Sign in Azure AD using AppAuth

I’ve opened a topic before for using the expo-app-auth package with Microsoft Azure Login but did not get any solution. Link to the previous topic: Sign in Azure AD using AppAuth package

But now I was able to get the package to work with Microsoft Provider (hotmail, outlook, live …)

The problem was that the Microsoft APIs were not updated to version 2. And here’s the code for the access token response:

const tokenResponse = await AppAuth.authAsync({
  issuer: "https://login.microsoftonline.com/common/v2.0",
  clientId: YOUR_CLIENT_ID,
  redirectUrl: AppAuth.OAuthRedirect + "://oauthredirect",
  scopes: [
    "openid",
    "profile",
    "offline_access",
    "user.read",
    "mail.read"
  ]
});

This redirect URI is for the Expo client app (it should also be added to the Azure app's Redirect URIs), but for standalone apps it is either the android.package (for Android) or ios.bundleIdentifier (for iOS) value from your app.json. Check the package documentation. The scopes also depend on the access your application requires.

Hope this post helps! 🙂

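Before the identity in the `tokenResponse` above is trusted, the `id_token` it carries should at least have its claims checked. The following is an added example, not code from the post or from expo-app-auth: it decodes the JWT payload and checks `iss`, `tid`, `aud`, `exp` and `nbf` using the Microsoft identity platform v2.0 claim names. Because a v2.0 ID token always names its tenant-specific issuer (`https://login.microsoftonline.com/<tid>/v2.0`) even when the app signed in through the `common` endpoint, the expected issuer is derived from `tid`. The client id, tenant id and sample token are constructed values, and the token's third segment is a placeholder rather than a signature: signature verification against the tenant's `jwks_uri` is deliberately not done here and must happen separately (typically on the backend that receives the token).

```javascript
// Added example (not from the thread): claim checks on the id_token that
// AppAuth.authAsync returns, using the Microsoft identity platform v2.0
// claim names. Signature verification against the tenant's jwks_uri is
// deliberately out of scope here; do that (or have your backend do it)
// before the token is trusted for anything.

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns { ok: true, claims } or { ok: false, reason }.
// tenantId 'common' accepts any tenant; pass a real tenant id to pin one.
function checkIdTokenClaims(idToken, { clientId, tenantId = 'common', nowSeconds, skewSeconds = 300 }) {
  let claims;
  try {
    claims = decodeJwtPayload(idToken);
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  if (typeof claims.tid !== 'string') return { ok: false, reason: 'missing tid' };
  // v2.0 tokens carry a tenant-specific issuer even when the app signed in
  // through the "common" endpoint, so the expected value is derived from tid.
  const expectedIss = `https://login.microsoftonline.com/${claims.tid}/v2.0`;
  if (claims.iss !== expectedIss) return { ok: false, reason: `unexpected iss ${claims.iss}` };
  if (tenantId !== 'common' && claims.tid !== tenantId) return { ok: false, reason: 'wrong tenant' };
  if (claims.aud !== clientId) return { ok: false, reason: 'aud is not this app' };
  if (typeof claims.exp !== 'number' || nowSeconds > claims.exp + skewSeconds) return { ok: false, reason: 'expired' };
  if (typeof claims.nbf === 'number' && nowSeconds + skewSeconds < claims.nbf) return { ok: false, reason: 'not yet valid' };
  return { ok: true, claims };
}

// Constructed sample values (not real identifiers).
const SAMPLE_CLIENT_ID = '00000000-0000-0000-0000-000000000001';
const SAMPLE_TENANT_ID = '11111111-1111-1111-1111-111111111111';
const SAMPLE_NOW = 1600000000;

// Builds an unsigned sample token; the third segment is a placeholder,
// not a signature, which is exactly why signature checks must be separate.
function makeSampleIdToken(overrides = {}) {
  const header = { typ: 'JWT', alg: 'RS256', kid: 'constructed' };
  const payload = {
    iss: `https://login.microsoftonline.com/${SAMPLE_TENANT_ID}/v2.0`,
    tid: SAMPLE_TENANT_ID,
    aud: SAMPLE_CLIENT_ID,
    iat: SAMPLE_NOW,
    nbf: SAMPLE_NOW,
    exp: SAMPLE_NOW + 3600,
    sub: 'constructed-subject',
    preferred_username: 'user@example.com',
    ...overrides,
  };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.sig`;
}

console.log(checkIdTokenClaims(makeSampleIdToken(), { clientId: SAMPLE_CLIENT_ID, nowSeconds: SAMPLE_NOW }));
```

In a real app, pass `tokenResponse.idToken` as the first argument and your registered client id as `clientId`; pin `tenantId` to your tenant when the app is single-tenant, since `common` otherwise accepts a token from any tenant that shares the same client id registration.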

Working Fine, what error are you facing?

Hi Onaggar, thanks for sharing it.

I'm facing the error below; do you have any idea how to solve it?

ERR_APP_AUTH: JSON error parsing document at 'https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration': Invalid URL: issuer

My config settings are:
const microsoftConfig = {
  issuer: 'https://login.microsoftonline.com/common/v2.0',
  clientId: microsoft_id,
  // Note: a native app is a public client, so a secret shipped inside it is
  // not confidential; the v2.0 mobile/desktop platform does not require one.
  clientSecret: microsoft_secret,
  redirectUrl: `${AppAuth.OAuthRedirect}://oauthredirect`,
  scopes: ['openid', 'profile', 'offline_access', 'user.read'],
};

Thanks in advance.

Did you add "host.exp.exponent://oauthredirect" to your Azure Application Redirect URIs?

Yep, also tried adding others uri too but nothing worked =/

I changed the issuer to: https://login.microsoftonline.com/${tenant_id}/v2.0/, and now the popup appears, but nothing returns after I accept the login

I don’t know if you ever resolved this, but I am posting this for anyone else that has wrestled with it.

I also wasn’t getting a response after login, so I changed the redirect URL.

What seems to work for me in development in the Expo app is:

Azure Portal redirect:
  host.exp.exponent://expo.io/@user-name/slug
App redirect:
  AppAuth.OAuthRedirect + '://expo.io/@user-name/slug'

If Microsoft doesn't allow you to use that from their interface, edit the JSON in the Manifest with the redirect URL. (Microsoft doesn't appear to allow the '@' symbol.)

"replyUrlsWithType": [
  {
    "url": "host.exp.exponent://expo.io/@user-name/slug",
    "type": "InstalledClient"
  }
]


Thank you! I had been battling this for ages, and it’s working now.

Glad to hear!

Thank you so much, cgrunke. This also worked for me.

How did you figure out the correct redirect URL?

I figured it out mostly through stubbornness and trial and error.
Not much of a methodology.
Take a look at the AuthSession documentation in the expo docs.
I had used that on another project. Familiarity with AuthSession gave me some insight.

I need to do single sign-on (SSO) with Azure for my app. Can someone share an example of auto login without entering a name and password?

I need to do single sign-on (SSO) with Azure to open my app. Can you share an example of auto login to Azure without entering a name and password?

As far as I have experienced, you will somehow need the user to input their username and password, because how can you sign in without knowing them?

There are options to do this silently or manually, but in the end the user will always need to enter their credentials... After that you can just keep refreshing the tokens in the background, but initially you will need a sign-in.

There are ways to do SSO (single sign-on), the same as Google and Facebook, without asking the user for a username and password, and just go into the app without any prompt.
I'm looking for this SDK integration... I really want someone who has done this before.

Ah yes, but then you will need AuthSession and a one-time consent from the user, as described here: Acquire a token to call a web API (desktop app) - Microsoft Entra | Microsoft Docs

We implemented the same thing, but you will always need prior consent from the user, which is handled by the popup you can trigger with AuthSession or, as the documentation states, by implementing "Requesting individual user consent":

* The user of your application must have previously consented to use the application.
* Or, you've provided a way for users to consent to the application. For more information, see Requesting individual user consent.

If you have done that, you can simply do a POST to the MS AD endpoints to request tokens in the background and renew them.
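The background renewal described in the reply above is the OAuth 2.0 refresh_token grant against the Microsoft identity platform v2.0 token endpoint. What follows is an added example, not code from the thread or from any Microsoft SDK: it builds the POST, decides when a refresh is due, and folds the response into the stored token set (the v2.0 endpoint returns a new refresh token that replaces the old one). The tenant, client id, token values and the fake endpoint are constructed; `fetch` is injected so the flow runs offline.

```javascript
// Added example (not from the thread): renew Microsoft identity platform
// v2.0 tokens in the background with the refresh_token grant, after the
// user has consented once through the interactive sign-in. Endpoint and
// parameter names are those of the v2.0 token endpoint; the fetch
// implementation is injected so the flow can be run offline.

function tokenEndpoint(tenant) {
  return `https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token`;
}

// A native app is a public client: no client_secret is sent; the refresh
// token issued to this client_id is what authorises the renewal.
function buildRefreshRequest({ tenant = 'common', clientId, refreshToken, scopes }) {
  const body = new URLSearchParams({
    client_id: clientId,
    grant_type: 'refresh_token',
    refresh_token: refreshToken,
    scope: scopes.join(' '),
  });
  return {
    url: tokenEndpoint(tenant),
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Renew a minute before expiry so a request already in flight does not 401.
function needsRefresh(tokenSet, nowMs, leewayMs = 60000) {
  return tokenSet.expiresAtMs - leewayMs <= nowMs;
}

// Turn a token response into the stored token set. The v2.0 endpoint
// returns a new refresh token; it must replace the old one.
function parseTokenResponse(json, previous, nowMs) {
  if (json.error) {
    throw new Error(`${json.error}: ${json.error_description || 'no description'}`);
  }
  if (typeof json.access_token !== 'string' || typeof json.expires_in !== 'number') {
    throw new Error('malformed token response');
  }
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token || previous.refreshToken,
    idToken: json.id_token || previous.idToken,
    scope: json.scope,
    expiresAtMs: nowMs + json.expires_in * 1000,
  };
}

// invalid_grant (e.g. an expired or revoked refresh token) means a new
// interactive sign-in is needed; do not retry it in a loop.
async function refreshIfNeeded(tokenSet, cfg, fetchImpl, nowMs = Date.now()) {
  if (!needsRefresh(tokenSet, nowMs)) return tokenSet;
  const req = buildRefreshRequest({ ...cfg, refreshToken: tokenSet.refreshToken });
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return parseTokenResponse(await res.json(), tokenSet, nowMs);
}

// Constructed offline stand-in for the token endpoint (not Microsoft's service).
function makeFakeTokenEndpoint(knownRefreshToken) {
  return async (url, init) => {
    const params = new URLSearchParams(init.body);
    const valid = url === tokenEndpoint('common')
      && params.get('grant_type') === 'refresh_token'
      && params.get('refresh_token') === knownRefreshToken;
    const payload = valid
      ? { token_type: 'Bearer', scope: 'openid profile offline_access User.Read',
          expires_in: 3599, access_token: 'at-new', refresh_token: 'rt-new' }
      : { error: 'invalid_grant', error_description: 'constructed: refresh token unknown or revoked' };
    return { ok: valid, status: valid ? 200 : 400, json: async () => payload };
  };
}

// Demo run against the fake endpoint with constructed values.
const demoConfig = { tenant: 'common', clientId: 'constructed-client-id',
                     scopes: ['openid', 'profile', 'offline_access', 'User.Read'] };
const demoStart = { accessToken: 'at-old', refreshToken: 'rt-old', expiresAtMs: 1700000000000 };
refreshIfNeeded(demoStart, demoConfig, makeFakeTokenEndpoint('rt-old'), demoStart.expiresAtMs - 1000)
  .then((t) => console.log('renewed; new refresh token stored:', t.refreshToken === 'rt-new'))
  .catch((e) => console.log('interactive sign-in required:', e.message));
```

Persist the returned token set in platform secure storage (on Expo, expo-secure-store) rather than plain AsyncStorage, since the refresh token is a long-lived credential, and treat an `invalid_grant` error as the cue to show the AuthSession/AppAuth login again.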

Can you send me a Snack of this SSO example?

No sorry I don’t, but it should work like any other oauth based token exchange example. Just make sure you have the consent.

Hey guys,

I am attempting to authenticate via Azure AD via this module:

I have done all that is necessary: registering my app in the Azure AD portal, adding a scheme to my app.json, and so on. The ADFS SSO page loads, but after signing in, this page loads:

The same with me!