AzureAD/azure-activedirectory-library-for-android

Broker Authentication True, Not Opening Authenticator or Intune

kayvanhaverbeck opened this issue · 5 comments

Please ensure the following information is provided when logging a new issue:
I am upgrading our ADAL Authenticated app from 2-Factor Authentication to Broker Auth.
I followed the steps in Step 11 of Read me and the wiki.

We have:
```java
AuthenticationSettings.INSTANCE.setBrokerSignature("tUf7m5squ+xxx38dUTw=");
AuthenticationSettings.INSTANCE.setBrokerPackageName("com.xxx.xxx.android");
Log.d("redirectURI: ", mAuthContext.getRedirectUriForBroker());
```

and the acquireToken is being set with:
```java
mAuthContext.acquireToken(getActivity(), RESOURCE_ID, CLIENT_ID_RF, REDIRECT_URI_RF,
        "someone@nam.corp.xxx.com", PromptBehavior.Auto, null, getAuthInteractiveCallback());
```

Is there something else that is required to get the App to utilize the broker for login?

  • Expected behavior:
    Authenticator Application to open and provide authentication for app to successfully sign in with Microsoft Azure.
  • Actual behavior
    Android Application is bringing up Microsoft Signin page prompting for users email so it can redirect to 2-Factor Azure Authentication.
  • Steps to reproduce the problem
  • Specifications like the version of the library, operating system etc.
    Running with AndroidX libraries and:
    ```groovy
    compile('com.microsoft.aad:adal:3.0.1') {
        exclude group: 'com.android.support'
        exclude group: 'com.microsoft.device.display'
    }
    ```
  • Relevant logs and traces

@kayvanhaverbeck I see that you haven't called the method setUseBroker(true) on AuthenticationSettings.INSTANCE. Moreover, setBrokerSignature & setBrokerPackageName should be passed the data for the Authenticator app, not your own package name or signature. The following code should help:

```java
AuthenticationSettings.INSTANCE.setBrokerSignature(AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_SIGNATURE);
AuthenticationSettings.INSTANCE.setBrokerPackageName(AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME);
AuthenticationSettings.INSTANCE.setUseBroker(true);
```

I am still getting the same behavior with the updated code:

```java
mAuthContext = new AuthenticationContext(getApplicationContext(), AUTHORITY, false);

AuthenticationSettings.INSTANCE.setBrokerSignature("tUf7m5squ+SSLeDFSL0VA38dUTw=");
AuthenticationSettings.INSTANCE.setBrokerPackageName("com.gm.GMSA173561.android");
Log.d("redirectURI: ", mAuthContext.getRedirectUriForBroker());

AuthenticationSettings.INSTANCE.setUseBroker(true);

/* Instantiate handler which can invoke interactive sign-in to get the Resource.
 * sIntSignInInvoked ensures interactive sign-in is invoked one at a time. */
mAcquireTokenHandler = new Handler(Looper.getMainLooper()) {
    @Override
    public void handleMessage(Message msg) {
        if (sIntSignInInvoked.compareAndSet(false, true)) {
            if (msg.what == MSG_INTERACTIVE_SIGN_IN_PROMPT_AUTO) {
                Log.d("handle message", "Auto");
                mAuthContext.acquireToken(getActivity(), RESOURCE_ID, CLIENT_ID_RF, REDIRECT_URI_RF,
                        "someone@nam.corp.geuc.corp.gm.com", PromptBehavior.Auto, null,
                        getAuthInteractiveCallback());
                // mAuthContext.acquireToken(getActivity(), RESOURCE_ID, CLIENT_ID_RF, REDIRECT_URI_RF,
                //         PromptBehavior.Auto, getAuthInteractiveCallback());
            } else if (msg.what == MSG_INTERACTIVE_SIGN_IN_PROMPT_ALWAYS) {
                Log.d("handle message", "Always");
                mAuthContext.acquireToken(getActivity(), RESOURCE_ID, CLIENT_ID_RF, REDIRECT_URI_RF,
                        "someone@nam.corp.geuc.corp.gm.com", PromptBehavior.Always, null,
                        getAuthInteractiveCallback());
                // mAuthContext.acquireToken(getActivity(), RESOURCE_ID, CLIENT_ID_RF, REDIRECT_URI_RF,
                //         PromptBehavior.Always, getAuthInteractiveCallback());
            }
        }
    }
};
```

@kayvanhaverbeck I suspect this issue may be related to specifying the broker signature and package name; have you tried using the test app inside of the ADAL project? It works with broker with the associated configuration code here.

Please let me know if this resolves your issue; I wouldn't expect any call except setUseBroker to be necessary. @hamiltonha we may need to update the Token Broker documentation, as the config details around package/signature are no longer required IIRC; this document was written in 2014.


ADO: Tracking (corpnet reqd)

Closing due to inactivity

Sorry for the delay - After working with a microsoft rep we found that the setUseBroker was getting set to false because it was failing an if statement.

We found that the logic was comparing my redirect URI to a version in all lower case, while mine was camel case, and it was therefore programmatically setting the broker to false in the ADAL plugin logic.
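An added example (not ADAL's own code and not from this thread) that reproduces the comparison trap described in this comment as a pre-flight diagnostic an app could run before calling acquireToken. It assumes the broker redirect URI has the form msauth://<package>/<URL-encoded signature>, taken from the ADAL Android broker documentation rather than from this page; the package name and signature below are constructed placeholders.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.Locale;

/** Diagnostic for the redirect-URI comparison trap described in the thread (added example). */
public final class BrokerRedirectCheck {
    public enum Result { MATCH, CASE_ONLY_MISMATCH, MISMATCH }

    /**
     * Broker redirect URI in the form msauth://<package>/<URL-encoded base64 signature>.
     * Assumption: this is the format ADAL Android derives; the format is not quoted on this page.
     */
    public static String expectedRedirectUri(String packageName, String base64Signature) {
        try {
            return "msauth://" + packageName + "/" + URLEncoder.encode(base64Signature, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /**
     * Classify how the URI the app passes to acquireToken relates to the one the library
     * derives. CASE_ONLY_MISMATCH is exactly the silent fallback the thread describes: the
     * strings differ only in case, so a lower-cased comparison rejects the redirect URI,
     * useBroker ends up false, and the user lands in the embedded sign-in page instead of
     * the Authenticator app.
     */
    public static Result diagnose(String configured, String expected) {
        if (configured.equals(expected)) {
            return Result.MATCH;
        }
        if (configured.equalsIgnoreCase(expected)) {
            return Result.CASE_ONLY_MISMATCH;
        }
        return Result.MISMATCH;
    }

    public static void main(String[] args) {
        // Constructed sample values: a mixed-case package name and a placeholder signature.
        String expected = expectedRedirectUri("com.example.MixedCaseApp", "tUf7m5squ+PLACEHOLDER=");
        String lowerCased = expected.toLowerCase(Locale.ROOT);
        // The '+' and '=' in the signature encode to %2B and %3D; lower-casing turns those into
        // %2b and %3d, so even an all-lower-case package name does not escape this comparison.
        System.out.println(expected);
        System.out.println(lowerCased);
        System.out.println(diagnose(expected, lowerCased));
    }
}
```

A CASE_ONLY_MISMATCH means the app will quietly fall back from the Authenticator broker to the embedded sign-in page, losing whatever device-based controls the broker was meant to enforce, so treat it as a configuration failure rather than a cosmetic difference.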