Customizing Browsers & WebViews
In this article we'll explore some of key differences between the different authorization agents MSAL allows your app to use and how to enable them. Choosing a specific strategy for authorization agents is purely optional and represents additional functionality for apps to customize - most apps will find themselves using MSAL's default.
When using MSAL in your Android application, you can choose between using Browser or WebView to launch the interactive sign in experience.
By default, applications will use a browser / custom tabs strategy, the user can achieve SSO and reduce the number of times the user has to enter their credentials - caused by the ability for Microsoft to persist a cookie in browser. Doing so also enables other native android or web apps to also achieve SSO.
If the application chooses to use a WebView strategy without integrating Authenticator or Company Portal support into their app, users will be able to achieve SSO with a single application but not across the device or between native and web apps.
If the application uses MSAL with Authenticator or Company Portal support, then users can achieve SSO across application through the these apps assuming the user has an active sign in with one of these apps.
An app can choose to use the in-app WebView by specifying the following line in their configuration JSON passed into MSAL:
"authorization_user_agent" : "WEBVIEW"By using the in-app WebView, the user signs in directly to the app. The tokens will be kept inside the sandbox of the app - not available outside the app's cookie jar. As a result, the user cannot get the SSO across applications unless they integrate with the Authenticator or Company Portal.
Additionally, the WebView affords apps more customization around the look and feel of the sign in experience. For more on how to do this customization, checkout Android WebViews.
By default, MSAL uses the browser + custom tab strategy. MSAL also allows apps to explicitly indicate this strategy to prevent changes in future releases to DEFAULT using the JSON configuration:
"authorization_user_agent" : "BROWSER"Using the BROWSER approach allows users to achieve SSO with device browser. MSAL is able to utilizes a shared cookie jar allowing other native or web apps to get SSO on the device by using the persist session cookie set by Microsoft.
Due to the diverse nature of Android OEMs, it is impossible for MSAL to specify an exact browser package across different Android phone. As a result, MSAL has developed it's browser selection heuristic focusing on providing the best cross-device SSO. MSALs logic can be found in the following method:
[com.microsoft.identity.common.internal.ui.browser.BrowserSelector.select(final Context context)](https://github.com/AzureAD/microsoft-authentication-library-common-for-android/blob/dev/common/src/main/java/com/microsoft/identity/common/internal/ui/browser/BrowserSelector.java#L57)
To select which browser to use, MSAL retrieves the full list of browsers installed on the device. The list is in the order returned by the package manager, so indirectly reflects the user's preferences i.e. the default browser, if set, is the first entry in the list. The first browser in the list will be selected no matter whether or not the custom tabs supported; however, if it is supported MSAL will launch the Custom Tab. Custom Tabs have a look and feel closer to an in-app WebView and also allow some basic UI customization, to learn more see Custom Tabs in Android.
If there is no browser packages on the device, MSAL will fallback to use the in-app WebView.
Note on the consistency of the browser list: the order of browsers is determined by the operating system and listed from best to worst. If the device default setting is not changed, the same browser should be launched for each sign in ensuring SSO.
Note on Chrome: MSAL will no longer always prefer Chrome if another browser is set as default. For example, on the Samsung S7 which has both Samsung Browser and Chrome pre-installed, the Samsung Browser is set as the default browser. MSAL will use the Samsung Browser unless the end user changes their preference.
Note on broker browsers: there are some browsers that do not support the OAuth2.0 authorization code flow. In a future release, Microsoft will maintain a deny-list to ensure these are never chosen.
| Built-in Browser | Chrome | Opera | Edge | UC Browser | Firefox | |
|---|---|---|---|---|---|---|
| Nexus 4 (API 17) | pass | pass | not applicable | not applicable | not applicable | not applicable |
| Samsung S7 (API 25 ) | pass* | pass | pass | pass | fail | pass |
| Huawei (API 26) | pass** | pass | fail | pass | pass | pass |
| Vivo (API 26) | pass | pass | pass | pass | pass | fail |
| Pixel 2 (API 26) | pass | pass | pass | pass | fail | pass |
| Oppo | pass | not applicable*** | not applicable | not applicable | not applicable | not applicable |
| OnePlus (API 25 ) | pass | pass | pass | pass | fail | pass |
| Nexus (API 28) | pass | pass | pass | pass | fail | pass |
| MI | pass | pass | pass | pass | fail | pass |
*Samsung's built-in browser is Samsung Internet.
**Huawei's built-in browser is Huawei Browser.
***The default browser cannot be changed inside the Oppo device setting.