Question Microsoft.Identity.Client for OAuth flow to AAD B2C in Android

Discussion in 'Windows' started by patrick_murphy_, Oct 13, 2022.

  1. patrick_murphy_

    (I realize this is ultimately an Android question but heavily relies on Microsoft client code so figured people in this subforum may know something...)

    Does anyone have any experience stringing these together? I have scoured the web for literally weeks trying to combine as much as I can to make this work...

    I am using the MSAL PublicClientApplication pattern for OAuth flow, using Mono/.NET Standard as scripting backend in Unity, which works fine in the editor on Windows, but when deploying to various Android devices/OS versions, the browser prompt for credentials simply never pops.

    It's very difficult getting any information as to why. The furthest I have gotten is using MSAL's isSystemWebviewAvailable() and isEmbeddedWebviewAvailable(), which both return false on Android, and this is after setting up the manifest for internet permissions and associated webview activities. (For completeness, isSystemWebviewAvailable() returns true on Windows, where the flow works fine.)

    After investigation it seems that system webviews are considered an attack surface by Google and are possibly restricted from use, and require an unrealistic configuration on the part of each Android user to get them to work... but then to really complicate it, MSAL does not support embedded webviews either (for the most part, specifically for .NET Standard or .NET Core in Android). So it looks like this is just a dead end?

    I was hoping to avoid a classic authentication model and having to manage and secure user credentials, password resets, etc., and was really hoping I could leverage AAD B2C to take this off my plate, but at this point it looks like a much more desirable option than the quite frankly absurd amount of work (I have left *a lot* of detail and Android requirements out) it would take to get OAuth flows to Azure working on Android.