Different Broker URI expected than generated

[negberts]

I've followed this article to enable brokers for Android: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS

However, when I try to generate the broker URL from your generateRedirectUriForBroker.ps1 file it is missing the signature.cmd file so it fails to run. So I used https://github.com/AzureAD/azure-activedirectory-library-for-android/blob/dev/GetBrokerRedirectURI.ps1 instead. It generated the following redirect URI: msauth://nl.piminfra.Pim.MobileApp.prd/szeN2o%2bCHciVK%2bDtj4aSg3fGLew%3d

This worked like a charm yesterday. But today a new deployment was done to the play store and suddenly ADAL now says it needs a different redirect URI: msauth://nl.piminfra.pim.mobileapp.prd/UK0cOC8noJ7JWt%2bDK37H8F8v2m8%3d If I download the APK from the play store it still generates the original redirect URI in the powershell script. So why does ADAL expect a different URI?

Is this going to change every deployment? Should I maybe use the GetRedirectUriForBroker method from the "Redirect URI during development" section every time?

I've found this issue as well: https://github.com/AzureAD/azure-activedirectory-library-for-android/issues/729 Looks like the same?

[jmprieur]

@jennyf19 @oldalton : would a deployment of authenticator explain this?

[oldalton]

It might. Or it might be because of using a different signature (prod vs dev). Adding Shane to take a look: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/issues/1654

Thanks, Olga

---

From: Jean-Marc Prieur notifications@github.com Sent: Tuesday, September 17, 2019 9:17 PM To: AzureAD/azure-activedirectory-library-for-dotnet azure-activedirectory-library-for-dotnet@noreply.github.com Cc: Olga Dalton oldalton@microsoft.com; Mention mention@noreply.github.com Subject: Re: [AzureAD/azure-activedirectory-library-for-dotnet] Different Broker URI expected than generated (#1654)

@jennyf19https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fjennyf19&data=02%7C01%7Coldalton%40microsoft.com%7C6f4864d1415a48925e1f08d73bef2eed%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637043770778091368&sdata=l2Bt0RAmjMPU3q6xkdZoBkWp%2BP6qyG3IWUW2KCUJVts%3D&reserved=0 @oldaltonhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Foldalton&data=02%7C01%7Coldalton%40microsoft.com%7C6f4864d1415a48925e1f08d73bef2eed%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637043770778091368&sdata=BW0AmmsyUy8qYvGtdekbmPf5g4R6enqA2APqIsy7vuY%3D&reserved=0 : would a deployment of authenticator explain this?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHubhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAzureAD%2Fazure-activedirectory-library-for-dotnet%2Fissues%2F1654%3Femail_source%3Dnotifications%26email_token%3DAGNKJETRSP23BPYMSSRO3MDQKGTXHA5CNFSM4IXLSOEKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD66XVIA%23issuecomment-532511392&data=02%7C01%7Coldalton%40microsoft.com%7C6f4864d1415a48925e1f08d73bef2eed%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637043770778101367&sdata=%2Bme1tW9uSF2i8eDMKvoera9%2FSmYkg1gFwzvMxA%2FgR1s%3D&reserved=0, or mute the threadhttps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAGNKJEXOD3A4TPTAHTM2O23QKGTXHANCNFSM4IXLSOEA&data=02%7C01%7Coldalton%40microsoft.com%7C6f4864d1415a48925e1f08d73bef2eed%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637043770778101367&sdata=ZL6N5vYbiILWnqH4sWMdl%2BBnPV8lBYsli%2Bc8Wk3qLdM%3D&reserved=0.

[negberts]

@jmprieur @oldalton another problem that we seem to have is that the redirect URI is now generated as msauth://nl.piminfra.pim.mobileapp.prd/UK0cOC8noJ7JWt+DK37H8F8v2m8= but the Azure Portal doesn't allow it to be registered, it doesn't allow the = at the end.

If I change it to msauth://nl.piminfra.pim.mobileapp.prd/UK0cOC8noJ7JWt%2bDK37H8F8v2m8%3d with %2b for the + sign and %3d for the = sign, than the azure portal accepts the URI but the app now complains that the URI is not registered at Azure Portal:

How can we fix this?

[jmprieur]

@negberts : did you read this article ? https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps#step-7-make-sure-the-redirect-uri-is-registered-with-your-app

[shoatman]

There is a doc and portal bug here. @hamiltonha - We need to file a bug with the portal team to update the scripts used to generate the redirect URI to ensure that it's base64 and url encoded. The current powershell scripts do that in the Android project... however the documentation for Xamarin and the scripts in the portal do not do that.

[negberts]

@negberts : did you read this article ? https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-net-use-brokers-with-xamarin-apps#step-7-make-sure-the-redirect-uri-is-registered-with-your-app

@jmprieur if broker support is not available for Android, why is it in your documentation than?

@shoatman thank you! Could you maybe also add the signature.cmd file to github that your powershell file is revering to?

[jmprieur]

@negberts : sorry it is in ADAL, not in MSAL yet. my bad.

[negberts]

@jmprieur that's a good thing because I cannot migrate to MSAL as long as MSAL doesn't support setting the tenant ID after initialization.

[jmprieur]

@negberts : MSAL.NET supports setting the tenant ID after initialization (with the .WithAuthority() on the acquire token xx builder

app.AcquireTokenXXX(scopes) .WithAuthority(authority) .ExecuteAsync();

[negberts]

@jmprieur yes but on the IOS and Android apps I have to add a fixed client id to the android manifest and the IOS info.plist

We have 8 different tenants that each have configured the app in their own active directory. On startup of the app they choose their own tenant to login to and authenticate against their own active directory. This scenario works with ADAL. Not with MSAL, because of these limitations.

[oldalton]

Recommended Redirect Uri format has changed for both iOS and Android, and you shouldn't need to have your clientId in Info.plist anymore. Please take a look at some documentation here: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-app-configuration

[negberts]

@oldalton thank you, that looks promising!

[jennyf19]

@negberts are you still having issues w/this?

[negberts]

@jennyf19 Yes and no. I am using the GetRedirectUri method in my app to generate the redirect URI. But I did do a deployment lately and at least it did not generate a 'new' URI since I have not seen issues about a redirect URI missing in Azure. However, it is still a different URI then the powershell generated.

[jennyf19]

@negberts should we close the issue and have you reopen if/when it happens again?

[negberts]

@jennyf19 okay

[jennyf19]

@negberts closing, but please reopen if you encounter it again.