Add MS Entra External ID support (CIAM) (#48)

* add ms entra external id (CIAM)

* add support for ios

* add missing authorityType (CIAM) to definitions

---------

Co-authored-by: Juraj Jakubik <[email protected]>

Author: jurusix

README.md

@@ -81,6 +81,8 @@ const result = await MsAuthPlugin.login({
     domainHint: '<domainHint>',
     scopes: ['<scopes, defaults to no scopes>'],
     keyHash: '<Android only, the key hash as obtained above>',
+    authorityType: '<AAD/B2C/CIAM>',
+    authorityUrl: '<To sign the user into a specific CIAM tenant, configure with a specific authority. For example: https://xxx.ciamlogin.com/dddd5555-eeee-6666-ffff-00001111aaaa>',
 });
 
 const accessToken = result.accessToken;

android/src/main/java/nl/recognize/msauthplugin/AuthorityType.java

@@ -2,5 +2,6 @@
 
 public enum AuthorityType {
     AAD,
-    B2C
+    B2C,
+    CIAM
 }

android/src/main/java/nl/recognize/msauthplugin/MsAuthPlugin.java

@@ -12,7 +12,6 @@
 import com.microsoft.identity.client.*;
 import com.microsoft.identity.client.exception.MsalException;
 import com.microsoft.identity.client.exception.MsalUiRequiredException;
-
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
@@ -124,9 +123,9 @@ private void acquireToken(ISingleAccountPublicClientApplication context, List<St
             try {
                 Logger.info("Starting silent login flow");
                 AcquireTokenSilentParameters.Builder builder = new AcquireTokenSilentParameters.Builder()
-                        .withScopes(scopes)
-                        .fromAuthority(authority)
-                        .forAccount(result.getCurrentAccount());
+                    .withScopes(scopes)
+                    .fromAuthority(authority)
+                    .forAccount(result.getCurrentAccount());
 
                 AcquireTokenSilentParameters parameters = builder.build();
                 IAuthenticationResult silentAuthResult = context.acquireTokenSilent(parameters);
@@ -147,44 +146,43 @@ private void acquireToken(ISingleAccountPublicClientApplication context, List<St
 
         Logger.info("Starting interactive login flow");
         AcquireTokenParameters.Builder params = new AcquireTokenParameters.Builder()
-                .startAuthorizationFromActivity(this.getActivity())
-                .withScopes(scopes)
-                .withPrompt(Prompt.SELECT_ACCOUNT)
-                .withCallback(
-                        new AuthenticationCallback() {
-                            @Override
-                            public void onCancel() {
-                                Logger.info("Login cancelled");
-                                callback.tokenReceived(null);
-                            }
-
-                            @Override
-                            public void onSuccess(IAuthenticationResult authenticationResult) {
-                                TokenResult tokenResult = new TokenResult();
-
-                                IAccount account = authenticationResult.getAccount();
-                                tokenResult.setAccessToken(authenticationResult.getAccessToken());
-                                tokenResult.setIdToken(account.getIdToken());
-                                tokenResult.setScopes(authenticationResult.getScope());
-
-                                callback.tokenReceived(tokenResult);
-                            }
-
-                            @Override
-                            public void onError(MsalException ex) {
-                                Logger.error("Unable to acquire token interactively", ex);
-                                callback.tokenReceived(null);
-                            }
-                        }
-                );
+            .startAuthorizationFromActivity(this.getActivity())
+            .withScopes(scopes)
+            .withPrompt(Prompt.SELECT_ACCOUNT)
+            .withCallback(
+                new AuthenticationCallback() {
+                    @Override
+                    public void onCancel() {
+                        Logger.info("Login cancelled");
+                        callback.tokenReceived(null);
+                    }
+
+                    @Override
+                    public void onSuccess(IAuthenticationResult authenticationResult) {
+                        TokenResult tokenResult = new TokenResult();
+
+                        IAccount account = authenticationResult.getAccount();
+                        tokenResult.setAccessToken(authenticationResult.getAccessToken());
+                        tokenResult.setIdToken(account.getIdToken());
+                        tokenResult.setScopes(authenticationResult.getScope());
+
+                        callback.tokenReceived(tokenResult);
+                    }
+
+                    @Override
+                    public void onError(MsalException ex) {
+                        Logger.error("Unable to acquire token interactively", ex);
+                        callback.tokenReceived(null);
+                    }
+                }
+            );
 
         if (result.getCurrentAccount() != null) {
             // Set loginHint otherwise MSAL throws an exception because of mismatched account
             params.withLoginHint(result.getCurrentAccount().getUsername());
         }
 
         context.acquireToken(params.build());
-
     }
 
     private ISingleAccountPublicClientApplication createContextFromPluginCall(PluginCall call)
@@ -207,8 +205,10 @@ private ISingleAccountPublicClientApplication createContextFromPluginCall(Plugin
             authorityType = AuthorityType.AAD;
         } else if (AuthorityType.B2C.name().equals(authorityTypeString)) {
             authorityType = AuthorityType.B2C;
+        } else if (AuthorityType.CIAM.name().equals(authorityTypeString)) {
+            authorityType = AuthorityType.CIAM;
         } else {
-            call.reject("Invalid authorityType specified. Only AAD and B2C are supported.");
+            call.reject("Invalid authorityType specified. Only AAD, B2C and CIAM are supported.");
             return null;
         }
 
@@ -244,6 +244,9 @@ private ISingleAccountPublicClientApplication createContext(
                 authorityConfig.put("authority_url", authorityUrl);
                 authorityConfig.put("default", "true");
                 break;
+            case CIAM:
+                authorityConfig.put("type", AuthorityType.CIAM.name()).put("authority_url", authorityUrl);
+                break;
         }
 
         configFile.put("client_id", clientId);

ios/Plugin/Plugin.swift

@@ -131,8 +131,8 @@ public class MsAuthPlugin: CAPPlugin {
         let authorityURL = call.getString("authorityUrl")
         let authorityType = call.getString("authorityType") ?? "AAD"
 
-        if authorityType != "AAD" && authorityType != "B2C" {
-            call.reject("authorityType must be one of 'AAD' or 'B2C'")
+        if authorityType != "AAD" && authorityType != "B2C" && authorityType != "CIAM" {
+            call.reject("authorityType must be one of 'AAD' or 'B2C' or 'CIAM'")
             return nil
         }
 
@@ -154,7 +154,7 @@ public class MsAuthPlugin: CAPPlugin {
         }
 
         do {
-            let authority = authorityType == .aad
+            let authority = authorityType == .aad || authorityType == .ciam
                 ? try MSALAADAuthority(url: authorityURL) : try MSALB2CAuthority(url: authorityURL)
 
             if domainHint != nil {
@@ -302,6 +302,7 @@ public class MsAuthPlugin: CAPPlugin {
 enum AuthorityType: String {
     case aad
     case b2c
+    case ciam
 }
 
 extension UIApplicationDelegate {

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@recognizebv/capacitor-plugin-msauth",
-  "version": "3.6.1",
+  "version": "3.6.2",
   "description": "This plugin enables MSAL support for Capacitor.",
   "main": "dist/plugin.cjs.js",
   "module": "dist/esm/index.js",

package.json

@@ -2,7 +2,7 @@ export interface BaseOptions {
   clientId: string;
   tenant?: string;
   domainHint?: string;
-  authorityType?: 'AAD' | 'B2C';
+  authorityType?: 'AAD' | 'B2C' | 'CIAM';
   authorityUrl?: string;
   knownAuthorities?: string[];
   keyHash?: string;