microsoft-authentication-library-for-android: Redirect URI doesn't match with the one generated with package name and signature hash.

Why does the app always crash, saying that the URI doesn't match the one shown in the AD? I've tried deleting it and making a new one, and that is not helping either. Is this really a problem with the library or the AD, or was it my mistake?

Here is the log:

Process: com.ilhamwahyu.testapp, PID: 10038
    java.lang.IllegalStateException: The redirect URI in the configuration file doesn't match with the one generated with package name and signature hash. Please verify the uri in the config file and your app registration in Azure portal.
        at com.microsoft.identity.client.PublicClientApplicationConfiguration.verifyRedirectUriWithAppSignature(PublicClientApplicationConfiguration.java:453)
        at com.microsoft.identity.client.PublicClientApplicationConfiguration.checkIntentFilterAddedToAppManifestForBrokerFlow(PublicClientApplicationConfiguration.java:471)
        at com.microsoft.identity.client.PublicClientApplication.initializeApplication(PublicClientApplication.java:1024)
        at com.microsoft.identity.client.PublicClientApplication.<init>(PublicClientApplication.java:1006)
        at com.microsoft.identity.client.MultipleAccountPublicClientApplication.<init>(MultipleAccountPublicClientApplication.java:72)
        at com.microsoft.identity.client.PublicClientApplication$2.onTaskCompleted(PublicClientApplication.java:889)
        at com.microsoft.identity.client.PublicClientApplication$2.onTaskCompleted(PublicClientApplication.java:870)
        at com.microsoft.identity.common.internal.controllers.CommandDispatcher$2.run(CommandDispatcher.java:179)
        at android.os.Handler.handleCallback(Handler.java:883)
        at android.os.Handler.dispatchMessage(Handler.java:100)
        at android.os.Looper.loop(Looper.java:214)
        at android.app.ActivityThread.main(ActivityThread.java:7356)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 28 (9 by maintainers)

Most upvoted comments

It turns out that my signature hash was wrong all along. I followed the steps on the Azure Portal, but Android Studio gave me an error log. Then I came across this: there is code that I can use to log the signature hash directly from the project.

This is the code.

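// Needs imports: android.content.pm.PackageInfo, android.content.pm.PackageManager,
// android.content.pm.PackageManager.NameNotFoundException, android.content.pm.Signature,
// android.util.Base64, android.util.Log, java.security.MessageDigest,
// java.security.NoSuchAlgorithmException
try {
    // Replace "com.you.name" with your application's package name.
    PackageInfo info = getPackageManager().getPackageInfo("com.you.name", PackageManager.GET_SIGNATURES);
    for (Signature signature : info.signatures) {
        // "SHA" selects SHA-1; the signature hash is the Base64 of this digest.
        MessageDigest md = MessageDigest.getInstance("SHA");
        md.update(signature.toByteArray());
        String something = new String(Base64.encode(md.digest(), 0));
        //String something = new String(Base64.encodeBytes(md.digest()));
        Log.e("hash key", something);
    }
} catch (NameNotFoundException e1) {
    Log.e("name not found", e1.toString());
} catch (NoSuchAlgorithmException e) {
    Log.e("no such an algorithm", e.toString());
} catch (Exception e) {
    Log.e("exception", e.toString());
}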

Finally, I can make the right redirect_uri.

Thank you everyone for helping me out.

As an additional tip: For an APK already pushed to a device, there is a handy tool provided in the MSAL repo here which can export the signature hash of an app installed on a device. You can cross reference this value against your configuration in the application and in the Azure Portal.


@OrionStark

Step 1:

```
{
  "client_id": "value",
  "authorization_user_agent": "DEFAULT",
  "redirect_uri": "value",
  "account_mode": "SINGLE",
  "broker_redirect_uri_registered": false,
  "authorities": [
    {
      "type": "AAD",
      "authority_url": "value"
    }
  ]
}
```

Step 2: Go to Google Play Console -> App Signing -> App Certificate -> download it.

Step 3: Go to Azure Portal -> App Registrations -> Certificates and Secrets. Upload the file there.

@OrionStark setting broker_redirect_uri_registered=false means the app will never use Broker (and therefore makes it pointless for MSAL to verify the redirect URL against the app's signature hash, which is why it was skipped).

That means the user will not get SSO, and I'd advise against it, especially if your app is developed for organizational users.

I’d suggest printing out signature hash to a log file (or logcat) after you’ve uploaded the app with Google Play (but don’t publish it yet), and compare with the redirect uri you use in the app. See the sample code here.

Basically when you are debugging in Android Studio, it will use the androiddebugkey found in the keystore located in your user folder/.android/debug.keystore

The default password to get into the debug.keystore is android, the default password for the key is android

So generating your own key/keystore when setting up the app registration will lead to the wrong redirect URI error, since it will use the debug one when running locally.

For the command to get the key signature see https://github.com/AzureAD/microsoft-authentication-library-for-android/wiki/MSAL-FAQ

Note I had to add the keytool to my user path

@shoatman would you mind updating the wiki to be a little more clear about this? Also with the default password.

@DivyaYadav25 Mercy!!!, thanks for the solutions.

@OrionStark Have you registered the release keystore’s signature hash with the portal?

(Also, could you please open a new issue next time? That way it is easier for us to notice.)

@tulika17 - Be sure that your configuration file has the correct value. Unfortunately the encoding differs between the android manifest and the configuration file. In the portal you can see examples of both so it’s a good idea to take a look. @hamiltonha do you want to add this to the FAQ?
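
The two causes of this error discussed in the thread (a hash from the wrong signing key, and the encoding difference between the manifest and the configuration file) can be checked offline. The following is an added example, not code from the thread or from MSAL; the certificate bytes and the package name `com.example.app` are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
from urllib.parse import quote, unquote, urlsplit

# Constructed stand-ins for two signing certificates (not real DER data).
DEBUG_CERT = b"constructed debug certificate bytes"
RELEASE_CERT = b"constructed release certificate bytes"
PACKAGE = "com.example.app"  # hypothetical package name


def signature_hash(cert_der: bytes) -> str:
    """Base64 of the SHA-1 digest of the certificate, like the Java snippet in the thread."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def config_redirect_uri(package: str, sig_hash: str) -> str:
    """Config-file form: the Base64 hash is URL-encoded (+ / = become %2B %2F %3D)."""
    return f"msauth://{package}/{quote(sig_hash, safe='')}"


def manifest_path(sig_hash: str) -> str:
    """AndroidManifest android:path form: raw Base64 behind a leading slash."""
    return "/" + sig_hash


def check_redirect_uri(configured: str, package: str, cert_der: bytes) -> list:
    """Return the problems found in a configured redirect_uri; empty means it matches."""
    problems = []
    expected = signature_hash(cert_der)
    parts = urlsplit(configured.strip())
    raw = parts.path[1:]  # hash segment exactly as written in the config
    if parts.scheme != "msauth":
        problems.append(f"scheme is {parts.scheme!r}, expected 'msauth'")
    if parts.netloc != package:
        problems.append(f"host is {parts.netloc!r}, expected package {package!r}")
    if unquote(raw) != expected:
        problems.append("signature hash belongs to a different signing key")
    elif any(c in raw for c in "+/="):
        problems.append("hash is right but not URL-encoded for the config file")
    return problems


if __name__ == "__main__":
    good = config_redirect_uri(PACKAGE, signature_hash(DEBUG_CERT))
    print(good, check_redirect_uri(good, PACKAGE, DEBUG_CERT))
    print(check_redirect_uri(good, PACKAGE, RELEASE_CERT))
    print(manifest_path(signature_hash(DEBUG_CERT)))
```

Because a SHA-1 digest is 20 bytes, its Base64 form always ends in `=`, so the configuration-file value and the manifest value are never the same string.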