AzureAD/azure-activedirectory-library-for-dotnet

Brokered authentication not working on iOS 13 - AdalLoggerBase.cs: Exception type: System.Security.Cryptography.CryptographicException

davidezordan opened this issue · 2 comments

Which Version of ADAL are you using ?
ADAL 5.2.7 / Authenticator app v 6.4.6 / iOS 13.4.1

Which platform has the issue?
iOS / Xamarin.Forms

What authentication flow has the issue?
Other? - please describe;
Authentication using broker app

Is this a new or existing app?
a. The app is in production, and I have upgraded to a new version of ADAL but just enabled broker authentication using https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/leveraging-brokers-on-Android-and-iOS

Repro

entitlements.plist

<dict>
  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
    <string>$(AppIdentifierPrefix)com.microsoft.intune.mam</string>
  </array>
</dict>

info.plist

<key>CFBundleURLTypes</key>
<array>
  <dict>
    <key>CFBundleTypeRole</key>
    <string>Editor</string>
    <key>CFBundleURLName</key>
    <string>....</string>
    <key>CFBundleURLSchemes</key>
    <array>
      <string>....</string>
    </array>
  </dict>
</array>
<key>IntuneMAMSettings</key>
<dict>
  <key>ADALAuthority</key>
  <string>.....</string>
  <key>ADALClientID</key>
  <string>.....</string>
</dict>
<key>LSApplicationQueriesSchemes</key>
<array>
  <string>https-intunemam</string>
  <string>http-intunemam</string>
  <string>microsoft-edge-https-intunemam</string>
  <string>microsoft-edge-http-intunemam</string>
  <string>ms-outlook-intunemam</string>
  <string>msauth</string>
  <string>msauthv2</string>
  <string>msauthv3</string>
</array>

Expected behavior
When AcquireTokenAsync is performed, the authenticator app should be launched, permitting the user to select an account and then returning control to the original app.

Actual behavior
When AcquireTokenAsync is performed, the authenticator app is correctly launched. When an account is selected, control returns to the original app, but a System.Security.Cryptography.CryptographicException is thrown in the logs:

AdalLoggerBase.cs: A match was found in the MSAL cache ? False
2020-04-28 15:24:45.491 XXXXX[830:119241] 2020-04-28T14:24:45.4911780Z: XXXXX - AdalLoggerBase.cs: Either a token was not found or an exception was thrown.
2020-04-28 15:24:45.493 XXXXX[830:119200] 2020-04-28T14:24:45.4939720Z: XXXXX AdalLoggerBase.cs: iOS Broker (msauthv3://) can be invoked.
2020-04-28 15:24:45.494 XXXXX[830:119241] 2020-04-28T14:24:45.4940470Z: XXXXX - AdalLoggerBase.cs: Trying to acquire a token using the broker...
2020-04-28 15:24:45.500 XXXXX[830:119241] 2020-04-28T14:24:45.5000730Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Failed to save broker key. Security Keychain Status code: DuplicateItem
2020-04-28 15:24:45.502 XXXXX[830:119241] 2020-04-28T14:24:45.5019880Z: XXXXX - AdalLoggerBase.cs: The SecStatusCode from trying to get the broker application token is: SecStatusCode: ItemNotFound
2020-04-28 15:24:45.502 XXXXX[830:119241] 2020-04-28T14:24:45.5020500Z: XXXXX - AdalLoggerBase.cs: Invoking the iOS broker.
2020-04-28 15:24:50.940 XXXXX[830:119238] 2020-04-28T14:24:50.9404810Z: XXXXX - AdalLoggerBase.cs: Processing response from iOS Broker.
2020-04-28 15:24:50.947 XXXXX[830:119238] 2020-04-28T14:24:50.9470720Z: 00000000-0000-0000-0000-000000000000 - AdalLoggerBase.cs: Failed to save broker key. Security Keychain Status code: DuplicateItem
2020-04-28 15:24:50.953 XXXXX[830:119238] 2020-04-28T14:24:50.9530860Z: XXXXX - AdalLoggerBase.cs: Exception type: System.Security.Cryptography.CryptographicException
at Crimson.CommonCrypto.FastCryptorTransform.ThrowBadPaddingException (System.Security.Cryptography.PaddingMode padding, System.Int32 length, System.Int32 position) [0x00047] in /Library/Frameworks/Xamarin.iOS.framework/Versions/Current/src/Xamarin.iOS/mcs/class/corlib/CommonCrypto/FastCryptorTransform.cs:198
at Crimson.CommonCrypto.FastCryptorTransform.FinalDecrypt (System.Byte[] inputBuffer, System.Int32 inputOffset, System.Int32 inputCount) [0x0011e] in /Library/Frameworks/Xamarin.iOS.framework/Versions/Current/src/Xamarin.iOS/mcs/class/corlib/CommonCrypto/FastCryptorTransform.cs:314
at Crimson.CommonCrypto.FastCryptorTransform.TransformFinalBlock (System.Byte[] inputBuffer, System.Int32 inputOffset, System.Int32 inputCount) [0x0001b] in
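The log above reports "Failed to save broker key. Security Keychain Status code: DuplicateItem" twice, followed by a bad-padding failure when the broker response is decrypted. A check a practitioner would want when debugging this kind of trace is whether the broker-key save path treats DuplicateItem as fatal (leaving whatever key was already in the keychain in place) and whether the stored key actually round-trips. The helper below is an added example for Xamarin.iOS, not ADAL's own code: it adds the key under a keychain access group, falls back to updating the existing item on DuplicateItem, and reads it back for comparison. The service name, account name and the "TEAMID." access-group prefix are placeholders; the access group must match an entry under keychain-access-groups in the app's entitlements.

```csharp
// Added example, not ADAL's implementation. Shows a keychain save that handles
// SecStatusCode.DuplicateItem by updating the existing record, then verifies the
// stored value by reading it back. Identifiers below are assumptions.
using System;
using Foundation;
using Security;

public static class BrokerKeyStore
{
    // Assumed identifiers for illustration. The access group must be listed in
    // the app's keychain-access-groups entitlement, prefixed with the team id.
    const string Service = "example.broker.key";          // placeholder
    const string Account = "broker-key";                  // placeholder
    const string AccessGroup = "TEAMID.com.microsoft.adalcache"; // placeholder team id

    // Query record identifying the single item we care about.
    static SecRecord Query() => new SecRecord(SecKind.GenericPassword)
    {
        Service = Service,
        Account = Account,
        AccessGroup = AccessGroup,
    };

    // Saves the key and returns the final SecStatusCode so the caller can log it.
    public static SecStatusCode Save(byte[] key)
    {
        var record = Query();
        record.ValueData = NSData.FromArray(key);
        record.Accessible = SecAccessible.AfterFirstUnlockThisDeviceOnly;

        var status = SecKeyChain.Add(record);
        if (status == SecStatusCode.DuplicateItem)
        {
            // An item already exists for this service/account/access group.
            // Replace its value instead of leaving the old one in place.
            var newAttributes = new SecRecord(SecKind.GenericPassword)
            {
                ValueData = NSData.FromArray(key)
            };
            status = SecKeyChain.Update(Query(), newAttributes);
        }
        return status;
    }

    // Reads the key back; returns null and sets status when it is not found.
    public static byte[] Load(out SecStatusCode status)
    {
        var found = SecKeyChain.QueryAsRecord(Query(), out status);
        if (status != SecStatusCode.Success || found?.ValueData == null)
            return null;
        return found.ValueData.ToArray();
    }

    // Round-trip check: true only if the keychain now holds exactly this key.
    public static bool SaveAndVerify(byte[] key)
    {
        if (Save(key) != SecStatusCode.Success)
            return false;
        var stored = Load(out var status);
        return status == SecStatusCode.Success
            && stored != null
            && Convert.ToBase64String(stored) == Convert.ToBase64String(key);
    }
}
```

Calling SaveAndVerify with the freshly generated key and logging the returned status codes on both paths gives a clear signal: a DuplicateItem on Add that still ends in Success means the update path ran, while an ItemNotFound on the read-back points at an access-group or entitlement mismatch rather than at the key material itself.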

Do you have the latest version of iOS13 installed? Also the latest version of the Authenticator App?
Did you try the same using MSAL?

Not sure I understand correctly. Are you trying to add broker support to an existing application and that's when you saw this? If not, can you please describe when you started seeing this issue?

@davidezordan : did you try updating to the latest iOS version?

Closing issue, please re-open if you have additional information.