Skip to content

Redirect URIs in MSAL

Jump to bottom
Jason Kim edited this page Apr 30, 2019 · 12 revisions

MSAL requires application to have its Redirect URI in a specific format. MSAL also provides a default Redirect URI, if you don't specify, in the format of msauth.[Your_Bundle_Id]://auth.

The default Redirect URI format will work for most of the applications and satisfy most scenarios, including brokered authentication and system web view. Therefore, it is recommended to use the default format whenever possible.

However, depending on your app needs you might need to change it for more advanced scenarios.

Scenarios where you need a different Redirect URI

Cross-app SSO

In order for the Microsoft Identity platform to know that it's allowed to share tokens across your applications, each of your applications will need to have the same Client ID or Application ID. This is the unique identifier that was provided for your first registered application in the portal.

However, the Redirect URIs need to be different for each of your iOS apps. This will allow Microsoft Identity service to uniquely identify different apps with shared Application ID. Each application can have multiple Redirect URIs registered in the onboarding portal. Each app in your suite will have a different redirect URI. An example of how this looks is below:

App1 Redirect URI: msauth.com.contoso.mytestapp1://auth

App2 Redirect URI: msauth.com.contoso.mytestapp2://auth

App3 Redirect URI: msauth.com.contoso.mytestapp3://auth

Migrating from ADAL to MSAL

When you're migrating from ADAL to MSAL, you might already have a Redirect URI configured for your app. You can continue using the same Redirect URI as long as your ADAL app was configured to support brokered scenarios and your Redirect URI satisfies MSAL Redirect URI format requirements.

MSAL Redirect URI format requirements

MSAL Redirect URI must be in the form of <scheme>://host, where <scheme> is a unique string identifying your app and is mostly based on the Bundle Identifier of your application to guarantee its uniqueness.

For example, if your app's Bundle ID is com.contoso.myapp, use something like msauth.com.contoso.myapp://auth.

If you're migrating from ADAL, your Redirect URI will likely be in the following format: <scheme>://[Your_Bundle_Id], where scheme is something unique. This format will continue working for MSAL.

<scheme> must be registered in your app's Info.plist under CFBundleURLTypes -> CFBundleURLSchemes.

MSAL will verify if Redirect URI is registered correctly and return an error if it's not.

If the <scheme> is https, it doesn't need to be registered in Info.plist. However, there're additional configuration steps involved to support https schemes.

Setting custom Redirect URI

Set redirectUri parameter for MSALPublicClientApplicationConfig and use it for MSALPublicClientApplication initialization. If the Redirect URI is invalid, initializer will return nil and fill in the error with additional information.

      MSALPublicClientApplicationConfig *config =
        [[MSALPublicClientApplicationConfig alloc] initWithClientId:@"your-client-id"
                                                        redirectUri:@"your-redirect-uri"
                                                          authority:authority];
    NSError *redirectURIError;
    MSALPublicClientApplication *application =
        [[MSALPublicClientApplication alloc] initWithConfiguration:config error:&redirectURIError];

Getting started with MSAL SDK

Configure, Build, Test, Deploy

Advanced Topics

Getting Help, Common Issues, and FAQ

Migrating

News

Clone this wiki locally