
Keychain for MSAL on iOS

Jason Kim edited this page Apr 30, 2019 · 3 revisions

Token caching is an essential function of the MSAL SDK. When MSAL signs a user in or refreshes a token, it writes the tokens into the iOS keychain. The app must configure its entitlements correctly so that MSAL is allowed to write cached tokens to the keychain.

You can learn more about keychain access groups in Apple's documentation.

Default keychain access group

MSAL will use the "com.microsoft.adalcache" access group by default. This is the shared access group used by both MSAL and ADAL SDKs and ensures the best SSO experience between multiple apps from the same publisher.

In order to use the default keychain access group, you need to add the "com.microsoft.adalcache" keychain group to your app's entitlements. You can do so under Project settings -> Capabilities -> Keychain Sharing.

Custom keychain access group

If you'd like to use a different keychain access group, set your custom group on the MSALPublicClientApplicationConfig before creating the MSALPublicClientApplication:

MSALPublicClientApplicationConfig.cacheConfig.keychainSharingGroup

For example:

    // The authority is optional here; with nil, MSAL falls back to its default authority.
    MSALAuthority *authority = nil;
    MSALPublicClientApplicationConfig *config = [[MSALPublicClientApplicationConfig alloc] initWithClientId:@"your-client-id"
                                                                                                redirectUri:@"your-redirect-uri"
                                                                                                  authority:authority];
    
    // This value must match a group listed under keychain-access-groups in the app's entitlements.
    config.cacheConfig.keychainSharingGroup = @"custom-group";

Disable keychain sharing

If you don't want to use any shared keychain access group (and therefore don't want to share SSO state between multiple apps), you can disable keychain sharing by passing the application's bundle ID as the keychainSharingGroup:

    MSALAuthority *authority = nil;
    MSALPublicClientApplicationConfig *config = [[MSALPublicClientApplicationConfig alloc]
                                                                   initWithClientId:@"your-client-id"
                                                                   redirectUri:@"your-redirect-uri"
                                                                   authority:authority];
    // Using the app's own bundle ID as the group keeps the token cache private to this app.
    config.cacheConfig.keychainSharingGroup = [[NSBundle mainBundle] bundleIdentifier];

-34018 "Failed to set item into keychain" errors

This normally indicates that the keychain has not been configured correctly. Make sure that the keychain access group configured in MSAL (keychainSharingGroup) matches the group configured in the app's entitlements.
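As an added illustration (not part of this wiki page or the MSAL project files), this is what the Keychain Sharing capability described above produces in the app's .entitlements file; `com.example.myapp` is an assumed bundle identifier, and `$(AppIdentifierPrefix)` is the placeholder Xcode expands to the team prefix at build time. Whatever string you set as keychainSharingGroup in MSAL must appear in this array, or keychain writes fail with -34018.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Generated by Xcode when Keychain Sharing is enabled.
         The first entry is the app's own group (assumed bundle ID);
         the second is the shared MSAL/ADAL group used for SSO.
         Remove the second entry if you disable sharing by setting
         keychainSharingGroup to the app's bundle identifier. -->
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)com.example.myapp</string>
        <string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
    </array>
</dict>
</plist>
```

If MSAL is configured with a custom group such as "custom-group", replace or add an entry of the form `$(AppIdentifierPrefix)custom-group` here so the two sides match.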