search

AzureAD / microsoft-authentication-library-for-objc

Microsoft Authentication Library (MSAL) for iOS and macOS
http://aka.ms/aadv2
MIT License
265 stars 141 forks source link

Keychain problems with getDeviceInformation and getWPJMetaDataDevice #2393

Open petarov opened 1 week ago

petarov commented 1 week ago

Hi,

Similar questions seem to have been asked a couple of time already, but I'm stuck and I'd appreciate some help.

I'm new to Entra and I'm working on an app that initiates a WPJ using Authenticator as a broker. My end goal is to fetch the registered Device ID into my app and send it to another 3rd party service. My app has the $(AppIdentifierPrefix)com.microsoft.adalcache keychain entitlement and I'm using the {"access_token":{"deviceid":{"essential":true}}} device claim with the acquireToken call, so that seems to work.

Now I'm trying to use the MSALPublicClientApplication calls getDeviceInformation or getWPJMetaDataDevice to fetch the extraDeviceInformation dictionary and read the Device ID. Unfortunately there are always errors being produced and the dictionary remains empty.

Examples:

self.applicationContext?.getDeviceInformation(with: nil, completionBlock: { (deviceInformation, error) in

    guard let deviceInfo = deviceInformation else {
        self.updateLogging(text: "Device info not returned. Error: \(String(describing: error))")
        return
    }

    print("*** Reading deviceInformation.extraDeviceInformation")

    for (key, value) in deviceInfo.extraDeviceInformation as? [NSString: Any] ?? [:] {
        print("\tKey: \(key), Value: \(value)")
    }
})

Logs:

TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42] Querying device info
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] GetDeviceInfo: Should call Sso Extension decision: 0
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] Broker is not present on this device. Defaulting to personal mode
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] Checking Legacy keychain for registration.
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42] Failed to find workplace join private key with status -34018
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] Checking keychain for default registration done using ECC key.
*** Reading deviceInformation.extraDeviceInformation
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42] Error Domain=MSIDKeychainErrorDomain Code=-25300 "(null)" UserInfo={MSIDCorrelationIdKey=166EBD2F-E392-46CC-B43F-39DD16CECDF1, MSIDErrorDescriptionKey=Could not get default primary registration tenantId.}
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42] GetDeviceInfo: Completing filling device info: Masked(not-null), error: Masked(null)
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] Retrieved device info Masked(not-null)
print("*** isCompatibleAADBrokerAvailable = \(self.applicationContext?.isCompatibleAADBrokerAvailable)")

self.applicationContext?.getWPJMetaDataDevice(with: nil, forTenantId: "<my-tenant-id>", completionBlock: { (msalWPJMetaData, error) in

    guard let data = msalWPJMetaData else {
        self.updateLogging(text: "MSALWPJMetaData info not returned. Error: \(String(describing: error))")
        return
    }

    print("*** Reading msalWPJMetaData.extraDeviceInformation")

    for (key, value) in data.extraDeviceInformation as? [NSString: Any] ?? [:] {
        print("\tKey: \(key), Value: \(value)")
    }
})

Logs:


*** isCompatibleAADBrokerAvailable = Optional(true)
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Querying WPJ MetaData for tenantId: Masked(not-null)
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Checking Legacy keychain for registration.
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17] Failed to find workplace join private key with status -34018
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Checking keychain for default registration done using RSA key.
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17] Failed to find workplace join private key with status -25300
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Checking keychain for default registration done using ECC key.
*** Reading msalWPJMetaData.extraDeviceInformation
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17] Failed to find workplace join private key with status -25300
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Returning RSA private device key from legacy registration..
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] wpjMetaDataDeviceInfo: Completing filling device info for tenant Id: Masked(not-null) Masked(not-null)
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Retrieved metadata device info Masked(not-null)

I'm testing with the latest Authenticator app from TestFlight and using Xcode Debug Run on an iPhone device.

What am I missing or doing wrong here?

Veena11 commented 3 days ago

@petarov , is the device registered ?

Please check if your device is registered via Authenticator

You can see it via Authenticator app -> Settings -> Device Registration

Veena11 commented 3 days ago

I see you already mentioned you have com.microsoft.adalcache in keychain entitlement . When you acquireToken with deviceId claim, does it return the deviceId ?

Veena11 commented 3 days ago

Both key and value in extraDeviceInformation dictionary is of type NSString

petarov commented 2 days ago

Hi and thanks for coming back to me @Veena11

Yes, the device is registered in Authenticator and it also gets shown on Microsoft Entra under Devices - All devices.

When you acquireToken with deviceId claim, does it return the deviceId ?

Yes, the claim "deviceid":"58f0e261-xxxx-xxxx-xxxx-xxxxxxxxxxxx", can be seen in the access token json result.

If I send device claims for the id token i.e. MSALClaimsRequestTargetIdToken, then both the Access token and ID_token contain the deviceid claim. However, in all cases the extraDeviceInformation remains empty - I've stepped into with the debugger to double check.

I can probably just use the claim by accessing result.account.accountClaims?["deviceid"] with the acquireToken call, but I thought using extraDeviceInformation is the right way. Any ideas?