AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

[Bug] How to disable keychain access group sharing. #4440

Open dora-emo opened 10 months ago

dora-emo commented 10 months ago

Library version used

Microsoft.Identity.Client 4.45.0

.NET version

Xamarin.Forms 5.0.0.2515

Scenario

PublicClient - mobile app

Is this a new or an existing app?

This is a new app or experiment

Issue description and reproduction steps

- Follow the site below and disable keychain sharing: https://learn.microsoft.com/en-us/entra/identity-platform/howto-v2-keychain-objc?tabs=swift#disable-keychain-sharing

  1. When logging in or out, the following error occurs:

```
11:53:21.519220+0900 securityd xxx/1#4 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client explicitly specifies access group com...but is only entitled for (
"123456789.com..."
)" UserInfo={numberOfErrorsDeep=0, NSDescription=Client explicitly specifies access group com... but is only entitled for (
"123456789.com..."
)}
```

### Question

  1. Why does the above error occur?
  2. Is the keychain enabled or disabled after implementing the above steps?

Relevant code snippets

No response

Expected behavior

No error appears when login or logout

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

bgavrilMS commented 10 months ago

The keychain group is required, see https://learn.microsoft.com/en-us/entra/identity-platform/msal-net-xamarin-ios-considerations

dora-emo commented 10 months ago

> The keychain group is required, see https://learn.microsoft.com/en-us/entra/identity-platform/msal-net-xamarin-ios-considerations

@bgavrilMS how can i disable keychain sharing?

bgavrilMS commented 10 months ago

You can't fully disable it. Note that the keychain access group will be prefixed with your TeamID value, so only apps published by you / your organization can share the keychain value and thus get SSO between them.

If you don't want this, use WithIosKeychainSecurityGroup to specify a keychain access group unique to your app.

Here's the code that accesses the KeyChain - https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/blob/main/src/client/Microsoft.Identity.Client/Platforms/iOS/iOSTokenCacheAccessor.cs#L18

Read here more about key chain sharing: https://learn.microsoft.com/en-us/entra/identity-platform/msal-net-xamarin-ios-considerations#enable-token-cache-sharing-across-ios-applications

dora-emo commented 10 months ago

> If you don't want this, use WithIosKeychainSecurityGroup to specify a keychain access group unique to your app.

@bgavrilMS Sorry for the additional question.

If I specify a keychain access group (not the app bundle ID) in the app:

- App bundle ID: com.dora.emon1 → bundle ID of the app to be published
- WithIosKeychainSecurityGroup(): com.dora.emon2 → dummy bundle ID

Set the keychain access group to the dummy bundle ID (com.dora.emon2), not the app bundle ID:

```csharp
var builder = PublicClientApplicationBuilder.Create(ClientId)
    .WithIosKeychainSecurityGroup("com.dora.emon2")
    .Build();
```

Question 1

Do I have to modify the value in Entitlements.plist to com.dora.emon2?

```xml
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.dora.emon2</string>
    </array>
</dict>
```

Question 2

After the above steps, will the published app no longer share its token cache via the com.dora.emon1 keychain group?
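An offline pre-flight check for the mismatch behind the securityd -34018 error in the opening post and the Question 1 scenario, added here as an example rather than code from the issue or from MSAL.NET: it parses an Entitlements.plist and verifies that the group MSAL will request (the WithIosKeychainSecurityGroup value, or MSAL.NET's documented default group com.microsoft.adalcache when none is configured), prefixed with the TeamID as the build does, is among the groups the app is entitled for. The TeamID ABCDE12345 and the entitlements content are constructed sample values.

```python
import plistlib
from typing import List, Optional, Tuple

# Documented MSAL.NET default iOS keychain access group (used when
# WithIosKeychainSecurityGroup is not called).
DEFAULT_MSAL_GROUP = "com.microsoft.adalcache"

# Constructed sample Entitlements.plist: the app is entitled only for the
# group matching its own bundle ID, as in the issue.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.dora.emon1</string>
    </array>
</dict>
</plist>
"""


def entitled_groups(entitlements_xml: bytes, team_id: str) -> List[str]:
    """Return the keychain access groups granted by the entitlements, with the
    $(AppIdentifierPrefix) placeholder expanded to '<TeamID>.' as Xcode does
    at build time."""
    data = plistlib.loads(entitlements_xml)
    groups = data.get("keychain-access-groups", [])
    return [g.replace("$(AppIdentifierPrefix)", team_id + ".") for g in groups]


def check_keychain_group(entitlements_xml: bytes, team_id: str,
                         configured_group: Optional[str]) -> Tuple[bool, str]:
    """Report whether the group MSAL will ask securityd for is entitled.

    A False result is exactly the condition securityd logs as -34018:
    'Client explicitly specifies access group X but is only entitled for [...]'.
    """
    requested = f"{team_id}.{configured_group or DEFAULT_MSAL_GROUP}"
    entitled = entitled_groups(entitlements_xml, team_id)
    if requested in entitled:
        return True, f"ok: {requested} is entitled"
    return False, f"mismatch: MSAL requests {requested} but the app is only entitled for {entitled}"


if __name__ == "__main__":
    for group in ("com.dora.emon1", "com.dora.emon2", None):
        print(group, "->", check_keychain_group(SAMPLE_ENTITLEMENTS, "ABCDE12345", group)[1])
```

Running it with the sample shows that only com.dora.emon1 passes; com.dora.emon2 (the Question 1 setup) and the unset default both report the mismatch, so the entitlement must list the same group the builder configures.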