I am currently working on implementing the Broker authentication for our Android App. In order to support Conditional Access with Intune, having a broker authentication is a requirement.

I am following the Microsoft Intune App SDK for Android developer guide.

My question is about retrieving the special redirectUri for the broker usage.

According to the documentation in order to retrieve the redirectUri for our broker I can use one of the following options:

  1. One of the scripts: brokerRedirectPrint.ps1 on Windows or brokerRedirectPrint.sh on Linux (supplied as part of the samples git project)

  2. Use the following API method: `AuthenticationContext.getRedirectUriForBroker()`. After retrieving this redirectUri I should list it in one of our Approved Reply URIs in our Azure Application.

Since using the script from #1 requires having the Android_Key_Store, the password and other variables which I don’t have (as we are not the ones signing the application) I am using method #2.

I was wondering how getRedirectUriForBroker works. Is it deriving this redirect URI from the APK signature at run time?

I have called this API from a local debug build and also from an official signed APK build and received two different redirectUris. Is this expected, and should I register both of them in the Azure approved Reply URIs?

Marc LaFleur
ZiviMagic

1 Answer
ADAL is going away and MSAL is the new recommended library to use. AzureAD/microsoft-authentication-library-for-android Wiki

If you've opted into Google Play managed signing you will need to download the certificate they offer in the Play Console for your app to extract the signature hash. How to configure Signature Hash with Google Play Signing · Issue #1550 · AzureAD/microsoft-authentication-library-for-android

The reason you receive two different values is the redirectURI will include the bundle ID of the application and the signature hash of the signing key for that bundle ID. The local/debug build is signed using a debug.keystore that was created by Android Studio specific to your machine (so another developer on your team might get a different redirectURI "signatureHash" portion), while the official signed APK build should be a consistent hash based on the upload/signing keystore from the Play Console.

This answer shows how to get the signatureHash itself in a debug build if you want to confirm that it differs between machines/developers.

https://stackoverflow.com/a/51206438

dragon788
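The answer above explains that the broker redirect URI is composed of the app's package name plus a hash of the signing certificate, which is why a debug keystore and the release keystore yield different values. The following added example (not code from the question, the answer, or the ADAL/MSAL projects) reproduces that derivation offline: SHA-1 over the DER-encoded signing certificate, base64, then URL-encoding, assembled as `msauth://<package>/<encoded hash>`, the same pipeline the `brokerRedirectPrint.sh` script runs with `keytool` and `openssl`. On Android, `Signature.toByteArray()` from `PackageManager` returns the same DER bytes, so `getRedirectUriForBroker()` can compute this at run time. The certificate bytes here are constructed stand-ins, not real certificates; `com.example.app` is a placeholder package name.

```python
import base64
import hashlib
from urllib.parse import quote, unquote

# Constructed stand-ins for DER-encoded signing certificates. Real
# certificates are hundreds of bytes; b"abc" is used only because its
# SHA-1 is a well-known test vector, and the second value merely differs.
DEBUG_CERT_DER = b"abc"
RELEASE_CERT_DER = b"constructed release certificate bytes"


def signature_hash(cert_der: bytes) -> str:
    """Base64 of SHA-1 over the DER certificate.

    Equivalent to: keytool -exportcert ... | openssl sha1 -binary | openssl base64
    (the pipeline used by brokerRedirectPrint.sh).
    """
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def broker_redirect_uri(package_name: str, cert_der: bytes) -> str:
    """Assemble msauth://<package>/<URL-encoded base64 SHA-1>.

    safe='' forces '+', '/' and '=' from the base64 alphabet to be percent-encoded,
    which is what the registered Reply URI in Azure must contain.
    """
    return f"msauth://{package_name}/{quote(signature_hash(cert_der), safe='')}"


def parse_broker_redirect_uri(uri: str) -> tuple[str, bytes]:
    """Inverse operation: recover (package_name, raw 20-byte SHA-1) from a URI.

    Useful for checking that a value pasted into the Azure Reply URI list is
    well-formed before an end-to-end sign-in test. Raises ValueError otherwise.
    """
    prefix = "msauth://"
    if not uri.startswith(prefix):
        raise ValueError("scheme must be msauth://")
    package_name, _, encoded = uri[len(prefix):].partition("/")
    if not package_name or not encoded:
        raise ValueError("expected msauth://<package>/<hash>")
    digest = base64.b64decode(unquote(encoded), validate=True)
    if len(digest) != hashlib.sha1().digest_size:
        raise ValueError("hash portion is not a SHA-1 digest")
    return package_name, digest


def redirect_uris_for_builds(package_name: str) -> dict[str, str]:
    """One URI per signing identity; both would need to be registered if both
    build flavours must sign in through the broker."""
    return {
        "debug": broker_redirect_uri(package_name, DEBUG_CERT_DER),
        "release": broker_redirect_uri(package_name, RELEASE_CERT_DER),
    }


if __name__ == "__main__":
    for flavour, uri in redirect_uris_for_builds("com.example.app").items():
        pkg, digest = parse_broker_redirect_uri(uri)
        print(f"{flavour:8} {uri}  (package={pkg}, sha1={digest.hex()})")
```

Running the module prints one URI per signing identity; the differing hash portion is exactly the difference the question observed between the debug build and the Play-signed build, and the release value only matches the Play Console certificate if the DER bytes hashed are the ones Play actually signs with.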