Authenticating Azure AD registered app on macOS #35
Description
I have registered an app on Azure AD, it has permissions set for MicrosoftGraph Contacts.ReadWrite. I can obtain the ClientID, clientSecret, authorizationEndpoint (authURI) and tokenEndpoint (tokenURI) from the Azure Dashboard.
The readme states: "...You can also chose to handle authentication via any means that suits your needs.." Since MSAL is for iOS only (plug to support the Mac!) I am using OpenID to authenticate.
Per the instructions in the readme on using the SDK I have the following:
```objectivec
NSString *kScopes = @"https://graph.microsoft.com/Users.Read";
completionHandler = ^(NSString *accessToken, NSError *error) {
    ...
};
self.msAuthProviderOptions = [[NSObject alloc] init]; // warning -- Assigning to 'id<MSAuthenticationProviderOptions>' from incompatible type 'NSObject *'
self.msAuthProviderOptions.scopesArray = @[kScopes];
self.msAuthProvider = [[MSAuthProvider alloc] init];
[self.msAuthProvider getAccessTokenForProviderOptions:self.msAuthProviderOptions andCompletion:completionHandler];

MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:self.msAuthProvider];
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/me"]]];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
                                                 completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
    ...
}];
[meDataTask execute];
```
I am completely baffled as to how this would work at all - there is no clientID passed anywhere.
Please help me understand what I am missing here.
In the meantime I try to pursue a more familiar route using the usual OpenID approach:
```objectivec
OIDServiceConfiguration *configuration = [[OIDServiceConfiguration alloc] initWithAuthorizationEndpoint:authURI tokenEndpoint:tokenURI];
OIDAuthorizationRequest *request =
    [[OIDAuthorizationRequest alloc] initWithConfiguration:configuration
                                                  clientId:kClientID
                                              clientSecret:kClientSecret
                                                    scopes:@[@"https://graph.microsoft.com/contacts.readwrite"]
                                               redirectURL:redirectURI
                                              responseType:OIDResponseTypeCode
                                      additionalParameters:nil];
self.appDelegate.office365AuthorizationFlow =
    [OIDAuthState authStateByPresentingAuthorizationRequest:request
                                                   callback:^(OIDAuthState *_Nullable authState,
                                                              NSError *_Nullable error) {
    NSLog(@"%s authState: %@", __func__, authState);
    ...
}];
```
This all works and the redirect is calling the registered custom URL...
The returned URL appears useful BUT I cannot get anything out and it does not return an error.
The tab that appears in Safari has no URL and simply shows the overlay requesting to open the app. There is no information presented as to the permissions being requested...
It 'feels' like I don't have something configured correctly in the backend, but I am stumped and I just don't see any useful data...
BTW the returned URL in the app contains the correct redirect and then 'code' and 'session_state' parameters. The block parameters (authState and error) are both null....
Not confident that 'scopes' is correctly stated; also not confident that 'responseType' is correct for Microsoft Graph...
Assuming I can get this to work how would I use this within the 'httpClient' paradigm outlined in the 'How to Use SDK'?
Any helpful thoughts really appreciated!
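One way to bridge the two halves of the question, added here as an example and not code from the issue or from msgraph-sdk-objc: a class implementing the SDK's `MSAuthenticationProvider` protocol that wraps the AppAuth `OIDAuthState` returned in the callback, so `MSHTTPClient` asks AppAuth for a fresh token before each Graph request. The class name `AppAuthGraphProvider` is hypothetical; it assumes the AppAuth and `MSGraphClientSDK` headers are available and that the AppAuth flow completed with a non-nil `authState`.

```objectivec
// Added example (not from the issue or the SDK): feed AppAuth tokens into
// the Graph SDK's HTTP client. AppAuthGraphProvider is a hypothetical name.
#import <Foundation/Foundation.h>
#import <AppAuth/AppAuth.h>
#import <MSGraphClientSDK/MSGraphClientSDK.h>

@interface AppAuthGraphProvider : NSObject <MSAuthenticationProvider>
- (instancetype)initWithAuthState:(OIDAuthState *)authState;
@end

@implementation AppAuthGraphProvider {
    OIDAuthState *_authState;   // holds access, refresh and ID tokens from AppAuth
}

- (instancetype)initWithAuthState:(OIDAuthState *)authState {
    if ((self = [super init])) {
        _authState = authState;
    }
    return self;
}

// MSHTTPClient calls this before each request. performActionWithFreshTokens:
// refreshes the access token when it has expired, so the app never stores or
// reuses a stale bearer token itself.
- (void)getAccessTokenForProviderOptions:(id<MSAuthenticationProviderOptions>)authProviderOptions
                           andCompletion:(void (^)(NSString *accessToken, NSError *error))completion {
    [_authState performActionWithFreshTokens:^(NSString *_Nullable accessToken,
                                                NSString *_Nullable idToken,
                                                NSError *_Nullable error) {
        if (error) {
            // Refresh failed (revoked consent, expired refresh token, ...):
            // report it instead of sending a request with no credential.
            completion(nil, error);
            return;
        }
        completion(accessToken, nil);
    }];
}
@end

// Wiring inside the AppAuth callback, once authState is non-nil:
//   id<MSAuthenticationProvider> provider =
//       [[AppAuthGraphProvider alloc] initWithAuthState:authState];
//   MSHTTPClient *httpClient =
//       [MSClientFactory createHTTPClientWithAuthenticationProvider:provider];
//   ... then build the /me request and call dataTaskWithRequest: as in the issue.
```

`OIDAuthorizationRequest` generates PKCE parameters by default, which is the mechanism a native macOS app should rely on; an embedded `clientSecret` cannot be kept confidential in a distributed binary.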