
Authority configuration (B2C, AD FS, sovereign, guest users)

Jason Kim edited this page Apr 30, 2019 · 3 revisions

Default authority configuration

MSALPublicClientApplication is configured with a default authority URL of https://login.microsoftonline.com/common.

https://login.microsoftonline.com/common is suitable for most AAD scenarios; unless you're implementing advanced scenarios or working with B2C, you won't need to change it.

Active Directory Federation Service (AD FS) is currently not supported.

Scenarios where you might need to change the default authority

B2C

To work with B2C, MSAL requires a different authority configuration.

MSAL Objective-C currently supports only one format of B2C authority URL unless the URL is declared as a known authority.

To support an arbitrary URL format for B2C, add it to @property MSALAuthority *authority in MSALPublicClientApplicationConfig before creating MSALPublicClientApplication. For more details on configuration, visit Configuration.

The supported format is https://<host>/tfp/<tenant>/<policy>, for example https://login.microsoftonline.com/tfp/contoso.onmicrosoft.com/B2C_1_SignInPolicy.

When your app requests a new policy, the authority URL needs to change, because the authority URL is different for each policy. To configure a B2C application, create an instance of MSALB2CAuthority and pass it to the MSALPublicClientApplication.

For example,

    // Create B2C authority URL
    NSURL *authorityURL = [NSURL URLWithString:@"https://login.microsoftonline.com/tfp/contoso.onmicrosoft.com/B2C_1_SignInPolicy"];
    NSError *b2cAuthorityError = nil;
    
    MSALB2CAuthority *b2cAuthority = [[MSALB2CAuthority alloc] initWithURL:authorityURL
                                                                     error:&b2cAuthorityError];
    if (!b2cAuthority)
    {
        // Handle error (b2cAuthorityError describes why the URL was rejected)
        return;
    }
    
    // Create MSALPublicClientApplication configuration
    MSALPublicClientApplicationConfig *b2cApplicationConfig = [[MSALPublicClientApplicationConfig alloc]
                                                                   initWithClientId:@"your-client-id"
                                                                   redirectUri:@"your-redirect-uri"
                                                                   authority:b2cAuthority];

    // Initialize MSALPublicClientApplication
    NSError *error = nil;
    MSALPublicClientApplication *b2cApplication =
    [[MSALPublicClientApplication alloc] initWithConfiguration:b2cApplicationConfig error:&error];
    
    if (!b2cApplication)
    {
        // Handle error (error describes why the application could not be created)
        return;
    }
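Because each B2C policy needs its own authority URL, the following added example (not code from the MSAL wiki or the MSAL library) builds one MSALB2CAuthority per policy in the https://<host>/tfp/<tenant>/<policy> format shown above, refusing any policy name that is not on the app's own allow list. The host, tenant and policy names are assumed placeholders.

```objectivec
// Added example, not from the MSAL wiki: one MSALB2CAuthority per B2C policy, since the
// authority URL differs per policy. Host, tenant and policy names are assumed placeholders.
#import <Foundation/Foundation.h>
#import <MSAL/MSAL.h>

@interface B2CAuthorityProvider : NSObject
- (instancetype)initWithHost:(NSString *)host tenant:(NSString *)tenant;
- (MSALB2CAuthority *)authorityForPolicy:(NSString *)policy error:(NSError **)error;
@end

@implementation B2CAuthorityProvider
{
    NSString *_host;
    NSString *_tenant;
    NSSet<NSString *> *_allowedPolicies;   // only the policies this app defines
}

- (instancetype)initWithHost:(NSString *)host tenant:(NSString *)tenant
{
    if ((self = [super init]))
    {
        _host = host;
        _tenant = tenant;
        // Assumed policy names; replace with the policies defined in your B2C tenant.
        _allowedPolicies = [NSSet setWithArray:@[@"B2C_1_SignInPolicy", @"B2C_1_EditProfile"]];
    }
    return self;
}

// Returns the authority for one policy, or nil with *error set.
- (MSALB2CAuthority *)authorityForPolicy:(NSString *)policy error:(NSError **)error
{
    // Refuse policy names outside the allow list, so a value from untrusted input
    // cannot become an arbitrary path segment of the authority URL.
    if (![_allowedPolicies containsObject:policy])
    {
        if (error) *error = [NSError errorWithDomain:@"B2CAuthorityProvider" code:1
                                            userInfo:@{NSLocalizedDescriptionKey: @"Unknown B2C policy"}];
        return nil;
    }
    // Build https://<host>/tfp/<tenant>/<policy>, the format this page documents.
    NSURLComponents *components = [[NSURLComponents alloc] init];
    components.scheme = @"https";
    components.host = _host;
    components.path = [NSString stringWithFormat:@"/tfp/%@/%@", _tenant, policy];
    // MSAL validates the URL itself and returns nil (with *error) if it rejects it.
    return [[MSALB2CAuthority alloc] initWithURL:components.URL error:error];
}
@end
```

When the app moves to another policy, ask the provider for that policy's authority and build a new MSALPublicClientApplicationConfig with it, as in the snippet above.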

Sovereign clouds

If your app needs to work in a specific sovereign cloud, you might need to change the authority URL in the MSALPublicClientApplication. For example, for the German AAD cloud use the following:

    NSURL *authorityURL = [NSURL URLWithString:@"https://login.microsoftonline.de/common"];
    NSError *authorityError = nil;
    MSALAuthority *sovereignAuthority = [MSALAuthority authorityWithURL:authorityURL error:&authorityError];
    
    if (!sovereignAuthority)
    {
        // Handle error (authorityError describes why the URL was rejected)
        return;
    }
    
    // Configure the application with the sovereign-cloud authority
    MSALPublicClientApplicationConfig *sovereignApplicationConfig = [[MSALPublicClientApplicationConfig alloc]
                                                               initWithClientId:@"your-client-id"
                                                               redirectUri:@"your-redirect-uri"
                                                               authority:sovereignAuthority];
    
    NSError *error = nil;
    MSALPublicClientApplication *sovereignApplication = [[MSALPublicClientApplication alloc] initWithConfiguration:sovereignApplicationConfig error:&error];
    
    if (!sovereignApplication)
    {
        // Handle error (error describes why the application could not be created)
        return;
    }

Note: In addition to changing the authority, you might need to pass a different set of scopes for each sovereign cloud. The specific set of scopes depends on the resource you're using. For example, you would use "https://graph.microsoft.com/user.read" in the worldwide cloud and "https://graph.microsoft.de/user.read" in the German cloud.

Signing a user into a specific tenant

When the authority URL is set to "common", the user is signed into their home tenant. However, some apps want to sign the user into a different tenant, and some apps only work with a single tenant.

To sign a user into a specific tenant, configure MSALPublicClientApplication with a specific authority.

Note: MSAL Objective-C doesn't currently support authorities with tenant names. Use an authority with a GUID tenant ID instead.

For example:

Use: https://login.microsoftonline.com/469fdeb4-d4fd-4fde-991e-308a78e4bea4

Don't use: https://login.microsoftonline.com/contoso.com

    NSURL *authorityURL = [NSURL URLWithString:@"https://login.microsoftonline.com/469fdeb4-d4fd-4fde-991e-308a78e4bea4"];
    NSError *authorityError = nil;
    MSALAuthority *tenantedAuthority = [MSALAuthority authorityWithURL:authorityURL error:&authorityError];
    
    if (!tenantedAuthority)
    {
        // Handle error (authorityError describes why the URL was rejected)
        return;
    }
    
    // Configure the application with the tenant-specific authority
    MSALPublicClientApplicationConfig *tenantedApplicationConfig = [[MSALPublicClientApplicationConfig alloc]
                                                               initWithClientId:@"your-client-id"
                                                               redirectUri:@"your-redirect-uri"
                                                               authority:tenantedAuthority];
    
    NSError *error = nil;
    MSALPublicClientApplication *application =
    [[MSALPublicClientApplication alloc] initWithConfiguration:tenantedApplicationConfig error:&error];
    
    if (!application)
    {
        // Handle error (error describes why the application could not be created)
        return;
    }

Additional information on supported authorities

MSALAuthority

MSALAuthority is a base abstract class for all authorities.

You should not try to create an instance of it. Instead, either create one of its subclasses directly (AAD, ADFS, B2C) or use the factory method authorityWithURL:error: to create the appropriate subclass from a URL.

Use the url property to get the NSURL representation of the authority. This property always represents the "normalized authority URL", meaning that extra query parameters, path components or fragments that are not part of the authority are ignored.

MSALAADAuthority

MSALAADAuthority is a subclass of MSALAuthority that represents an AAD authority. The authority URL should be in the following format, where <port> is optional:

https://<host>:<port>/<tenant>

MSALADFSAuthority

MSALADFSAuthority is a subclass of MSALAuthority that represents an ADFS authority. The authority URL should be in the following format, where <port> is optional:

https://<host>:<port>/adfs

Active Directory Federation Service (AD FS) is currently not supported.

MSALB2CAuthority

MSALB2CAuthority is a subclass of MSALAuthority that represents a B2C authority. The authority URL should be in the following format, where <port> is optional:

https://<host>:<port>/tfp/<tenant>/<policy>

An arbitrary URL can be used if it is declared as a known authority in MSALPublicClientApplicationConfig.
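Putting the rules on this page together (authorityWithURL:error: and its subclasses, AD FS unsupported, GUID tenant IDs only, a distinct host per sovereign cloud), the following added example (not code from the MSAL wiki or the MSAL library) validates an authority URL read from app configuration before it is handed to MSALPublicClientApplicationConfig. The allow-listed hosts are the two used on this page and are an assumption to extend for the clouds your app supports.

```objectivec
// Added example, not from the MSAL wiki: validate a configured authority URL before
// it reaches MSALPublicClientApplicationConfig. Assumed: the host allow list below
// covers only the worldwide and German clouds mentioned on this page.
#import <Foundation/Foundation.h>
#import <MSAL/MSAL.h>
static NSSet<NSString *> *AllowedAuthorityHosts(void)
{
    // Hosts this app is built to trust; add one entry per sovereign cloud you support.
    return [NSSet setWithArray:@[@"login.microsoftonline.com", @"login.microsoftonline.de"]];
}
// Returns a validated MSALAADAuthority or MSALB2CAuthority, or nil with *error set.
MSALAuthority *ValidatedAuthorityFromString(NSString *urlString, NSError **error)
{
    NSError *(^fail)(NSString *) = ^NSError *(NSString *reason) {
        return [NSError errorWithDomain:@"AuthorityValidation" code:1
                               userInfo:@{NSLocalizedDescriptionKey: reason}];
    };
    NSURL *url = [NSURL URLWithString:urlString];
    if (!url) { if (error) *error = fail(@"Malformed authority URL"); return nil; }
    // Let MSAL parse and normalize the URL (stray query or fragment parts are dropped).
    MSALAuthority *authority = [MSALAuthority authorityWithURL:url error:error];
    if (!authority) return nil;
    // Reject any host outside the allow list, whatever the rest of the URL looks like.
    if (![AllowedAuthorityHosts() containsObject:authority.url.host.lowercaseString])
    {
        if (error) *error = fail(@"Authority host is not allow-listed");
        return nil;
    }
    // AD FS is documented on this page as unsupported in this version of MSAL Objective-C.
    if ([authority isKindOfClass:[MSALADFSAuthority class]])
    {
        if (error) *error = fail(@"AD FS authorities are not supported");
        return nil;
    }
    // For AAD the page requires a GUID tenant ID (or the default "common"), not a tenant name.
    if ([authority isKindOfClass:[MSALAADAuthority class]])
    {
        NSString *tenant = authority.url.lastPathComponent;
        BOOL isGuid = [[NSUUID alloc] initWithUUIDString:tenant] != nil;
        if (!isGuid && ![tenant isEqualToString:@"common"])
        {
            if (error) *error = fail(@"AAD tenant must be a GUID, not a tenant name");
            return nil;
        }
    }
    return authority;
}
```

With this in place, https://login.microsoftonline.com/contoso.com from the "Don't use" line above is rejected with a descriptive error, while the GUID and B2C examples on this page pass.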