Figure: Overview of the sign-in, token cache flow and potential replay attack paths on macOS devices.

## macOS Keychain items from Microsoft products

According to Microsoft docs, Keychain plays a central role in storing cached tokens, which is what provides SSO between MSAL apps:

> When the Microsoft Authentication Library for iOS and macOS (MSAL) signs in a user, or refreshes a token, it tries to cache tokens in the keychain. Caching tokens in the keychain allows MSAL to provide silent single sign-on (SSO) between multiple apps that are distributed by the same Apple developer. SSO is achieved via the keychain access groups functionality.

Source: Configure keychain - Microsoft identity platform - Microsoft Docs

I have found the following Keychain entries in relation to authentication for various Microsoft products on a macOS device:

- com.microsoft.oneauth.
- Microsoft Teams Identities Cache
- com.microsoft
- Microsoft Edge Safe Storage

Various refresh tokens, primary refresh tokens and access tokens have been cached. A reference to the user's objectId is included.

Note: I've used an Azure AD unregistered device without the Enterprise SSO plug-in for the following tests and use cases. Token caching in Keychain (by using access group “”) seems to be the default for apps using MSAL. Therefore, most of the research results should also cover scenarios with the "Enterprise SSO plug-in".

Side note: Azure CLI on macOS also uses MSAL in recent versions. According to Microsoft docs, the cached tokens will be stored in files as cleartext if you are using Service Principals for authentication on macOS:

> The MSAL token cache and service principal entries are saved as encrypted files on Windows, and plaintext files on Linux and MacOS.
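As an added example (not code from the original post), the following Python audits a plaintext MSAL token cache of the kind Azure CLI writes on macOS and Linux: it checks the file mode for group/other readability and inventories the cached credentials by type, client and account without reading the `secret` fields. The top-level buckets (`AccessToken`, `RefreshToken`, `IdToken`) and field names follow the MSAL cache JSON layout; the sample document, client id and account id below are constructed placeholders.

```python
import json
import os
import stat
import time

# Top-level credential buckets of the MSAL JSON cache format.
CREDENTIAL_TYPES = ("AccessToken", "RefreshToken", "IdToken")

def inventory_msal_cache(cache_json, now=None):
    """Summarise an MSAL cache document without touching the 'secret' fields."""
    now = time.time() if now is None else now
    data = json.loads(cache_json)
    summary = {"counts": {}, "client_ids": set(), "accounts": set(),
               "valid_access_tokens": 0}
    for ctype in CREDENTIAL_TYPES:
        entries = data.get(ctype, {})
        summary["counts"][ctype] = len(entries)
        for entry in entries.values():
            summary["client_ids"].add(entry.get("client_id"))
            summary["accounts"].add(entry.get("home_account_id"))
            # expires_on is a Unix timestamp stored as a string in the cache.
            if ctype == "AccessToken" and int(entry.get("expires_on", 0)) > now:
                summary["valid_access_tokens"] += 1
    return summary

def assess_cache(mode, cache_json, now=None):
    """Return (findings, summary) for a cache file given its st_mode and contents."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("cache file is readable by group/other users")
    summary = inventory_msal_cache(cache_json, now)
    if summary["counts"]["RefreshToken"]:
        findings.append(f'{summary["counts"]["RefreshToken"]} refresh token(s) stored in plaintext')
    if summary["valid_access_tokens"]:
        findings.append(f'{summary["valid_access_tokens"]} unexpired access token(s) stored in plaintext')
    return findings, summary

def audit_cache_file(path):
    """Audit an on-disk cache file (e.g. the Azure CLI MSAL cache under ~/.azure)."""
    with open(path) as fh:
        return assess_cache(os.stat(path).st_mode, fh.read())

# Constructed sample in the MSAL cache layout; secrets are placeholders, not real tokens.
SAMPLE_CACHE = json.dumps({
    "AccessToken": {"uid.utid-login.microsoftonline.com-accesstoken-CLIENT-A-tenant-scope": {
        "home_account_id": "uid.utid", "client_id": "CLIENT-A", "credential_type": "AccessToken",
        "secret": "<placeholder>", "expires_on": "4102444800"}},
    "RefreshToken": {"uid.utid-login.microsoftonline.com-refreshtoken-CLIENT-A--": {
        "home_account_id": "uid.utid", "client_id": "CLIENT-A", "credential_type": "RefreshToken",
        "secret": "<placeholder>"}},
    "IdToken": {}, "Account": {}, "AppMetadata": {}})

if __name__ == "__main__":
    print(assess_cache(0o644, SAMPLE_CACHE))
```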