[Bug] MSAL .NET versions < 4.5.0 do not support system browser on iOS 13

[mtanml]

Edit to original post

If you are using the system browser with iOS 13, please update to MSAL.NET 4.5.0, which uses the required presentation context when authenticating on system browser with iOS 13.

If you are not using 4.5.0+, you will run into the issue listed below:

Starting with iOS 13, when authenticating using the system browser, MSAL .NET is required to provide a presentation context when using ASWebAuthenticationSession. Apple added multi-window support, and therefore they need to specifically know where to present the context (this is a breaking change).

In iOS 12, the AuthenticationSession API was iOS only and apps drew into a single window. However, now, with iPadiOS and macOS support, MSAL .NET will need to give the session a presentationContextProvider, and that presentationContextProvider will provide a window via the PresentationAnchor method.

Customer impact

Your app is impacted if all of the below are true:

• You have a Xamarin iOS App, and
• You are targeting iOS 13+, and
• You use system browser (default in MSAL .NET) for interactive authentication
• You are using a version lower then 4.5.0 of MSAL .NET

Workaround

• Update to MSAL.NET 4.5.0, or higher, which includes the necessary fixes for handling the presentation context on iOS 13.

Or,

• Use the embedded webview. Please see the documentation on enabling the embedded webview on Xamarin iOS

Example:

AuthenticationResult authResult;
authResult = app.AcquireTokenInteractively(scopes)
                .WithUseEmbeddedWebView(true)
                .ExecuteAsync();

Notable Concerns Regarding the Workaround to Use the Embedded Webview

• Caution when targeting B2C using embedded webview and Google auth
• Loss of SSO The great benefit of the system browser, and the reason why it is used by default in MSAL .NET, is the sharing of the SSO state with other applications and with web applications without needing a broker. More information provided here on SSO and the system browser

========

Original Post

Which Version of MSAL are you using ?
MSAL 4.4.0 (also occurs in 4.3.1)

Platform
Xamarin iOS

What authentication flow has the issue?

• Desktop / Mobile
  • [X ] Interactive
  • Integrated Windows Auth
  • Username Password
  • Device code flow (browserless)
• Web App
  • Authorization code
  • OBO
• Web API
  • OBO

Other? - please describe;

Is this a new or existing app?
The app is in production, and works fine on physical iOS devices (on both iOS 12.x and 13.0). I have upgraded my iPhone emulator to iOS 13, and that is where the issue occurs. Everything still works fine in iOS 12.2 on the emulator.

Repro

                    AuthenticationResult ar = await App.PCA.AcquireTokenInteractive(App.Scopes)
                        .WithAccount(Utils.GetAccountByPolicy(accounts, App.PolicySignUpSignIn))
                        .WithParentActivityOrWindow(App.ParentActivityOrWindow)
                        .ExecuteAsync();

Expected behavior
Authentication process initiates

Actual behavior
Immediately returns "authentication_canceled"

Possible Solution

Additional context/ Logs / Screenshots

[andresbj16]

I receive the same error, initially I thought it was for the version of the nuget package but even updating it to version 4.4.0 of MSAL the same error still occurs

[zachgreencbt]

I updated to Xcode 11/iOS 13 last night, and my code is now also returning this error. Was working fine prior to the upgrade.

[rulasg]

We are having the same issue. Since Xcode update to 11 with iOS 13, now code that works on iOS 12 Emulator return authentication_canceled exception. Repro with Microsoft.Identity.client 4.3.1 and 4.4

[jmprieur]

@zachgreencbt @rulasg @andresbj16 @mtanml : does the iOS emulator have the latest version of Microsoft Authenticator?

[jmprieur]

Also adding the Supportability tab as we'd want better error messages if possible than authentication_canceled.

[lperezj]

Mee too. I have the same problem. I update XCode and with the new simulator with IOS 13, not working. I update MSAL from 4.3.x to 4.4.0 and the problem is the same.

[jmprieur]

@lperezj : does the new simulator have the latest Authenticator app?

[uarcho]

Same here, getting the authentication_cancelled error in simulator, still have to test on a phisical device

[lperezj]

@lperezj : does the new simulator have the latest Authenticator app?

I'm testing with IOS 13 simulator. If i test with IOS 12.2 simulator working fine.

[jennyf19]

@jmprieur i don't believe this is related to the iOS broker, looks like an issue with the iOS 13 simulator, as @lperezj points out.
Will investigate.

[jmprieur]

@jennyf19 : and it seems at at least some of the affected apps are B2C apps:
@andresbj16, @zachgreencbt @rulasg @lperezj @uarcho are you building b2C apps?

[rulasg]

On our case, same project as @lperezj, we are using a corp app using corporative AAD Tenant.