Keychain problems with getDeviceInformation and getWPJMetaDataDevice #2393

Open

petarov opened this issue Nov 15, 2024 · 4 comments

Comments

petarov commented Nov 15, 2024

Hi,

Similar questions seem to have been asked a couple of times already, but I'm stuck and I'd appreciate some help.

I'm new to Entra and I'm working on an app that initiates a WPJ using Authenticator as a broker. My end goal is to fetch the registered Device ID into my app and send it to another 3rd party service. My app has the $(AppIdentifierPrefix)com.microsoft.adalcache keychain entitlement and I'm using the {"access_token":{"deviceid":{"essential":true}}} device claim with the acquireToken call, so that seems to work.

Now I'm trying to use the MSALPublicClientApplication calls getDeviceInformation or getWPJMetaDataDevice to fetch the extraDeviceInformation dictionary and read the Device ID. Unfortunately there are always errors being produced and the dictionary remains empty.

Examples:

```swift
// Query device information through MSAL; extraDeviceInformation should carry the registration details.
self.applicationContext?.getDeviceInformation(with: nil, completionBlock: { (deviceInformation, error) in

    guard let deviceInfo = deviceInformation else {
        self.updateLogging(text: "Device info not returned. Error: \(String(describing: error))")
        return
    }

    print("*** Reading deviceInformation.extraDeviceInformation")

    // Iterate over the bridged dictionary; keys and values are NSString.
    for (key, value) in deviceInfo.extraDeviceInformation as? [NSString: Any] ?? [:] {
        print("\tKey: \(key), Value: \(value)")
    }
})
```

Logs:

```
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42] Querying device info
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] GetDeviceInfo: Should call Sso Extension decision: 0
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] Broker is not present on this device. Defaulting to personal mode
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] Checking Legacy keychain for registration.
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42] Failed to find workplace join private key with status -34018
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] Checking keychain for default registration done using ECC key.
*** Reading deviceInformation.extraDeviceInformation
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42] Error Domain=MSIDKeychainErrorDomain Code=-25300 "(null)" UserInfo={MSIDCorrelationIdKey=166EBD2F-E392-46CC-B43F-39DD16CECDF1, MSIDErrorDescriptionKey=Could not get default primary registration tenantId.}
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42] GetDeviceInfo: Completing filling device info: Masked(not-null), error: Masked(null)
TID=486295 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:05:42 - 166EBD2F-E392-46CC-B43F-39DD16CECDF1] [MSAL] Retrieved device info Masked(not-null)
```
```swift
print("*** isCompatibleAADBrokerAvailable = \(self.applicationContext?.isCompatibleAADBrokerAvailable)")

// Query the WPJ metadata for a specific tenant; the tenant id is redacted here.
self.applicationContext?.getWPJMetaDataDevice(with: nil, forTenantId: "<my-tenant-id>", completionBlock: { (msalWPJMetaData, error) in

    guard let data = msalWPJMetaData else {
        self.updateLogging(text: "MSALWPJMetaData info not returned. Error: \(String(describing: error))")
        return
    }

    print("*** Reading msalWPJMetaData.extraDeviceInformation")

    // Iterate over the bridged dictionary; keys and values are NSString.
    for (key, value) in data.extraDeviceInformation as? [NSString: Any] ?? [:] {
        print("\tKey: \(key), Value: \(value)")
    }
})
```

Logs:

```
*** isCompatibleAADBrokerAvailable = Optional(true)
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Querying WPJ MetaData for tenantId: Masked(not-null)
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Checking Legacy keychain for registration.
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17] Failed to find workplace join private key with status -34018
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Checking keychain for default registration done using RSA key.
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17] Failed to find workplace join private key with status -25300
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Checking keychain for default registration done using ECC key.
*** Reading msalWPJMetaData.extraDeviceInformation
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17] Failed to find workplace join private key with status -25300
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Returning RSA private device key from legacy registration..
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] wpjMetaDataDeviceInfo: Completing filling device info for tenant Id: Masked(not-null) Masked(not-null)
TID=488848 MSAL 1.6.1 iOS 18.1 [2024-11-15 12:11:17 - 27F7D0F8-89AC-4F12-9218-C9FCB88EC0CE] [MSAL] Retrieved metadata device info Masked(not-null)
```

I'm testing with the latest Authenticator app from TestFlight and using Xcode Debug Run on an iPhone device.

What am I missing or doing wrong here?

Veena11 (Contributor) commented Nov 21, 2024

@petarov, is the device registered?

Please check if your device is registered via Authenticator

You can see it via Authenticator app -> Settings -> Device Registration

Veena11 (Contributor) commented Nov 21, 2024

I see you already mentioned you have com.microsoft.adalcache in the keychain entitlement. When you acquireToken with the deviceId claim, does it return the deviceId?

Veena11 (Contributor) commented Nov 21, 2024

Both key and value in the extraDeviceInformation dictionary are of type NSString.

Veena11 self-assigned this Nov 21, 2024

petarov (Author) commented Nov 22, 2024

Hi and thanks for coming back to me @Veena11

Yes, the device is registered in Authenticator and it also gets shown on Microsoft Entra under Devices - All devices.

> When you acquireToken with the deviceId claim, does it return the deviceId?

Yes, the claim "deviceid":"58f0e261-xxxx-xxxx-xxxx-xxxxxxxxxxxx", can be seen in the access token json result.

If I send device claims for the id token, i.e. MSALClaimsRequestTargetIdToken, then both the access token and ID_token contain the deviceid claim. However, in all cases the extraDeviceInformation remains empty; I've stepped into it with the debugger to double check.

I can probably just use the claim by accessing result.account.accountClaims?["deviceid"] with the acquireToken call, but I thought using extraDeviceInformation is the right way. Any ideas?
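An added example, not code from this issue or from the MSAL project, that puts the two approaches discussed in the thread side by side: reading the device id from extraDeviceInformation (with keys and values handled as String, since both are NSString as Veena11 notes), and falling back to the deviceid claim that acquireToken returned when the request carried the essential deviceid claim. It also decodes the keychain status codes visible in the logs with the Security framework's SecCopyErrorMessageString: -34018 is errSecMissingEntitlement and -25300 is errSecItemNotFound, which is why those two lines are worth distinguishing in a log review. The dictionary key name passed to deviceId(from:key:) is an assumption; the issue does not show which keys extraDeviceInformation uses.

```swift
import Foundation
import Security
import MSAL

// Added example (not from the issue or the MSAL project). Assumes an initialised
// MSALPublicClientApplication `app` and an MSALResult `result` from an earlier
// acquireToken call that requested the deviceid claim. The key name "deviceId"
// is hypothetical: the issue does not show which keys extraDeviceInformation uses.

/// Reads the registered device id from extraDeviceInformation.
/// Keys and values are NSString, so the dictionary is handled as [String: String].
func deviceId(from extra: [String: String], key: String = "deviceId") -> String? {
    // Case-insensitive lookup, so "deviceid" versus "deviceId" cannot hide the value.
    return extra.first { $0.key.caseInsensitiveCompare(key) == .orderedSame }?.value
}

/// Fallback discussed in the thread: the deviceid claim carried by the token result.
func deviceIdClaim(from result: MSALResult) -> String? {
    return result.account.accountClaims?["deviceid"] as? String
}

/// Renders a keychain OSStatus as a readable message, e.g. the -34018 and -25300
/// values in the issue's logs, so a log line can be interpreted without a lookup.
func keychainStatusDescription(_ status: OSStatus) -> String {
    if let message = SecCopyErrorMessageString(status, nil) as String? {
        return "\(status): \(message)"
    }
    return "\(status): unknown status"
}

/// Queries device information, preferring extraDeviceInformation and falling back
/// to the token claim when the dictionary comes back empty (the behaviour the issue reports).
func fetchDeviceId(app: MSALPublicClientApplication,
                   tokenResult: MSALResult?,
                   completion: @escaping (String?, Error?) -> Void) {
    app.getDeviceInformation(with: nil) { info, error in
        guard let info = info else {
            completion(nil, error)
            return
        }

        // Bridge the NSString-keyed dictionary to [String: String] in one step.
        let extra = (info.extraDeviceInformation as NSDictionary) as? [String: String] ?? [:]

        if let id = deviceId(from: extra) {
            completion(id, nil)
            return
        }

        // Empty dictionary with no error is exactly what the issue describes;
        // fall back to the claim rather than silently returning nil.
        if let result = tokenResult, let claim = deviceIdClaim(from: result) {
            completion(claim, nil)
            return
        }

        completion(nil, error)
    }
}

// Usage (inside an app that already holds `app` and `result`):
// fetchDeviceId(app: app, tokenResult: result) { id, error in
//     print("device id: \(id ?? "none"), error: \(String(describing: error))")
// }
// print(keychainStatusDescription(-34018))  // errSecMissingEntitlement
// print(keychainStatusDescription(-25300))  // errSecItemNotFound
```

The fallback keeps the app working while the keychain question is sorted out, but the two status codes in the logs point in different directions: -25300 simply means the item was not found in the queried keychain group, whereas -34018 means the calling process lacks an entitlement for the group it tried to read, so both values should be checked against the app's keychain-access-groups configuration before treating the empty dictionary as a library problem.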
