
Redirect URIs in MSAL

Jason Kim edited this page Aug 8, 2019 · 12 revisions

MSAL requires your application's Redirect URI to be registered and used in a specific format. If you don't specify one, MSAL uses a default Redirect URI in the format msauth.[Your_Bundle_Id]://auth.

The default Redirect URI format will work for most of the applications and satisfy most scenarios, including brokered authentication and system web view. Therefore, it is recommended to use the default format whenever possible.

However, depending on your app's needs, you might have to change it for more advanced scenarios.

Scenarios where you need a different Redirect URI

Cross-app SSO

In order for the Microsoft Identity platform to know that it's allowed to share tokens across your applications, each of your applications will need to have the same Client ID or Application ID. This is the unique identifier that was provided for your first registered application in the portal.

However, the Redirect URIs need to be different for each of your iOS apps. This allows the Microsoft Identity service to uniquely identify different apps that share an Application ID. Each application can have multiple Redirect URIs registered in the onboarding portal. Each app in your suite will have a different redirect URI.

An example of how this looks is below. The application is registered with a client ID, ClientID, and has multiple redirect URIs registered:

  • msauth.com.contoso.mytestapp1://auth
  • msauth.com.contoso.mytestapp2://auth
  • msauth.com.contoso.mytestapp3://auth

For the application:

  • App1 uses ClientID with redirect URI msauth.com.contoso.mytestapp1://auth
  • App2 uses ClientID with redirect URI msauth.com.contoso.mytestapp2://auth
  • App3 uses ClientID with redirect URI msauth.com.contoso.mytestapp3://auth

Migrating from ADAL to MSAL

When you're migrating from ADAL to MSAL, you might already have a Redirect URI configured for your app. You can continue using the same Redirect URI as long as your ADAL app was configured to support brokered scenarios and your Redirect URI satisfies MSAL Redirect URI format requirements.

MSAL Redirect URI format requirements

The MSAL Redirect URI must be in the form <scheme>://host, where <scheme> is a unique string identifying your app and is mostly based on the Bundle Identifier of your application to guarantee its uniqueness.

For example, if your app's Bundle ID is com.contoso.myapp, use something like msauth.com.contoso.myapp://auth.

If you're migrating from ADAL, your Redirect URI will likely be in the following format: <scheme>://[Your_Bundle_Id], where scheme is something unique. This format will continue working for MSAL.

<scheme> must be registered in your app's Info.plist under CFBundleURLTypes -> CFBundleURLSchemes.

MSAL will verify that the Redirect URI is registered correctly and return an error if it is not.

If the <scheme> is https, it doesn't need to be registered in Info.plist. However, there are additional configuration steps involved to support https schemes. For this information, please visit Universal Links for Developers from Apple.
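The format rules above can also be checked at build time, before MSAL reports the error at runtime. The following Python lint is an added example, not MSAL's own verification code; the helper name check_redirect_uri and the sample Info.plist are constructed for illustration, and the last check only flags URIs that differ from the two formats named on this page.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample Info.plist for illustration (not taken from the MSAL project).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.contoso.myapp</string>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLSchemes</key><array>
      <string>msauth.com.contoso.myapp</string>
      <string>contosoapp</string>
    </array>
  </dict></array>
</dict></plist>"""


def check_redirect_uri(redirect_uri, plist_bytes):
    """Hypothetical helper: return a list of findings (empty means none)."""
    info = plistlib.loads(plist_bytes)
    bundle_id = info.get("CFBundleIdentifier", "").lower()
    # Collect every scheme declared under CFBundleURLTypes -> CFBundleURLSchemes.
    registered = {
        scheme.lower()
        for url_type in info.get("CFBundleURLTypes", [])
        for scheme in url_type.get("CFBundleURLSchemes", [])
    }
    parts = urlsplit(redirect_uri)  # urlsplit lowercases the scheme
    host = parts.netloc.lower()
    if not parts.scheme or not host:
        return ["not in <scheme>://host form"]
    if parts.scheme == "https":
        # https is not registered in Info.plist; it depends on Universal Links.
        return []
    findings = []
    if parts.scheme not in registered:
        findings.append(f"scheme '{parts.scheme}' is not in CFBundleURLSchemes")
    is_default = parts.scheme == f"msauth.{bundle_id}" and host == "auth"
    is_adal_style = host == bundle_id
    if not (is_default or is_adal_style):
        findings.append("matches neither msauth.<bundle id>://auth "
                        "nor <scheme>://<bundle id>")
    return findings


if __name__ == "__main__":
    for uri in ("msauth.com.contoso.myapp://auth", "contosoapp://com.contoso.myapp",
                "msauth.com.contoso.other://auth"):
        print(uri, "->", check_redirect_uri(uri, SAMPLE_INFO_PLIST) or "ok")
```

Run it against the Info.plist of the built app, where build variables such as the bundle identifier are already resolved.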

Using custom Redirect URI

Set the redirectUri parameter on MSALPublicClientApplicationConfig and use that configuration to initialize MSALPublicClientApplication. If the Redirect URI is invalid, the initializer will return nil and fill in the error with additional information.

// `authority` is the authority object your app already uses, created elsewhere.
MSALPublicClientApplicationConfig *config =
        [[MSALPublicClientApplicationConfig alloc] initWithClientId:@"your-client-id"
                                                        redirectUri:@"your-redirect-uri"
                                                          authority:authority];
// On an invalid Redirect URI, `application` is nil and `redirectURIError` describes why.
NSError *redirectURIError = nil;
MSALPublicClientApplication *application =
        [[MSALPublicClientApplication alloc] initWithConfiguration:config error:&redirectURIError];
