Tags: xamarin, xamarin.forms, xamarin.ios, azure-ad-msal, azure-authentication

MsalServiceException when using AcquireTokenInteractive. AADSTS80014: Validation request responded after maximum elapsed time exceeded


I have a Xamarin Forms iOS app that uses MSAL (Microsoft.Identity.Client) to acquire access tokens.

using Microsoft.Identity.Client;

var app = PublicClientApplicationBuilder.Create(AppSettings.ClientId)
          .WithTenantId(AppSettings.TenantId)
          .WithIosKeychainSecurityGroup("com.microsoft.adalcache")
          .WithRedirectUri($"msal{AppSettings.ClientId}://auth")
          .Build();

// Uses the local `app` built above (the original referred to this.app)
var authResult = await app.AcquireTokenInteractive(scopes)
                  .WithParentActivityOrWindow(App.CurrentActivityOrWindow)
                  .ExecuteAsync();

This code works fine on Android, but on iOS, after I enter my username and password, an MsalUiRequiredException is thrown. I have two-factor authentication enabled on my Microsoft Work or School account, and the exception seems to be thrown before the second part of the login.

AADSTS80014: Validation request responded after maximum elapsed time exceeded.

The exception details seem to indicate that a timeout has occurred, so I tried using a custom HttpClientFactory with an increased timeout, but the exception is still thrown at the same spot.

The OpenUrl override in my AppDelegate does not get called.

public override bool OpenUrl(UIApplication app, NSUrl url, NSDictionary options)
{
    // Never get here
    AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs(url);
    return base.OpenUrl(app, url, options);
}

I have configured the callback scheme in my Info.plist

<key>CFBundleURLTypes</key>
<array>
    <dict>
        <key>CFBundleURLName</key>
        <string>{bundle Id}</string>
        <key>CFBundleURLSchemes</key>
        <array>
            <string>msal{clientId}</string>
        </array>
        <key>CFBundleTypeRole</key>
        <string>Editor</string>
    </dict>
</array>

And enabled keychain access in Entitlements.plist

<dict>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
    </array>
</dict>

I am pretty sure the Azure side of things is configured correctly because it is working on Android. Is there something else on iOS that I need to do?
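The question wires three values together: the redirect URI passed to WithRedirectUri, the CFBundleURLSchemes entry in Info.plist, and the keychain-access-groups entry in Entitlements.plist. If any of them disagree, OpenUrl is never invoked. The script below is an added diagnostic (not from the question or MSAL) that parses constructed copies of both plists and reports mismatches; the client ID and bundle name are made-up sample values.

```python
import plistlib

# Constructed sample values (not from the question); real apps read these from AppSettings.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
KEYCHAIN_GROUP = "com.microsoft.adalcache"

# Constructed Info.plist fragment mirroring the layout shown in the question.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLName</key><string>com.example.sampleapp</string>
    <key>CFBundleURLSchemes</key><array><string>msal%s</string></array>
    <key>CFBundleTypeRole</key><string>Editor</string>
  </dict></array>
</dict></plist>""" % CLIENT_ID.encode()

# Constructed Entitlements.plist fragment mirroring the question.
ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>keychain-access-groups</key>
  <array><string>$(AppIdentifierPrefix)com.microsoft.adalcache</string></array>
</dict></plist>"""


def expected_redirect_uri(client_id):
    """Redirect URI MSAL uses on iOS, in the msal{clientId}://auth form from the question."""
    return "msal%s://auth" % client_id


def check_ios_msal_config(info_plist, entitlements, client_id, keychain_group):
    """Return a list of mismatches between the code's settings and the two plists (empty = consistent)."""
    problems = []
    scheme = expected_redirect_uri(client_id).split("://", 1)[0]
    info = plistlib.loads(info_plist)
    # Collect every URL scheme registered under any CFBundleURLTypes entry.
    schemes = {s for t in info.get("CFBundleURLTypes", []) for s in t.get("CFBundleURLSchemes", [])}
    if scheme not in schemes:
        problems.append("Info.plist: scheme '%s' not in CFBundleURLSchemes %s; OpenUrl will never fire"
                        % (scheme, sorted(schemes)))
    groups = plistlib.loads(entitlements).get("keychain-access-groups", [])
    # The group must carry the team prefix and end with the group named in WithIosKeychainSecurityGroup.
    if not any(g.startswith("$(AppIdentifierPrefix)") and g.endswith(keychain_group) for g in groups):
        problems.append("Entitlements.plist: no '$(AppIdentifierPrefix)%s' in keychain-access-groups %s"
                        % (keychain_group, groups))
    return problems


if __name__ == "__main__":
    print(check_ios_msal_config(INFO_PLIST, ENTITLEMENTS, CLIENT_ID, KEYCHAIN_GROUP) or "config consistent")
```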


Solution

  • This answer isn't likely to apply to anyone else, but the issue was caused by our AD Sync server being offline.

    Existing access tokens were working, but I could not obtain any new ones.