MSALPublicClientApplication

Objective-C

@interface MSALPublicClientApplication : NSObject

Swift

class MSALPublicClientApplication : NSObject

Representation of OAuth 2.0 Public client application. Create an instance of this class to acquire tokens. One instance of MSALPublicClientApplication can be used to interact with multiple AAD clouds, and tenants, without needing to create a new instance for each authority. For most apps, one MSALPublicClientApplication instance is sufficient.

To create an instance of the MSALPublicClientApplication, first create an instance MSALPublicClientApplicationConfig. Setup MSALPublicClientApplicationConfig with needed configuration, and pass it to the [MSALPublicClientApplication initWithConfiguration:error:] initializer.

For example:

NSError *msalError = nil;

MSALPublicClientApplicationConfig *config =
        [[MSALPublicClientApplicationConfig alloc] initWithClientId:@"your-client-id-here"];

MSALPublicClientApplication *application =
        [[MSALPublicClientApplication alloc] initWithConfiguration:config error:&msalError];

Configuration

  • A copy of the configuration which was provided in the initializer. Any changes to mutable properties on the configuration object will not affect the behavior of the Public Cilent Application. Parameter to be used to configure MSALPublicClientApplication. It contains all values to be used in the instance and is a superset of all properties known to this class.

    Declaration

    Objective-C

    @property (readonly, nonnull) MSALPublicClientApplicationConfig *configuration;

    Swift

    var configuration: MSALPublicClientApplicationConfig { get }

  • Deprecated

    Use knowAuthorities in MSALPublicClientApplicationConfig instead (create your config and pass it to -initWithConfiguration:error:)

    When set to YES (default), MSAL will compare the application’s authority against well-known URLs templates representing well-formed authorities. It is useful when the authority is obtained at run time to prevent MSAL from displaying authentication prompts from malicious pages.

    Declaration

    Objective-C

    @property BOOL validateAuthority;

    Swift

    var validateAuthority: Bool { get set }

  • Deprecated

    Use webviewParameters to configure web view type in MSALInteractiveTokenParameters instead (create parameters object and pass it to -acquireTokenWithParameters:completionBlock:)

    The webview type to be used for authorization.

    Declaration

    Objective-C

    @property MSALWebviewType webviewType;

    Swift

    var webviewType: MSALWebviewType { get set }

  • Deprecated

    Use webviewParameters to configure custom web view in MSALInteractiveTokenParameters instead (create parameters object and pass it to -acquireTokenWithParameters:completionBlock:)

    Passed in webview to display web content when webviewSelection is set to MSALWebviewTypeWKWebView. For iOS, this will be ignored if MSALWebviewTypeSystemDefault is chosen.

    Declaration

    Objective-C

    @property (nullable) WKWebView *customWebview;

    Swift

    var customWebview: WKWebView? { get set }

Initializing MSALPublicClientApplication

  • Initialize a MSALPublicClientApplication with a given configuration

    Note

    It is important to configure your MSALPublicClientApplicationConfig object before calling MSALPublicClientApplication’s initializer. MSALPublicClientApplication makes a copy of the configuration object you provide on initialization. Once configured, MSALPublicClientApplication object ignores any changes you make to the MSALPublicClientApplicationConfig object.

    Declaration

    Objective-C

    - (nullable instancetype)
    initWithConfiguration:(nonnull MSALPublicClientApplicationConfig *)config
                    error:(NSError *_Nullable *_Nullable)error;

    Swift

    init(configuration config: MSALPublicClientApplicationConfig) throws

    Parameters

    config

    Configuration for PublicClientApplication
    error

    The error that occurred creating the application object, if any (optional)

  • Initialize a MSALPublicClientApplication with a given clientID

    Declaration

    Objective-C

    - (nullable instancetype)initWithClientId:(nonnull NSString *)clientId
                                    error:(NSError *_Nullable *_Nullable)error;

    Swift

    init(clientId: String) throws

    Parameters

    clientId

    The clientID of your application, you should get this from the app portal.
    error

    The error that occurred creating the application object, if any (optional)

  • Deprecated

    Use -initWithConfiguration:error: instead

    Initialize a MSALPublicClientApplication with a given clientID and authority

    Declaration

    Objective-C

    - (nullable instancetype)initWithClientId:(nonnull NSString *)clientId
                                authority:(nullable MSALAuthority *)authority
                                    error:(NSError *_Nullable *_Nullable)error;

    Swift

    init(clientId: String, authority: MSALAuthority?) throws

    Parameters

    clientId

    The clientID of your application, you should get this from the app portal.
    authority

    Authority indicating a directory that MSAL can use to obtain tokens. In Azure AD it is of the form https://authority_instance/authority_tenant, where authority_instance is the directory host (e.g. https://login.microsoftonline.com) and authority_tenant is a identifier within the directory itself (e.g. a domain associated to the tenant, such as contoso.onmicrosoft.com, or the GUID representing the TenantID property of the directory)
    error

    The error that occurred creating the application object, if any, if you’re not interested in the specific error pass in nil.

  • Deprecated

    Use -initWithConfiguration:error: instead

    Initialize a MSALPublicClientApplication with a given clientID, authority and redirectUri

    Declaration

    Objective-C

    - (nullable instancetype)initWithClientId:(nonnull NSString *)clientId
                                authority:(nullable MSALAuthority *)authority
                              redirectUri:(nullable NSString *)redirectUri
                                    error:(NSError *_Nullable *_Nullable)error;

    Swift

    init(clientId: String, authority: MSALAuthority?, redirectUri: String?) throws

    Parameters

    clientId

    The clientID of your application, you should get this from the app portal.
    authority

    Authority indicating a directory that MSAL can use to obtain tokens. In Azure AD it is of the form https://authority_instance/authority_tenant, where authority_instance is the directory host (e.g. https://login.microsoftonline.com) and authority_tenant is a identifier within the directory itself (e.g. a domain associated to the tenant, such as contoso.onmicrosoft.com, or the GUID representing the TenantID property of the directory)
    redirectUri

    The redirect URI of the application
    error

    The error that occurred creating the application object, if any, if you’re not interested in the specific error pass in nil.

  • Deprecated

    Use -initWithConfiguration:error: instead

    Initialize a MSALPublicClientApplication with a given clientID, authority, keychain group and redirect uri

    Declaration

    Objective-C

    - (nullable instancetype)initWithClientId:(nonnull NSString *)clientId
                            keychainGroup:(nullable NSString *)keychainGroup
                                authority:(nullable MSALAuthority *)authority
                              redirectUri:(nullable NSString *)redirectUri
                                    error:(NSError *_Nullable *_Nullable)error;

    Swift

    init(clientId: String, keychainGroup: String?, authority: MSALAuthority?, redirectUri: String?) throws

    Parameters

    clientId

    The clientID of your application, you should get this from the app portal.
    keychainGroup

    The keychain sharing group to use for the token cache. (optional) If you provide this key, you MUST add the capability to your Application Entilement.
    authority

    Authority indicating a directory that MSAL can use to obtain tokens. In Azure AD it is of the form https://, where is the directory host (e.g. https://login.microsoftonline.com) and is a identifier within the directory itself (e.g. a domain associated to the tenant, such as contoso.onmicrosoft.com, or the GUID representing the TenantID property of the directory)
    redirectUri

    The redirect URI of the application
    error

    The error that occurred creating the application object, if any, if you’re not interested in the specific error pass in nil.

  • Returns an array of all accounts visible to this application.

    Declaration

    Objective-C

    - (nullable NSArray<MSALAccount *> *)allAccounts:
    (NSError *_Nullable *_Nullable)error;

    Swift

    func allAccounts() throws -> [MSALAccount]

    Parameters

    error

    The error that occured trying to retrieve accounts, if any, if you’re not interested in the specific error pass in nil.

  • Deprecated

    Use -accountForIdentifier:error: instead

    Returns account for the given home identifier (received from an account object returned in a previous acquireToken call)

    Declaration

    Objective-C

    - (nullable MSALAccount *)
    accountForHomeAccountId:(nonnull NSString *)homeAccountId
                      error:(NSError *_Nullable *_Nullable)error;

    Swift

    func account(forHomeAccountId homeAccountId: String) throws -> MSALAccount

    Parameters

    error

    The error that occured trying to get the accounts, if any, if you’re not interested in the specific error pass in nil.

  • Returns account for the given account identifier (received from an account object returned in a previous acquireToken call)

    Declaration

    Objective-C

    - (nullable MSALAccount *)accountForIdentifier:(nonnull NSString *)identifier
                                         error:(NSError *_Nullable *_Nullable)
                                                   error;

    Swift

    func account(forIdentifier identifier: String) throws -> MSALAccount

    Parameters

    error

    The error that occured trying to get the accounts, if any, if you’re not interested in the specific error pass in nil.

  • Returns account for the given account identifying parameters (received from an account object returned in a previous acquireToken call)

    Declaration

    Objective-C

    - (nullable NSArray<MSALAccount *> *)
    accountsForParameters:(nonnull MSALAccountEnumerationParameters *)parameters
                    error:(NSError *_Nullable *_Nullable)error;

    Swift

    func accounts(for parameters: MSALAccountEnumerationParameters) throws -> [MSALAccount]

    Parameters

    error

    The error that occured trying to get the accounts, if any, if you’re not interested in the specific error pass in nil.

  • Returns account for for the given username (received from an account object returned in a previous acquireToken call or ADAL)

    Declaration

    Objective-C

    - (nullable MSALAccount *)accountForUsername:(nonnull NSString *)username
                                       error:
                                           (NSError *_Nullable *_Nullable)error;

    Swift

    func account(forUsername username: String) throws -> MSALAccount

    Parameters

    username

    The displayable value in UserPrincipleName(UPN) format
    error

    The error that occured trying to get the accounts, if any, if you’re not interested in the specific error pass in nil.

  • Deprecated

    Use other synchronous account retrieval API instead.

    Returns an array of accounts visible to this application and filtered by authority.

    Declaration

    Objective-C

    - (void)allAccountsFilteredByAuthority:
    (nonnull MSALAccountsCompletionBlock)completionBlock;

    Swift

    func allAccountsFilteredByAuthority() async throws -> [MSALAccount]

    Parameters

    completionBlock

    The completion block that will be called when accounts are loaded, or MSAL encountered an error.

  • Returns account for the given account identifying parameters including locally cached accounts and accounts from the SSO extension Accounts from SSO extension are only available on iOS 13+ and macOS 10.15+. On earlier versions, this method will return same results as a local account query.

    Declaration

    Objective-C

    - (void)accountsFromDeviceForParameters:
            (nonnull MSALAccountEnumerationParameters *)parameters
                        completionBlock:(nonnull MSALAccountsCompletionBlock)
                                            completionBlock;

    Swift

    func accountsFromDevice(for parameters: MSALAccountEnumerationParameters) async throws -> [MSALAccount]

    Parameters

    completionBlock

    The completion block that will be called when accounts are loaded, or MSAL encountered an error.

Handling MSAL responses

  • Deprecated

    Use -handleMSALResponse:sourceApplication: method instead.

    Ask MSAL to handle a URL response.

    Declaration

    Objective-C

    + (BOOL)handleMSALResponse:(nonnull NSURL *)response;

    Swift

    class func handleMSALResponse(_ response: URL) -> Bool

    Parameters

    response

    URL response from your application delegate’s openURL handler into MSAL for web authentication sessions

    Return Value

    YES if URL is a response to a MSAL web authentication session and handled, NO otherwise.

  • Ask MSAL to handle a URL response.

    Declaration

    Objective-C

    + (BOOL)handleMSALResponse:(nonnull NSURL *)response
         sourceApplication:(nullable NSString *)sourceApplication;

    Swift

    class func handleMSALResponse(_ response: URL, sourceApplication: String?) -> Bool

    Parameters

    response

    URL response from your application delegate’s openURL handler for MSAL web or brokered authentication sessions
    sourceApplication

    The application that opened your app with that URL. Can be retrieved from options by UIApplicationOpenURLOptionsSourceApplicationKey key. See more info here: https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1623112-application?language=objc

    Return Value

    YES if URL is a response to a MSAL web or brokered session and handled, NO otherwise.

  • Cancels any currently running interactive web authentication session, resulting in the authorization UI being dismissed and the acquireToken request ending in a cancelation error.

    Declaration

    Objective-C

    + (BOOL)cancelCurrentWebAuthSession;

    Swift

    class func cancelCurrentWebAuthSession() -> Bool

Getting a token interactively

  • Acquire a token for a provided parameters using interactive authentication.

    Declaration

    Objective-C

    - (void)acquireTokenWithParameters:
            (nonnull MSALInteractiveTokenParameters *)parameters
                   completionBlock:(nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireToken(with parameters: MSALInteractiveTokenParameters) async throws -> MSALResult

    Parameters

    parameters

    Parameters used for interactive authentication.
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

  • Deprecated

    Use -acquireTokenWithParameters:completionBlock instead

    Acquire a token for a new account using interactive authentication

    Declaration

    Objective-C

    - (void)acquireTokenForScopes:(nonnull NSArray<NSString *> *)scopes
              completionBlock:(nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireToken(forScopes scopes: [String]) async throws -> MSALResult

    Parameters

    scopes

    Permissions you want included in the access token received in the result in the completionBlock. Not all scopes are guaranteed to be included in the access token returned.
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

Getting a token interactively with a Login Hint

  • Deprecated

    Use -acquireTokenWithParameters:completionBlock instead

    Acquire a token for a new account using interactive authentication

    Declaration

    Objective-C

    - (void)acquireTokenForScopes:(nonnull NSArray<NSString *> *)scopes
                    loginHint:(nullable NSString *)loginHint
              completionBlock:(nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireToken(forScopes scopes: [String], loginHint: String?) async throws -> MSALResult

    Parameters

    scopes

    Permissions you want included in the access token received in the result in the completionBlock. Not all scopes are guaranteed to be included in the access token returned.
    loginHint

    A loginHint (usually an email) to pass to the service at the beginning of the interactive authentication flow. The account returned in the completion block is not guaranteed to match the loginHint.
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

Acquire Token for a specific Account

  • Deprecated

    Use -acquireTokenWithParameters:completionBlock instead

    Acquire a token interactively for an existing account. This is typically used after receiving a MSALErrorInteractionRequired error.

    Declaration

    Objective-C

    - (void)acquireTokenForScopes:(nonnull NSArray<NSString *> *)scopes
                      account:(nullable MSALAccount *)account
              completionBlock:(nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireToken(forScopes scopes: [String], account: MSALAccount?) async throws -> MSALResult

    Parameters

    scopes

    Permissions you want included in the access token received in the result in the completionBlock. Not all scopes are guaranteed to be included in the access token returned.
    account

    An account object retrieved from the application object that the interactive authentication flow will be locked down to.
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

  • Deprecated

    Use -acquireTokenWithParameters:completionBlock instead

    Acquire a token interactively for an existing account. This is typically used after receiving a MSALErrorInteractionRequired error.

    Declaration

    Objective-C

    - (void)acquireTokenForScopes:(nonnull NSArray<NSString *> *)scopes
                      account:(nullable MSALAccount *)account
                   promptType:(MSALPromptType)promptType
         extraQueryParameters:(nullable NSDictionary<NSString *, NSString *> *)
                                  extraQueryParameters
              completionBlock:(nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireToken(forScopes scopes: [String], account: MSALAccount?, promptType: MSALPromptType, extraQueryParameters: [String : String]?) async throws -> MSALResult

    Parameters

    scopes

    Permissions you want included in the access token received in the result in the completionBlock. Not all scopes are guaranteed to be included in the access token returned.
    account

    An account object retrieved from the application object that the interactive authentication flow will be locked down to.
    promptType

    A prompt type for the interactive authentication flow
    extraQueryParameters

    Key-value pairs to pass to the authentication server during the interactive authentication flow. This should not be url-encoded value.
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

Acquire Token Silent

  • Acquire a token silently for a provided parameters.

    Declaration

    Objective-C

    - (void)acquireTokenSilentWithParameters:
            (nonnull MSALSilentTokenParameters *)parameters
                         completionBlock:
                             (nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireTokenSilent(with parameters: MSALSilentTokenParameters) async throws -> MSALResult

    Parameters

    parameters

    Parameters used for silent authentication.
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

  • Deprecated

    Use -acquireTokenSilentWithParameters:completionBlock instead

    Acquire a token silently for an existing account.

    Declaration

    Objective-C

    - (void)acquireTokenSilentForScopes:(nonnull NSArray<NSString *> *)scopes
                            account:(nonnull MSALAccount *)account
                    completionBlock:
                        (nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireTokenSilent(forScopes scopes: [String], account: MSALAccount) async throws -> MSALResult

    Parameters

    scopes

    Permissions you want included in the access token received in the result in the completionBlock. Not all scopes are guaranteed to be included in the access token returned.
    account

    An account object retrieved from the application object that the interactive authentication flow will be locked down to.
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

  • Deprecated

    Use -acquireTokenSilentWithParameters:completionBlock instead

    Acquire a token silently for an existing account.

    Declaration

    Objective-C

    - (void)acquireTokenSilentForScopes:(nonnull NSArray<NSString *> *)scopes
                            account:(nonnull MSALAccount *)account
                          authority:(nullable MSALAuthority *)authority
                    completionBlock:
                        (nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireTokenSilent(forScopes scopes: [String], account: MSALAccount, authority: MSALAuthority?) async throws -> MSALResult

    Parameters

    scopes

    Permissions you want included in the access token received in the result in the completionBlock. Not all scopes are guaranteed to be included in the access token returned.
    account

    An account object retrieved from the application object that the interactive authentication flow will be locked down to.
    authority

    Authority indicating a directory that MSAL can use to obtain tokens. Azure AD it is of the form https://authority_instance/authority_tenant, where authority_instance is the directory host (e.g. https://login.microsoftonline.com) and authority_tenant is a identifier within the directory itself (e.g. a domain associated to the tenant, such as contoso.onmicrosoft.com, or the GUID representing the TenantID property of the directory)
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

  • Deprecated

    Use -acquireTokenSilentWithParameters:completionBlock instead

    Acquire a token silently for an existing account.

    Declaration

    Objective-C

    - (void)acquireTokenSilentForScopes:(nonnull NSArray<NSString *> *)scopes
                            account:(nonnull MSALAccount *)account
                          authority:(nullable MSALAuthority *)authority
                      claimsRequest:(nullable MSALClaimsRequest *)claimsRequest
                       forceRefresh:(BOOL)forceRefresh
                      correlationId:(nullable NSUUID *)correlationId
                    completionBlock:
                        (nonnull MSALCompletionBlock)completionBlock;

    Swift

    func acquireTokenSilent(forScopes scopes: [String], account: MSALAccount, authority: MSALAuthority?, claimsRequest: MSALClaimsRequest?, forceRefresh: Bool, correlationId: UUID?) async throws -> MSALResult

    Parameters

    scopes

    Scopes to request from the server, the scopes that come back can differ from the ones in the original call
    account

    An account object retrieved from the application object that the interactive authentication flow will be locked down to.
    authority

    Authority indicating a directory that MSAL can use to obtain tokens. Azure AD it is of the form https://, where is the directory host (e.g. https://login.microsoftonline.com) and is a identifier within the directory itself (e.g. a domain associated to the tenant, such as contoso.onmicrosoft.com, or the GUID representing the TenantID property of the directory)
    claimsRequest

    The claims parameter that needs to be sent to token endpoint. When claims is passed, access token will be skipped and refresh token will be tried.
    forceRefresh

    Ignore any existing access token in the cache and force MSAL/Broker to get a new access token from the service.
    correlationId

    UUID to correlate this request with the server
    completionBlock

    The completion block that will be called when the authentication flow completes, or encounters an error.

Remove account from cache

  • Removes all tokens from the cache for this application for the provided account. MSAL won’t be able to return tokens silently after calling this API, and developer will need to call acquireToken. User might need to enter his credentials again after calling this API

    Declaration

    Objective-C

    - (BOOL)removeAccount:(nonnull MSALAccount *)account
                error:(NSError *_Nullable *_Nullable)error;

    Swift

    func remove(_ account: MSALAccount) throws

    Parameters

    account

    The account to remove from the cache

  • Removes all tokens from the cache for this application for the provided account. Additionally, this API will remove account from the system browser or the embedded webView by navigating to the OIDC end session endpoint if requested in parameters (see more https://openid.net/specs/openid-connect-session-1_0.html). Moreover, if device has an SSO extension installed, the signout request will be handled through the SSO extension.

    As a result of the signout operation, application will not be able to get tokens for the given account without user entering credentials. However, this will not sign out from other signed in apps on the device, unless it is explicitly enabled by the administrator configuration through an MDM profile.

    Declaration

    Objective-C

    - (void)signoutWithAccount:(nonnull MSALAccount *)account
         signoutParameters:(nonnull MSALSignoutParameters *)signoutParameters
           completionBlock:
               (nonnull MSALSignoutCompletionBlock)signoutCompletionBlock;

    Swift

    func signout(with account: MSALAccount, signoutParameters: MSALSignoutParameters) async throws -> Bool

Device information

SingleAccount

  • Gets the current account and return previous account if present. This can be useful to detect if the current account changes. This method must be called whenever the application is resumed or prior to running a scheduled background operation.

    If there’re multiple accounts present, MSAL will return an ambiguous account error, and application should do account disambiguation by calling other MSAL Account enumeration APIs.

    Declaration

    Objective-C

    - (void)getCurrentAccountWithParameters:(nullable MSALParameters *)parameters
                        completionBlock:
                            (nonnull MSALCurrentAccountCompletionBlock)
                                completionBlock;

    Swift

    func currentAccount(with parameters: MSALParameters?) async throws -> (MSALAccount?, MSALAccount?)