Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
6,150 questions
Keycloak configured with Azure as IDP and MSAL on Android
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 8%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGE%3C/text%3E%3C/svg%3E)
Geir Eilertsen
0
Reputation points
I'm currently developing an Android application and I'm trying to introduce MSAL with my current Keycloak / Azure authentication flow. However, my backend is set up to validate by Keycloak tokens and I need to maintain this setup.
Here's the flow I'm trying to achieve:
- Authenticate users with Keycloak + Azure AD using MSAL.
- After successful Azure AD authentication, redirect to Keycloak.
- Keycloak redirect to APP.
I'm looking for guidance on how to implement this flow. Specifically, I'm not sure how to configure Keycloak as IDP from MSAL / Authenticator. If this is not possible, are there any workarounds or alternative approaches to achieve this? I'm currently developing an Android application and I'm trying to introduce MSAL with my current Keycloak / Azure authentication flow. However, my backend is set up to validate by Keycloak tokens and I need to maintain this setup.
Here's the flow I'm trying to achieve:
- Authenticate users with Keycloak + Azure AD using MSAL.
- After successful Azure AD authentication, redirect to Keycloak.
- Keycloak redirect to APP.
I'm looking for guidance on how to implement this flow. Specifically, I'm not sure how to configure Keycloak as IDP from MSAL / Authenticator.
If this is not possible, are there any workarounds or alternative approaches to achieve this?
Sequence diagram of current flow:
Sequence diagram of wanted flow:
I have tried to configure MSAL to use Keycloak but couldn't find any way to do that. I have also looked into B2C which should support other authentication mechanisms but it seemed to be impossible in MSAL for Android, was present in MSAL js. The authentication flow with keycloak and Azure configured as an identity provider is working perfect, but just need to add MSAL into the picture to achieve SSO. As keycloak will redirect to Azure at login we should be able to reuse the same Azure session if it already has been established by another APP/Browser on the Android phone. Any help would be greatly appreciated.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Shweta Mathur 29,756 Reputation points Microsoft Employee2024-02-15T08:07:06.3566667+00:00 Hi @Geir Eilertsen ,
Thanks for reaching out.
You can refer https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/6869 to configure MSAL with Keycloak.
-
Geir Eilertsen 0 Reputation points
2024-02-16T10:12:58.3866667+00:00 Thanks for the reply @Shweta Mathur =)
I have successfully implemented login functionality in our app using the AppAuth library, which leverages OAuth 2.0 and OpenID Connect to work with Azure AD and Keycloak. This solution is functioning well. However, we have a new client whose employees use phones with the Microsoft Authenticator App installed. These devices have Shared Device Mode activated, enabling Single Sign-On (SSO) and device-wide sign out for Microsoft Teams and other apps that support this mode. The client wants our app to support the same functionality.
My understanding is that while AppAuth is a versatile library, it doesn't inherently support Microsoft-specific features like Shared Device Mode. To utilize Shared Device Mode, it seems that the use of MSAL (Microsoft Authentication Library) is necessary. More specifically, I believe we need to use the 'MSAL for Android' library for our application. The link provided earlier pertains to an issue with the 'MSAL for JS' library, which is not directly applicable to our Android app scenario.
Please correct me if any part of this understanding is incorrect or incomplete.
-
Shweta Mathur 29,756 Reputation points Microsoft Employee
2024-02-19T08:16:32.3166667+00:00
Sign in to comment