MSAL: PublicClientApplication throws NullReferenceException in constructor on iPhone simulator #611

Closed
devlanfear opened this issue Sep 5, 2018 · 37 comments

Comments

@devlanfear

Using https://github.com/Azure-Samples/active-directory-xamarin-native-v2 on iPhone Simulator 11.4
without any changes (also tried with keys from existing apps)

Which version of MSAL are you using?
MSAL 2.0.0-preview

Which platform has the issue?
Xamarin.Forms iOS

What authentication flow has the issue?
Mobile

Repro

		PCA = new PublicClientApplication(ClientID)
		{
			RedirectUri = $"msal{App.ClientID}://auth",
		};

Expected behavior
Expecting to create new instance of PublicClientApplication

Actual behavior
Constructor throws NullReferenceException

Additional context/ Logs / Screenshots
at Microsoft.Identity.Core.TokenCacheAccessor.GetTeamId () [0x0003f] in <772466974f16475694ca93a5f7a70108>:0
at Microsoft.Identity.Core.TokenCacheAccessor..ctor () [0x0001c] in <772466974f16475694ca93a5f7a70108>:0
at Microsoft.Identity.Core.Telemetry.TelemetryTokenCacheAccessor..ctor () [0x00000] in <772466974f16475694ca93a5f7a70108>:0
at Microsoft.Identity.Client.TokenCache..ctor () [0x00000] in <772466974f16475694ca93a5f7a70108>:0
at Microsoft.Identity.Client.PublicClientApplication..ctor (System.String clientId, System.String authority) [0x00014] in <772466974f16475694ca93a5f7a70108>:0
at Microsoft.Identity.Client.PublicClientApplication..ctor (System.String clientId) [0x00000] in <772466974f16475694ca93a5f7a70108>:0
at UserDetailsClient.App..ctor () [0x00008] in /Users/devlanfear/Desktop/active-directory-xamarin-native-v2-master 3/UserDetailsClient/UserDetailsClient/App.cs:28
at UserDetailsClient.iOS.AppDelegate.FinishedLaunching (UIKit.UIApplication app, Foundation.NSDictionary options) [0x00007] in /Users/devlanfear/Desktop/active-directory-xamarin-native-v2-master 3/UserDetailsClient/UserDetailsClient.iOS/AppDelegate.cs:27
at (wrapper managed-to-native) UIKit.UIApplication.UIApplicationMain(int,string[],intptr,intptr)
at UIKit.UIApplication.Main (System.String[] args, System.IntPtr principal, System.IntPtr delegate) [0x00005] in /Library/Frameworks/Xamarin.iOS.framework/Versions/11.12.0.4/src/Xamarin.iOS/UIKit/UIApplication.cs:79
at UIKit.UIApplication.Main (System.String[] args, System.String principalClassName, System.String delegateClassName) [0x0002c] in /Library/Frameworks/Xamarin.iOS.framework/Versions/11.12.0.4/src/Xamarin.iOS/UIKit/UIApplication.cs:63
at UserDetailsClient.iOS.Application.Main (System.String[] args) [0x00001] in /Users/devlanfear/Desktop/active-directory-xamarin-native-v2-master 3/UserDetailsClient/UserDetailsClient.iOS/Main.cs:17

@jmprieur
Contributor

jmprieur commented Sep 5, 2018

@devlanfear : had you installed a previous version of the sample application in the past in the simulator?

@ali-h2010

I have the same problem.
This is the first time I use this library.
Should I install an old version of the Microsoft.Client.Identity?

@jennyf19
Collaborator

jennyf19 commented Sep 5, 2018

I was not able to repro using the dev apps inside of MSAL, but repros with other samples and new Xamarin iOS projects. Workaround is to use Msal-1.1.4-preview
cc: @jmprieur

@devlanfear
Author

I tried on clean simulator also - same issue @jmprieur

@ali-h2010

When I try to install the app on a physical device, I get the following error:
Your code signing/provisioning profiles are not correctly configured. Probably you have an entitlement not supported by your current provisioning profile, or your device is not part of the current provisioning profile.

The app is not being deployed to the device. Only when I remove the custom Entitlements.plist is the app installed, but it doesn't work as expected and I am still getting nulls.

@ali-h2010

I think the issue is in the keychain settings

@ali-h2010

In this line:

    AuthenticationResult ar = await App.PCA.AcquireTokenAsync(App.Scopes, App.UiParent);

UiParent is null for iOS, while there is an activity for the Windows device.

@ali-h2010

[screenshot: screen shot 2018-09-06 at 9 47 07 am]
Keychain security is also null.

When I run on the simulator, it fails on the constructor. And when I run on a physical device, it fails on getting the token.

@jennyf19
Collaborator

jennyf19 commented Sep 7, 2018

Simulator does not use the keychain sharing group, but a device will. The issue is possibly stemming from GetTeamId() returning null, but having issues getting a consistent repro. Hopefully will have a better update soon.

cc: @jmprieur

@TruthWithLove

Thanks for opening this issue, I thought it was some kind of issue with Prism. I'm getting the same error.

    public App() : this(null)
    { 
    }

    public App(IPlatformInitializer initializer) : base(initializer)
    {
        //PCA = new PublicClientApplication(AppSettings.MSAL_ApplicationID)
        //{
        //    RedirectUri = $"msal{AppSettings.MSAL_ApplicationID}://auth",
        //};
    }

@ali-h2010

Any update on this matter?
Is there any temporary workaround to authenticate users using AD in iOS?
It's working fine in Android and in ASP.NET it's easy to add enterprise authentication.

@jmprieur
Contributor

jmprieur commented Sep 9, 2018

@ali-h2010, @jennyf19 is looking at it.
Can you please confirm you only see that on the iOS simulator, not on an iPhone device?

@ali-h2010

ali-h2010 commented Sep 9, 2018

@jmprieur, I get Null Reference Exception on both. I have been using keychain on the simulator and it worked fine in all our apps. I tried to add the keychain in the Entitlement and info.plist.

@ali-h2010

@jmprieur, am I the only one who is facing issues when running on a physical device?
@ZeroPKI, @devlanfear

@jmprieur
Contributor

@jennyf19 did not manage to repro it on a physical device, @ali-h2010
which iPhone are you using?

@jmprieur
Contributor

Also, @ali-h2010, @jennyf19 mentioned that this seems to be working fine with anything else than the sample: https://github.com/Azure-Samples/active-directory-xamarin-native-v2

@armin-o

armin-o commented Sep 10, 2018

Same Issue here:

Actual behavior Simulator
Constructor throws NullReferenceException

Actual behavior iPhone8/IOS11

    var tr = App.PCA.AcquireTokenAsync(App.Scopes, App.UiParent);
    tr.Wait(); // <- NullReferenceException

@ali-h2010

ali-h2010 commented Sep 11, 2018

@jmprieur
I tested with this sample for native iOS and it's working as expected on the simulator
https://github.com/Azure-Samples/active-directory-ios-swift-native-v2
But, our focus right now is Xamarin forms.
Please support us in this issue.
cc. @jennyf19

@Rashun001

Works on the Physical Device, not on the emulator.

@jennyf19
Collaborator

Thanks for the update @ali-h2010
We are still working on this issue. Will keep you posted. Thanks for your patience.

@jmprieur changed the title from "MSAL: PublicClientApplication throws NullReferenceException in constructor" to "MSAL: PublicClientApplication throws NullReferenceException in constructor on iPhone simulator" Sep 15, 2018

@HarlowBurgess

> Also, @ali-h2010, @jennyf19 mentioned that this seems to be working fine with anything else than the sample: https://github.com/Azure-Samples/active-directory-xamarin-native-v2

It doesn't work for me even for a new blank project. I also reset the simulator to its initial state just in case.

Repro steps: Create a new blank Xamarin.Forms project with the following:

  • Xamarin.Forms 3.2.0.839982
  • .NET Standard 2.0.3
  • Microsoft.Identity.Client 2.0.1-preview
  • iPhone X iOS 11.4 Simulator

App.xaml.cs:

    public App()
    {
        InitializeComponent();
        PublicClientApplication PCA = new PublicClientApplication(clientId); //==> NullReferenceException!
        ...
    }

I downgraded to MSAL 1.1.4 for now, which appears to be working fine so far.

@jennyf19
Collaborator

@HarlowBurgess @ali-h2010 - Thanks for the update. I need to update my comment as well, as I was able to reproduce with a blank project (as you did), and in other samples. We are not able to repro it in our dev samples. We will keep you posted. Thanks.

@ali-h2010

ali-h2010 commented Sep 25, 2018

@HarlowBurgess, @jennyf19
Can you please share with me how to sign out using MSAL 1.1.4?

    App.PCA.GetUser(String identifier)

requires a string identifier, and

    App.PCA.Remove(IUser user)

requires a reference to the user.

I tested with

    var users = App.PCA.Users;

and it returns that there are 0 users in the system. Also, the session is not persistent so I don't think that MSAL 1.1.4 is suitable for production.

@bgavrilMS
Member

bgavrilMS commented Sep 25, 2018

Hi @ali-h2010 - please open a new issue for your problem. MSAL 1.1.4 is used in production env by quite a few people. App.PCA.Users should be populated with users once a token has been acquired. It is essentially a view over the token cache.

Please have a look at the sample as it was configured to work with MSAL 1.1.4: https://github.com/Azure-Samples/active-directory-xamarin-native-v2/tree/4d05148599ee999693bcbc0c9b5a5245dda95029

@tipa

tipa commented Sep 27, 2018

The same issue occurs for me when the auth is attempted while the phone screen is locked. Then the library cannot access the keychain and get the teamId, resulting in the error. Maybe adding Accessible = SecAccessible.Always to this line resolves the issue: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/blob/1d3eb8c49be9039d99c1bf0057e98506c256b6de/core/src/Platforms/iOS/TokenCacheAccessor.cs#L89
I think, when not specified, the default for the Accessible property is WhenUnlocked: https://developer.apple.com/documentation/security/ksecattraccessiblewhenunlocked?language=objc

@jennyf19
Collaborator

jennyf19 commented Oct 3, 2018

@tipa @ali-h2010 @Rashun001 @armin-o @ZeroPKI @devlanfear

Can you try the following:

  • In VS, under Debug tab, go to nameOfMyApp.iOS Properties...
  • Then go to iOS Bundle Signing
  • Under Custom Entitlements, click the ... and select the Entitlements.plist file from your app

In the csproj file of the iOS app, you should have this line now included:

    <CodesignEntitlements>Entitlements.plist</CodesignEntitlements>

Also, in Entitlements.plist file, make sure you have enabled access to the keychain, using either the below access group or your own:

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>keychain-access-groups</key>
      <array>
        <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
      </array>
    </dict>
    </plist>

Remember to rebuild. Let me know if this works for you. It worked for me on a new iOS app and on our V2 sample.
cc: @jmprieur
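
Added example, not part of the original thread or of MSAL: a Python check for the two settings the comment above asks for, run here on constructed sample files. It assumes the per-configuration PropertyGroup layout that Xamarin.iOS project files commonly use; all function names are hypothetical.

```python
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from any real project.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|iPhoneSimulator' ">
    <CodesignEntitlements>Entitlements.plist</CodesignEntitlements>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|iPhone' ">
    <CodesignKey>iPhone Developer</CodesignKey>
  </PropertyGroup>
</Project>"""
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>keychain-access-groups</key>
  <array><string>$(AppIdentifierPrefix)com.microsoft.adalcache</string></array>
</dict></plist>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace, if any

def configs_missing_entitlements(csproj_text):
    """Conditions of build configurations that never set CodesignEntitlements."""
    groups = [g for g in ET.fromstring(csproj_text).iter() if _local(g.tag) == "PropertyGroup"]
    def sets_it(g):
        return any(_local(c.tag) == "CodesignEntitlements" and (c.text or "").strip() for c in g)
    # An unconditional PropertyGroup applies to every configuration.
    if any(g.get("Condition") is None and sets_it(g) for g in groups):
        return []
    return [g.get("Condition").strip() for g in groups
            if g.get("Condition") is not None and not sets_it(g)]

def keychain_groups(entitlements_bytes):
    """Non-empty keychain-access-groups entries from an Entitlements.plist."""
    groups = plistlib.loads(entitlements_bytes).get("keychain-access-groups", [])
    return [g for g in groups if isinstance(g, str) and g.strip()]

def check(csproj_text, entitlements_bytes):
    findings = ["no CodesignEntitlements for " + c
                for c in configs_missing_entitlements(csproj_text)]
    if not keychain_groups(entitlements_bytes):
        findings.append("Entitlements.plist has no keychain-access-groups entry")
    return findings

if __name__ == "__main__":
    for line in check(SAMPLE_CSPROJ, SAMPLE_ENTITLEMENTS) or ["configuration looks complete"]:
        print(line)
```

On the sample input the Debug|iPhoneSimulator configuration passes and the Release|iPhone configuration is reported, which is the case where a build that works in the simulator loses its entitlements on a device build.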

@hig-dev

hig-dev commented Oct 3, 2018

@jennyf19 I had the same problem and your solution worked with MSAL 2.1.0-preview on the iPhone Simulator.

@jennyf19
Collaborator

jennyf19 commented Oct 3, 2018

@hig-dev - Excellent...thanks for the quick response.

@tipa

tipa commented Oct 3, 2018

@jennyf19 thanks for the update, but I am still a bit confused, as for me it also works with my own, keychain-access-group $(AppIdentifierPrefix)$(CFBundleIdentifier). Is there any benefit from using $(AppIdentifierPrefix)com.microsoft.adalcache?
Also does this solve the issue I experience when trying to create a PublicClientApplication instance when the screen is locked? Should I open a new issue for this?

@jennyf19
Collaborator

jennyf19 commented Oct 3, 2018

@tipa
answers to your questions:
> I am still a bit confused, as for me it also works with my own, keychain-access-group $(AppIdentifierPrefix)$(CFBundleIdentifier). Is there any benefit from using $(AppIdentifierPrefix)com.microsoft.adalcache?

  • No benefit. Using your own keychain access group is fine.

> Also does this solve the issue I experience when trying to create a PublicClientApplication instance when the screen is locked? Should I open a new issue for this?

  • I was unaware of this issue. Can you make sure you have this line:
    <CodesignEntitlements>Entitlements.plist</CodesignEntitlements> in the ios csproj file and see if that makes a difference? Our default accessibility is AfterFirstUnlockThisDeviceOnly, so not sure if it will work with a locked screen. If you want to open a separate issue to continue the discussion there, please do so. Thanks.

@tipa

tipa commented Oct 3, 2018

@jennyf19 I created a new issue here: #626
The (library!)-default accessibility AfterFirstUnlockThisDeviceOnly is not used everywhere in the library, which causes the issue.

@jennyf19
Collaborator

jennyf19 commented Oct 5, 2018

@devlanfear @ali-h2010 @ZeroPKI
returning error message in MSAL v2.2.0-preview and updates to wiki for configuration assistance

Please re-open if you continue to have issues w/this. Thanks for all your help!

@jennyf19 closed this as completed Oct 5, 2018
@jennyf19 added the Fixed label Oct 5, 2018
@jennyf19 added this to the 2.2.0 milestone Oct 5, 2018

@djarvis

djarvis commented Apr 18, 2019

Can I enable keychain while still using automatic provisioning?

@jennyf19
Collaborator

@djarvis you should be able to, yes.

@djarvis

djarvis commented Apr 22, 2019

> @djarvis you should be able to, yes.

Not sure how. The "Custom Entitlements" box where I would enter Entitlements.plist is grayed out if I choose "Automatic Provisioning".

@jennyf19
Collaborator

@djarvis In order to use the keychain, you will need to use Manual provisioning and make sure you have the entitlements set correctly. Sorry for the confusion.

@djarvis

djarvis commented May 2, 2019

Cool, thanks. I was able to go through the steps here: https://docs.microsoft.com/en-us/xamarin/ios/get-started/installation/device-provisioning/free-provisioning?tabs=windows and get my app working on a device.
