ADAL.NET to handle application token in iOS 13 broker scenario [Part 2]
jennyf19 opened this issue · 8 comments
ADAL.NET will receive an application token from the iOS broker (>v. 6.3.19). This token is per clientId and should be stored in the keychain. When ADAL.NET makes future requests to the broker with this clientId, it should include the application token so SSO is enabled on the broker. The broker issues each calling application a "token" that the application is expected to present back to the broker on subsequent requests to get access to its cache.
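To make the handshake described above concrete, here is a small Python model of it. This is an added illustration for this issue, not code from ADAL.NET, MSAL or the Authenticator broker. It assumes (my assumptions, not stated in the thread) that the broker reply is a dictionary carrying a `response` payload plus a `hash` field equal to the SHA-256 hex digest of the unencrypted payload, that the payload encryption step is omitted, and that the per-clientId token travels in a field named `application_token`; the field names and the `FakeBroker` behaviour are invented for the example.

```python
"""Toy model of the ADAL.NET <-> iOS broker application-token exchange.

Added illustration for this issue, not code from ADAL.NET or the broker.
Assumptions (mine, not from the thread): the broker reply is a dict with a
"response" payload and a "hash" field holding the SHA-256 hex digest of the
unencrypted payload; encryption of the payload is omitted; the application
token travels in a field named "application_token".
"""
import hashlib
import json


class BrokerResponseHashMismatch(Exception):
    """Models AdalServiceException with ErrorCode broker_response_hash_mismatch."""
    error_code = "broker_response_hash_mismatch"


class KeychainStore:
    """Stand-in for the iOS keychain: one application token per clientId."""

    def __init__(self):
        self._items = {}

    def get(self, client_id):
        return self._items.get(client_id)

    def set(self, client_id, token):
        self._items[client_id] = token


def response_hash(payload):
    """Hash a canonical serialization so client and broker hash the same bytes."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


class FakeBroker:
    """Mints an application token on first contact with a clientId and only
    serves its cache (SSO) when that same token is presented again."""

    def __init__(self):
        self._app_tokens = {}   # client_id -> application token issued to it
        self._minted = 0

    def handle(self, request, tamper=False):
        client_id = request["client_id"]
        presented = request.get("application_token")
        expected = self._app_tokens.get(client_id)
        if expected is None:
            # First contact: issue the token; no cache access on this call.
            self._minted += 1
            token = "apptoken-%d" % self._minted
            self._app_tokens[client_id] = token
            payload = {"application_token": token,
                       "access_token": "at-interactive", "sso": False}
        elif presented == expected:
            payload = {"application_token": expected,
                       "access_token": "at-from-broker-cache", "sso": True}
        else:
            payload = {"error": "invalid_application_token"}
        digest = response_hash(payload)
        if tamper:  # simulate a reply whose hash does not match its payload
            digest = "0" * len(digest)
        return {"response": payload, "hash": digest}


def acquire_token(broker, keychain, client_id, resource, tamper=False):
    """Client side: present the stored application token, verify the reply
    hash before trusting anything in it, then persist the token handed back."""
    request = {"client_id": client_id, "resource": resource}
    app_token = keychain.get(client_id)
    if app_token is not None:
        request["application_token"] = app_token
    reply = broker.handle(request, tamper=tamper)
    payload, claimed = reply["response"], reply["hash"]
    if response_hash(payload) != claimed:
        raise BrokerResponseHashMismatch(
            "Unencrypted broker response hash did not match the expected hash")
    if "application_token" in payload:
        keychain.set(client_id, payload["application_token"])
    return payload


def demo():
    """Two calls for one clientId (second gets SSO), a second clientId
    (own token, no SSO yet), then a tampered reply (hash mismatch)."""
    broker, keychain = FakeBroker(), KeychainStore()
    resource = "https://graph.microsoft.com"
    first = acquire_token(broker, keychain, "client-A", resource)
    second = acquire_token(broker, keychain, "client-A", resource)
    other = acquire_token(broker, keychain, "client-B", resource)
    try:
        acquire_token(broker, keychain, "client-A", resource, tamper=True)
        mismatch = None
    except BrokerResponseHashMismatch as exc:
        mismatch = exc.error_code
    return (first["sso"], second["sso"], other["sso"],
            keychain.get("client-A"), keychain.get("client-B"), mismatch)


if __name__ == "__main__":
    print(demo())
```

The ordering in `acquire_token` is the point worth keeping in mind: the hash is checked before the application token is written to the keychain, so a reply that fails the integrity check (the `broker_response_hash_mismatch` case) can never overwrite a token that was previously obtained from a good reply.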
@jennyf19 We are noticing a bug with ADAL 5.5.2 that might be related to this. When using it on all versions of iOS and Broker v 6.3.19 I'm seeing the following exception:
{Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Unencrypted broker response hash did not match the expected hash
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.OAuth2.TokenResponse.GetResult (System.DateTimeOffset expiresOn, System.DateTimeOffset extendedExpiresOn) [0x0015f] in <0d6c65707ae94d29ab4fb4ec5df8169f>:0
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.iOSBroker.ResultFromBrokerResponse (System.Collections.Generic.IDictionary`2[TKey,TValue] responseDictionary) [0x00132] in <0d6c65707ae94d29ab4fb4ec5df8169f>:0
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.iOSBroker.ProcessBrokerResponse () [0x0008a] in <0d6c65707ae94d29ab4fb4ec5df8169f>:0
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Platform.iOSBroker.AcquireTokenUsingBrokerAsync (System.Collections.Generic.IDictionary`2[TKey,TValue] brokerPayload) [0x0026b] in <0d6c65707ae94d29ab4fb4ec5df8169f>:0
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.RunAsync () [0x0070e] in <0d6c65707ae94d29ab4fb4ec5df8169f>:0
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenCommonAsync (System.String resource, System.String clientId, System.Uri redirectUri, Microsoft.IdentityModel.Clients.ActiveDirectory.IPlatformParameters parameters, Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier userId, System.String extraQueryParameters, System.String claims, System.Threading.SynchronizationContext synchronizationContext) [0x000e8] in <0d6c65707ae94d29ab4fb4ec5df8169f>:0
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAsync (System.String resource, System.String clientId, System.Uri redirectUri, Microsoft.IdentityModel.Clients.ActiveDirectory.IPlatformParameters parameters) [0x0008c] in <0d6c65707ae94d29ab4fb4ec5df8169f>:0
at EY.Mobile.Lib.ADAL.AzureAuthenticatorService.AuthenticateEndpoint (EY.Mobile.Lib.ADAL.Endpoint endpoint, System.String memberName, System.Int32 lineNumber) [0x00117] in /Users/lebeaaa/Code/EY.Mobile/EY.Mobile/ADAL/AzureAuthenticatorService.cs:89
ErrorCode: broker_response_hash_mismatch
StatusCode: 0}
I've uploaded the Authenticator logs with Incident: BEWE9T4
@biozal Thanks for letting us know. As we discussed on Teams, I'll loop in the iOS team. Seems to be a cert based auth issue on their end. Will keep you posted.
We also get "broker_response_hash_mismatch: Unencrypted broker response hash did not match the expected hash" when using iOS 13.1.x, MS Authenticator 6.3.22 and ADAL 5.5.2.
I thought 5.5.2 was supposed to fix iOS 13 incompatibility?