iOS Keychain Access
From ADAL 4.x, you can specify a Keychain Security Group to use for persisting the token cache across multiple applications. This enables you to share the token cache between several applications that have the same keychain security group, including those developed with MSAL.NET, ADAL.NET Xamarin.iOS applications, and native iOS applications developed with ADAL.objc or MSAL.objc.
Sharing the token cache allows single sign-on between all of the applications that use the same Keychain Security Group.
To enable this, you need to set the AuthenticationContext.iOSKeychainSecurityGroup property to the same value in all of the applications.
An example of this using ADAL v5.x-preview would be:
```csharp
AuthenticationContext authContext = new AuthenticationContext(_authority);
// Make sure this pre-compilation constant exists in your environment!
#if __IOS__
authContext.iOSKeychainSecurityGroup = "com.microsoft.adalcache";
#endif
```
Note that you can define any security group.
Previously, from ADAL 4.x, developers were forced to include the TeamId prefix when using the KeychainSecurityGroup property, and that prefix changes between dogfood and development time.
Now, from ADAL 5.0.x-preview, when using the new iOSKeychainSecurityGroup property, ADAL resolves the TeamId prefix at runtime. When using this property, the value should not contain the TeamId prefix.
Use the new iOSKeychainSecurityGroup property, which does not require developers to provide the TeamId; the previous KeychainSecurityGroup property is now obsolete.
From MSAL 2.x and ADAL 4.x, the TeamId is used to access the keychain; this enables the authentication libraries to provide Single Sign-On (SSO) between applications of the same publisher.
What is the TeamIdentifierPrefix (TeamId)? It is a unique identifier (company or personal) in the App Store. The AppId is unique for an app. If you have more than one app, the TeamId for all the apps will be the same, but the AppId will be different. The keychain access group is prefixed by TeamId automatically for each group by the system. It's how the OS enforces that apps from the same publisher can access the shared keychain.
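The following Xamarin.iOS snippet is an added illustration, not ADAL's own code, of how the TeamId prefix can be resolved at runtime and why it comes back null when the keychain entitlement is missing: it writes a throwaway generic-password item to the keychain and reads back the access group the system assigned to it, which the OS always prefixes with the TeamId. The probe service and account names are assumptions chosen here; `QualifiedGroup` shows how a prefix-free `iOSKeychainSecurityGroup` value would be combined with the resolved TeamId.

```csharp
// Added illustration (not ADAL's own code): resolve the TeamId from the keychain.
// Assumes Xamarin.iOS with the Foundation and Security namespaces available.
using System;
using Foundation;
using Security;

public static class KeychainTeamId
{
    // Constructed identifiers for the probe item; any unique service/account pair works.
    const string ProbeService = "teamid-probe.example"; // assumed name
    const string ProbeAccount = "teamid-probe";         // assumed name

    // Returns the TeamId (for example "ABCDE12345"), or null when the keychain cannot
    // be used, which is what happens when the app carries no keychain-access-groups
    // entitlement (the "TeamId returned null from the iOS keychain" situation).
    public static string Resolve()
    {
        var query = new SecRecord(SecKind.GenericPassword)
        {
            Service = ProbeService,
            Account = ProbeAccount,
        };

        // Look for an existing probe item; create one the first time.
        SecStatusCode status;
        SecRecord found = SecKeyChain.QueryAsRecord(query, out status);
        if (status == SecStatusCode.ItemNotFound)
        {
            var item = new SecRecord(SecKind.GenericPassword)
            {
                Service = ProbeService,
                Account = ProbeAccount,
                ValueData = NSData.FromString("probe"),
                // Keep the probe on this device only; it carries no secret of value.
                Accessible = SecAccessible.AfterFirstUnlockThisDeviceOnly,
            };
            status = SecKeyChain.Add(item);
            if (status != SecStatusCode.Success)
                return null;
            found = SecKeyChain.QueryAsRecord(query, out status);
        }
        if (status != SecStatusCode.Success || found?.AccessGroup == null)
            return null;

        // The system-assigned group looks like "ABCDE12345.com.example.app";
        // everything before the first '.' is the TeamId.
        string group = found.AccessGroup;
        int dot = group.IndexOf('.');
        return dot > 0 ? group.Substring(0, dot) : null;
    }

    // Combines a prefix-free group name (the value you would give to
    // iOSKeychainSecurityGroup) with the TeamId resolved at runtime.
    public static string QualifiedGroup(string iOSKeychainSecurityGroup)
    {
        string teamId = Resolve();
        if (teamId == null)
            throw new InvalidOperationException(
                "TeamId returned null from the iOS keychain: check the keychain-access-groups " +
                "entitlement and the CodesignEntitlements setting of the iOS project.");
        return teamId + "." + iOSKeychainSecurityGroup;
    }
}
```

Run `KeychainTeamId.Resolve()` on a device build: with the entitlement from this page in place it returns your TeamId, and without it the probe insert fails and the method returns null, which is the condition the troubleshooting steps below address.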
When initializing the AuthenticationContext, if you receive an AdalClientException with the message "TeamId returned null from the iOS keychain...", you will need to do the following in the iOS Xamarin app:
- In VS, under the Debug tab, go to nameOfMyApp.iOS Properties...
- Then go to iOS Bundle Signing
- Under Custom Entitlements, click the ... and select the Entitlements.plist file from your app
- In the csproj file of the iOS app, you should now have this line included: `<CodesignEntitlements>Entitlements.plist</CodesignEntitlements>`
- Rebuild the project.
This is in addition to enabling keychain access in the Entitlements.plist file, using either the access group below or your own:
```xml
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
    </array>
</dict>
</plist>
```