Azure Mobile App Service / Xamarin iOS client / Okta Identity Provider example - azure

Here's my current situation:
Xamarin iOS mobile app (using MobileServiceClient to login)
Azure Mobile/App Service (ASP.NET Web API) with Azure AD authentication
I would like to modify the Authentication part of this process to be handled by Okta instead of the Azure AD. How can I setup Okta or any other 3rd party Identity Provider Service similar to Okta as the ipd for both my mobile app and the api web service? Azure claims that you can use any Auth capable 3rd party provider but I don't see any way to integrate such a provider in Azure portal.
I found this url to a tutorial for custom Authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/
From this post:
IdentityServer 4 as Identity Provider for Azure App Service
Is this really the only way to do it? I would really rather keep using the server flow through MobileServiceClient and configure Azure to use the 3rd party OAuth identity provider, does any one have an example or additional information on how to do this?
Thank you for your help, maybe someone from the Azure team can enlighten us on this topic, I have not seen any documentation or examples of how to do it in their documentation so far.
Client:
Found a working library for OAuth2 and OpenID that worked for integrating with Okta:
https://github.com/openid/AppAuth-iOS
https://github.com/openid/AppAuth-iOS/tree/master/Examples
with a Xamarin wrapper:
https://github.com/xamarin/XamarinComponents/tree/master/XPlat/OpenId
Tested it with Okta for client Auth with 2 factor authentication and it works well. On to figure out the App Service part.

After more research and trial and error, I've found the right combination that works for what I'm trying to do. Here's an outline of what it is:
Okta (identity provider)
set up a native application with an Implicit (Hybrid) grant on it
Mobile Client
use an OpenID Connect component for Xamarin.iOS, in my case https://github.com/openid/AppAuth-iOS
Server / Web Api
converted my asp.net web api webservice to an asp.net core web api webservice so I can use the latest owin middleware to validate jwt bearer tokens submitted in the header of calls to the secured endpoints, here's an example of how to set that up with Okta: https://developer.okta.com/quickstart/#/ios/dotnet/aspnetcore
One thing to note that tripped me up along the way:
in the client, after successfully authenticating with Okta through an OpenID Connect component, you will receive user information which will include an id_token and an access_token, although it might seem natural to use the access token to send with your api calls to the server, that's actually not the case, the access token is supposed to only be used to get userinfo and is not a validated token because it gets regenerated regularly, id token on the other hand contains the signature that the server needs to validate that the header and the payload of the token haven't been tampered with, this difference between these two tokens can be observed by the number of . delimited parts contained within the token, access token has only 2 . delimited parts, header and payload, id token has 3 such parts, header, payload and signature
read more information about jwt tokens here: https://auth0.com/learn/json-web-tokens/

Related

Azure AD SSO: Mobile app with OAuth and SAML

Current State: I have a mobile application that signs users into Azure AD via OAuth using the PKCE flow. Once authenticated, the app uses a token to get various forms of data from some APIs.
As the application has evolved, the need to integrate SSO with another web application has come up (and there will be further service providers added as we move forward). It will act as a service provider and it supports IDP initiated authentication via SAML.
Question: once this service provider is configured under the AD tenant, is there a way to exchange or translate our OAuth token for something that can be passed on to the the SAML SP without having to re-authenticate? Am I even thinking about this in the right way? I'm mainly curious if we will need to re-implement authentication in the mobile app to support SAML (i.e. stand up some sort of web-based SAML service that can act as a proxy for the mobile application)? If that route is a necessity to accomplish our requirements, I'm assuming there's a way to still get a valid OAuth or equivalent token we can use to send to our APIs.
Apologies if this is a repeat question, but I couldn't find anything with similar specifics. Thanks in advance!
You can surely use the OAuth 2.0 OBO flow that allows an OAuth2-based application to access web service API endpoints that consume SAML tokens. You can read more here and it has some really good guidance on how to achieve the same:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow#saml-assertions-obtained-with-an-oauth20-obo-flow
Make sure that you SAML request is well formulated per the details mentioned here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

ASP.NET Core Web API template with AAD authentication - where is a tutorial to make it work?

I have created new web service using VS 2019 ASP.NET Core Web API from the project template with AAD authenticalion. It creates a simple ValuesController and sets up AzureAdBearer authentication in StartUp, but there is no pointers of what do next. There are no doc links in the created project, and no comments. I could not find any documents on https://learn.microsoft.com/ referring this template, all examples there refer to other sample projects, which use different code constructs, authentication types, etc.
Out of the box, the project simply returns 401, whether run locally or published to Azure Web Service.
Is there any guidance on what to do next and make this template work?
A WebApi is out on the internet waiting for a client to call it with an access token in its headers.
Usually, to learn about this scenario, you would create a couple of projects in Visual Studio, a Web Api and a client app of some sort that calls this web api.
The client app will request an access_token for this web api from Azure AD and sent it along in its call to the api.
The generated code validates this access token to ensure that its a valid one and issued for this Api (among other things).
I'd suggest you try one of Please use the samples provided at Azure Active Directory Home page for developers
You can refer to code sample : Calling a web API in an ASP.NET Core web application using Azure AD .
Your web api is now protected by Azure AD , if any client call your api , it should append Azure AD Access token as a Bearer token to the Authorization header in an HTTP request . Your web api will validate the token and authorizes the user using the JWT bearer authentication middleware(AzureAdBearer middleware) .
Your client app could uses the OpenID Connect middleware and the Active Directory Authentication Library (ADAL.NET) to obtain a JWT bearer token for the signed-in user using the OAuth 2.0 protocol. Then the client app can use that token to access your protected API . See TodoListWebApp project .

Call web API from MVC site that is authenticated with Facebook

I'm not an expert in security, so I would like to validate the options here because I'm a bit lost in all the possibilities.
I have an ASP.NET Core MVC web application, and added Facebook authorization to it (there will be others as well, like Microsoft Mail, and integration with an Azure AD). So users currently can click the 'Log In' button, then click the 'Facebook' button; they redirect to Facebook, enter their credentials, and finally come back to my site where they are authenticated. This works fine, and in the claims I receive nameidentifier and email address.
Now I want to add a ASP.NET Core Web API, which is called by the MVC site (and later by other consumers).
As I have to implement my own authorization mechanism in the web API, I was thinking on passing the authentication token from MVC site to the web API, so that in the web API i know the authenticated user, and based on the nameidentifier I find in the token, I handle authorization for this user.
Is the solution that I propose here feasible for my scenario? Or do you handle this kind of situation typically in another way? Demo applications that I can have a look at maybe?
Is the solution that I propose here feasible for my scenario? Or do you handle this kind of situation typically in another way? Demo applications that I can have a look at maybe?
Yes, you could use Oauth 2.0 on-behalf-of flow to achieve your idea. The OAuth 2.0 On-Behalf-Of flow serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API. The idea is to propagate the delegated user identity and permissions through the request chain.
Here is work flow:
1.The client application makes a request to API A with the token A (with an aud claim of API A).
2.API A authenticates to the Azure AD token issuance endpoint and requests a token to access API B.
3.The Azure AD token issuance endpoint validates API A's credentials with token A and issues the access token for API B (token B).
4.The token B is set in the authorization header of the request to API B.
5.Data from the secured resource is returned by API B.
You can refer to the code sample: Calling a web API in an ASP.NET Core web application using Azure AD.

Authenticate Azure app service with AAD custom login in mobile app

I have created app service for mobile app. Then i have added Authentication to the app service. Then Selected Authentication type as "Log on with Azure AD". It is working fine.
Is it possible to have custom login page instead of browser based login screen?
I was able to get the token by using https://login.microsoftonline.com//oauth2/token. But not able to authorize the app service with this bearer token.
Is it possible to have custom login page instead of browser based
login screen?
This page is the authentication endpoint of AzureAD. Though it can be configured by Company branding, I think it cannot be customlized by yourself for Moblie APP.
I was able to get the token by using
https://login.microsoftonline.com//oauth2/token. But not able to
authorize the app service with this bearer token.
Authencation/Authorization for Web App is a feature that securing Web App behind those IDPs, NOT just like other azure resources you can use REST API to access it. I understand what you want to do . But this action is not recommended or supported.
I was able to get the token by using https://login.microsoftonline.com//oauth2/token. But not able to authorize the app service with this bearer token.
As juunas answered, your token may does not match the AAD provider you configured on Azure Portal. Details you could follow here to check your configuration. Moreover, you could use https://jwt.io/ to decode your access_token and validate the related properties (e.g. the aud should be the clientId you configured on Azure Portal,etc.).
As App Service Authentication / Authorization (EasyAuth) states as follows:
Users who interact with your application through a web browser will have a cookie set so that they can remain authenticated as they browse your application. For other client types, such as mobile, a JSON web token (JWT), which should be presented in the X-ZUMO-AUTH header, will be issued to the client. The Mobile Apps client SDKs will handle this for you. Alternatively, an Azure Active Directory identity token or access token may be directly included in the Authorization header as a bearer token.
For Azure Web App or Azure Mobile App, you could just access your endpoint as follows:
https://{your-app-name}.azurewebsites.net/api/values
Header: Authorization:Bearer {the id_token or access_token of AAD}
Or
https://{your-app-name}.azurewebsites.net/api/values
Header: x-zumo-auth:{authenticationToken}
Moreover, if you retrieve the access_token in your mobile app, you could also use it to retrieve the authenticationToken and use the authenticationToken for communicating with the backend endpoint.
POST https://{your-app-name}.azurewebsites.net/.auth/login/{provider-name,for your scenario, it would be AAD}
Body: {"access_token":"<your-access-token>"}
For your mobile client, you could use the client for Azure Mobile Apps, details you could follow here. Also, you could follow Authenticate users to understand the client-flow and server-flow authentication for App Service Authentication.
As Wayne Yang said, customization of the login page is limited to logos and some text.
I'm not sure if you can use the "Easy Auth" for APIs.
You might need to actually implement the authentication in your app.
In that case your API would validate the incoming JSON Web Token so that its signature is valid and that the audience and issuer are what is expected.
Most frameworks have JWT authentication available, so it mostly comes down to configuring that properly.

Xamarin.Forms Azure Mobile App Services Offline Sync without hosting Web Api on Azure

At the moment I have an app that uses Azure Mobile App Services to manage offline sync as well as authentiation. Authentication is done with Azure Active Directory and the way that I have it setup is that the web api is published as an app service on azure and it is configured as an app in the Active Directory Section. The Native App which is done in Xamarin.Forms is also configured in azure so that whenever the app makes a request it can properly authenticate with the api.
What I want to do now is take this web api and put it in an on-premise server. I have to do this in order to optimize some latency issues that I am having when retrieving data. My question is how can I use the offline sync functionality with the api in and on-premise server while still using Azure Active Directory as my authenticator.
Where I am mostly having issues is with the authentication part of the implementation.
I appreciate any help.
According to your description, you are using Authentication and authorization in Azure App Service for build-in authentication without having to change code on the app backend. Authentication / Authorization for Azure App Service (Easy Auth) is implemented as a native IIS module that runs on Azure side, details you could follow Architecture of Azure App Service Authentication / Authorization.
My question is how can I use the offline sync functionality with the api in and on-premise server while still using Azure Active Directory as my authenticator.
AFAIK, we could not install the native IIS module easyauth.dll. Based on your scenario, you need to do some additional work to achieve your purpose.
For .NET backend, you could use Microsoft.Azure.Mobile.Server.Authentication OWIN middleware to validate tokens (the JWT authenticationToken). Note: This middle-ware is used to local development and debugging the mobile app .net server on your side.
For Client-managed authentication flow
You need to add a additional endpoint in your app backend for receiving the access_token returned by AAD to the client user, then your app backend would use the access token to access the signed-in user endpoint (e.g. https://graph.windows.net/me?api-version=1.6) to retrieve the user basic info, then encode user info into a JWT token and return to your client. Here is an example for generating the JWT token, you could refer to it.
Note: The App Service build-in authentication would also generate the JWT authenticationToken to the mobile client. For this approach, you retrieve the signed-in user information manually and follow the custom-auth to generate the token by yourself.
For Server-managed authentication flow
You need to provide a login endpoint and redirect the user the AD authorization endpoint, then your app backend receive the authorization_code and retrieve the access_token, then access signed-in user info via the access_token, then encode the user claims to JWT authenticationToken and redirect the token (e.g. https://{your-domain}/.auth/login/done#token={the-json-string-of-LoginResult}) to the client user.
Note: The above two approaches are used to implement some similar features from Easy Auth in your on-premise server.
Moreover, you could just use the middlewares UseWindowsAzureActiveDirectoryBearerAuthentication for AAD v1.0 endpoint or UseOAuthBearerAuthentication for AAD v2.0 endpoint to project your web API instead of the authentication middleware provided by Microsoft.Azure.Mobile.Server.Authentication. Here are some tutorials, you could follow them:
Azure AD .NET Web API getting started
Secure an MVC web API with AAD v2.0 endpoint
For this approach, your mobile client could leverage the ADAL or MSAL client library for acquiring the token. Then when you implement the MobileServiceClient instance, you could specific a custom DelegatingHandler for adding the authorization header with the value to the access token you acquired as the bearer token against your Web API backend. Details you could follow the How to: Customize request headers section under Working with the client SDK.

Resources