
Xamarin and Azure AD: Authenticating and Authorizing Your Mobile Apps (PowerPoint PPT Presentation)



  1. Xamarin and Azure AD Authenticating and Authorizing Your Mobile Apps

  2. Basic Active Directory Terms
     Domain: A directory of users, groups, roles, etc.
     User: An individual account
     Group: A collection of other users and groups
     Role: Something that can be assigned to users and groups and defines a level of access (e.g. Editor, Reviewer, Publisher, Author, Administrator)

  3. Azure Active Directory Terms
     Tenant: A dedicated Active Directory instance hosted by Azure but controlled by an organization
     Application: A piece of software that needs to integrate with Azure AD, such as an MVC application, mobile app, or Web API
     Multi-tenanted application: An application that allows access from multiple tenants
     Graph API: A RESTful API that Microsoft has exposed that provides information and management options
     Authority: The URL used to authenticate the user, https://login.windows.net/{tenantId|common}

  4. Managing Azure Active Directory
     ● Currently you have to use the “classic” Azure portal to manage AAD (https://manage.windowsazure.com)
     ● The web UI has the ability to manage some of the settings
     ● Each application has a JSON manifest file that can be edited directly and that exposes a few other settings
     ● Microsoft has a comprehensive REST API, https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog, that exposes pretty much everything else

  5. Why Azure Active Directory?
     ● It is reachable from anywhere (no VPN necessary)
     ● It can sync with your onsite Active Directory
     ● It is relatively easy to integrate with any type of application
     ● You can join a Windows 10 computer to an AAD domain for authentication similar to an onsite AD domain
     ● If you pay for basic or premium editions of AAD then you can skin and brand the authentication page with your company’s information

  6. Registering the Backend Application
     ● The backend application should be registered as a “Web Application” in Azure Active Directory
     ● Users and groups can be granted access to the application
     ● Roles can be defined specifically for the application and assigned to users and groups
     ● The app can enable group claims, which adds the user’s group memberships to the JWT token
     ● You will probably want to use Bearer token authentication for the WebApi controllers that are exposed to your mobile application

  7. Registering the Mobile Application
     ● The mobile application should be registered as a “Native client application” in AAD
     ● You will also need to configure the app in AAD to ask for permissions from other applications (i.e. your WebApi)
     ● Your mobile app in AAD is a “thin” client and will delegate authorization to the registered backend applications

  8. Authentication Restrictions
     ● Authentication can be thought of as a user requesting access to a resource from a given client
     ● The user must authenticate successfully with AAD
     ● The user must have access to the requested resource (WebApi application)
     ● The client (mobile app) must have been configured with the WebApi application as a required resource
     ● If any of those three conditions fail then the user will not be granted an access token

  9. How AAD Auth Works
     ● You do not have to manually implement an OAuth2 flow
     ● ADAL will give you an access token for each resource
     ● ADAL caches these access tokens along with a refresh token in the local token cache
     ● ADAL will attempt to use a refresh token to get a new access token as needed, but will not expose the refresh token to the developer
     ● ADAL will use a refresh token for any resource to generate an access token (this is important to remember when implementing logout functionality)

  10. Refresh Token Details
     ● Users should only have to authenticate with AAD once, regardless of how many resources they are accessing
     ● Refresh tokens are multi-resource refresh tokens
     ● As long as you have a refresh token for any resource, you will not be presented with a UI to reauthenticate
     ● When logging a user out, you need to make sure to clear all of their cached access tokens

  11. Auth Modes
     ● AcquireTokenAsync - attempts to acquire or refresh an existing access token and presents a UI to have the user authenticate with Azure AD if needed
     ● AcquireTokenSilentAsync - attempts to use or refresh an existing access token and fails if UI interaction is needed
     ● AcquireTokenByAuthorizationCodeAsync - if you are plugging into a web application that receives an authorization code from AAD, you can use this to exchange that auth code for an access token that is cached in the token cache

  12. Auth Modes (continued)
     ● AcquireDeviceCodeAsync - useful for cases when a device may not be able to present a UI to the user. It will give the user a URL and a security code, and will poll AAD to receive a device code once the user has finished entering that code at that URL
     ● AcquireTokenByDeviceCodeAsync - this will retrieve and cache an access token in the cache using the device code. Even though the device code grants access, other calls to AcquireToken* will use the cached access/refresh tokens

  13. Setting Up Your Code
     ● Install the Microsoft.IdentityModel.Clients.ActiveDirectory (a.k.a. ADAL) NuGet package
     ● Determine if you are going to be authenticating against multiple tenants
     ● Your authority should be https://login.windows.net/{tenantId}, or https://login.windows.net/common if you are multi-tenanted
     ● Find your mobile application’s client id
     ● Find the resource id for the backend service
     ● Find the redirect uri for your mobile app that you specified in the AAD setup

  14. Performing Authentication

  15. Completing Android Authentication

  16. Silently Authenticating
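Slides 14 to 16 carried their code on the slide images only. As an added example (not the presenter's demo code), this wires the values from slide 13 into a silent-first flow and adds the Android Activity hook from slide 15, written against ADAL v3 (`Microsoft.IdentityModel.Clients.ActiveDirectory`); the authority, client id, resource id and redirect URI are placeholders, and the `PlatformParameters` argument is assumed to be built by the platform project (`new PlatformParameters(this)` inside the Activity).

```csharp
using System;
using System.Threading.Tasks;
using Android.App;
using Android.Content;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class AadAuthService
{
    // Placeholders: copy these from the AAD registrations described in slide 13.
    const string Authority = "https://login.windows.net/{tenantId}";   // /common if multi-tenanted
    const string ClientId = "<mobile-app-client-id>";
    const string ResourceId = "<backend-web-api-app-id-uri>";
    static readonly Uri RedirectUri = new Uri("<redirect-uri-from-aad-setup>");

    // One context per authority; it owns the token cache (ADAL's default cache here).
    readonly AuthenticationContext _context = new AuthenticationContext(Authority);

    // platformParameters: new PlatformParameters(activity) on Android, (viewController) on iOS.
    public async Task<AuthenticationResult> GetTokenAsync(IPlatformParameters platformParameters)
    {
        try
        {
            // Silent path: reuse a cached access token or redeem the cached refresh token.
            // Refresh tokens are multi-resource, so this works for this resource once the
            // user has signed in for any other one, with no UI.
            return await _context.AcquireTokenSilentAsync(ResourceId, ClientId);
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // Nothing usable in the cache (first run, expired refresh token, signed out):
            // fall through to the interactive flow, which shows the AAD login page.
        }

        // Interactive path. AAD checks the three conditions from slide 8 (user signs in,
        // user may access the resource, client is configured for it) before issuing a token.
        return await _context.AcquireTokenAsync(ResourceId, ClientId, RedirectUri, platformParameters);
    }
}

// Android project (slide 15): the login page runs in a separate Activity, so its result must
// be handed back to ADAL here or the pending AcquireTokenAsync never completes.
public class MainActivity : Activity
{
    protected override void OnActivityResult(int requestCode, Result resultCode, Intent data)
    {
        base.OnActivityResult(requestCode, resultCode, data);
        AuthenticationAgentContinuationHelper.SetAuthenticationAgentContinuationEventArgs(
            requestCode, resultCode, data);
    }
}
```

The `AccessToken` on the returned `AuthenticationResult` is what the app sends in the `Authorization: Bearer` header to the WebApi.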

  17. Bearer Authentication - Backend Service
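Slide 17 also had its code on the image only. As an added example (not the presenter's backend code), this is an OWIN startup that validates the mobile app's bearer tokens with the `Microsoft.Owin.Security.ActiveDirectory` package, plus a controller showing role and group checks from slide 6; the tenant, audience and group object id are placeholders, and attribute routing is assumed to be enabled.

```csharp
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

// OWIN startup for the backend "Web Application" registration (slide 6).
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // Tenant the backend is registered in; the middleware fetches that tenant's
                // signing keys from AAD metadata and checks the token signature and issuer.
                Tenant = "<tenant-id-or-domain>",
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Must equal the resource id the mobile app requested a token for;
                    // a token minted for a different API fails here.
                    ValidAudience = "<backend-web-api-app-id-uri>"
                }
            });
    }
}

// The validated JWT becomes the request's ClaimsPrincipal, so normal [Authorize] applies.
// Application roles (slide 6) arrive in the "roles" claim, mapped to the standard role type.
[Authorize]
public class DocumentsController : ApiController
{
    [HttpGet, Route("api/documents")]
    public IHttpActionResult List() => Ok(new[] { "doc1", "doc2" });   // constructed sample data

    // "Publisher" is a role defined in the backend app manifest and assigned in AAD.
    [HttpPost, Route("api/documents/publish"), Authorize(Roles = "Publisher")]
    public IHttpActionResult Publish() => Ok();

    // Group claims (when enabled in the manifest) are object ids in "groups"; the id to
    // compare against is a placeholder here.
    [HttpGet, Route("api/documents/audit")]
    public IHttpActionResult Audit()
    {
        var user = (ClaimsPrincipal)User;
        bool isAuditor = user.FindAll("groups").Any(c => c.Value == "<auditor-group-object-id>");
        return isAuditor ? Ok() : (IHttpActionResult)StatusCode(HttpStatusCode.Forbidden);
    }
}
```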

  18. Token Cache
     ● ADAL has a default token cache that it uses for access and refresh tokens
     ● You can pass in a custom token cache when creating the AuthenticationContext in case you wanted to do something like store them in a DB or in a file
     ● Your custom class doesn’t directly interact with the in-memory cache since Microsoft controls that, but you can sync a custom cache store with the in-memory cache

  19. Logging Out
     ● To truly log the user out you must remove all of their access tokens so that they do not have any valid refresh tokens in the cache
     ● This can be achieved by clearing the whole cache, or serializing the cache items and manually removing the individual items that match the user
     ● You should also consider clearing any cookies that might have been saved from requests that were sent out while they were authenticated
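Slides 18 and 19 together, as an added example (not the presenter's code): a custom `TokenCache` that syncs ADAL's in-memory cache to a file through the `BeforeAccess`/`AfterAccess` notifications, and a logout routine that removes every cached item for a user so no refresh token survives. The file path is an assumption, and the platform cookie clearing is left as a comment.

```csharp
using System.IO;
using System.Linq;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Slide 18: a custom cache that mirrors ADAL's in-memory cache to a file. ADAL keeps owning
// the in-memory store; the BeforeAccess/AfterAccess notifications are where it is synced.
// Pass it in with: new AuthenticationContext(authority, new FileTokenCache(path)).
public class FileTokenCache : TokenCache
{
    readonly string _path;
    readonly object _lock = new object();

    public FileTokenCache(string path)
    {
        _path = path;
        // Before ADAL reads: load whatever the store has (another context may have written).
        BeforeAccess = args =>
        {
            lock (_lock)
                if (File.Exists(_path)) Deserialize(File.ReadAllBytes(_path));
        };
        // After ADAL writes: persist only if something changed. The blob holds refresh
        // tokens, so on a device back it with platform-protected storage, not a plain file.
        AfterAccess = args =>
        {
            if (!HasStateChanged) return;
            lock (_lock) File.WriteAllBytes(_path, Serialize());
            HasStateChanged = false;
        };
    }
}

public static class Logout
{
    // Slide 19: delete every cached item for this user. Leaving even one is enough for
    // AcquireTokenSilentAsync to mint a fresh access token for any resource from its
    // multi-resource refresh token.
    public static int SignOut(TokenCache cache, string userDisplayableId)
    {
        var items = cache.ReadItems().Where(i => i.DisplayableId == userDisplayableId).ToList();
        foreach (var item in items) cache.DeleteItem(item);
        return items.Count;
    }

    // Single-user apps can simply wipe the cache. Either way, also clear the web view's
    // cookies (CookieManager on Android, NSHttpCookieStorage on iOS) so the web view
    // does not still carry an AAD session from the earlier login.
    public static void SignOutAll(TokenCache cache) => cache.Clear();
}
```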

  20. MSAL (preview)
     ● Microsoft is currently developing a new authentication library - Microsoft Authentication Library (MSAL)
     ● This is the successor library to ADAL and it includes a unified API to authenticate against Azure AD, Azure B2C, and Microsoft Accounts
     ● Your app would need to be registered in Azure, but you will not need an Azure account to do that
     ● Azure B2C currently supports Facebook, Google+, LinkedIn, Amazon, and Microsoft accounts

  21. Demo

  22. Contact Details
     ● https://github.com/jpeters5392/AzureAdMobile
     ● https://github.com/jpeters5392/SampleAzureADBackend
     ● https://www.linkedin.com/in/joelpeterson2
