PublicClientApplication constructor throws exception when iPhone screen is locked #626
Comments
@tipa - Can you please provide detailed repro steps? Thank you.
I am using a geofence in my iOS app. When a user enters or leaves a geofence, the phone screen might be locked when the app is invoked in the background. I then want to read or write from or to OneDrive.
@tipa - I wasn't able to repro this issue.
I am not creating a UIParent because the
To be sure I understand, @tipa: your app is started with the screen unlocked, the screen gets locked, and the app is re-invoked in the background, which does call the constructor again? (sorry for my lack of knowledge of iOS)
Yes, I create a new instance of
Thanks for the quick update, @tipa
Thanks! As I wrote in my initial message, I would simply add
@jennyf19 @jmprieur : to me what @tipa says makes perfect sense. The only question I would have is whether we should allow it to roam to another device (my first reaction is no). Thus we should rather be using AlwaysThisDeviceOnly. @tipa would this setting work for you? (perhaps the suggestion you had with AfterFirstUnlockThisDeviceOnly is the better choice, though I would even say AlwaysThisDeviceOnly would be fine)
TeamId can be always accessible, as there's no private information in it. |
* allow teamid to be accessible * change to _defaultAccessiblityPolicy [MSAL issue](AzureAD/microsoft-authentication-library-for-dotnet#626)
@tipa @jennyf19 @jmprieur @oldalton I get this behavior on Xamarin.iOS with ADAL 4.1.0-preview and 4.0.0-preview (and I cannot change to MSAL since we use Brokered SSO in some scenarios). (ref issue AzureAD/azure-activedirectory-library-for-dotnet#1206 even though that thread is mixing two different problems) We get this error when we try to get a new access token by the refresh token. And when this error has occurred, there is no way to get it to work again - the user may tap on "try again" but every time it fails; the only way to get it to work again is to force close the application. Could anyone explain that? I cannot really see how it would be related to the lock screen in my case. It is true that the user may receive a notification and tap on the notification on the lock screen, and the first thing that happens when the app opens up, if the old access token has expired, is that we are using AuthenticationContext to get a new one. BUT, this does not happen every time, not even often. And then, how to explain that once it has failed, the only remedy is to force close, and then when opening up the app again, everything works fine. I understand that this description is not possible for anyone to reproduce, but I would very much appreciate it if anyone could shed some light on what mechanisms in iOS + ADAL may cause this. There are a few issues for ADAL and MSAL related to GetTeamId(). It would be great if the mechanism to get the team id were more robust, maybe with retry logic. And maybe the worst part of all is that the user gets stuck if he or she does not force close the app in our case. Any help appreciated. Thank you
@jennyf19 It's difficult to see what way to proceed. Do you have any suggestion going forward? Thank you
@jennyf19 It would be interesting to inspect SecStatusCode when our app is failing, to help us understand under what circumstances it's impossible to read from the keychain until a force refresh of the app. SecRecord match = SecKeyChain.QueryAsRecord(queryRecord, out SecStatusCode resultCode); If I want to instrument this myself, is it the dev branch I should use for my testing? Thank you
@magnusnorberg : yes this is the To build MSAL.NET, see https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/ADAL-.NET-Build-&-Run
Which Version of MSAL are you using ?
MSAL 2.1.0-preview
Which platform has the issue?
Xamarin.iOS
What authentication flow has the issue?
Mobile
Repro
Expected behavior
The constructor does not crash
Actual behavior
A NullReferenceException is thrown in method GetTeamId(). More specifically, the variable match is null. This is because the Accessible parameter isn't specified - it defaults to WhenUnlocked: https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlocked
Possible Solution
Adding Accessible = SecAccessible.Always (or AfterFirstUnlockThisDeviceOnly) to this line: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/blob/1d3eb8c49be9039d99c1bf0057e98506c256b6de/core/src/Platforms/iOS/TokenCacheAccessor.cs#L89
On a different note: Isn't there any better, less-hacky way to get the TeamId?
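As an added example (not ADAL/MSAL's own code) that ties together the null `match` described in this report and @magnusnorberg's wish to inspect SecStatusCode: a Xamarin.iOS lookup that names the keychain accessibility class explicitly and checks the status instead of dereferencing the result. The service/account strings and the class name are assumptions.

```csharp
using System;
using Foundation;
using Security;

// Added example (not ADAL/MSAL code): read a keychain marker item with an
// explicit accessibility class and a checked SecStatusCode, so a locked
// screen yields a clear status instead of a null dereference.
public static class TeamIdProbe
{
    // Hypothetical service/account names for the marker record.
    const string Service = "example.teamid.probe";
    const string Account = "TeamIdMarker";

    // ThisDeviceOnly keeps the item from roaming to other devices;
    // AfterFirstUnlock lets background work (e.g. a geofence wake-up) read it
    // after the first unlock since boot, without opening it up to "Always".
    static SecRecord MakeQuery() => new SecRecord(SecKind.GenericPassword)
    {
        Service = Service,
        Account = Account,
        Accessible = SecAccessible.AfterFirstUnlockThisDeviceOnly,
    };

    // Returns the team-id prefix of the record's access group, or null with
    // `status` explaining why (e.g. InteractionNotAllowed while locked).
    public static string TryGetTeamId(out SecStatusCode status)
    {
        var query = MakeQuery();
        SecRecord match = SecKeyChain.QueryAsRecord(query, out status);

        if (status == SecStatusCode.ItemNotFound)
        {
            // First run: create the marker with the explicit accessibility class.
            var record = MakeQuery();
            record.ValueData = NSData.FromString("probe");
            status = SecKeyChain.Add(record);
            if (status != SecStatusCode.Success) return null;
            match = SecKeyChain.QueryAsRecord(query, out status);
        }

        // Never assume a match: the default WhenUnlocked class plus a locked
        // screen leaves match null with a non-Success status.
        if (status != SecStatusCode.Success || match?.AccessGroup == null)
            return null;

        // Access groups look like "<TEAMID>.<bundle or group id>".
        int dot = match.AccessGroup.IndexOf('.');
        return dot > 0 ? match.AccessGroup.Substring(0, dot) : match.AccessGroup;
    }
}
```

Logging the returned `status` on failure (rather than only catching the NullReferenceException) is what distinguishes a locked-device condition from a genuinely missing or inaccessible item.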