Microsoft Authenticator broker will not be used in iOS no matter what

[FathersNelsons]

I believe I have uncovered a potential bug in the code tagged with release version 1.5.0 which is currently being used by the MSAL pod on cocoapods. I am not an objective-c developer, but I have been debugging my own mobile app (being built using cordova for access to things like the MSAL plugin) for a couple weeks now and I think I finally found a potential issue in the file MSALPublicClientApplication.m:1109.

Basically I noticed when turning on verbose logging in my app and connecting it up to Safari to be inspected with devtools, the app is throwing the following log message every time regardless of the target ios SDK that I am supplying to the build service:

Requiring default broker type due to app being built with iOS 13 SDK

Line 1109 in the MSALPublicClientApplication.m file is the only place in the codebase this message appears. It also appears that the precompiler condition that wraps the code is as follows:

#if TARGET_OS_IPHONE
    MSIDBrokerProtocolType brokerProtocol = MSIDBrokerProtocolTypeCustomScheme;
    MSIDRequiredBrokerType requiredBrokerType = MSIDRequiredBrokerTypeWithV2Support;

    requiredBrokerType = MSIDRequiredBrokerTypeWithNonceSupport;
    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"Requiring default broker type due to app being built with iOS 13 SDK");

    if ([self.internalConfig.verifiedRedirectUri.url.absoluteString hasPrefix:@"https"])
    {
        brokerProtocol = MSIDBrokerProtocolTypeUniversalLink;
    }

    brokerOptions = [[MSIDBrokerInvocationOptions alloc] initWithRequiredBrokerType:requiredBrokerType
                                                                       protocolType:brokerProtocol
                                                                  aadRequestVersion:MSIDBrokerAADRequestVersionV2];

#endif

As far as I can tell from documentation, this condition will always be true on all ios builds, not just builds where the SDK version is 13. I am not necessarily qualified to be making this observation, but it really does seem suspicious. I am hoping someone can take a look at this and fix it if it is indeed the source of my problems with getting the auth broker to fire in iOS.

If not, I am hoping someone here can maybe tell me what I am doing incorrectly to be getting this error message regardless of the build sdk I am using.

[Veena11]

@FathersNelsons ,

Thanks for reaching out. This log line "MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"Requiring default broker type due to app being built with iOS 13 SDK");" is not an error, it is just an info line and this is printed always because the MSAL SDK's minimum supported OS version is iOS 14 and from iOS 13 onwards we have default broker type. This log line shouldn't be the cause of the issue that you are facing. Could you help us understand what is the issue that you are seeing and provide logs so we can help you resolve it.

[FathersNelsons]

@Veena11 thank you for your response. As far as logs go, I can provide those if necessary. The problem I am experiencing may also just be a misunderstanding so let me just explain what I am expecting and what I am seeing.

In my app implementation, if the user device has Microsoft Authenticator or Microsoft Intune (authentication brokers each) installed on their device, the interactive authentication flow should be occurring through one of those brokers. When I initialize the MSALPublicClientApplication, I am doing so with

MSALGlobalConfig.brokerAvailability = MSALBrokeredAvailabilityAuto;

My understanding of that configuration directive is that if Authenticator or InTune are installed on the device, the interactive signin flow will use that, redirecting the user to the broker app to complete the authentication flow. Instead, the app only opens a web authentication session and when MFA is required, the user needs to tap the notification from Authenticator to navigate to the app where they complete the MFA challenge, and then they have to manually return to my app.

In context, everything seems to be working just fine in Android where the interactive login will open a broker app as an overlay to my app where the user can complete login and any MFA challenge without navigating away from the app.

So is my understanding of how the library works incorrect? I thought maybe iOS just doesn't support this behavior but it's precisely the behavior I get when using Microsoft products on my iPhone. Once a day when accessing Teams, I am automatically redirected to Authenticator to complete auth, complete an MFA challenge, and then I am redirected back to Teams. That's what I'm hoping for.

Perhaps there is something wrong with my implementation? The only reason I brought this up in the context of the error message is that message I was receiving in the logs is the only indicator I had that anything weird whatsoever was happening with the broker.

[Veena11]

@FathersNelsons ,

on iOS for MSAL token requests to use broker, you need to have Microsoft Authenticator app and on macOS you need Intune Company portal app.

For the requests to be routed via broker the MSAL app needs to have some configuration in place. Could you please check if your app has been configured according to the instruction given here : https://learn.microsoft.com/en-us/entra/msal/objc/install-and-configure-msal#ios-only-steps

Alternatively, you can also have SSO extension configured via mdm enrollment to make the MSAL token requests handled via sso extension shipped in authenticator app. (https://learn.microsoft.com/en-us/entra/identity-platform/apple-sso-plugin#requirements)