Xamarin iOS Specifics
On iOS, you need to override the OpenUrl method of your FormsApplicationDelegate-derived class and call the SetAuthenticationContinuationEventArgs method of the MSAL AuthenticationContinuationHelper class:
```csharp
using Foundation;
using UIKit;
using Microsoft.Identity.Client;

// In the FormsApplicationDelegate-derived AppDelegate: hand the redirect URL back to MSAL.
public override bool OpenUrl(UIApplication app, NSUrl url, NSDictionary options)
{
    AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs(url);
    return true;
}
```
You will also need to define a URL scheme, request permission for your app to call another app, use the specific form required for the redirect URL, and register this redirect URL in the Azure portal.
On iOS, in order to make the token cache work and have AcquireTokenSilentAsync succeed, the following steps must be followed:
- Enable Keychain access in your Entitlements.plist file and specify your bundle identifier in the Keychain Groups.
- In your project options, in the iOS Bundle Signing view, select your Entitlements.plist file for the Custom Entitlements field.
- When signing with a certificate, make sure Xcode uses the same Apple ID.
From MSAL 2.x, you can specify the Keychain Security Group to use for persisting the token cache. This enables you to share the token cache between several applications having the same keychain security group (ADAL.NET and MSAL.NET Xamarin.iOS applications as well as native iOS applications developed with ADAL.objc or MSAL.objc). For this, you need to set the KeychainSecurityGroup property of PublicClientApplication to the same value in all the applications.
Previously, from MSAL 2.x, developers were forced to include the TeamId prefix, which changes between dogfood and development time. From MSAL 2.7.x, MSAL resolves the TeamId prefix at runtime, so when using this property the value should not contain the TeamId prefix. Use the new iOSKeychainSecurityGroup property, which does not require developers to provide the TeamId; the previous KeychainSecurityGroup property is now obsolete.
From MSAL 2.x and ADAL 4.x, the TeamId is used to access the keychain. This enables the authentication libraries to provide SSO between applications of the same publisher.
What is the TeamIdentifierPrefix (TeamId)? It is a unique identifier (company or personal) in the App Store. The AppId is unique for an app. If you have more than one app, the TeamId for all the apps will be the same, but the AppId will be different. The keychain access group is prefixed by TeamId automatically for each group by the system. It's how the OS enforces that apps from the same publisher can access the shared keychain.
When initializing the PublicClientApplication, if you receive an MsalClientException with the message "TeamId returned null from the iOS keychain...", you will need to do the following in the iOS Xamarin app:
- In VS, under the Debug tab, go to nameOfMyApp.iOS Properties...
- Then go to iOS Bundle Signing
- Under Custom Entitlements, click the ... and select the Entitlements.plist file from your app
- In the csproj file of the iOS app, you should now have this line included: `<CodesignEntitlements>Entitlements.plist</CodesignEntitlements>`
- Rebuild the project.
This is in addition to enabling keychain access in the Entitlements.plist file, using either the access group below or your own:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>keychain-access-groups</key>
    <array>
        <!-- $(AppIdentifierPrefix) is the TeamId prefix; the system substitutes it at build time -->
        <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
    </array>
</dict>
</plist>
```
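The following is an added example, not code from the MSAL.NET wiki or the sample project, showing how the keychain group from the Entitlements.plist above ties into the application code: the iOSKeychainSecurityGroup property is set without the TeamId prefix, AcquireTokenSilentAsync is tried first (it only succeeds when the keychain-backed cache is readable), and the "TeamId returned null" MsalClientException is surfaced with a pointer to the entitlements steps. It assumes the MSAL.NET 2.7.x API described on this page; the client ID and redirect URI are placeholders that must be replaced with the values registered in the Azure portal.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class MsalIosAuth
{
    // Placeholder: the application (client) ID registered in the Azure portal.
    private const string ClientId = "<your-client-id>";

    // Placeholder: must match the redirect URI registered in the portal and the URL scheme in Info.plist.
    private const string RedirectUri = "<your-registered-redirect-uri>";

    private static readonly string[] Scopes = { "User.Read" };

    // Assumption: MSAL.NET 2.7.x property-based configuration, as described on this page.
    private static readonly PublicClientApplication App = new PublicClientApplication(ClientId)
    {
        RedirectUri = RedirectUri,
        // Keychain group WITHOUT the TeamId prefix; MSAL 2.7.x resolves the prefix at runtime.
        // This must be the same group listed under keychain-access-groups in Entitlements.plist,
        // and the same value in every app that should share the cache (SSO).
        iOSKeychainSecurityGroup = "com.microsoft.adalcache"
    };

    public static async Task<AuthenticationResult> GetTokenAsync()
    {
        try
        {
            // Silent acquisition reads the keychain-backed cache; with a correct
            // entitlements setup this succeeds without showing any UI.
            var accounts = await App.GetAccountsAsync();
            return await App.AcquireTokenSilentAsync(Scopes, accounts.FirstOrDefault());
        }
        catch (MsalUiRequiredException)
        {
            // No cached token (or it expired and cannot be refreshed): fall back to interactive.
            // OpenUrl in the AppDelegate hands the redirect back to MSAL to finish this call.
            return await App.AcquireTokenAsync(Scopes);
        }
        catch (MsalClientException ex) when (ex.Message.Contains("TeamId returned null"))
        {
            // The keychain is not accessible: Entitlements.plist is missing or not selected
            // as Custom Entitlements in iOS Bundle Signing (see the steps above).
            throw new InvalidOperationException(
                "Keychain access is not configured; check Entitlements.plist and CodesignEntitlements in the iOS csproj.",
                ex);
        }
    }
}
```

Keep the interactive fallback and the silent path in the same place so that a misconfigured keychain shows up as a loud, specific failure during development rather than as users being prompted to sign in on every launch.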
More details are provided in the iOS Specific Considerations paragraph of the following sample's readme.md file:
Sample | Platform | Description |
---|---|---|
https://github.com/Azure-Samples/active-directory-xamarin-native-v2 | Xamarin iOS, Android, UWP | A simple Xamarin Forms app showcasing how to use MSAL to authenticate MSA and Azure AD via the AAD V2.0 endpoint, and access the Microsoft Graph with the resulting token. |