Cache tokens don't work with ADAL 5.1.0.0 with broker and InTune SDK #1631
Comments
I will also add this didn't start happening to us until we updated Microsoft Authenticator and Company Portal. I'm starting to believe something else has changed with Broker.
@biozal which version of authenticator and company portal is being used?
iOS: Android: The logs you see are from iOS.
@biozal also....can you share the company portal incident ID and same for authenticator (and send authenticator logs via the app)? Thx
Multiple phones: Waiting for logs in email, will attach when they come into email.
Authenticator: M4RHPPF
@biozal Thank you.
@jennyf19 - I have time after 11 AM EST to debug this so I'll try to get more information for you on what's going on.
@biozal sounds good. In the meantime, I'll send those IDs to our broker teams and see if they can provide any additional insights.
Learned something new - Xcode Device logs with Pii logs enabled give you a far better idea of what's going on. I debugged this time with one of our QA phones and got better logs. I'm going to email them to you because they contain a ton of private information I can't share on the internet. You should be able to give this to the broker team as I think it shows what's going on really well.
So I have found the source of the issue. I opened the bug on the where when we used the string value for the Azure tenant, it would not save tokens properly in 5.1.0.0 here: We put a patch into our apps to change the authority we use from the string value to the GUID value of our tenant to resolve this issue. As part of my testing, I removed all the tokens from my phones using the following sample code: The method is ClearCachedTokens in that class. Everything started working fine for me. However, what I didn't know is that other users continued to get prompted and the token cache continued to not function properly for everyone else. I looked at a few users' token caches and they have two tokens in the cache: one is for the string value of the authority and one is for the GUID value of the authority. I believe this causes a conflict: when the ADAL library tries to update the cached token it gets two results back for the same authority, and because of that it never updates the token cache and bombs out.
I kind of confirmed this by using the Xcode Device Console to watch what was going on between Microsoft Authenticator and one of our apps while it was trying to pull down tokens using the Acquire Token Silent option:
default 08:59:02.661791 -0400 securityd insert failed for item <genp,rowid=null,cdat=2019-07-24 12:59:02 +0000,mdat=2019-07-24 12:59:02 +0000,desc=Storage for cache,icmt=ADAL.PCL.iOS Cache,crtr=null,type=null,scrp=null,labl=ADAL.PCL.iOS Label,alis=null,invi=null,nega=null,cusi=null,prot=null,acct=ADAL.PCL.iOS cache,svce=ADAL.PCL.iOS Service,gena=xxxxxxdata=xxxxxxxxxxxxxxxxxx…|2a174ecc7f249d2,agrp=xxxxxxxxxxxpdmn=dk,sync=0,tomb=0,sha1=xxxxxxxxxx,vwht=null,tkid=null,v_Data=<?>,v_pk=xxxxxxx,accc=null,u_Tomb=null,musr=,UUID=xxxxxxx,sysb=null,pcss=null,pcsk=null,pcsi=null,persistref=> with Error Domain=com.apple.utilities.sqlite3 Code=19 "finalize: 0x105464200: [19->2067] UNIQUE constraint failed: genp.acct, genp.svce, genp.agrp, genp.sync, genp.vwht, genp.tkid, genp.musr" UserInfo={NSDescription=finalize: 0x105464200: [19->2067] UNIQUE constraint failed: genp.acct, genp.svce, genp
Note I modified the data with xxxx to hide sensitive data about our applications. This appears right after the Pii logs show the library trying to write the token to the cache. If I completely clear the token cache for these users and then acquire a token, the token cache starts functioning properly since we are only using the GUID value of the authority. Using the Xcode Device Console logs, I also validated that it is in fact Microsoft Authenticator that is converting the authority from the string value we pass in and returning it as the GUID. I have provided that log in an email message to @jennyf19 as it contains very sensitive information. Our workaround is for users to use the development screens we have created to manually clear the token cache from their device, which so far has resolved the issue for us.
As for other people having the issue: it would be nice if, when the ADAL library saw that there were two records in the cache, instead of throwing out the new cache token it was about to write it would throw out the two tokens in the cache and replace them with the new one that it just acquired from the broker. That would resolve this issue for others and stop the bug from happening again with a different test case.
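The cache conflict described in the comment above (and the symptoms in the issue's expected/actual behaviour), modelled as an added example that is not ADAL's or the broker's code: the same tenant cached under both its domain string and its GUID, the legacy update that refuses an ambiguous write so every silent call prompts, and the fix proposed in the thread (evict every duplicate and keep the newly acquired token). The tenant name, GUID, user and client id are constructed values, and `canonical_authority` is an assumption standing in for the broker's observed string-to-GUID conversion.

```python
from dataclasses import dataclass

# Constructed sample values: one tenant known both by its domain name and by its GUID.
BASE = "https://login.microsoftonline.com/"
TENANT_MAP = {"contoso.onmicrosoft.com": "11111111-2222-3333-4444-555555555555"}
USER, APP = "alice@contoso.onmicrosoft.com", "app-client-id"

class SilentTokenAcquisitionError(Exception): pass  # stands in for AdalSilentTokenAcquisitionException
def canonical_authority(authority: str) -> str:
    """Assumed broker behaviour from the logs: a tenant passed as a string comes back as its GUID."""
    tenant = authority.rstrip("/").rsplit("/", 1)[-1].lower()
    return BASE + TENANT_MAP.get(tenant, tenant)
@dataclass
class CacheItem:
    authority: str  # stored exactly as supplied, so two spellings of one tenant can coexist
    client_id: str
    user: str
    token: str
class TokenCache:
    def __init__(self, replace_duplicates: bool):
        self.items: list[CacheItem] = []
        self.replace_duplicates = replace_duplicates  # the fix proposed in the thread
    def matches(self, authority: str, client_id: str, user: str) -> list[CacheItem]:
        key = canonical_authority(authority)
        return [i for i in self.items if canonical_authority(i.authority) == key and (i.client_id, i.user) == (client_id, user)]
    def acquire_silent(self, authority: str, client_id: str, user: str) -> str:
        found = self.matches(authority, client_id, user)
        if len(found) != 1:  # none or ambiguous: silent acquisition fails and the caller must prompt
            raise SilentTokenAcquisitionError(f"{len(found)} cache entries match")
        return found[0].token
    def store(self, item: CacheItem) -> bool:
        found = self.matches(item.authority, item.client_id, item.user)
        if len(found) > 1 and not self.replace_duplicates:
            return False  # as observed: the ambiguous update is dropped and the stale entries remain
        self.items = [i for i in self.items if i not in found] + [item]  # evict duplicates, keep the new token
        return True

def simulate(replace_duplicates: bool, calls: int = 5) -> int:
    # Start from the state seen on affected phones: one entry per spelling of the authority.
    cache = TokenCache(replace_duplicates)
    for spelling in ("contoso.onmicrosoft.com", TENANT_MAP["contoso.onmicrosoft.com"]):
        cache.items.append(CacheItem(BASE + spelling, APP, USER, "stale-token"))
    prompts = 0  # how many times the broker has to prompt the user over `calls` silent calls
    for n in range(calls):
        try:
            cache.acquire_silent(BASE + "contoso.onmicrosoft.com", APP, USER)
        except SilentTokenAcquisitionError:
            prompts += 1  # fall back to interactive AcquireTokenAsync through the broker
            cache.store(CacheItem(canonical_authority(BASE + "contoso.onmicrosoft.com"), APP, USER, f"fresh-{n}"))
    return prompts
```

With the legacy behaviour `simulate(False)` prompts on every one of the five calls; with duplicate replacement `simulate(True)` prompts once and then serves the cached token, and a cache holding a single spelling works either way, which is the workaround of clearing the cache.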
@jennyf19 : how is MSAL handling the same situation?
@henrik-me I believe this was resolved. I'd have to look back through my notes though...maybe @biozal has a better memory? we had several of these issues in sequence, not sure the specific outcome of this one.
@biozal : please feel free to reopen if this is not working
Hey @biozal , I am facing the same issue but in UWP. Can you tell me where exactly can I find the GUID value of the authority? I checked my Azure manifest, but couldn't find any :/
Which Version of ADAL are you using ?
5.1.0.0
Which platform has the issue?
Xamarin Android, Xamarin iOS
What authentication flow has the issue?
Other?
ADAL with Broker
Is this a new or existing app?
Existing apps - all 6 apps we have that use Broker and ADAL
Repro
https://github.com/biozal/Xamarin-Forms-Reference-App/blob/master/Mobile.RefApp.Lib/ADAL/AzureAuthenticatorService.cs
Expected behavior
When calling AcquireTokenSilentAsync we expect a token to return after a token is acquired and put into the Token Cache.
Actual behavior
When calling AcquireTokenSilentAsync - the call fails and we handle this via AdalSilentTokenAcquisitionException. In the Exception we call the standard AcquireTokenAsync and that returns a valid token. Upon next call to AcquireTokenSilentAsync it fails again even though when looking at the Pii log there was a token in cache. After the failure, the token is removed from the cache and the next call shows the cache at zero items. Every call to acquire token silent fails so the user is prompted for broker for every call.
Possible Solution
This seems very similar to the other bugs about cache tokens not working:
#1625
#1626
Additional context/ Logs / Screenshots
I have a movie I can make available upon request.
Pii logs are below: