05-14 13:34:15.658 Mobile.RefApp.CoreUI.iOS[15568:13166169] 2019-05-14T17:34:15.6586180Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Checking MSAL cache for user token cache
2019-05-14 13:34:15.717 Mobile.RefApp.CoreUI.iOS[15568:13166169] 2019-05-14T17:34:15.7171600Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: A match was found in the MSAL cache ? True
2019-05-14 13:34:15.717 Mobile.RefApp.CoreUI.iOS[15568:13166169] 2019-05-14T17:34:15.7174390Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Refreshing the AT based on the RT.
2019-05-14 13:34:15.717 Mobile.RefApp.CoreUI.iOS[15568:13166169] 2019-05-14T17:34:15.7176160Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Refreshing access token...
2019-05-14 13:34:16.509 Mobile.RefApp.CoreUI.iOS[15568:13166170] 2019-05-14T17:34:16.5091770Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Either a token was not found or an exception was thrown.
2019-05-14 13:34:16.515 Mobile.RefApp.CoreUI.iOS[15568:13166170] 2019-05-14T17:34:16.5158020Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Trying to acquire a token using the broker...
2019-05-14 13:34:16.524 Mobile.RefApp.CoreUI.iOS[15568:13166170] 2019-05-14T17:34:16.5243100Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Invoking the iOS broker
2019-05-14 13:34:20.593 Mobile.RefApp.CoreUI.iOS[15568:13166166] 2019-05-14T17:34:20.5925790Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: Storing token in the cache...
2019-05-14 13:34:20.594 Mobile.RefApp.CoreUI.iOS[15568:13166166] 2019-05-14T17:34:20.5947160Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: An item was stored in the cache
2019-05-14 13:34:20.597 Mobile.RefApp.CoreUI.iOS[15568:13166166] 2019-05-14T17:34:20.5976110Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Client Info is missing. Skipping MSAL refresh token cache write
2019-05-14 13:34:20.598 Mobile.RefApp.CoreUI.iOS[15568:13166166] 2019-05-14T17:34:20.5986070Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Serializing token cache with 1 items.
2019-05-14 13:34:20.606 Mobile.RefApp.CoreUI.iOS[15568:13166166] 2019-05-14T17:34:20.6063640Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Failed to remove adal cache record:
2019-05-14 13:34:20.611 Mobile.RefApp.CoreUI.iOS[15568:13166166] 2019-05-14T17:34:20.6110330Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Failed to save adal cache record:
2019-05-14 13:34:20.612 Mobile.RefApp.CoreUI.iOS[15568:13166166] 2019-05-14T17:34:20.6124310Z: 5d68c716-78fb-4328-812f-db40a922a351 - AdalLoggerBase.cs: === Token Acquisition finished successfully. An access token was returned: Expiration Time: 5/14/2019 6:01:01 PM +00:00

@jennyf19
Contributor

@biozal was this working in previous versions?

InTune nuget package uses the keychain access group to retrieve a token during the Register and Enroll method in iOS and because the token isn't being written to the keychain the InTune Register and Enroll method fails.

Based on this... wouldn't this be an Intune issue, not ADAL? Will take a look at the repro.

@ghost
Author

ghost commented May 15, 2019

@jennyf19 as stated in MS Teams, the issue is that the InTune SDK for Xamarin uses bindings between the iOS version of ADAL and itself. It pulls the token out from the keychain that the Xamarin version of ADAL is supposed to put in the keychain as part of the broker setup. When we query the keychain, it's empty, so they are stating the Xamarin version of ADAL should be putting the token into the keychain so the native version can pick it up as part of the InTune SDK.

@jmprieur
Contributor

@biozal @jennyf19
I don't think this is supposed to work with ADAL. This should work with MSAL (which uses a common cache between native iOS and Xamarin.iOS and everything, actually).

@ghost
Author

ghost commented May 20, 2019

@jmprieur so what you're saying then is that if I'm a company and I'm using ADAL with Broker, and I have some apps with Xamarin using the Xamarin version of ADAL and some native apps using the iOS version of ADAL, they can't use the shared keychain? This seems like a massive oversight, because we were told this does work and there doesn't seem to be anything in the Wiki that states this.

@jmprieur
Contributor

@biozal: If both ADAL native and ADAL Xamarin applications leverage the broker, then this will work.
But if at least one of these apps does not use the broker, this will only work with MSAL (when the broker is available for MSAL, soon).

@ghost
Author

ghost commented May 20, 2019

@jmprieur so in our example it's a single app with two different ADAL libraries in it. Our code uses the Xamarin ADAL.NET library, but the InTune code has a Xamarin binding to the native version of ADAL for iOS and Android respectively.

One of the bigger questions is why the Xamarin version of ADAL with Broker isn't saving the token to the keychain, because even if I don't call InTune there is a clear problem where the token is not getting saved to the keychain. If I query the keychain it's empty, and I would expect to see an entry for the token in it.

@jmprieur
Contributor

@biozal: it's saved to the keychain, but the token cache formats (and location/key) in ADAL native and ADAL Xamarin are different.
This is one of the big value propositions of MSAL: to fix this and have a common token cache format (and location on each platform).

cc: @jennyf19 to keep me honest

@ghost
Author

ghost commented May 21, 2019

@jmprieur with this statement, then, InTune's SDK for Xamarin could never have been properly tested to support this, because its Xamarin library is a native implementation. So our only options are to either bind to the native library or live without support. MSAL is great, but we need InTune to support it and I have a feeling that isn't coming tomorrow or the next day.

@jmprieur
Contributor

jmprieur commented May 21, 2019

@biozal: Maybe InTune does something specific about it (I'm not very familiar with InTune yet).
@jennyf19, @trwalke, @oldalton @shoatman will confirm.

@ghost
Author

ghost commented May 21, 2019

@jmprieur InTune's SDK for Xamarin is a binding project to the native SDK for InTune. Because of this, it has a copy of the native version of ADAL for iOS in the SDK, and when it tries to use existing tokens, it's using the native version of ADAL. We are Xamarin developers, so we are using the Xamarin .NET version of ADAL. This is how we are kind of in this mess.

@jmprieur
Contributor

Thanks for the explanation, @biozal
Please give us a bit of time to understand where we are (we need to discuss between teams).
cc: @jennyf19, @trwalke, @oldalton @shoatman @henrik-me

@Kyle-Reis

Hey @jmprieur, token cache sharing between .Net ADAL and Objective-C ADAL is supposed to work, so long as the KeychainSecurityGroup property has been configured to the same keychain access group used by Objective-C ADAL (com.microsoft.adalcache). I worked directly with the ADAL team to get this working, and have a working sample which does not use the broker. From what I've seen, it looks like @biozal is setting this property correctly, but upon returning from the broker the token never gets written to the expected location by .Net ADAL, and therefore Intune is unable to silently enroll as Objective-C ADAL can't find a token in the cache.
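
As an added example (not code from this thread, from ADAL, or from the Intune SDK), the following Xamarin.iOS snippet shows the two halves of the setup Kyle describes: pointing ADAL.NET at the same keychain access group that Objective-C ADAL uses, and then querying that group directly to confirm a token record actually landed there after the broker round trip. It assumes the app's Entitlements.plist already lists the shared group, that the authority, resource, client id, redirect URI and team id are placeholders to be replaced, and that the ADAL.NET property is named `iOSKeychainSecurityGroup` in the 4.x/5.x line (the thread refers to it as `KeychainSecurityGroup`; verify the name against the ADAL.NET version in use).

```csharp
using System;
using System.Threading.Tasks;
using Security;
using UIKit;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example, not the project's code. Assumes Entitlements.plist contains:
//
//   <key>keychain-access-groups</key>
//   <array>
//     <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
//   </array>
//
// and that the broker response is handed back to ADAL.NET from
// AppDelegate.OpenUrl via AuthenticationContinuationHelper.SetBrokerContinuationEventArgs(url).
public static class SharedAdalCache
{
    // Keychain access group used by Objective-C ADAL by default. ADAL.NET must be
    // pointed at the same group, otherwise the two caches never see each other.
    public const string AdalSharedGroup = "com.microsoft.adalcache";

    // Placeholders: replace with the app registration's own values.
    const string Authority   = "https://login.microsoftonline.com/common";
    const string Resource    = "https://graph.microsoft.com";
    const string ClientId    = "00000000-0000-0000-0000-000000000000";
    const string RedirectUri = "msauth.com.example.app://auth";

    public static async Task<AuthenticationResult> AcquireViaBrokerAsync(UIViewController caller)
    {
        var ctx = new AuthenticationContext(Authority);

        // Assumption: property name as exposed by ADAL.NET 4.x/5.x. It takes the
        // group without the team-id prefix; ADAL.NET adds the prefix itself.
        ctx.iOSKeychainSecurityGroup = AdalSharedGroup;

        // useBroker: true sends the request through Microsoft Authenticator.
        var parameters = new PlatformParameters(caller, useBroker: true);
        return await ctx.AcquireTokenAsync(Resource, ClientId, new Uri(RedirectUri), parameters);
    }

    // Counts generic-password items visible in the shared access group.
    // teamId is the Apple team identifier (the $(AppIdentifierPrefix) value
    // without the trailing dot); the keychain API wants the fully qualified group.
    // Call this after AcquireTokenAsync returns: 0 items means ADAL.NET did not
    // persist anything where Objective-C ADAL (and so the Intune SDK) will look,
    // which is the symptom reported in this issue.
    public static int CountSharedCacheItems(string teamId)
    {
        var query = new SecRecord(SecKind.GenericPassword)
        {
            AccessGroup = $"{teamId}.{AdalSharedGroup}",
        };

        SecStatusCode status;
        // 1000 is the kSecMatchLimit; a token cache holds far fewer records.
        SecRecord[] items = SecKeyChain.QueryAsRecord(query, 1000, out status);

        if (status == SecStatusCode.ItemNotFound)
            return 0;
        if (status != SecStatusCode.Success)
            throw new InvalidOperationException($"Keychain query failed: {status}");

        return items.Length;
    }
}
```

The count is only a presence check: it confirms that records exist in the group, not that they are in the cache format the other library expects, which is exactly the distinction @jmprieur raises above. A nonzero count together with "Failed to save adal cache record" in the ADAL.NET log still points at the unified-cache write path rather than at the entitlements.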

@jennyf19
Contributor

@biozal @Kyle-Reis I'm aware of this issue, and was prioritizing the Android broker issue. Will try to take a look at this today. We had followed our Objective-C ADAL team's guidance on this, and tokens should be shared across native and Xamarin apps using the same keychain access group, as @Kyle-Reis points out. I will try to get some answers and respond here sometime today. Thanks.

@oldalton
Member

Hi, if the broker is involved, ADAL Obj-C currently has the issue that it intercepts any responses coming from the broker, even if those are meant for the ADAL.NET SDK. We've released a fix to address this issue and it's included in ADAL 2.7.11.

@jennyf19
Contributor

jennyf19 commented Jun 7, 2019

We decided today that the fix for this is on ADAL Obj-C and Authenticator. They do not return client_info to ADAL, which means we do not populate the cache correctly. They will be making this fix in their next release, which should happen in a week.
cc: @biozal @jmprieur @henrik-me

@jennyf19 jennyf19 modified the milestones: 5.1.0, 5.1.1 Jun 13, 2019
@jennyf19
Contributor

Issue has been fixed with the 5.1.0 release and an update in the Authenticator app 6.3.6 release.
@biozal has verified the fix as well.
