
Xamarin iOS Specifics

jennyf19 edited this page Jul 8, 2019 · 15 revisions

Xamarin iOS specific considerations

On Xamarin iOS, there are several considerations that you must take into account when using MSAL.NET:

  1. Override and implement the OpenUrl function in the AppDelegate
  2. Enable Keychain groups
  3. Enable token cache sharing
  4. Enable Keychain access

Implement OpenUrl

First, you need to override the OpenUrl method of the FormsApplicationDelegate-derived class and call AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs so that the redirect back from the browser or broker is handed to MSAL.

// Called by iOS when the app is opened through its URL scheme, i.e. when the
// authentication flow redirects back to the app. Hand the URL to MSAL so the
// pending AcquireTokenInteractive call can complete.
public override bool OpenUrl(UIApplication app, NSUrl url, NSDictionary options)
{
    AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs(url);
    return true;
}

You will also need to define a URL scheme, request permission for your app to call another app, use the specific form required for the redirect URL, and register this redirect URL in the Azure portal.

Enable keychain access

To enable keychain access, your application must have a keychain access group. You can set your keychain access group by using the WithIosKeychainSecurityGroup() API when creating your application, as shown below:

var builder = PublicClientApplicationBuilder
     .Create(ClientId)
     .WithIosKeychainSecurityGroup("com.microsoft.msalrocks")
     .Build();

The entitlements.plist should be updated to look like the following:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)com.microsoft.msalrocks</string>
  </array>
</dict>
</plist>

An example of this using MSAL v4.x would be:

PublicClientApplication.iOSKeychainSecurityGroup = "com.microsoft.msalrocks";

When using the WithIosKeychainSecurityGroup() API, MSAL automatically prepends the application's "team ID" (AppIdentifierPrefix) to your security group, because Xcode does the same when it builds your application. See the iOS entitlements documentation for more details. This is why you need to update the entitlements to include $(AppIdentifierPrefix) before the keychain access group in the entitlements.plist.

Enable token cache sharing across iOS applications

From MSAL 2.x, you can specify a keychain access group to use for persisting the token cache across multiple applications. This enables you to share the token cache between several applications having the same keychain access group, including those developed with ADAL.NET, MSAL.NET Xamarin.iOS applications, and native iOS applications developed with ADAL.objc or MSAL.objc.

Sharing the token cache allows single sign-on between all of the applications that use the same keychain access group.

To enable this, use the WithIosKeychainSecurityGroup() method to set the keychain access group to the same value in all applications sharing the same cache, as shown in the example above.

Earlier, it was mentioned that MSAL adds the $(AppIdentifierPrefix) whenever you use the WithIosKeychainSecurityGroup() API. This is because the AppIdentifierPrefix, or "team ID", is what ensures that only applications made by the same publisher can share keychain access.
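The following is an added example (not code from the MSAL.NET wiki or library) that ties the keychain group setup above to the token cache sharing it enables: the app is built with a shared keychain access group (given without the team ID) and tries a silent acquisition first, so an account signed in by another app of the same publisher in the same group yields single sign-on. The client ID, the group name "com.contoso.sharedcache" and the scope are placeholders; the redirect URI form msal{ClientId}://auth is the MSAL.NET default for iOS.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using UIKit;

public static class MsalIosAuth
{
    // Placeholder values; replace with your app registration's client ID and scopes.
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    static readonly string[] Scopes = { "User.Read" };

    // The keychain group is given WITHOUT the team ID: MSAL prepends
    // $(AppIdentifierPrefix) at runtime, matching the entitlements.plist entry
    // that Xcode expands. Every app that should share the cache uses this value.
    public static readonly IPublicClientApplication App =
        PublicClientApplicationBuilder
            .Create(ClientId)
            .WithIosKeychainSecurityGroup("com.contoso.sharedcache")
            .WithRedirectUri($"msal{ClientId}://auth")
            .Build();

    public static async Task<AuthenticationResult> GetTokenAsync(UIViewController parent)
    {
        // Accounts in the shared cache, including ones written by another app
        // of the same publisher, are visible here.
        var account = (await App.GetAccountsAsync()).FirstOrDefault();

        if (account != null)
        {
            try
            {
                // Silent first: completes without UI when the shared cache already
                // holds a usable token or refresh token for this account.
                return await App.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            }
            catch (MsalUiRequiredException)
            {
                // Cached credential unusable (expired, consent or MFA required):
                // fall through to the interactive flow.
            }
        }

        // Interactive flow; its redirect arrives through the OpenUrl override
        // in the AppDelegate, which hands the URL back to MSAL.
        return await App.AcquireTokenInteractive(Scopes)
            .WithParentActivityOrWindow(parent)
            .ExecuteAsync();
    }
}
```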

Note: KeychainSecurityGroup Property Deprecated

Previously, from MSAL 2.x, developers were forced to include the TeamId prefix when using the KeychainSecurityGroup property, a value that changes between dogfood and development builds.

From MSAL 2.7.x, when using the new iOSKeychainSecurityGroup property, MSAL resolves the TeamId prefix at runtime. When using this property, the value should not contain the TeamId prefix.

Use the new iOSKeychainSecurityGroup property, which does not require developers to provide the TeamId, as the previous KeychainSecurityGroup property is now obsolete.

Sample illustrating Xamarin iOS specific properties

More details are provided in the iOS Specific Considerations section of the following sample's readme.md file:

Sample: https://github.com/Azure-Samples/active-directory-xamarin-native-v2
Platform: Xamarin iOS, Android, UWP
Description: A simple Xamarin Forms app showcasing how to use MSAL to authenticate MSA and Azure AD via the AAD V2.0 endpoint, and access the Microsoft Graph with the resulting token.
