AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] MSAL AcquireTokenInteractive does not return after being cancelled when using Intune Company Portal as broker #4409

Open LennoxP90 opened 1 year ago

LennoxP90 commented 1 year ago

Library version used

4.56.0

.NET version

standard 2.1

Scenario

PublicClient - mobile app

Is this a new or an existing app?

The app is in production; I haven't upgraded MSAL, but started seeing this issue.

Issue description and reproduction steps

When calling AcquireTokenInteractive, if the user hits the back button while the account select screen is shown, the call never returns.

Relevant code snippets

AuthenticationResult result = null;
try
{
  // Only go interactive when no result was obtained earlier; the `break` below only
  // compiles inside a loop, so this snippet is taken from an enclosing retry loop that is not shown
  result = result ??
    await App.AzureIdentityClient.AcquireTokenInteractive( _scopes )
      .ExecuteAsync();
}
catch( MsalClientException e )
{
  // Record why sign-in failed and leave the enclosing loop
  returnVal.reason = e.Message;
  break;
}

Expected behavior

I expect either an exception to be thrown indicating the login was cancelled, or the call to return an empty result.

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

Workaround

  protected override void OnActivityResult( int requestCode, Result resultCode, Intent data )
  {
    base.OnActivityResult( requestCode, resultCode, data );

    //InTune Company Portal broker does not return the hardware back button the same as the Microsoft Authenticator app
    //(it comes back with Result.Canceled and a null Intent, which MSAL never treats as a broker response)
    if(    data == null
        && resultCode == Result.Canceled )
    {
      //Create a dummy Intent to pass in (Instance is presumably a static reference to the hosting Activity)
      Intent newData = new Intent( Instance, typeof( AndroidService ) );
      //Hand MSAL a synthetic "user cancelled" broker response so the pending AcquireTokenInteractive completes
      AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs( 1001,         //BrokerConstants.BrokerRequestId
                                                                               (Result)2001, //BrokerResponseCode.UserCancelled
                                                                               newData );

      return;
    }

    // Return control to MSAL
    AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs( requestCode,
                                                                             resultCode,
                                                                             data );
  }
bgavrilMS commented 1 year ago
  1. If the user doesn't hit the "back button" does the auth complete?
  2. Is this on Android, iOS or both?
LennoxP90 commented 1 year ago
  1. yes
  2. only tested on android

The issue I need to capture is when the authentication is cancelled: since the authentication was cancelled, focus is returned to my app with no reason as to why.

LennoxP90 commented 1 year ago

This is only when the Intune Company Portal is installed on the device; with Microsoft Authenticator, and with no broker at all, it works fine and indicates back to my app when authentication was cancelled. I have a tester that has the same issue on his personal device, and he states he does not have Microsoft Authenticator or Intune installed, but he does have Outlook, Work, Excel installed.

LennoxP90 commented 1 year ago

If I pull the MSAL source into my app, it hangs on this line:

await AndroidBrokerInteractiveResponseHelper.ReadyForResponse.WaitAsync().ConfigureAwait(false);

at line 128 of Platforms/Android/Broker/AndroidContentProviderBroker.cs.

It seems like the Intune Company Portal app is not returning the response when the user cancels authentication using the hardware back button.

LennoxP90 commented 1 year ago

OK, so I found the problem:

data is null

LennoxP90 commented 1 year ago

Knowing how the internals work, I managed to scrape together a workaround.

In the Activity of the running app, modify OnActivityResult to include the workaround:

  protected override void OnActivityResult( int requestCode, Result resultCode, Intent data )
  {
    base.OnActivityResult( requestCode, resultCode, data );

    //InTune Company Portal broker does not return the hardware back button the same as the Microsoft Authenticator app
    //(it comes back with Result.Canceled and a null Intent, which MSAL never treats as a broker response)
    if(    data == null
        && resultCode == Result.Canceled )
    {
      // Create a dummy Intent to pass in (Instance is presumably a static reference to the hosting Activity)
      Intent newData = new Intent( Instance, typeof( AndroidService ) );
      // Hand MSAL a synthetic "user cancelled" broker response so the pending AcquireTokenInteractive completes
      AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs( 1001,         //BrokerConstants.BrokerRequestId
                                                                               (Result)2001, //BrokerResponseCode.UserCancelled
                                                                               newData );

      return;
    }

    // Return control to MSAL
    AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs( requestCode,
                                                                             resultCode,
                                                                             data );
  }
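A caller-side guard to pair with the OnActivityResult workaround above, added here as an example and not code from the issue or from MSAL: it races AcquireTokenInteractive against a deadline so a broker that never answers (the null-Intent case in this thread) cannot hang the app indefinitely, and it maps MSAL's authentication_canceled error code to a distinct outcome. It assumes `pca` is the app's IPublicClientApplication (App.AzureIdentityClient in the reporter's snippet) and that a five-minute deadline is acceptable; both are assumptions.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not code from the issue or from MSAL.
public enum SignInOutcome { Success, UserCancelled, TimedOut, Failed }

public static class GuardedSignIn
{
    // Assumed upper bound on how long the UI may wait for the broker to answer.
    private static readonly TimeSpan BrokerTimeout = TimeSpan.FromMinutes(5);

    public static async Task<(SignInOutcome Outcome, string Reason, AuthenticationResult Token)> AcquireAsync(
        IPublicClientApplication pca, string[] scopes, CancellationToken outer)
    {
        using (var cts = CancellationTokenSource.CreateLinkedTokenSource(outer))
        {
            cts.CancelAfter(BrokerTimeout);
            Task<AuthenticationResult> acquire = pca.AcquireTokenInteractive(scopes).ExecuteAsync(cts.Token);

            // Race MSAL against the deadline rather than trusting that the internal broker
            // wait (ReadyForResponse.WaitAsync) observes the token.
            Task first = await Task.WhenAny(acquire, Task.Delay(Timeout.InfiniteTimeSpan, cts.Token)).ConfigureAwait(false);
            if (first != acquire)
            {
                outer.ThrowIfCancellationRequested();   // the caller asked us to stop: propagate
                // Deadline hit: the broker never answered. The orphaned MSAL task stays pending,
                // so do not start another interactive call until OnActivityResult has fed MSAL a result.
                return (SignInOutcome.TimedOut, "broker_timeout", null);
            }
            try
            {
                AuthenticationResult token = await acquire.ConfigureAwait(false);
                return (SignInOutcome.Success, null, token);
            }
            catch (MsalClientException e) when (e.ErrorCode == MsalError.AuthenticationCanceledError)
            {
                // The synthesized BrokerResponseCode.UserCancelled from the workaround surfaces here.
                return (SignInOutcome.UserCancelled, e.ErrorCode, null);
            }
            catch (MsalException e)
            {
                return (SignInOutcome.Failed, e.ErrorCode, null);
            }
        }
    }
}
```

Treat TimedOut as a signal to log and surface a retry prompt rather than as a silent failure; a broker that stops answering is worth seeing in telemetry.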
LennoxP90 commented 9 months ago

Is there a chance this will get fixed, or is the workaround the intended solution?