Developerguide Preview
Trimble Identity .NET MAUI SDK Developer Guide
Section titled “Trimble Identity .NET MAUI SDK Developer Guide”Contents
Section titled “Contents”- Overview
- Authentication with Trimble Identity
- Platform differences
- Configure Client
- Code Snippets
- Samples
- FAQ
The Trimble Identity MAUI SDK is a .NET MAUI Class Library that implements the PKCE OAuth grant, which is used to secure authorization codes in public clients with custom URI scheme redirects (Android/iOS) and http scheme redirects (Windows).
.NET MAUI TID SDK MobileAuthenticator lets you start the authentication flow and listens to callback to a specific redirect URI registered in the application.
This SDK helps to authenticate users by exposing functionalities like,
- Login
- Logout
- Handling redirect
- Retrieve Access Token
- Retrieve User Information
- Know a Logged in state
Once the authorization flow is completed in the browser, application will redirect to a URI specified as part of the authorization request, providing the response via query parameters. In order for your app to capture this response:
- Android/iOS: uses a custom scheme based redirect URI (
scheme://path) - Windows: uses a http scheme based redirect URI (
http://localhost:port/callback)- For example: http://localhost/callback, http://127.0.0.1:3000/login
To utilize TID authentication, your identity application must be registered with Trimble Identity. You can conveniently handle the application registration process on Trimble Developer Console.
This section explains the platform-specific differences in MobileAuthenticator when authentication is launched in a browser.
=== “Android” Custom Tabs are used whenever available, otherwise the system browser is used as a fallback.
=== “iOS” Depending on the iOS version, behavior differs:
- <b>iOS 12 or higher:</b>ASWebAuthenticationSession is used.- <b>iOS 11:</b>SFAuthenticationSession is used.- <b>Older iOS versions:</b> SFSafariViewController is used if available; otherwise Safari is used.=== “Windows” The default system browser is used.
Create a single instance of the MobileAuthenticator which will remain for the lifetime of the application. The registration of this object requiring dependency injection should be performed in the CreateMauiApp method of MauiProgram class.
To access the MobileAuthenticator functionality, the following platform-specific setup is required.
=== “Android”
Android requires an Intent Filter setup to handle your callback URI. This is accomplished by inheriting from the WebAuthenticatorCallbackActivity class:
:::note[Android]
```csharp
using Android.App;
using Android.Content.PM;
namespace YourNameSpace;
[Activity(NoHistory = true, LaunchMode = LaunchMode.SingleTop, Exported = true)][IntentFilter(new[] { Android.Content.Intent.ActionView }, Categories = new[] { Android.Content.Intent.CategoryDefault, Android.Content.Intent.CategoryBrowsable }, DataScheme = CALLBACK_SCHEME)]public class WebAuthenticationCallbackActivity : Microsoft.Maui.Authentication.WebAuthenticatorCallbackActivity{ const string CALLBACK_SCHEME = "<CUSTOM_URI_SCHEME>";}```
If your project's Target Android version is set to Android 11 (R API 30) or higher, you must update your Android Manifest with queries that use Android's package visibility requirements.
In the Platforms/Android/AndroidManifest.xml file, add the following queries/intent nodes in the manifest node:
```xml<queries><intent> <action android:name="android.support.customtabs.action.CustomTabsService" /></intent></queries>```:::=== “iOS”
:::note[iOS]Add your app's callback URI pattern to the Platforms/iOS/Info.plist and Platforms/MacCatalyst/Info.plist files:
```xml<key>CFBundleURLTypes</key><array> <dict> <key>CFBundleURLName</key> <string>App Name</string> <key>CFBundleURLSchemes</key> <array> <string>CUSTOM_URI_SCHEME</string> </array> <key>CFBundleTypeRole</key> <string>Editor</string> </dict></array>```:::=== “Windows”
:::note[Windows]No platform-specific setup is required. The SDK internally handles the redirect.
SDK starts a `LocalhostListener` and listens for callback on the specified localhost redirect uri. When callback is received SDK internally validates the code and returns `isLoggedIn` as true if login was successful.:::Enable offline authentication by setting EnableOfflineAuthentication = true in MobileAuthenticatorOptions (default: false).
- When enabled,
mobileAuthenticator.Login()presents an offline sign‑in page that lets users authenticate with their previously registered passkey (biometric/PIN). - On success, the SDK restores the user session and serves tokens from the secure cache created during an earlier online sign-in.
Prerequisite
- At least one successful online login on the device (to register the passkey and cache tokens).
This SDK supports multi-user workflows and offline authentication with passkeys, enabling secure login without an active internet connection. You can:
- Switch between users
- Add or remove user accounts
- Work seamlessly across online and offline states
Supported operations
AddAccountrequires the device to be online; operation observestimeoutInMsand can be cancelled.SwitchAccountprompts the user to re-authenticate; throws if the target account does not exist.GetAccounts,RemoveAccount, andGetActiveAccountrequire that a user is logged in.- Configure maximum accounts when creating
MultiUserAccountManager(default: 5, Allowed range: 1–10).
A logged-in user is required to perform any of these operations.
The SDK uses Secure Storage for token persistence. It stores data in key and value pairs and gets deleted once the app is uninstalled. Each platform uses the platform provided native API’s for storing data securely:
-
Android: Encryption keys are stored in KeyStore and encrypted data is stored in a named shared preference container (PackageId.Microsoft.Maui.Essentials). As a best practice, you can choose to disable Auto Backup for your application, or You can create a custom rule set to exclude Secure Store items from being backed up.
-
iOS: Data is stored in KeyChain. When developing on the iOS simulator, enable the Keychain entitlement and add a keychain access group for the application’s bundle identifier. For more details refer secure storage on iOS Simulator
-
Windows: DataProtectionProvider is used to encrypt values and it is stored in ApplicationData.Current.LocalSettings, inside a container with a name of [YOUR-APP-ID].microsoft.maui.essentials.preferences.
To disable Secure storage, set EnableTokenPersistence to false in MobileAuthenticatorOptions while instantiating MobileAuthenticator.
Summary
Log the user in. On Login, MobileAuthenticator launches the browser and listens to a callback redirect by invoking OnReceive() to complete authorization flow.
Returns
true if the user was successfully logged in
Summary
Log the user out.
Returns
true if the user was successfully logged out
Set singleSignOut to true to sign out of all SSO session. On Logout, MobileAuthenticator launches the browser and listens for callback redirect using OnReceive() to complete Logout when singleSignOut = true . The same OnReceive() method handles redirect for Login and Logout.
By default singleSignOut is set to false when Logout() is invoked which helps user to logout without clearing the browser session.
Summary
Retrieves access token of authenticated user.
NOTE: If the access token has expired, then the SDK refreshes the access token internally and returns the new access token.
Returns
Access token of authenticated user
Summary
Get the logged in state
Example: How to get the logged-in user info
Section titled “Example: How to get the logged-in user info”Summary
Validates the ID token and returns user claims
Returns
User claims from the ID token
MultiUserAccountManager is responsible for managing user accounts in a multi-user environment
Use the links below to jump to a specific operation:
- Initialize manager
- Add account
- Switch account
- List accounts
- Get active account
- Remove account
- Check capacity
Initializes a new instance of the MultiUserAccountManager class.
Add a new account.
Switch to an existing account.
Retrieve a list of all stored accounts.
Retrieve the currently active account.
Remove a specific account by its Id.
Check if more accounts can be added.
Explore working examples in the repository:
- MauiSampleApp: samples/identity/MauiSampleApp
- MauiMultiUserAccountSampleApp: samples/identity/MauiMultiUserAccountSampleApp
Do you have questions? Do not worry, we have prepared a complete FAQ answering the most common questions.