Add Mac Catalyst auth workaround and token persistence

MSAL.NET doesn't ship a maccatalyst TFM (issue #3527), so the generic
.NET assembly is used at runtime. This causes two problems:

1. AcquireTokenInteractive throws PlatformNotSupportedException because
   the generic assembly has no system browser integration.
2. The token cache is in-memory only — tokens are lost on app restart.

Auth fix: Add MacCatalystWebUi implementing ICustomWebUi, which drives
ASWebAuthenticationSession directly. Wired up via a WithMacCatalystWebView()
extension method on AcquireTokenInteractiveParameterBuilder.

Persistence fix: Enable SecureStorage-based token cache serialization for
Mac Catalyst (same mechanism already used on Windows).

Both workarounds reference MSAL issue #3527 and can be removed once MSAL
ships native Mac Catalyst support.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: mattleibow

10.0/MauiBlazorWebEntra/MauiBlazorWebEntra/Platforms/MacCatalyst/MacCatalystWebUi.cs

@@ -0,0 +1,99 @@
+using AuthenticationServices;
+using Foundation;
+using Microsoft.Identity.Client.Extensibility;
+using UIKit;
+
+namespace Microsoft.Identity.Client;
+
+/// <summary>
+/// Extension method to configure Mac Catalyst authentication using
+/// ASWebAuthenticationSession. MSAL doesn't ship a maccatalyst TFM yet,
+/// so the built-in system browser flow throws PlatformNotSupportedException.
+/// This provides an equivalent experience using ICustomWebUi.
+///
+/// Remove this file once MSAL ships Mac Catalyst support:
+/// https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3527
+/// </summary>
+internal static class MacCatalystWebViewExtensions
+{
+    /// <summary>
+    /// Configures the interactive token request to use ASWebAuthenticationSession
+    /// on Mac Catalyst, working around the missing maccatalyst TFM in MSAL.
+    /// Replace with <c>.WithSystemWebViewOptions(new SystemWebViewOptions())</c>
+    /// once MSAL ships Mac Catalyst support.
+    /// </summary>
+    public static AcquireTokenInteractiveParameterBuilder WithMacCatalystWebView(
+        this AcquireTokenInteractiveParameterBuilder builder) =>
+        builder.WithCustomWebUi(new MacCatalystWebUi());
+
+    private class MacCatalystWebUi : ICustomWebUi
+    {
+        public async Task<Uri> AcquireAuthorizationCodeAsync(
+            Uri authorizationUri, Uri redirectUri, CancellationToken cancellationToken)
+        {
+            var tcs = new TaskCompletionSource<Uri>();
+
+            using var registration = cancellationToken.Register(() => tcs.TrySetCanceled());
+
+            var callbackScheme = redirectUri.Scheme;
+
+            MainThread.BeginInvokeOnMainThread(() =>
+            {
+                // The callback-based constructor is deprecated on macCat 17.4+ in favor
+                // of ASWebAuthenticationSessionCallback, but remains the simplest approach
+                // for broad compatibility. Suppress the warning until MSAL ships native
+                // Mac Catalyst support and this file can be deleted entirely.
+#pragma warning disable CA1422
+                var session = new ASWebAuthenticationSession(
+                    new NSUrl(authorizationUri.AbsoluteUri),
+                    callbackScheme,
+                    (callbackUrl, error) =>
+                    {
+                        if (error is not null)
+                        {
+                            if (error.Code == (long)ASWebAuthenticationSessionErrorCode.CanceledLogin)
+                                tcs.TrySetException(new MsalClientException(
+                                    "authentication_canceled", "User canceled authentication."));
+                            else
+                                tcs.TrySetException(new Exception(
+                                    $"ASWebAuthenticationSession error: {error.LocalizedDescription}"));
+                        }
+                        else if (callbackUrl is not null)
+                        {
+                            tcs.TrySetResult(new Uri(callbackUrl.ToString()));
+                        }
+                        else
+                        {
+                            tcs.TrySetException(new Exception(
+                                "No callback URL received from ASWebAuthenticationSession."));
+                        }
+                    });
+#pragma warning restore CA1422
+
+                session.PresentationContextProvider = new PresentationContextProvider();
+                session.PrefersEphemeralWebBrowserSession = false;
+
+                if (!session.Start())
+                {
+                    tcs.TrySetException(new Exception("Failed to start ASWebAuthenticationSession."));
+                }
+            });
+
+            return await tcs.Task;
+        }
+
+        private class PresentationContextProvider : NSObject, IASWebAuthenticationPresentationContextProviding
+        {
+            public UIWindow GetPresentationAnchor(ASWebAuthenticationSession session)
+            {
+                var scene = UIApplication.SharedApplication.ConnectedScenes
+                    .OfType<UIWindowScene>()
+                    .FirstOrDefault();
+
+                return scene?.KeyWindow
+                    ?? scene?.Windows.FirstOrDefault()
+                    ?? throw new InvalidOperationException("No window found for authentication presentation.");
+            }
+        }
+    }
+}

10.0/MauiBlazorWebEntra/MauiBlazorWebEntra/Services/MsalServiceExtensions.cs

@@ -26,9 +26,12 @@ public static IServiceCollection AddMsalClient(this IServiceCollection services)
 
         var msalClient = msalBuilder.Build();
 
-#if WINDOWS
-        // Use .NET MAUI secure storage for Windows as Android and iOS automatically
-        // persist using native platform features.
+#if WINDOWS || MACCATALYST
+        // MSAL persists tokens natively on iOS (Keychain) and Android (SharedPreferences).
+        // Windows and Mac Catalyst need manual persistence — Windows because it uses a
+        // generic .NET assembly, Mac Catalyst because MSAL doesn't ship a maccatalyst TFM yet.
+        // Remove MACCATALYST from this condition once MSAL ships Mac Catalyst support:
+        // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3527
         msalClient.EnableSecureStorageTokenCachePersistence();
 #endif
 
@@ -78,10 +81,19 @@ public static AcquireTokenInteractiveParameterBuilder WithPlatformOptions(this A
 
         return builder.WithParentActivityOrWindow(activity);
 
-#elif IOS || MACCATALYST
+#elif IOS
 
         return builder.WithSystemWebViewOptions(new SystemWebViewOptions());
 
+#elif MACCATALYST
+
+        // MSAL doesn't ship a maccatalyst TFM yet, so WithSystemWebViewOptions
+        // throws PlatformNotSupportedException. Use WithMacCatalystWebView() which
+        // drives ASWebAuthenticationSession via ICustomWebUi.
+        // Remove this #elif once MSAL ships Mac Catalyst support:
+        // https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3527
+        return builder.WithMacCatalystWebView();
+
 #elif WINDOWS
 
         if (IPlatformApplication.Current?.Application is not IApplication app)

10.0/MauiBlazorWebEntra/README.md

@@ -71,6 +71,29 @@ To remove the Azure app registrations:
 pwsh ./scripts/Teardown-Azure.ps1
 ```
 
+## Known Issues
+
+### Windows: MSAL token cache is not persisted by default
+
+On iOS and Android, MSAL persists tokens automatically using native platform features (Keychain and SharedPreferences respectively). On Windows, the generic .NET assembly does not include built-in token persistence, so tokens would be lost when the app restarts.
+
+This sample calls `EnableSecureStorageTokenCachePersistence()` to persist the MSAL token cache using .NET MAUI [`SecureStorage`](https://github.com/dotnet/maui/blob/main/src/Essentials/src/SecureStorage/SecureStorage.windows.cs), which encrypts data using [`DataProtectionProvider("LOCAL=user")`](https://learn.microsoft.com/uwp/api/windows.security.cryptography.dataprotection.dataprotectionprovider) scoped to the current Windows user.
+
+### Mac Catalyst: MSAL does not ship a `maccatalyst` TFM
+
+MSAL.NET (as of v4.x) does not include a `net*-maccatalyst` target framework. When running on Mac Catalyst, the app loads the generic .NET assembly instead of a platform-specific one. This causes two problems:
+
+1. **System browser auth throws `PlatformNotSupportedException`** — MSAL's browser-based interactive login is not implemented in the generic assembly.
+2. **Token cache is not persisted** — the generic assembly has no native token persistence, so users must sign in again every time the app restarts.
+
+#### Workarounds in this sample
+
+**Authentication:** A custom [`ICustomWebUi`](MauiBlazorWebEntra/Platforms/MacCatalyst/MacCatalystWebUi.cs) implementation uses Apple's `ASWebAuthenticationSession` to handle the interactive login flow. It is wired up via a `WithMacCatalystWebView()` extension method in [`MsalServiceExtensions.cs`](MauiBlazorWebEntra/Services/MsalServiceExtensions.cs).
+
+**Token persistence:** The `SecureStorage`-based token cache (normally used only on Windows) is also enabled for Mac Catalyst so that tokens survive app restarts.
+
+Both workarounds include comments referencing [MSAL issue #3527](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/3527) and can be removed once MSAL ships native Mac Catalyst support.
+
 ## Key Differences from MauiBlazorWebIdentity
 
 | Aspect | MauiBlazorWebIdentity | MauiBlazorWebEntra |