Azure-Samples / ms-identity-android-java

A reference application demonstrating how to use MSAL Android to sign in users and access Microsoft Graph
MIT License

The redirect URI in the configuration file doesn't match with the one generated with package name and signature hash #46

Open Prabhakaran-Ganesan opened 3 years ago

Prabhakaran-Ganesan commented 3 years ago

Basic information:

I am trying out the sample from this link (https://github.com/Azure-Samples/ms-identity-android-java/) to integrate with the Microsoft identity platform. The sample app is working fine with the default configuration.

I also followed this tutorial (https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-shared-device-mode) to enable shared-device mode using the Authenticator app.

This is also working fine. The problem occurred when I replaced the client ID and other configurations in the config file using the App registration from our Azure Active Directory.

Please find more details in the repro steps below

Minimal steps to reproduce

  1. Download the sample from this link (https://github.com/Azure-Samples/ms-identity-android-java/)

  2. Set up the Authenticator App using this tutorial (https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-shared-device-mode)

  3. Register an app in the Azure Active Directory and add an Android platform in the authentication section

  4. Generate a config file by providing package name and signature hash

  5. Then open the sample app, open the auth_config_single_account.json file and replace its content with the file generated from the App registration in Azure Active Directory

  6. Open AndroidManifest.xml file and change the data path value in BrowserTabActivity (Line No. 35) with the generated signature hash

  7. Run the app

  8. On opening the app, it is showing the following exception.

com.microsoft.identity.client.exception.MsalClientException: The redirect URI in the configuration file doesn't match with the one generated with package name and signature hash. Please verify the uri in the config file and your app registration in Azure portal.

I have found a workaround for removing this error as follows. But this workaround doesn't make the application run in Shared-Device mode; the app is working in regular mode only, even though "mSingleAccountApp.isSharedDevice()" returns 'true'.

Workaround steps

  1. Add an extra character like a typo in the redirect URI in the config file as shown below, and also include this redirect URI in the app registration in the Azure Active Directory

     ORIGINAL

     "redirect_uri" : "msauth://com.azuresamples.msalandroidapp/ga0RGNYHvNM5d0SLGQfpQWAPGJ8%3D"

     WORKAROUND

     "redirect_uri" : "msauth://com.azuresamples.msalandroidappz/ga0RGNYHvNM5d0SLGQfpQWAPGJ8%3D"

  2. Also change the same in the AndroidManifest.xml (Line No. 34)

     ORIGINAL

     android:host="com.azuresamples.msalandroidapp"

     WORKAROUND

     android:host="com.azuresamples.msalandroidappz"

  3. After these changes, the app is working in regular mode but not in Shared-Device mode

Please help me resolve this issue.

Device Details

Device: Redmi 4A, Android version: 7.1.2

@rpdome For traceability, mentioning the Microsoft support ticket number 120120326004885


Naakhta commented 3 years ago

@rpdome - Hi Dome, Prabhakaran has followed your steps to Invalidate Caches and Restart in Android Studio; however, the result is the same and the application is still not working as per the shared device mode. Please suggest here.

rpdome commented 3 years ago

@Prabhakaran-Ganesan Could you please try debugging with the code in the following function - and see what signature hashes you're getting?

https://github.com/AzureAD/microsoft-authentication-library-for-android/blob/6999c4d2a54951b70d03706a775ec7b18fc5098a/msal/src/main/java/com/microsoft/identity/client/PublicClientApplicationConfiguration.java#L490

Prabhakaran-Ganesan commented 3 years ago

@rpdome Using the above code, I have got a different signature instead of the one generated with my keystore. Then I changed my project configs and azure portal with this new signature.

After this the problem got resolved.

For clarification, I have created another new sample project and new key store. Here also the same issue occurred. Again I used the above code to solve the problem.

Below are the steps I followed.

  1. In Android Studio (4.1.2), a new project was created
  2. The MSAL dependencies and related code were added
  3. A new keystore file (testkey.jks) was added using Android Studio
  4. Then the following command was used to generate the signature hash

     keytool -exportcert -alias myalias -keystore "E:\Keystore\testkey.jks" | "E:\openssl-0.9.8k_X64\bin\openssl.exe" sha1 -binary | "E:\openssl-0.9.8k_X64\bin\openssl.exe" base64

  5. After entering the password, I got the signature hash. Then I included this in my Azure app registration to get the configuration file.
  6. The signed release APK was generated using Android Studio.
  7. The same error occurred after installing the APK.
  8. I used the same code to verify the signature but I found a different one.
  9. Then I changed the signature hash in my project and Azure app registration to the one found above
  10. The issue got solved.

What I observed here is that the issue got solved by using the signature hash obtained using the code, and that it does not match the signature generated with the following command line

keytool -exportcert -alias SIGNATURE_ALIAS -keystore PATH_TO_KEYSTORE | openssl sha1 -binary | openssl base64

(Same occurred for debug signature too)

Is this a bug or am I missing something?
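The derivation behind the error message quoted in this thread, as an added example (not code from the sample, from MSAL or from any commenter): it builds the redirect URI and the BrowserTabActivity host/path values from a package name and the signing certificate's DER bytes using MSAL's documented rule (msauth://<package>/<URL-encoded Base64(SHA-1(certificate))>) and checks an auth_config JSON against them. The certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import json
from urllib.parse import quote

# Constructed stand-in for a signing certificate's DER bytes (not a real certificate).
SAMPLE_CERT_DER = b"constructed-stand-in-for-signing-certificate-DER"


def signature_hash(cert_der: bytes) -> str:
    """Base64(SHA-1(certificate DER)): the value the
    'keytool -exportcert | openssl sha1 -binary | openssl base64' pipeline prints."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def redirect_uri(package_name: str, cert_der: bytes) -> str:
    """Redirect URI in the form MSAL Android derives from package name + signature hash.
    safe="" so that '/', '+' and '=' inside the Base64 text become %2F, %2B and %3D."""
    return f"msauth://{package_name}/{quote(signature_hash(cert_der), safe='')}"


def manifest_intent_filter(package_name: str, cert_der: bytes) -> dict:
    """android:host / android:path values the BrowserTabActivity <data> element must carry.
    The path uses the raw Base64 hash with a leading slash, not the URL-encoded form."""
    return {"host": package_name, "path": "/" + signature_hash(cert_der)}


def check_config(config_json: str, package_name: str, cert_der: bytes) -> list:
    """Compare an auth_config_*.json against the derived redirect URI.
    Returns a list of problem descriptions; an empty list means they agree.
    This is the consistency check behind the MsalClientException quoted in the issue."""
    configured = json.loads(config_json).get("redirect_uri", "")
    expected = redirect_uri(package_name, cert_der)
    if configured == expected:
        return []
    # Split the mismatch so the developer knows whether the host or the hash is wrong.
    scheme_host, _, path = configured.rpartition("/")
    problems = []
    if scheme_host != f"msauth://{package_name}":
        problems.append(f"host part {scheme_host!r} does not match package {package_name!r}")
    if path != quote(signature_hash(cert_der), safe=""):
        problems.append(f"signature hash {path!r} does not match the certificate")
    return problems or [f"redirect_uri {configured!r} != {expected!r}"]


if __name__ == "__main__":
    good = json.dumps({"redirect_uri": redirect_uri("com.azuresamples.msalandroidapp", SAMPLE_CERT_DER)})
    print(check_config(good, "com.azuresamples.msalandroidapp", SAMPLE_CERT_DER))
    # The 'z' workaround from the issue: the host no longer matches the installed package.
    print(check_config(good, "com.azuresamples.msalandroidappz", SAMPLE_CERT_DER))
```

Feed it the DER exported from the keystore you believe signs the APK; if its result disagrees with what the installed app reports, the APK was signed with a different certificate than the one the config was generated from.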

rpdome commented 3 years ago

@Prabhakaran-Ganesan I'm suspecting that

  1. The testkey.jks is not used at all - could be some configuration issue in Android Studio or in your gradle file.
  2. When I was trying with AzureSample's keystore and accidentally input a wrong path, the command would still generate a string. Are you getting prompted for a password when you're executing the command? Could you please try just keytool -exportcert -alias myalias -keystore "E:\Keystore\testkey.jks" and see if you're getting something out?

Prabhakaran-Ganesan commented 3 years ago

Greetings, @rpdome

I have verified the input path and I also got the prompt for the password, but I am still getting the same signature. As suggested, I got the following result upon executing the command

keytool -exportcert -alias myalias -keystore "E:\Keystore\testkey.jks"


Prabhakaran-Ganesan commented 3 years ago

Dear @rpdome ,

We are awaiting your response.

Thanks and regards, Prabhakaran

fabaumann91 commented 3 years ago

Confirmed @rpdome, this is a bug that was resolved by adding z to the end of my package name. Thank you @Prabhakaran-Ganesan for finding it.