Tags: ios, swift, swiftui, azure-ad-msal, msal

MSAL on resigned Swift/iOS app is failing: "Failed to serialize SSO request dictionary for interactive token request, MSALInternalErrorCodeKey=-42008"


I'm getting this auth error when trying to authenticate in a resigned app:

I have a Swift app with bundle identifier A.A.A.A, that uses MSAL. It works flawlessly when running the app on my device locally via cable and after archiving in Xcode Cloud.

If I then try to resign the .ipa with an Enterprise certificate and a new bundle ID A.A.A.B (using the fastlane sigh command), then the auth webview doesn't open when executing applicationContext.acquireToken(...).

// Defined elsewhere in the app: webViewParamaters (MSALWebviewParameters, built from the
// root view controller), tryGetMSALContext() (throws; returns the MSALPublicClientApplication
// built from the client ID / redirect URI config), kScopes, LogService and setAccountDetails(_:).
func getTokenInteractivly() {
    guard let webViewParamaters = webViewParamaters else {
        print("Rootview missing")
        LogService.shared.log(logString: "Rootview missing in getTokenInteractivly()")
        return
    }

    do {
        let applicationContext = try tryGetMSALContext()

        // Interactive flow: MSAL presents its auth webview using the supplied webview parameters.
        let interactiveParameters = MSALInteractiveTokenParameters(scopes: kScopes, webviewParameters: webViewParamaters)
        applicationContext.acquireToken(with: interactiveParameters, completionBlock: { (result, error) in
            guard let authResult = result, error == nil else {
                LogService.shared.log(logString: "Error while acquireToken: \(String(describing: error))")
                // This is where it fails <----------- (error -42008 from the resigned build)
                return
            }

            LogService.shared.log(logString: "Logged in as \(authResult.account.username ?? "noone")")
            self.setAccountDetails(authResult.account)
        })

    } catch {
        // tryGetMSALContext() threw: the MSAL application context could not be created.
        LogService.shared.log(logString: "Unexpected error during getTokenInteractivly():  \(error)")
    }
}

I have made sure that both URL schemes are registered in the app's Info.plist, both bundle IDs are registered in the portal and that the generated redirectUrl is adapting (correctly, as per the new bundle ID A.A.A.B).

Are there other things that are tied to the bundle ID in relation to MSAL authentication?

Please notice that this only fails on the resigned .ipa. I'm using the fastlane sigh command to resign to another certificate, dev account and bundle ID. The reason for this is that Xcode Cloud is only available to private dev accounts and I want to use it on an app that is to be distributed with an enterprise account. This is not up for debate.


Solution

So the result here is a bit fishy, but I finally found the problem and a solution.

When adding MSAL auth as per M$'s documentation we are required to add a shared keychain, so the behind-the-scenes MSAL app can communicate with our app's keychain. It's done like this: https://github.com/AzureAD/microsoft-authentication-library-for-objc#adding-msal-to-your-project

It turns out that these entitlements are secretly prefixed with the dev team identifier: https://developer.apple.com/documentation/xcode/configuring-keychain-sharing

By checking the entitlements after the Xcode Cloud build, before resigning and again after resigning, I found out that the resigning replaces the entitlements with generic Apple ones. And that is the reason the login webview doesn't show: MSAL discovers that it doesn't have access to the app's keychain and thinks: "That's no good!".

I experimented with replacing the entitlements after the resigning, but that's difficult since they are baked into the app binary. Instead I added this parameter to the fastlane sigh command, instructing fastlane to preserve the existing entitlements while resigning: https://docs.fastlane.tools/actions/resign/

This made sure that the entitlements allowing MSAL to share its keychain with the app are preserved during resign. The webview is now showing as expected.
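The fix above rests on the keychain-access-groups entitlement surviving the resign, and the diagnosis came from comparing entitlements before and after. As an added example (not code from the question, the answer, MSAL or fastlane), here is a shell script that reads that entitlement out of an entitlements plist and checks that MSAL's shared group is present under the same team prefix that Xcode silently adds to the app's own application-identifier. It runs the check over two constructed plists, one mimicking the Xcode Cloud build and one mimicking a resign that replaced the entitlements with generic ones. The team prefix ABCDE12345 and bundle ID A.A.A.B in the sample data are placeholders; the group name com.microsoft.adalcache is the one the MSAL README linked above asks you to add; dump_ipa_entitlements assumes macOS with unzip and codesign available and is not exercised by the demo.

```shell
#!/bin/sh
# Added example, not code from the question, the answer, MSAL or fastlane.
# Checks an entitlements plist for the keychain-sharing group MSAL needs, so a
# built .ipa and a resigned .ipa can be compared before shipping.
# Assumptions (constructed placeholders, not from the page): team prefix
# ABCDE12345, bundle id A.A.A.B. The shared group name com.microsoft.adalcache
# is the one the MSAL README linked in the answer tells you to add.

MSAL_GROUP="com.microsoft.adalcache"

# Print the <string> value that follows <key>$1</key> in plist XML on stdin.
plist_string_value() {
  awk -v key="$1" '
    BEGIN { re = "<key>" key "</key>" }
    $0 ~ re { want = 1; next }
    want    { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
  '
}

# Print, one per line, the <string> items of the <array> following <key>$1</key>.
plist_array_values() {
  awk -v key="$1" '
    BEGIN { re = "<key>" key "</key>" }
    $0 ~ re              { want = 1; next }
    /<key>/              { want = 0 }
    want && /<array>/    { inarr = 1; next }
    inarr && /<\/array>/ { exit }
    inarr && /<string>/  { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print }
  '
}

# Return 0 when keychain-access-groups contains MSAL's group under the same
# team prefix as application-identifier (the prefix Xcode adds silently);
# otherwise print the reason and return 1.
check_msal_keychain_entitlement() {
  ent="$1"
  app_id=$(plist_string_value application-identifier < "$ent")
  team=${app_id%%.*}
  [ -n "$team" ] || { echo "$ent: no application-identifier entitlement"; return 1; }
  groups=$(plist_array_values keychain-access-groups < "$ent")
  [ -n "$groups" ] || { echo "$ent: no keychain-access-groups entitlement"; return 1; }
  if ! printf '%s\n' "$groups" | grep -qxF "$team.$MSAL_GROUP"; then
    echo "$ent: keychain-access-groups lacks $team.$MSAL_GROUP (has: $(printf '%s' "$groups" | tr '\n' ' '))"
    return 1
  fi
  return 0
}

# macOS only (needs unzip and codesign); not exercised by the demo below.
# Dumps the entitlements embedded in the app inside the .ipa $1 to file $2.
dump_ipa_entitlements() {
  tmp=$(mktemp -d)
  unzip -q "$1" -d "$tmp"
  app=$(find "$tmp/Payload" -maxdepth 1 -name '*.app' | head -n 1)
  codesign -d --entitlements :- "$app" > "$2"
  rm -rf "$tmp"
}

# Constructed sample data: built.plist mimics the Xcode Cloud build, which
# carries the team-prefixed MSAL group; resigned.plist mimics a resign that
# replaced the entitlements with generic ones and lost that group.
write_sample_entitlements() {
  cat > "$1/built.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.A.A.A.B</string>
    <key>com.apple.developer.team-identifier</key>
    <string>ABCDE12345</string>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDE12345.A.A.A.B</string>
        <string>ABCDE12345.com.microsoft.adalcache</string>
    </array>
</dict>
</plist>
EOF
  cat > "$1/resigned.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>ABCDE12345.A.A.A.B</string>
    <key>com.apple.developer.team-identifier</key>
    <string>ABCDE12345</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>ABCDE12345.A.A.A.B</string>
    </array>
</dict>
</plist>
EOF
}

demo() {
  dir=$(mktemp -d)
  write_sample_entitlements "$dir"
  for f in built resigned; do
    check_msal_keychain_entitlement "$dir/$f.plist" && echo "$f.plist: MSAL keychain group present"
  done
  rm -rf "$dir"
}
demo
```

On macOS, run dump_ipa_entitlements against the Xcode Cloud .ipa and again against the resigned .ipa, then run check_msal_keychain_entitlement on each dump: a resign that dropped the team-prefixed MSAL group fails the check on the build machine, before the app reaches a device and MSAL refuses to show the webview.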