
I am writing a MAUI Blazor Hybrid app using MSAL to Authenticate with a B2C Tenant. I have it working in our dev environment with an Azure B2C application ClientId that is used in two places.

Firstly to create the MSAL client object:

authenticationClient = PublicClientApplicationBuilder.Create(mauiAuthenticationConstants.ClientId)
    .WithB2CAuthority(mauiAuthenticationConstants.AuthoritySignIn)           // B2C authority, including the sign-in user flow
    .WithTenantId(mauiAuthenticationConstants.TenantId)
    .WithRedirectUri($"msal{mauiAuthenticationConstants.ClientId}://auth")   // must match the scheme/host in AndroidManifest.xml
    .WithClientId(mauiAuthenticationConstants.ClientId)
    .Build();

And secondly to configure an Android intent in the manifest:

<activity android:name="microsoft.identity.client.BrowserTabActivity" android:configChanges="orientation|screenSize" android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="msal[**REPLACE THIS WITH THE CLIENT ID OF YOUR APP**]" android:host="auth" />
    </intent-filter>
</activity>

We will be having separate Azure environments for each one of our clients, and so the app will have a different Client Id in each one.

We need to be able to have the app in the Google store and, when it is downloaded, go through a process of initialisation where the B2C vars, including the Client Id, are pulled from a central DB and saved to local secure storage.

I can see how I can set the Client Id in the code but how would I replace the Client Id in the AndroidManifest.xml?

Cheers Brian

1 Answer


I have found the answer to this issue.

Basically you have to use a custom Redirect Uri that contains a globally unique string.

In Azure, add a new unique redirect uri to the Mobile and Desktop applications section using the format scheme://auth (e.g. com.contosa.app://auth).

Note! I had to allow over an hour for this to save and propagate so I thought it was not working!

In code, when you create the PublicClientApplicationBuilder use

.WithRedirectUri("com.contosa.app://auth")

and add this to the AndroidManifest using:

<data android:scheme="com.contosa.app" android:host="auth" />

This then separates the client id from the Redirect Uri, and so it can now be dynamically assigned at runtime.

Regards Brian

  • Doesn't this suffer from the same problem, in that you are hard-coding a value into the AndroidManifest.xml file? If you have dev, test and prod environments how would you switch the redirect uri to the one appropriate to the environment-specific Azure AD B2C tenant at build time? – Jon Knight Jun 28 '23 at 16:15
  • Or do you mean that you can use the same redirect uri (i.e. "com.contosa.app", in your example) in multiple Azure AD B2C tenants? – Jon Knight Jun 28 '23 at 16:22
  • Just to confirm (now I've had a chance to try it), this solution works perfectly. I have been using the [.Net Maui Azure Identity Sample project](https://github.com/Azure-Samples/ms-identity-dotnetcore-maui), and this embeds the Client/App Id into various places in the source code. Changing this to use a custom return uri, rather than "msal{client id}://auth", and then setting up the same return URI in each B2C tenant you want to target works perfectly. I added constants to my project to set the host, scheme and returnUri as appropriate wherever it occurs in the sample code. Thanks, Brian! – Jon Knight Jun 29 '23 at 09:33
  • Hi @jonknight, the only fly in the ointment I found is that I could not use the same return uri for Android and iOS. So I had to put in:

        #if ANDROID
        .WithRedirectUri("com.xxx.client://auth")
        #else
        .WithRedirectUri("msauth.com.xxx.client://auth")
        .WithIosKeychainSecurityGroup("com.microsoft.adalcache")
        #endif

    – Brian Graham Aug 02 '23 at 21:35
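Putting the answer and the last comment together, here is an added example (not code from the question, the answer, or the ms-identity-dotnetcore-maui sample) of a MAUI sign-in helper that keeps the redirect URI fixed per platform while the tenant-specific values come from SecureStorage at runtime. The SecureStorage key names, the `B2CSettings` record, the class and method names, the `com.contosa.app` scheme and the `B2C_1_signin` policy name are all assumptions; the `ANDROID` and `IOS` symbols are the ones .NET MAUI defines per target framework.

```csharp
// Added example: build the MSAL public client from B2C settings that an
// earlier initialisation step (assumed, not shown) copied from the central DB
// into MAUI SecureStorage. The redirect URI is a per-platform constant, so it
// can be hard-coded in AndroidManifest.xml / Info.plist, while ClientId,
// authority and policy are read from the device at runtime.
using Microsoft.Identity.Client;
using Microsoft.Maui.ApplicationModel;
using Microsoft.Maui.Storage;

public sealed record B2CSettings(string ClientId, string Authority, string SignInPolicy, string[] Scopes);

public static class B2CAuthClient
{
    // Fixed per-platform redirect URIs (assumed scheme). These never change per
    // tenant, so every B2C tenant registers the same value under
    // "Mobile and desktop applications".
#if ANDROID
    private const string RedirectUri = "com.contosa.app://auth";
#elif IOS
    private const string RedirectUri = "msauth.com.contosa.app://auth";
#else
    private const string RedirectUri = "http://localhost";
#endif

    // Assumed SecureStorage keys written by the initialisation step.
    private const string ClientIdKey  = "b2c.clientId";
    private const string AuthorityKey = "b2c.authority";   // e.g. https://contosa.b2clogin.com/tfp/contosa.onmicrosoft.com/B2C_1_signin
    private const string PolicyKey    = "b2c.policy";      // e.g. B2C_1_signin
    private const string ScopesKey    = "b2c.scopes";      // space-separated

    public static async Task<B2CSettings> LoadSettingsAsync()
    {
        var clientId  = await SecureStorage.Default.GetAsync(ClientIdKey);
        var authority = await SecureStorage.Default.GetAsync(AuthorityKey);
        var policy    = await SecureStorage.Default.GetAsync(PolicyKey);
        var scopes    = await SecureStorage.Default.GetAsync(ScopesKey);

        if (string.IsNullOrWhiteSpace(clientId) || string.IsNullOrWhiteSpace(authority)
            || string.IsNullOrWhiteSpace(policy) || string.IsNullOrWhiteSpace(scopes))
        {
            throw new InvalidOperationException("B2C settings have not been initialised on this device.");
        }

        // Refuse anything but an HTTPS authority: a tampered or mis-provisioned
        // value must not be able to send the sign-in to a plain-HTTP host.
        if (!Uri.TryCreate(authority, UriKind.Absolute, out var authorityUri)
            || authorityUri.Scheme != Uri.UriSchemeHttps)
        {
            throw new InvalidOperationException("B2C authority must be an absolute https:// URL.");
        }

        return new B2CSettings(clientId, authority, policy,
            scopes.Split(' ', StringSplitOptions.RemoveEmptyEntries));
    }

    public static IPublicClientApplication Build(B2CSettings settings)
    {
        var builder = PublicClientApplicationBuilder.Create(settings.ClientId)
            .WithB2CAuthority(settings.Authority)
            .WithRedirectUri(RedirectUri);   // same value as the manifest <data> scheme/host
#if ANDROID
        builder = builder.WithParentActivityOrWindow(() => Platform.CurrentActivity);
#elif IOS
        builder = builder.WithIosKeychainSecurityGroup("com.microsoft.adalcache");
#endif
        return builder.Build();
    }

    // Silent first, interactive (system browser) only when MSAL says UI is required.
    public static async Task<AuthenticationResult> SignInAsync(IPublicClientApplication pca, B2CSettings settings)
    {
        var accounts = await pca.GetAccountsAsync(settings.SignInPolicy);
        try
        {
            return await pca.AcquireTokenSilent(settings.Scopes, accounts.FirstOrDefault())
                .ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            return await pca.AcquireTokenInteractive(settings.Scopes)
                .WithUseEmbeddedWebView(false)   // system browser; the BrowserTabActivity intent filter handles the return
                .ExecuteAsync();
        }
    }
}
```

Usage from the app is `var settings = await B2CAuthClient.LoadSettingsAsync(); var result = await B2CAuthClient.SignInAsync(B2CAuthClient.Build(settings), settings);`. Note that the AndroidManifest.xml `<data>` entry and the Azure redirect URI must match `RedirectUri` exactly, including the `://auth` host, and on iOS the `msauth.` prefixed form is what MSAL expects for the broker-style scheme, which is why the two platforms cannot share one string.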