Xamarin & Azure AD SSO: Watch out iOSHidePrivacyPrompt
One of the mean little things you just need to know …
This thing cost me a whole morning of trial and error. And by now I know that it was pointless, because this little guy blocked any progress in my search.
We recently had the idea of introducing Single-Sign-On (SSO) for our mobile apps. That means you just have to log in one time with any of our apps and can then reuse the shared login data for every other app. We also wanted a possibility for other app providers to use this data, so we could not simply store it in the shared storage but needed to solve this via the system browser.
Fortunately there exists an awesome library for this requirement from Microsoft, the Azure Active Directory libraries for .NET, that allows you to just specify the endpoints and configure the UI and so on, but handles all of the complexity by itself. So far so great.
As most of the time, there exist some samples showing how it is meant to be used, but in the end there is no way around trying it yourself and changing some pieces to fit your needs. In one of the samples there was this AcquireTokenInteractiveParameterBuilder with its WithSystemWebViewOptions(SystemWebViewOptions options) method. They were setting the iOSHidePrivacyPrompt to false.
As I was a total beginner with SSO and this specific library, I was not thinking anything bad about this statement. “If they use it like this it will be alright.”, I thought. And I was going crazy about “why on earth does this thing not reuse my login data but request it anew every single time???”. Also checking the documentation did not help; seriously, look at the property's documentation and try to make the connection.
In the end I really started checking the source code to see what was going on, and there I finally found the root of all evil:
In the background this iOSHidePrivacyPrompt property sets the ASWebAuthenticationSession.PrefersEphemeralWebBrowserSession property, whose documentation tells us:
Set prefersEphemeralWebBrowserSession to true to request that the browser doesn’t share cookies or other browsing data between the authentication session and the user’s normal browser session.
Or with my own words:
Don’t reuse data. Start over.
After removing this statement everything finally worked as expected.
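To make the point concrete, here is an added example (my own code, not the post's and not the sample the author copied from) of a Xamarin.iOS sign-in with MSAL.NET. It shows the interactive call with an explicit SystemWebViewOptions next to the variant the post ends up with, which leaves the property alone, and it tries the silent token acquisition first, which is where the shared login data is actually reused. The client ID, redirect URI, scopes and keychain group are placeholders; the only behaviour this relies on is what the post states, namely that iOSHidePrivacyPrompt is passed through to ASWebAuthenticationSession.PrefersEphemeralWebBrowserSession, whose documentation quoted above defines true as "do not share cookies".

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: SSO-friendly sign-in with MSAL.NET on Xamarin.iOS.
// All identifiers below are placeholders, not values from the post.
public static class SsoSignIn
{
    const string ClientId = "00000000-0000-0000-0000-000000000000"; // placeholder
    const string RedirectUri = "msauth.com.example.app://auth";     // placeholder
    static readonly string[] Scopes = { "User.Read" };              // placeholder scope

    static readonly IPublicClientApplication Pca = PublicClientApplicationBuilder
        .Create(ClientId)
        .WithRedirectUri(RedirectUri)
        // Shares the MSAL token cache across the vendor's apps on the device
        // (the cache is only useful if the browser session is shared as well).
        .WithIosKeychainSecurityGroup("com.example.sso")              // placeholder
        .Build();

    // Variant A: what the sample did. Setting iOSHidePrivacyPrompt hides the
    // "app wants to use example.com to sign in" dialog, but MSAL hands the value
    // to ASWebAuthenticationSession.PrefersEphemeralWebBrowserSession. With an
    // ephemeral session the system browser keeps no cookies, so every app (and
    // every launch) starts from a fresh login: no SSO.
    public static Task<AuthenticationResult> SignInEphemeral(object parentWindow)
    {
        var options = new SystemWebViewOptions { iOSHidePrivacyPrompt = true };
        return Pca.AcquireTokenInteractive(Scopes)
                  .WithParentActivityOrWindow(parentWindow)
                  .WithUseEmbeddedWebView(false)   // system browser, needed for cross-app SSO
                  .WithSystemWebViewOptions(options)
                  .ExecuteAsync();
    }

    // Variant B: what the post ends up with. No SystemWebViewOptions at all, so
    // PrefersEphemeralWebBrowserSession keeps its default and the browser's
    // cookie jar is shared between the authentication session and Safari.
    public static Task<AuthenticationResult> SignInShared(object parentWindow)
    {
        return Pca.AcquireTokenInteractive(Scopes)
                  .WithParentActivityOrWindow(parentWindow)
                  .WithUseEmbeddedWebView(false)
                  .ExecuteAsync();
    }

    // Silent-first flow: reuse a cached account/token and only fall back to
    // the browser when the cache cannot satisfy the request.
    public static async Task<AuthenticationResult> GetTokenAsync(object parentWindow)
    {
        var account = (await Pca.GetAccountsAsync()).FirstOrDefault();
        try
        {
            return await Pca.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // Interactive fallback: the shared variant keeps SSO working.
            return await SignInShared(parentWindow);
        }
    }
}
```

If you need the privacy prompt hidden for some other reason, know that you are trading away the shared browser session that makes SSO between apps work; treat the two as mutually exclusive rather than as independent switches.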
So I learned two things from this problem:
- Don’t just blindly copy code from samples. Try to understand it, especially if you have problems getting it to work
- Don’t use settings you don’t understand. Stick to the defaults if possible
I hope that I can save some others a morning full of frustration with this article :-) Have a second coffee for me instead 😉☕