Apps Authenticating and Authorizing Your Mobile and Azure AD - Slides.pdf (transcript)
Xamarin and Azure AD
Authenticating and Authorizing Your Mobile Apps
Basic Active Directory Terms
● Domain: A directory of users, groups, roles, etc.
● User: An individual account
● Group: A collection of other users and groups
● Role: Something that can be assigned to users and groups and defines a level of access (e.g. Editor, Reviewer, Publisher, Author, Administrator)
Azure Active Directory Terms
● Tenant: A dedicated Active Directory instance hosted by Azure but controlled by an organization
● Application: A piece of software that needs to integrate with Azure AD, such as an MVC application, mobile app, or Web API
● Multi-tenanted application: An application that allows access from multiple tenants
● Graph API: A RESTful API that Microsoft has exposed that provides information and management options
● Authority: The URL used to authenticate the user, https://login.windows.net/{tenantId|common} (login.windows.net is the older host name for the Azure AD v1 endpoint; https://login.microsoftonline.com/{tenantId|common} is the current one and accepts the same paths)
Managing Azure Active Directory
● Currently you have to use the “classic” Azure portal to manage AAD (https://manage.windowsazure.com)
● The web UI has the ability to manage some of the settings
● Each application has a JSON manifest file that can be edited directly and that exposes a few other settings
● Microsoft has a comprehensive REST API, https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog, that exposes pretty much everything else
Why Azure Active Directory?
● It is reachable from anywhere (no VPN necessary)
● It can sync with your onsite Active Directory
● It is relatively easy to integrate with any type of application
● You can join a Windows 10 computer to an AAD domain for authentication similar to an onsite AD domain
● If you pay for basic or premium editions of AAD then you can skin and brand the authentication page with your company’s information
Registering the Backend Application
● The backend application should be registered as a “Web Application” in Azure Active Directory
● Users and groups can be granted access to the application
● Roles can be defined specifically for the application and assigned to users and groups
● The app can enable group claims, which adds the user’s group memberships (as group object IDs, not names) to the JWT; Azure AD caps the number of groups it embeds (200 for a JWT) and emits an overage claim instead when the user exceeds it, so the backend must be prepared to look the groups up via the Graph API in that case
● You will probably want to use Bearer token authentication for the WebApi controllers that are exposed to your mobile application
Registering the Mobile Application
● The mobile application should be registered as a “Native client application” in AAD
● You will also need to configure the app in AAD to ask for permissions from other applications (i.e. your WebApi)
● Your mobile app in AAD is a “thin” client and will delegate authorization to the registered backend applications
Authentication Restrictions
● Authentication can be thought of as a user requesting access to a resource from a given client
● The user must authenticate successfully with AAD
● The user must have access to the requested resource (the WebApi application)
● The client (the mobile app) must have been configured with the WebApi application as a required resource
● If any of those three conditions fails, the user will not be granted an access token
How AAD Auth Works
● You do not have to manually implement an OAuth2 flow
● ADAL will give you an access token for each resource
● ADAL caches these access tokens along with a refresh token in the local token cache
● ADAL will attempt to use a refresh token to get a new access token as needed, but will not expose the refresh token to the developer
● ADAL will use the refresh token obtained for any resource to generate an access token for any other resource (this is important to remember when implementing logout functionality)
Refresh Token Details
● Users should only have to authenticate with AAD once, regardless of how many resources they are accessing
● Refresh tokens are multi-resource refresh tokens
● As long as you have a refresh token for any resource, you will not be presented with a UI to reauthenticate
● When logging a user out, you need to make sure to clear all of their cached tokens (each cached entry carries a refresh token, not only an access token)
Auth Modes
● AcquireTokenAsync - attempts to acquire or refresh an existing access token and presents a UI to have the user authenticate with Azure AD if needed
● AcquireTokenSilentAsync - attempts to use or refresh an existing access token and fails if UI interaction is needed
● AcquireTokenByAuthorizationCodeAsync - If you are plugging into a web application that receives an authorization code from AAD, you can use this to exchange that auth code for an access token that is cached in the token cache
Auth Modes (continued)
● AcquireDeviceCodeAsync - useful for cases when a device may not be able to present a UI to the user. It returns a DeviceCodeResult containing a verification URL and a user code to show the user, plus the device code that ADAL later uses to poll AAD
● AcquireTokenByDeviceCodeAsync - takes that DeviceCodeResult and polls AAD until the user has finished signing in at the URL (or the code expires), then retrieves and caches an access token. Even though the device code grants access, other calls to AcquireToken* will use the cached access/refresh tokens
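The two device-code calls above, as an added example written for this transcript (it is not code from the deck or from the linked sample repositories). The authority, client id and resource id are placeholders that the app author fills in from the AAD registration; ADAL's `AuthenticationContext`, `AcquireDeviceCodeAsync`, `DeviceCodeResult` and `AcquireTokenByDeviceCodeAsync` are the real ADAL 3.x API.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class DeviceCodeSignIn
{
    // Placeholder identifiers; replace with the values from your AAD registration.
    private const string Authority  = "https://login.windows.net/common";
    private const string ClientId   = "00000000-0000-0000-0000-000000000000";   // native client app
    private const string ResourceId = "https://contoso.onmicrosoft.com/SampleBackend"; // WebApi App ID URI

    public static async Task<AuthenticationResult> SignInAsync()
    {
        var ctx = new AuthenticationContext(Authority);

        // Step 1: ask AAD for a device code. This returns immediately with the user-facing
        // verification URL and user code, plus the device code ADAL uses to poll.
        DeviceCodeResult codeResult = await ctx.AcquireDeviceCodeAsync(ResourceId, ClientId);

        // Show the user what to do on another device (phone, laptop). Message already contains
        // the verification URL and the user code; the device code itself stays with the app.
        Console.WriteLine(codeResult.Message);
        Console.WriteLine($"Code expires at {codeResult.ExpiresOn:u}");

        // Step 2: poll AAD until the user finishes. If the code expires first, ADAL throws
        // AdalException. The tokens go into the context's cache, so later
        // AcquireTokenSilentAsync calls for any resource reuse the multi-resource refresh token.
        AuthenticationResult result = await ctx.AcquireTokenByDeviceCodeAsync(codeResult);

        Console.WriteLine($"Signed in as {result.UserInfo.DisplayableId}, token valid until {result.ExpiresOn:u}");
        return result;
    }
}
```

The flow is meant for devices without a browser (or where typing a password is impractical); on a phone the interactive `AcquireTokenAsync` is the normal path.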
Setting Up Your Code
● Install the Microsoft.IdentityModel.Clients.ActiveDirectory (a.k.a. ADAL) NuGet package
● Determine if you are going to be authenticating against multiple tenants
● Your authority should be https://login.windows.net/{tenantId} or https://login.windows.net/common if you are multi-tenanted
● Find your mobile application’s client id
● Find the resource id for the backend service (the App ID URI of the WebApi registration)
● Find the redirect uri for your mobile app that you specified in the AAD setup
Performing Authentication
Completing Android Authentication
Silently Authenticating
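The "Setting Up Your Code", "Performing Authentication", "Completing Android Authentication" and "Silently Authenticating" steps put together, as an added example for this transcript (not the deck's own code, nor the AzureAdMobile sample's). The `AadConfig` values are placeholders from the AAD registration and `AadAuthenticator` is a name chosen here; the ADAL calls (`AcquireTokenSilentAsync`, `AcquireTokenAsync`, `PlatformParameters`, `AuthenticationAgentContinuationHelper`) and the `AdalSilentTokenAcquisitionException` type are the real ADAL 3.x Xamarin.Android API.

```csharp
using System;
using System.Threading.Tasks;
using Android.App;
using Android.Content;
using Android.OS;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Placeholder values; fill these in from the AAD registrations of the two applications.
public static class AadConfig
{
    // Single tenant: https://login.windows.net/{tenantId}; multi-tenant: https://login.windows.net/common
    public const string Authority  = "https://login.windows.net/common";
    public const string ClientId   = "00000000-0000-0000-0000-000000000000";       // native client app
    public const string ResourceId = "https://contoso.onmicrosoft.com/SampleBackend"; // WebApi App ID URI
    public static readonly Uri RedirectUri = new Uri("http://localhost/sampleapp");   // as registered in AAD
}

public class AadAuthenticator
{
    // One context per authority; it owns the token cache (TokenCache.DefaultShared by default).
    private readonly AuthenticationContext _ctx = new AuthenticationContext(AadConfig.Authority);

    // Cache first (access token, or a multi-resource refresh token for any resource); UI only when required.
    public async Task<AuthenticationResult> GetTokenAsync(Activity activity)
    {
        try
        {
            return await _ctx.AcquireTokenSilentAsync(AadConfig.ResourceId, AadConfig.ClientId);
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // Nothing usable in the cache: fall through to interactive sign-in.
        }

        // Interactive: AAD checks all three restrictions (user authenticates, user is assigned to the
        // WebApi, mobile app lists the WebApi as a required resource). A failure is an AdalException.
        return await _ctx.AcquireTokenAsync(
            AadConfig.ResourceId, AadConfig.ClientId, AadConfig.RedirectUri,
            new PlatformParameters(activity));
    }
}

[Activity(Label = "Main", MainLauncher = true)]
public class MainActivity : Activity
{
    private readonly AadAuthenticator _auth = new AadAuthenticator();

    protected override async void OnCreate(Bundle bundle)
    {
        base.OnCreate(bundle);
        try
        {
            AuthenticationResult result = await _auth.GetTokenAsync(this);
            // Send result.AccessToken as "Authorization: Bearer <token>" to the WebApi.
            // Never log the raw token; result.UserInfo.DisplayableId and result.ExpiresOn are safe to log.
            Console.WriteLine($"Signed in as {result.UserInfo.DisplayableId}, expires {result.ExpiresOn:u}");
        }
        catch (AdalException ex)
        {
            // ex.ErrorCode identifies which restriction failed; show a sign-in error to the user.
            Console.WriteLine($"Sign-in failed: {ex.ErrorCode}");
        }
    }

    // Android only: ADAL's sign-in page runs in its own activity (a WebView). Hand its result back to
    // ADAL so the pending AcquireTokenAsync task completes; without this the await never returns.
    protected override void OnActivityResult(int requestCode, Result resultCode, Intent data)
    {
        base.OnActivityResult(requestCode, resultCode, data);
        AuthenticationAgentContinuationHelper.SetAuthenticationAgentContinuationEventArgs(
            requestCode, resultCode, data);
    }
}
```

Calling the silent method first and only falling back to the interactive one is what keeps the "authenticate once, many resources" promise from the Refresh Token Details slide; the interactive call is also the only place where a user can be prompted for consent or MFA.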
Bearer Authentication - Backend Service
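A bearer-token configuration for the backend WebApi, added here as an example for this transcript (not the deck's own code, nor the SampleAzureADBackend repository's). It uses the OWIN `Microsoft.Owin.Security.ActiveDirectory` middleware that classic ASP.NET Web API projects of this era use; the tenant, App ID URI, group object id, `SampleBackend` namespace and `ItemsController` are placeholders chosen here.

```csharp
using System.IdentityModel.Tokens;      // TokenValidationParameters (System.IdentityModel.Tokens.Jwt 4.x)
using System.Net;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

[assembly: OwinStartup(typeof(SampleBackend.Startup))]

namespace SampleBackend
{
    public class Startup
    {
        // Placeholder values from the "Web Application" registration; replace with your own.
        private const string Tenant   = "contoso.onmicrosoft.com";
        private const string AppIdUri = "https://contoso.onmicrosoft.com/SampleBackend";

        public void Configuration(IAppBuilder app)
        {
            // The middleware downloads the tenant's OpenID metadata (issuer and signing keys) and
            // validates signature, issuer, lifetime and audience on every "Authorization: Bearer" request.
            app.UseWindowsAzureActiveDirectoryBearerAuthentication(
                new WindowsAzureActiveDirectoryBearerAuthenticationOptions
                {
                    Tenant = Tenant,
                    TokenValidationParameters = new TokenValidationParameters
                    {
                        // Must equal the resource id the mobile app asked ADAL for. Without it, a token
                        // minted for another API in the same tenant (different "aud") would be accepted.
                        ValidAudience = AppIdUri,
                        // App roles defined in the WebApi manifest arrive in the "roles" claim.
                        RoleClaimType = "roles",
                        // Multi-tenant API: set this to false and check the "tid" claim against an
                        // explicit allow-list yourself; /common means AAD will not do it for you.
                        ValidateIssuer = true,
                    },
                });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    [Authorize]   // any user assigned to the app may read
    public class ItemsController : ApiController
    {
        [HttpGet, Route("api/items")]
        public IHttpActionResult Get()
        {
            return Ok(new { user = User.Identity.Name, items = new[] { "alpha", "beta" } });
        }

        // Only users or groups assigned the "Editor" app role in AAD may write.
        [Authorize(Roles = "Editor")]
        [HttpPost, Route("api/items")]
        public IHttpActionResult Post([FromBody] string item) => Ok(item);

        // Authorization by group claim. Group claims are group object ids, not names, and if the user
        // is in more groups than AAD will embed (200 for a JWT) the token carries an overage claim
        // instead, so this check must fall back to a Graph API lookup in that case.
        [HttpDelete, Route("api/items/{id}")]
        public IHttpActionResult Delete(string id)
        {
            const string AdminsGroupObjectId = "11111111-1111-1111-1111-111111111111"; // placeholder
            if (!((ClaimsPrincipal)User).HasClaim("groups", AdminsGroupObjectId))
                return StatusCode(HttpStatusCode.Forbidden);
            return Ok();
        }
    }
}
```

The audience check is the piece that enforces the "user must have access to the requested resource" restriction on the API side: a caller who holds a perfectly valid AAD token for some other application still gets a 401 here.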
Token Cache
● ADAL has a default token cache that it uses for access and refresh tokens
● You can pass in a custom token cache when creating the AuthenticationContext in case you wanted to do something like store them in a DB or in a file
● Your custom class doesn’t directly interact with the in-memory cache since Microsoft controls that, but you can sync a custom cache store with the in-memory cache
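How the sync between a custom store and ADAL's in-memory cache works in practice, as an added example for this transcript (not the deck's code). `TokenCache`, its `BeforeAccess`/`AfterAccess` callbacks, `HasStateChanged`, `Serialize` and `Deserialize` are the real ADAL 3.x API; `ISecureBlobStore` and `PersistentTokenCache` are names chosen here, and the store implementation is assumed to be supplied by the app on top of platform-protected storage (Android Keystore-backed preferences, iOS Keychain, or a wrapper such as Xamarin.Essentials SecureStorage), because the serialized blob contains the refresh tokens.

```csharp
using System;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical abstraction over platform-protected storage. The app supplies the implementation;
// the serialized cache holds refresh tokens, so it must never be written to a plain file or prefs.
public interface ISecureBlobStore
{
    byte[] Load(string key);            // returns null when nothing has been stored yet
    void Save(string key, byte[] data);
}

public class PersistentTokenCache : TokenCache
{
    private const string Key = "adal.cache";
    private readonly ISecureBlobStore _store;
    private readonly object _lock = new object();

    public PersistentTokenCache(ISecureBlobStore store)
    {
        _store = store ?? throw new ArgumentNullException(nameof(store));
        // ADAL raises BeforeAccess before every read or write of its in-memory cache and
        // AfterAccess afterwards; these two hooks are the only sync points you get.
        BeforeAccess = OnBeforeAccess;
        AfterAccess  = OnAfterAccess;
    }

    private void OnBeforeAccess(TokenCacheNotificationArgs args)
    {
        lock (_lock)
        {
            // Pull the latest persisted state into ADAL's in-memory cache.
            byte[] blob = _store.Load(Key);
            if (blob != null)
                Deserialize(blob);
        }
    }

    private void OnAfterAccess(TokenCacheNotificationArgs args)
    {
        lock (_lock)
        {
            // Write back only when ADAL actually changed something (new token, refresh, delete).
            if (HasStateChanged)
            {
                _store.Save(Key, Serialize());
                HasStateChanged = false;
            }
        }
    }
}

// Wiring it up: the cache is handed to the context once and reused for every AcquireToken* call.
public static class AuthContextFactory
{
    public static AuthenticationContext Create(string authority, ISecureBlobStore store) =>
        new AuthenticationContext(authority, new PersistentTokenCache(store));
}
```

Because `Deserialize` replaces the whole in-memory state, a `Clear()` or `DeleteItem` on logout is also what ends up persisted on the next `AfterAccess`, which is what makes the logout procedure on the next slide stick across app restarts.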
Logging Out
● To truly log the user out you must remove all of their cached tokens, since every cached entry carries a refresh token that ADAL can use to get new access tokens for any resource
● This can be achieved by clearing the whole cache, or by reading the cache items and removing the individual items that match the user
● You should also clear any cookies that were saved from requests sent out while they were authenticated; on a device the AAD session cookie lives in the sign-in WebView, and if it survives, the next interactive sign-in can complete without prompting for credentials
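The logout procedure from this slide, as an added example for this transcript (not the deck's code). `TokenCache.ReadItems`, `TokenCacheItem.UniqueId`, `DeleteItem` and `Clear` are the real ADAL 3.x API; `Android.Webkit.CookieManager` is the Android WebView cookie store that ADAL's sign-in page uses; the `SignOut` class name is chosen here.

```csharp
using System.Linq;
using Android.Webkit;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class SignOut
{
    // Remove every cache entry for one user (multi-user app). Each TokenCacheItem carries the
    // multi-resource refresh token, so leaving a single entry behind lets AcquireTokenSilentAsync
    // succeed for any resource, i.e. the user is not actually signed out.
    // Returns the number of entries removed so the caller can verify that something was cleared.
    public static int ForgetUser(TokenCache cache, string uniqueId)
    {
        var items = cache.ReadItems()
                         .Where(i => i.UniqueId == uniqueId)
                         .ToList();
        foreach (TokenCacheItem item in items)
            cache.DeleteItem(item);
        return items.Count;
    }

    // Single-user app: drop everything.
    public static void ForgetAll(TokenCache cache) => cache.Clear();

    // ADAL on Android signs in through a WebView; AAD's session cookies live in the WebView's
    // CookieManager, not in the token cache. If they stay, the next AcquireTokenAsync can sign
    // the user straight back in via SSO without showing a credential prompt.
    public static void ClearWebViewCookies()
    {
        CookieManager cm = CookieManager.Instance;
        cm.RemoveAllCookies(null);   // API 21+; older devices use RemoveAllCookie()
        cm.Flush();
    }

    // The full procedure: tokens first (cache is the ADAL context's cache, e.g. TokenCache.DefaultShared),
    // then the browser session.
    public static int SignOutUser(TokenCache cache, string uniqueId)
    {
        int removed = ForgetUser(cache, uniqueId);
        ClearWebViewCookies();
        return removed;
    }
}
```

`uniqueId` is the value of `AuthenticationResult.UserInfo.UniqueId` from the sign-in; matching on it rather than on the displayable UPN avoids clearing the wrong user when a UPN has been renamed.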
MSAL (preview)
● Microsoft is currently developing a new authentication library - Microsoft Authentication Library (MSAL)
● This is the successor library to ADAL and it includes a unified API to authenticate against Azure AD, Azure B2C, and Microsoft Accounts
● Your app would need to be registered in Azure, but you will not need an Azure account to do that
● Azure B2C currently supports Facebook, Google+, LinkedIn, Amazon, and Microsoft accounts
Demo
Contact Details
● https://github.com/jpeters5392/AzureAdMobile
● https://github.com/jpeters5392/SampleAzureADBackend
● https://www.linkedin.com/in/joelpeterson2