From maui-skills
Adds authentication to .NET MAUI apps using WebAuthenticator for OAuth 2.0/social logins and MSAL.NET for Microsoft Entra ID/Azure AD, with broker support, token caching, platform setups for Android/iOS/Windows, and bearer token API calls.
npx claudepluginhub davidortinau/maui-skills --plugin maui-skillsThis skill uses the workspace's default tool permissions.
> ❌ **Never embed client secrets, API keys, or signing keys in a mobile app binary.** They can be extracted trivially via decompilation.
Guides .NET MAUI apps consuming .NET Aspire backends: AppHost configuration, mobile service discovery, HttpClient DI, MSAL.NET Entra ID auth, emulator networking, Blazor Hybrid.
Guides Microsoft Entra ID app registration, OAuth 2.0 authentication setup, API permissions, service principals, and MSAL integration for web, SPA, mobile, and daemon apps.
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Share bugs, ideas, or general feedback.
❌ Never embed client secrets, API keys, or signing keys in a mobile app binary. They can be extracted trivially via decompilation.
The correct pattern:
WebAuthenticator pointing to your server endpointWindows WebAuthenticator is currently broken. See dotnet/maui#2702. Use MSAL or a WinUI-specific workaround for Windows auth flows.
Apple only returns the user's name and email on the first sign-in. Cache them immediately — subsequent sign-ins won't include them.
Set to true on iOS 13+ to force a fresh login prompt. When false (default), the auth session shares cookies with Safari — the user may be auto-logged in, which can confuse logout/switch-account flows.
The most common auth failure is a URI scheme mismatch. The CallbackUrl in code must exactly match:
DataScheme + DataHost in the IntentFilterCFBundleURLSchemes in Info.plistProtocol Name in Package.appxmanifestCallbackUrlWebAuthenticatorCallbackActivity with correct IntentFilter<queries> for Custom Tabs in the manifestCFBundleURLTypes in Info.plistSecureStorage, cleared on logoutTaskCanceledException handled gracefully in UI| Criteria | WebAuthenticator | MSAL.NET |
|---|---|---|
| Identity provider | Any OAuth 2.0 / OIDC | Microsoft Entra ID |
| Broker support (SSO) | ❌ No | ✅ Microsoft Authenticator, Company Portal |
| Conditional Access / MFA | ❌ Manual | ✅ Built-in |
| Token cache & refresh | ❌ Manual (SecureStorage) | ✅ Automatic |
| Complexity | Simple | More setup |
| Use when | Google, Apple, generic OIDC | Entra ID / Azure AD, Microsoft Graph |
Forgetting AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs in MainActivity.OnActivityResult causes auth to hang silently after the browser returns.
Without Entitlements.plist containing keychain group com.microsoft.adalcache, token caching fails silently and users are prompted to sign in every time.
When AcquireTokenSilent throws MsalUiRequiredException, the cached token is expired and interaction is needed. Always fall back to AcquireTokenInteractive.
// ❌ Ignoring MsalUiRequiredException — user gets a crash
var result = await _pca.AcquireTokenSilent(scopes, account).ExecuteAsync(ct);
// ✅ Fall back to interactive when silent fails
try
{
result = await _pca.AcquireTokenSilent(scopes, account).ExecuteAsync(ct);
}
catch (MsalUiRequiredException)
{
result = await _pca.AcquireTokenInteractive(scopes).ExecuteAsync(ct);
}
// ✅ Don't treat cancellation as an error
catch (MsalClientException ex) when (ex.ErrorCode == "authentication_canceled")
{
return null; // User cancelled — not an error
}
In MAUI Blazor Hybrid apps, authentication must happen at the MAUI layer (MSAL.NET), not in the Blazor WebView. Don't use AddMicrosoftIdentityWebApp or server-side OIDC patterns. Instead:
IAuthService (MSAL.NET)MsalAuthenticationStateProvider exposes auth state to BlazorHttpClient with DelegatingHandler attaches bearer tokens automaticallyMicrosoft.Identity.Client NuGet package addedAuthConfig / appsettings.json has ClientId, TenantId, ScopesAndroidManifest.xml has <queries> for broker and browsersMainActivity.OnActivityResult calls AuthenticationContinuationHelperInfo.plist has CFBundleURLSchemes with msauth.{BundleId}Entitlements.plist has keychain group com.microsoft.adalcacheAppDelegate.OpenUrl calls AuthenticationContinuationHelperIAuthService registered as singleton in DIDelegatingHandler attached to HttpClient for API callsMsalUiRequiredException handled (triggers interactive sign-in)MsalClientException with authentication_canceled handled gracefully