Mobile SSO for an Android app that interacts with various service providers

Alex Linder 20 Reputation points
2024-05-08T06:38:48.1033333+00:00

Hey,

I am working on an Android application for employees that leverages several private services as service providers.

I am keen to provide a single-sign-on user experience, expecting the user to log in only once (interactive) and interact with all of the services without being prompted to sign in again (silent).

The mobile app interacts on behalf of the user with 3 service providers:

  1. MS Graph API - sharepoint (upload and download files)
  2. SAP - REST API
  3. Web Portal - the integration is based on a WEBVIEW (web components) that would be opened inside a child browser in the app.

All the service providers were configured to use MS Entra ID as their identity provider.
Three Entra ID OAuth apps were configured (Mobile App (oauth app 1), SAP (oauth app 2), Web Portal (oauth app2)).

Gaps:

  1. session/token - not being silently acquired by MSAL when interacting with the Web Portal - nothing is being passed to the portal. Tried to use WEBVIEW and BROWSER for authorization_user_agent. The mobile device was configured with brokered authentication using the MS Authenticator app.
  2. oauth audience exception - when interacting with the SAP API (oauth app 2) - the exception "audience rejected" is thrown - I assume it's because the access token has the mobile app client id set in the access token aud passed to the SAP authorization endpoint.

Questions:

  1. Is there a reference architecture + code samples available for a similar scenario? Not specifically with SAP - nevertheless one that contains interaction of an app with various different service providers, API and Web.
  2. What configuration is required on the Entra ID per app (oauth apps per app - scopes, audience, authorized party)?
  3. Is there a way with Entra ID to have more than one client_id in the audience field of the access token (JWT)? The user is authenticated for the mobile app (oauth app1).
  4. Can the AcquireTokenInteractive.WithExtraScopeToConsent be used for different resource URLs? Thank you.

Answer accepted by question author

  1. Shweta Mathur 30,456 Reputation points Microsoft Employee Moderator
    2024-05-10T06:41:54.18+00:00

    Hi @Alex Linder ,

    Thanks for reaching out.

    Please find the answer inline below:

    1. Is there a reference architecture + code samples available for a similar scenario? Not specifically with SAP - nevertheless one that contains interaction of an app with various different service providers, API and Web.
       Sample - https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-android
    2. What configuration is required on the Entra ID per app (oauth apps per app - scopes, audience, authorized party)?
       The configuration required on the Entra ID per app will depend on the specific requirements of each app. You'll need to configure the scopes, audience, and other configuration for each app based on what it needs to access.
    3. Is there a way with Entra ID to have more than one client_id in the audience field of the access token (JWT)? The user is authenticated for the mobile app (oauth app1).
       It's not possible to have more than one client_id in the audience field of the access token (JWT) with Entra ID. The audience field is used to specify the intended recipient of the token, and it should only contain the client ID of the app that is intended to receive the token.
    4. Can the AcquireTokenInteractive.WithExtraScopeToConsent be used for different resource URLs?
       The AcquireTokenInteractive.WithExtraScopeToConsent method can be used to request additional scopes for a specific resource URL. The user will need to consent to each additional scope that you request. Reference - https://learn.microsoft.com/en-us/entra/msal/dotnet/acquiring-tokens/desktop-mobile/acquiring-tokens-interactively#withextrascopestoconsent

    Hope this will help.

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

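Point 3 above is the reason behind the "audience rejected" error in the question: an Entra ID access token names a single resource in `aud`, so the token minted for the mobile app itself cannot be presented to the SAP API. The following is an added example (not the asker's code and not the Microsoft sample linked above) showing the usual MSAL for Android pattern: request a separate token per resource with that resource's own scope set, silently first and interactively only when MSAL reports that UI is required. It assumes an already initialized `ISingleAccountPublicClientApplication`, a signed-in `IAccount`, and the placeholder `<SAP_APP_CLIENT_ID>` for the SAP app registration's application ID URI.

```java
import android.app.Activity;
import com.microsoft.identity.client.AcquireTokenParameters;
import com.microsoft.identity.client.AcquireTokenSilentParameters;
import com.microsoft.identity.client.AuthenticationCallback;
import com.microsoft.identity.client.IAccount;
import com.microsoft.identity.client.IAuthenticationResult;
import com.microsoft.identity.client.ISingleAccountPublicClientApplication;
import com.microsoft.identity.client.SilentAuthenticationCallback;
import com.microsoft.identity.client.exception.MsalException;
import com.microsoft.identity.client.exception.MsalUiRequiredException;
import java.util.Arrays;
import java.util.List;

public final class PerResourceTokens {
    // One scope set per resource. Each acquire call yields a token whose `aud`
    // is that resource alone, which is what the resource server validates.
    // <SAP_APP_CLIENT_ID> is a placeholder, not a value from this thread.
    static final List<String> GRAPH_SCOPES =
            Arrays.asList("https://graph.microsoft.com/Files.ReadWrite.All");
    static final List<String> SAP_SCOPES =
            Arrays.asList("api://<SAP_APP_CLIENT_ID>/.default");

    private final ISingleAccountPublicClientApplication app;
    private final Activity activity;

    PerResourceTokens(ISingleAccountPublicClientApplication app, Activity activity) {
        this.app = app;
        this.activity = activity;
    }

    /** Silent first; prompt only when MSAL says the cache cannot satisfy the request. */
    void tokenFor(IAccount account, List<String> scopes, AuthenticationCallback onDone) {
        AcquireTokenSilentParameters silent = new AcquireTokenSilentParameters.Builder()
                .forAccount(account)
                .fromAuthority(account.getAuthority())
                .withScopes(scopes)
                .withCallback(new SilentAuthenticationCallback() {
                    @Override public void onSuccess(IAuthenticationResult r) { onDone.onSuccess(r); }
                    @Override public void onError(MsalException e) {
                        if (!(e instanceof MsalUiRequiredException)) { onDone.onError(e); return; }
                        // No consent or refresh token for this resource yet: one interactive
                        // prompt for these scopes; later calls for the same resource stay silent.
                        app.acquireToken(new AcquireTokenParameters.Builder()
                                .startAuthorizationFromActivity(activity)
                                .withScopes(scopes)
                                .withCallback(onDone)
                                .build());
                    }
                }).build();
        app.acquireTokenSilentAsync(silent);
    }
}
```

Call `tokenFor(account, GRAPH_SCOPES, ...)` before a Graph request and `tokenFor(account, SAP_SCOPES, ...)` before an SAP request, and send each token only to the resource it was issued for; the `.default` scope on the SAP app registration requires that registration to expose at least one scope or app role.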

1 additional answer

  1. Alex Linder 20 Reputation points
    2024-05-13T09:29:33.68+00:00

    Thanks for replying @Shweta Mathur

    Is there a code reference for the MSAL Android SDK that showcases silent authentication with a web site via webview or device browser that you may share?
