Skip to content

Redirect URIs in MSAL

Jump to bottom
Olga Dalton edited this page Apr 27, 2019 · 12 revisions

MSAL requires application to have its Redirect URI in a specific format. MSAL also provides a default Redirect URI, in the format of msauth.[Your_Bundle_Id]://auth.

The default Redirect URI will work for all scenarios, including brokered authentication and system web view. However, depending on your app needs you might need to change it for more advanced scenarios.

Scenarios where you need a different Redirect URI

Cross-app SSO

In order for the Microsoft Identity platform to know that it's allowed to share tokens across your applications, each of your applications will need to share the same Client ID or Application ID. This is the unique identifier that was provided to you when you registered your first application in the portal.

However, the Redirect URIs need to be different for each of your iOS apps. This will allow Microsoft Identity service to uniquely identify different apps in case they all share the same Application ID. Each application can have multiple Redirect URIs registered in the onboarding portal. Each app in your suite will have a different redirect URI. An example of how this looks is below:

App1 Redirect URI: msauth.com.contoso.mytestapp1://auth

App2 Redirect URI: msauth.com.contoso.mytestapp2://auth

App3 Redirect URI: msauth.com.contoso.mytestapp3://auth

Migrating from ADAL to MSAL

When you're migrating from ADAL to MSAL, you might already have a Redirect URI configured for your app. You can continue using the same Redirect URI as long as your ADAL app was configured to support brokered scenarios and your Redirect URI satisfies MSAL Redirect URI requirements.

MSAL Redirect URI requirements

MSAL Redirect URI must be in the form of <scheme>://host, where <scheme> is a unique string identifying your app.

You can come up with a unique scheme yourself, or you can reuse your app's Bundle ID, e.g. if your app's Bundle ID is com.contoso.myapp, use something like msauth.com.contoso.myapp://auth.

<scheme> must be registered in your app's Info.plist under CFBundleURLTypes -> CFBundleURLSchemes.

MSAL will verify if Redirect URI is registered correctly and return an error if it's not.

If the <scheme> is https, it doesn't need to be registered in Info.plist. However, there're additional configuration steps involved to support https schemes.

Setting custom Redirect URI

When creating MSALPublicClientApplication pass your custom Redirect URI in the initializer. If the Redirect URI is invalid, initializer will return nil and fill in the error with additional information.

NSError *error = nil;

MSALPublicClientApplication *myApplication = 
[[MSALPublicClientApplication alloc] initWithClientId:@"<enter your clientID>"
                                           authority:nil
                                         redirectUri:@"msauthcom.contoso.myapp://auth"
                                               error:&error];

if (!myApplication)
{
    // Check contents of the error
    NSLog(@"Error: %@", error);
}

Getting started with MSAL SDK

Configure, Build, Test, Deploy

Advanced Topics

Getting Help, Common Issues, and FAQ

Migrating

News

Clone this wiki locally