We have a Xamarin.Forms application and are trying to use MSAL authentication, but we face an issue with the iOS project. It works in an emulator, but when built by the Azure pipeline and installed on a real iPhone, an exception happens:
MSAL.Xamarin.iOS.4.14.0.MsalClient Exception: ErrorCode: missing_entitlements Microsoft.Identity.Client.MsalClientException: The application does not have keychain access groups enabled in the Entitlements.plist. As a result, there was a failure to save to the iOS keychain. The keychain access group "OURID.com.microsoft.adalcache' is not enabled in the Entitlements.plist...
OURID is of course a replacement for the real value.
Here is what we have in the entitlements.plist:
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
    </array>
In the B2CAuthenticationService constructor:
    var builder = PublicClientApplicationBuilder.Create(B2CConstants.ClientID)
        .WithB2CAuthority(B2CConstants.AuthoritySignInSignUp)
        .WithIosKeychainSecurityGroup(B2CConstants.IOSKeyChainGroup)
        .WithRedirectUri($"msal{B2CConstants.ClientID}://auth");
What can I be missing that causes the exception?
ADDED: If I add a variable replacement task to the pipeline, even then those can only replace values in XML and JSON config files, not plist files.
I fixed the issue by editing the project in a text editor and specifying Entitlements.plist in
    <CodesignEntitlements>Entitlements.plist</CodesignEntitlements>
within the property group
    <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|iPhone' ">
When I did it previously through the project GUI, it affected only the property group
    <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|iPhoneSimulator' ">
That is why it worked for me in the emulator, but not on the real device.
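A pre-build check for the misconfiguration described in the answer, as an added example that is not part of the original post: it lists every device (`iPhone`) configuration in a `.csproj` that has no `CodesignEntitlements`, so a pipeline can fail before an unentitled build reaches a phone. The sample project, the function names and the simplified handling of unconditional property groups are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample .csproj (not from the post): entitlements are set only for
# the simulator build, the situation the answer describes.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|iPhoneSimulator' ">
    <CodesignEntitlements>Entitlements.plist</CodesignEntitlements>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|iPhone' ">
    <CodesignKey>iPhone Developer</CodesignKey>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|iPhone' ">
    <CodesignEntitlements>Entitlements.plist</CodesignEntitlements>
  </PropertyGroup>
</Project>"""

# Matches the "== 'Configuration|Platform'" part of a PropertyGroup condition.
CONDITION_RE = re.compile(r"==\s*'([^'|]+)\|([^'|]+)'")

def _local(tag):
    """Strip the MSBuild XML namespace so namespaced and plain projects both parse."""
    return tag.rsplit("}", 1)[-1]

def entitlements_by_config(csproj_xml):
    """Return {'Configuration|Platform': CodesignEntitlements value or None}."""
    default, per_config = None, {}
    for group in ET.fromstring(csproj_xml).iter():
        if _local(group.tag) != "PropertyGroup":
            continue
        value = next((c.text.strip() for c in group
                      if _local(c.tag) == "CodesignEntitlements" and (c.text or "").strip()), None)
        condition = group.get("Condition")
        match = CONDITION_RE.search(condition or "")
        if condition is None:
            default = value or default  # simplification: unconditional value is the fallback
        elif match:
            key = "|".join(match.groups())
            per_config[key] = value or per_config.get(key)
    return {k: v or default for k, v in per_config.items()}

def device_configs_missing_entitlements(csproj_xml):
    """List iPhone (device) configurations that would be signed without entitlements."""
    found = entitlements_by_config(csproj_xml)
    return sorted(k for k, v in found.items() if k.endswith("|iPhone") and not v)

if __name__ == "__main__":
    for config in device_configs_missing_entitlements(SAMPLE_CSPROJ):
        print(f"{config}: no CodesignEntitlements set")
```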