Stats
Actions
Tags
'%20stop-opacity%3D'0.16'%2F%3E%3Cstop%20offset%3D'1'%20stop-color%3D'rgb(200%2C90%2C60)'%20stop-opacity%3D'0.03'%2F%3E%3C%2FlinearGradient%3E%3C%2Fdefs%3E%3Crect%20width%3D'320'%20height%3D'200'%20fill%3D'url(%23g)'%2F%3E%3Ccircle%20cx%3D'250'%20cy%3D'56'%20r%3D'92'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.06'%2F%3E%3Ccircle%20cx%3D'64'%20cy%3D'172'%20r%3D'58'%20fill%3D'rgb(200%2C90%2C60)'%20fill-opacity%3D'0.05'%2F%3E%3C%2Fsvg%3E)
From maui-skills
Adds authentication to .NET MAUI apps using WebAuthenticator for OAuth 2.0/social logins and MSAL.NET for Microsoft Entra ID/Azure AD, with broker support, token caching, platform setups for Android/iOS/Windows, and bearer token API calls.
How this skill is triggered — by the user, by Claude, or both
Slash command
/maui-skills:maui-authenticationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> ❌ **Never embed client secrets, API keys, or signing keys in a mobile app binary.** They can be extracted trivially via decompilation.
❌ Never embed client secrets, API keys, or signing keys in a mobile app binary. They can be extracted trivially via decompilation.
The correct pattern:
WebAuthenticator pointing to your server endpointWindows WebAuthenticator is currently broken. See dotnet/maui#2702. Use MSAL or a WinUI-specific workaround for Windows auth flows.
Apple only returns the user's name and email on the first sign-in. Cache them immediately — subsequent sign-ins won't include them.
Set to true on iOS 13+ to force a fresh login prompt. When false (default), the auth session shares cookies with Safari — the user may be auto-logged in, which can confuse logout/switch-account flows.
The most common auth failure is a URI scheme mismatch. The CallbackUrl in code must exactly match:
DataScheme + DataHost in the IntentFilterCFBundleURLSchemes in Info.plistProtocol Name in Package.appxmanifestCallbackUrlWebAuthenticatorCallbackActivity with correct IntentFilter<queries> for Custom Tabs in the manifestCFBundleURLTypes in Info.plistSecureStorage, cleared on logoutTaskCanceledException handled gracefully in UI| Criteria | WebAuthenticator | MSAL.NET |
|---|---|---|
| Identity provider | Any OAuth 2.0 / OIDC | Microsoft Entra ID |
| Broker support (SSO) | ❌ No | ✅ Microsoft Authenticator, Company Portal |
| Conditional Access / MFA | ❌ Manual | ✅ Built-in |
| Token cache & refresh | ❌ Manual (SecureStorage) | ✅ Automatic |
| Complexity | Simple | More setup |
| Use when | Google, Apple, generic OIDC | Entra ID / Azure AD, Microsoft Graph |
Forgetting AuthenticationContinuationHelper.SetAuthenticationContinuationEventArgs in MainActivity.OnActivityResult causes auth to hang silently after the browser returns.
Without Entitlements.plist containing keychain group com.microsoft.adalcache, token caching fails silently and users are prompted to sign in every time.
When AcquireTokenSilent throws MsalUiRequiredException, the cached token is expired and interaction is needed. Always fall back to AcquireTokenInteractive.
// ❌ Ignoring MsalUiRequiredException — user gets a crash
var result = await _pca.AcquireTokenSilent(scopes, account).ExecuteAsync(ct);
// ✅ Fall back to interactive when silent fails
try
{
result = await _pca.AcquireTokenSilent(scopes, account).ExecuteAsync(ct);
}
catch (MsalUiRequiredException)
{
result = await _pca.AcquireTokenInteractive(scopes).ExecuteAsync(ct);
}
// ✅ Don't treat cancellation as an error
catch (MsalClientException ex) when (ex.ErrorCode == "authentication_canceled")
{
return null; // User cancelled — not an error
}
In MAUI Blazor Hybrid apps, authentication must happen at the MAUI layer (MSAL.NET), not in the Blazor WebView. Don't use AddMicrosoftIdentityWebApp or server-side OIDC patterns. Instead:
IAuthService (MSAL.NET)MsalAuthenticationStateProvider exposes auth state to BlazorHttpClient with DelegatingHandler attaches bearer tokens automaticallyMicrosoft.Identity.Client NuGet package addedAuthConfig / appsettings.json has ClientId, TenantId, ScopesAndroidManifest.xml has <queries> for broker and browsersMainActivity.OnActivityResult calls AuthenticationContinuationHelperInfo.plist has CFBundleURLSchemes with msauth.{BundleId}Entitlements.plist has keychain group com.microsoft.adalcacheAppDelegate.OpenUrl calls AuthenticationContinuationHelperIAuthService registered as singleton in DIDelegatingHandler attached to HttpClient for API callsMsalUiRequiredException handled (triggers interactive sign-in)MsalClientException with authentication_canceled handled gracefullynpx claudepluginhub davidortinau/maui-skills --plugin maui-skillsAdds Auth0 login, logout, and token management to .NET MAUI cross-platform apps for iOS, Android, macOS, and Windows.
Guides .NET MAUI apps consuming .NET Aspire backends: AppHost configuration, mobile service discovery, HttpClient DI, MSAL.NET Entra ID auth, emulator networking, Blazor Hybrid.
Adding auth to Blazor. AuthorizeView, CascadingAuthenticationState, Identity UI, per-model flows.