Microsoft.Identity.Client.MsalClientException: The application does not have keychain access groups enabled...failure to save to the iOS keychain.

Which Version of MSAL are you using ? MSAL 2.5.0-Preview

Which platform has the issue? xamarin iOS

What authentication flow has the issue?

• Desktop / Mobile
  • Interactive

Repro We currently have an interoperability issue with MSAL and Microsoft App Center. We have set up MSAL correctly with the required keychain sharing capabilities in Entitlements.plist. We build in Azure Devops using an ad-hoc provisioning profile which includes the UUIDS of all our development devices. Our builds work fine and we can successfully authenticate against our Azure B2C and access Azure resources.

Our issue manifests when we try to push the app to new iOS testers whose devices are provisioned via App Center’s automatic provisioning. When checking the output from the OSX codesign tool, we see:

In the original working build from ADO, this is the output (with our AppID redacted)

??qq1<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
       <key>get-task-allow</key>
       <false/>
       <key>application-identifier</key>
       <string>XXXXXXXXXX.XXX.XXXXXXXX.XXXXXX.app</string>
       <key>com.apple.developer.team-identifier</key>
       <string>XXXXXXXXXX</string>
       <key>keychain-access-groups</key>
       <array>
              <string>XXXXXXXXXX.com.microsoft.adalcache</string>
       </array>
       <key>com.apple.developer.healthkit</key>
       <true/>
</dict>
</plist>
 

In the newly re-signed build from App Center, this is what we see.

??qq?<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
       <key>application-identifier</key>
       <string>XXXXXXXXXX.XXX.XXXXXXXXXXX.XXXXXXX.app</string>
       <key>com.apple.developer.associated-domains</key>
       <string>*</string>
       <key>com.apple.developer.healthkit</key>
       <true/>
       <key>com.apple.developer.healthkit.access</key>
       <array>
              <string>health-records</string>
       </array>
       <key>com.apple.developer.team-identifier</key>
       <string>XXXXXXXXXX</string>
       <key>get-task-allow</key>
       <false/>
       <key>keychain-access-groups</key>
       <array>
              <string>XXXXXXXXXX.*</string>
       </array>
</dict>
</plist>

We suspect that the problem is the expansion using wildcards of the keychain access groups because if we purposely setup our entitlements.plist to contain this form, then our ADO build (which normally works) throws the same MSAL exception.

We’ve raised this with the App Center team who have been able to reproduce the same issue.

Expected behavior MSAL to save access token.

Actual behavior MSAL authenticates ok, but then throws an exception:

Microsoft.Identity.Client.MsalClientException: The application does not have keychain access groups enabled in the Entitlements.plist. As a result, there was a failure to save to the iOS keychain.

Possible Solution MSAL to save access token in local keychain if fails to write to shared keychain.

Additional context/ Logs / Screenshots https://stackoverflow.com/questions/53829119/xamarin-with-msal-cannot-save-access-token-as-keychain-access-groups-changed-dur?noredirect=1#comment94998265_53829119