You successfully implemented Azure AD authentication in your Android app with the Microsoft Authentication Library. The application built and ran perfectly and passed all QA testing with flying colors. Then you published the application on Google Play, and authentication no longer works after installing the app.
If you exposed authentication error messages to the user, or had them sent to your team, you might see an error like this:
“The redirect URI in the configuration file doesn’t match with the one generated with the package name and signature hash. Please verify the uri in the config file and your app registration in Azure portal.”
Another behavior that can indicate this problem: during development and QA testing, you successfully set up your app to use a supported broker to handle authentication and SSO. However, after deployment through Google Play and installation, the app no longer uses the broker for authentication.
When an Android application is built for installation on a device, it is packaged as a compressed APK and then signed with a certificate. The signature proves that whoever built the application holds the private signing key. This prevents impersonation: an attacker who modifies the application in a harmful way cannot sign their version with the original private signing key.
In the past, Android developers owned and maintained their own private signing keys. Now, Google Play generates and maintains the app signing key on the developer’s behalf. This is a good thing, since the key is securely stored by Google. The developer still keeps an upload key so that Google Play can verify the authenticity of an uploaded app bundle, but the actual signing is done with the Google-held signing certificate when the app is delivered to a user’s device.
How is this relevant? The Microsoft Authentication Library (MSAL) for Android and the Microsoft-supported authentication brokers use the signature hash of the installed application to identify it during the interactions with the Android operating system that authentication requires. The signature hash of the application installed from Google Play differs from that of the same application installed before publishing to Google Play. As a result, MSAL is configured with the wrong signature hash.
Generally, there are three major steps to solving this issue. Each of these three steps is covered in more detail below:
Find the New Signature Hash
There are two ways to get the new signature hash: use MSAL’s “Package Inspector” tool, or read the signing certificate fingerprint from the Google Play Console.
For details on how to install and use the MSAL Package Inspector, see my article here: https://blogs.aaddevsup.xyz/2022/03/package-inspector-for-msal-android-native-guide/
Google Play Console
PowerShell Script to Encode the Signature Hash
Copy the “SHA-1” certificate fingerprint and paste it into the following PowerShell script as the value of the $Thumbprint variable. Run the script to obtain the base64-encoded fingerprint that MSAL needs.
```powershell
# Paste the SHA-1 certificate fingerprint from the Google Play Console here
$Thumbprint = "paste your fingerprint here"
# Remove the colon separators, leaving plain hex digits
$Thumbprint = $Thumbprint.Replace(":", "")

# Convert each pair of hex digits into one byte
$Bytes = [byte[]]::new($Thumbprint.Length / 2)

For ($i = 0; $i -lt $Thumbprint.Length; $i += 2) {
    $Bytes[$i / 2] = [convert]::ToByte($Thumbprint.Substring($i, 2), 16)
}

# Base64-encode the raw bytes; this is the signature hash MSAL expects
$hashedString = [Convert]::ToBase64String($Bytes)

Write-Host $hashedString
```
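The PowerShell script stops at the base64 hash; what actually has to line up is the full redirect URI in the MSAL configuration file, which is of the form msauth://&lt;package name&gt;/&lt;URL-encoded signature hash&gt;. The following Python script is an added example (not the author’s script and not part of MSAL) that does the same hex-to-base64 conversion, builds the expected redirect URI, and compares it against the redirect_uri in a config file so you can tell a stale dev-certificate hash apart from a wrong package name or a hash that was pasted without URL-encoding. The package name, the two fingerprints and the config fragment are constructed sample values.

```python
import base64
import json
from urllib.parse import quote, unquote


def signature_hash_from_fingerprint(fingerprint: str) -> str:
    """Turn a colon-separated SHA-1 certificate fingerprint (as shown in the
    Google Play Console or by keytool) into the base64 signature hash MSAL uses.
    This is the same hex -> bytes -> base64 step the PowerShell script performs."""
    hex_digits = fingerprint.replace(":", "").replace(" ", "").strip()
    if len(hex_digits) != 40:
        raise ValueError(f"expected a 20-byte SHA-1 fingerprint, got {len(hex_digits)} hex digits")
    raw = bytes.fromhex(hex_digits)  # raises ValueError on non-hex input
    return base64.b64encode(raw).decode("ascii")


def redirect_uri_for(package_name: str, signature_hash: str) -> str:
    """Build the msauth://<package>/<URL-encoded hash> redirect URI MSAL Android expects.
    base64 output may contain '+', '/' and '=', all of which must be percent-encoded."""
    return f"msauth://{package_name}/{quote(signature_hash, safe='')}"


def check_msal_config(config_json: str, package_name: str, fingerprint: str) -> dict:
    """Compare the redirect_uri in an MSAL config file with the URI derived from the
    certificate the installed APK is really signed with, and name the mismatch."""
    configured = json.loads(config_json).get("redirect_uri", "")
    sig_hash = signature_hash_from_fingerprint(fingerprint)
    expected = redirect_uri_for(package_name, sig_hash)
    prefix = f"msauth://{package_name}/"

    if configured == expected:
        problem = None
    elif not configured.startswith(prefix):
        problem = "scheme or package name differs"
    elif unquote(configured[len(prefix):]) != sig_hash:
        problem = "signature hash differs: the installed APK is signed with a different certificate"
    else:
        problem = "signature hash is not URL-encoded"
    return {"configured": configured, "expected": expected, "match": problem is None, "problem": problem}


# Constructed sample values (hypothetical, not real certificates or apps): one fingerprint
# standing in for the developer's local signing certificate, one for the certificate
# Google Play signs the published app with.
PACKAGE_NAME = "com.example.demoapp"
DEV_FINGERPRINT = "00:" * 19 + "00"
PLAY_FINGERPRINT = ":".join(["FB", "FF", "BF"] * 6 + ["FB", "FF"])

# Constructed MSAL config fragment whose redirect_uri still carries the dev-certificate hash.
DEV_CONFIG_JSON = json.dumps({
    "client_id": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real app id
    "redirect_uri": redirect_uri_for(PACKAGE_NAME, signature_hash_from_fingerprint(DEV_FINGERPRINT)),
})


if __name__ == "__main__":
    # Check the dev config against the certificate Google Play actually signed with.
    report = check_msal_config(DEV_CONFIG_JSON, PACKAGE_NAME, PLAY_FINGERPRINT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against your own config by replacing the constructed constants with the package name from your manifest, the SHA-1 fingerprint shown under App signing in the Play Console, and the contents of your MSAL configuration file; the "expected" value in the report is the redirect URI to register in the Azure portal in the next step.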
Step 2: Add a new Redirect URI to the App Registration in the Azure Portal with the new signature hash
If you have come this far in developing an Android app using MSAL, you likely already understand how to complete this step; however, I will provide basic guidance here.
Note: I highly recommend adding a new redirect URI rather than modifying the existing one. Your app registration can contain many redirect URIs, and modifying the existing redirect URI might break the development version of your app, creating headaches while troubleshooting, developing updates, and so on.
Log in to the Azure portal at portal.azure.com and navigate to the App registrations blade. The quickest way is to search for “App registrations” in the search box at the top of the portal, as indicated in the following screenshot: