Primary Refresh Token on iOS Devices

Jonas Bøgvad
Jonas Bøgvad

Table of Contents

Our most frequently used applications, which are frequently mobile-based, require an easy and secure authorization process among these resources. Working together to achieve this objective are two titans, Apple and Microsoft, each bringing a different set of cutting-edge technologies. The use of the Primary Refresh Token (PRT), a crucial element of Microsoft's authentication system, on iOS devices is the subject of this post.

Please be aware that while I make every effort to give accurate information, I am not a programmer. My job is to provide a clear overview of technical subjects by breaking them down. Always refer to official documentation or seek the advice of a qualified professional for direct coding or development practices.

Understanding Primary Refresh Tokens

Before we get into the nitty-gritty, let's lay down a foundation. The PRT is an integral part of Microsoft's Azure Active Directory (Azure AD) authentication scheme. It is a multi-resource refresh token that enables applications to retrieve access tokens for different resources without requiring the user to re-authenticate, provided the initial user sign-in is valid.

The PRT is issued to clients by Azure AD upon successful authentication and contains information about the user, device, and session. It is used by applications to retrieve access tokens for secured resources, allowing Single Sign-On (SSO) capabilities across applications.

See one of my other posts for more information.

For starters, what is a Primary Refresh Token?
Some would argue that authentication relies solely on user identity, but you are incorrect 🤥

PRT on iOS Devices

Now that we understand what a PRT is, let's see how it operates on an iOS device.

  1. App Initialization: An application initializes MSAL with the necessary configuration.
  2. User Sign-In: The application prompts the user to sign in. MSAL helps facilitate this by presenting the Azure AD sign-in UI.
  3. Authentication: The user enters their credentials, which are sent securely to Azure AD for authentication.
  4. Token Issuance and software security: Upon successful authentication, Azure AD issues a PRT and an access token. The PRT is securely stored in the iOS Keychain (primary secure storage).
  5. Hardware Security: The Secure Enclave (secondary secure storage) protects the keys that are used to secure the iOS Keychain, including the key that secures the PRT. It processes requests to use the key without exposing it to the rest of the system.
  6. Resource Access: The application uses the access token to access the secured resource on behalf of the user.
  7. Token Refresh: When the access token expires, the application uses MSAL to request a new access token from Azure AD, presenting the PRT as proof of the user's session. If the PRT has also expired, the user may need to sign in again.

Security Aspects

The usage of PRTs in this manner brings several security benefits.

  • The use of the iOS keychain to store PRTs provides a secure storage mechanism, protecting the tokens from theft or misuse.
  • Each PRT is tied to the user's device, providing an additional layer of security. If the PRT is somehow stolen, it cannot be used on a different device.
  • The automatic refresh of the PRT ensures that even if a PRT is somehow compromised, it has a limited window of usability.

Final Thoughts

The integration of Microsoft's Azure AD and Apple's iOS technologies brings together the best of both worlds, creating a secure and seamless user experience. The PRT plays a critical role in this interaction, providing SSO capabilities across applications while maintaining a high level of security.

Understanding the inner workings of these technologies is critical for any technical expert aiming to build secure applications in today's increasingly digital world. As we continue to see the evolution and interplay of technologies from giants like Microsoft and Apple, we can look forward to more innovative and secure solutions in the future.