Azure Mobile Service to Mobile App Conversion Custom Authentication - node.js

I have a need to move an older style Azure Mobile Service to a new Azure Subscription. In the new subscription, you are no longer allowed to create an older style Mobile Service and are required to create one of the newer Azure Mobile Apps. I have already moved the database (fixed changes with the column names, etc.), and have the easy tables and easy API migrated and working based on a NodeJS back-end. The only thing that is left is to add authentication to the mobile app to secure the back-end. The way the app was originally developed is that the mobile client SDK passed a secret key along with the endpoint URL in the MobileServiceClient constructor and a custom username/password form passed the user entered credentials to a mobile API method that would validate the user contained in the database. The updated client SDK now only accepts the endpoint URL.
Everything that I see online for the new Mobile Apps wants to authenticate with AAD, Facebook, Twitter, Microsoft Account, or Google. We do not want to change our authentication. How can I easily add the same type of authentication to the new Mobile App without having to use Facebook, Google, Twitter, etc?

The easiest method is to implement some sort of custom authentication, just like you did in your Azure Mobile Service. The same principles apply - you submit the username / password to the backend. The backend generates a JWT and then the client submits that information for the rest of the session.
I covered Custom Auth in node early on in my blog series: https://shellmonger.com/2016/04/08/30-days-of-zumo-v2-azure-mobile-apps-day-5-custom-authentication/ - that one uses Auth0 to handle the actual user database, but the same principles apply.

Related

authentication in mobile app with azure functions

I am trying to develop a serverless backend for my Xamarin app, and for that I chose Azure Functions.
Now I already know that Azure Mobile Apps provide an SDK for this purpose with which we can easily enable authentication in multiple ways, which are the following:
1. Azure Active Directory
2. Facebook
3. Google
4. Microsoft
5. Twitter
Now I want to allow login with at least 2 of these in my app, but I am not using Azure Mobile Apps as the backend; instead I am using Azure Functions. So how can I achieve the same result with serverless?
Thanks in advance.
AFAIK, when using Easy Auth (Authentication/Authorization in App Service), the user would be directed to {your-app-service-url}/.auth/login/{provider} for logging in with server-managed authentication. Users who interact with your web application through the web browser would have a cookie and they can remain authenticated as they browse your web application. For other clients (e.g. mobile client), a JWT would be contained in the x-zumo-auth header, and the Mobile Apps client SDK would handle it for you.
According to your scenario, you are trying to use user-based authentication with your function. I did some tests; you could refer to them:
Firstly, I created an HttpTrigger function written in C#, then set the Authorization level to Anonymous.
return req.CreateResponse(HttpStatusCode.OK, req.Headers,JsonMediaTypeFormatter.DefaultMediaType);
Note: I just return all headers with the special headers specified by App Service Authentication / Authentication. Some example headers include:
X-MS-CLIENT-PRINCIPAL-NAME
X-MS-CLIENT-PRINCIPAL-ID
X-MS-TOKEN-MICROSOFTACCOUNT-ACCESS-TOKEN
X-MS-TOKEN-MICROSOFTACCOUNT-EXPIRES-ON
For more details, you could refer to App Service Token Store.
Then I go to Platform features and configure the Microsoft Authentication Provider under Authentication / Authorization. For mobile client, just use the Mobile Apps client SDK for logging and invoke the function endpoint as follows:
In summary, you could use the Mobile Apps client SDK for authentication with your function app. And you could configure the Authentication Providers as you wish, then for your mobile client you could set the related provider name when calling LoginAsync for logging. For your function, you could check the X-MS-CLIENT-PRINCIPAL-IDP header and retrieve the current user info and token for the specific provider.
Since Azure Functions are built on top of App Services, like Mobile Apps, you can still use Azure Active Directory authentication or the API keys for the Http triggered functions.
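One way a function can act on the headers listed in the first answer above, as an added example that is not code from either answer. The allowed-provider set and function names are assumptions; the X-MS-CLIENT-PRINCIPAL header, which carries the claims as base64-encoded JSON, is not mentioned in the answer but is set by the same App Service feature. Because the function's authorization level is Anonymous, the function itself has to reject requests that arrive without these headers.

```javascript
// Added example: authorize a request from the App Service Authentication headers.
// Assumption: the app accepts exactly these two configured providers.
const ALLOWED_PROVIDERS = new Set(["google", "microsoftaccount"]);

// HTTP header names are case-insensitive; normalise them before lookup.
function lowerCaseKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// X-MS-CLIENT-PRINCIPAL is base64-encoded JSON holding a `claims` array of {typ, val}.
function decodeClaims(encoded) {
  if (!encoded) return {};
  try {
    const principal = JSON.parse(Buffer.from(encoded, "base64").toString("utf8"));
    const claims = {};
    for (const { typ, val } of principal.claims || []) claims[typ] = val;
    return claims;
  } catch {
    return {}; // malformed value: treat as "no extra claims", never as an error page
  }
}

// Returns { status: 200, user } or a { status: 401 | 403, reason } rejection.
function authorize(rawHeaders) {
  const h = lowerCaseKeys(rawHeaders);
  const id = h["x-ms-client-principal-id"];
  const idp = h["x-ms-client-principal-idp"];
  // No principal headers means App Service did not authenticate the caller.
  if (!id || !idp) return { status: 401, reason: "not signed in" };
  if (!ALLOWED_PROVIDERS.has(String(idp).toLowerCase())) {
    return { status: 403, reason: "provider not allowed" };
  }
  const name = h["x-ms-client-principal-name"] || null;
  return { status: 200, user: { id, idp, name, claims: decodeClaims(h["x-ms-client-principal"]) } };
}
```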

Xamarin Forms Windows Azure Custom Log in

I'm using Xamarin Forms and Windows Azure for SQL Database. In the last version of windows azure they give you an application key to avoid unauthorized access to the web services but now they remove the application key and now they are using authentication through Facebook, google, etc.
The question is I want to protect my web services but I don't want to use facebook or google authorization because I'm using my own login and password.
I want my web services unprotect
I want to protect my tables but I receive an error while reading the data
According to your screenshot, I assumed that you are using Easy tables with access permission. As far as I know, when you add a new table under Easy tables, it would automatically create the related Node.js back-end; you could go to App Service Editor (Preview) in the Development Tools section of your mobile app as follows:
For Node.js back-end custom authentication, you need to set auth configuration for your server side, and build your custom login endpoint to validate the client and generate the JWT token for your client. Here is a similar issue, you could refer to here.
Additionally, you could build the C# back-end by yourself and deploy to the mobile app. For custom authentication, you could refer to Adrian Hall's book about Mobile Apps Custom authentication. For data access, you need to build a table controller for each of your SQL tables; you could refer to Implementing Table Controllers.
Note:
You must turn on Authentication / Authorization in your App Service. Set the Action to take when request is not authenticated to Allow Request (no action) and do not configure any of the supported authentication providers.
For client app, you could leverage Azure Mobile Client SDK for connecting with your azure mobile app backend. For more details, you could refer to this tutorial about working with managed client for Azure Mobile Apps.
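The custom login flow that the first answer on this page and the answer above both describe (check the submitted username and password, issue a JWT, verify it on each later request), as an added example that is not from either answer or from the Azure Mobile Apps SDK. It uses only Node's built-in crypto module; the user store, signing key and function names are constructed for illustration.

```javascript
// Added example: custom username/password login that issues and verifies an HS256 JWT.
const crypto = require("node:crypto");

const SIGNING_KEY = crypto.randomBytes(32); // assumption: a real app loads this from app settings
const b64u = (data) => Buffer.from(data).toString("base64url");

// Constructed user store: passwords are kept only as salted scrypt hashes.
function makeUser(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const USERS = new Map([["alice", makeUser("correct horse battery staple")]]);

function sign(input) {
  return crypto.createHmac("sha256", SIGNING_KEY).update(input).digest("base64url");
}

// Login endpoint logic: returns a JWT string, or null on bad credentials.
function login(username, password, now = Math.floor(Date.now() / 1000)) {
  const user = USERS.get(username);
  // Hash even for unknown users so response time does not reveal valid names.
  const salt = user ? user.salt : Buffer.alloc(16);
  const candidate = crypto.scryptSync(String(password), salt, 32);
  if (!user || !crypto.timingSafeEqual(candidate, user.hash)) return null;
  const header = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64u(JSON.stringify({ sub: username, iat: now, exp: now + 3600 }));
  return `${header}.${body}.${sign(`${header}.${body}`)}`;
}

// Per-request check: returns the claims, or null if the token is not acceptable.
function verify(token, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  try {
    // Pin the algorithm; never let the token header choose it.
    if (JSON.parse(Buffer.from(header, "base64url")).alg !== "HS256") return null;
    const expected = Buffer.from(sign(`${header}.${body}`));
    const given = Buffer.from(sig);
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(body, "base64url"));
    return typeof claims.exp === "number" && claims.exp > now ? claims : null;
  } catch {
    return null; // undecodable header or body
  }
}
```

The token carries an expiry, so the client has to log in again (or be issued a fresh token) after an hour.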

Custom auth and social auth in the same Azure Mobile App Service

I need to allow authentication using my ASP.Net Identity from the MVC app (merged into the Mobile App service project) and from the mobile client (Android). Furthermore, I need to allow social authentication providers (Facebook and Google, to be exact) to be used from the mobile client.
Adrian Hall's book says that for custom auth to work we should not configure the other authentication providers. So, how can I enable both forms of authentication?
I don't remember saying that. I'll have to check. You need to be careful though.
In your MVC app, you need to decide on ASP.NET identity or App Service Identity. If you choose ASP.NET identity, then you have to decide how your mobile application is going to authenticate - you are in completely custom area. If you are using App Service Identity, you need to decide how your application is going to authenticate (since the redirect can only go to one place).
I'd probably do App Service Identity. Configure Facebook and Google first. Then create a custom mobile auth endpoint. For your MVC side, configure a redirect page that displays the "choose your auth provider" page and then directs the user to the appropriate page - Google (/.auth/login/google) or Facebook (/.auth/login/facebook) or custom (which you will create).
All the redirects will then point back to the callback page so the tokens get stored properly.

Integrating Native iOS Azure SSO with Multi-Tenant Web Application

Scenario: I already have a registered multi-tenant web application that is compatible with Azure SSO. I'm now in the process of developing an iOS application that will support SSO authentication for the app as well.
Based on the example provided in https://azure.microsoft.com/en-us/resources/samples/active-directory-ios/ I created a Native application for the iOS app with delegated permissions from my WebApp (ref: https://stackoverflow.com/a/29810124).
This works for any user that exists within the AAD that the app was created. However, as soon as I want to SSO from a different domain that has previously authorized the WebApp I get an error:
Application with identifier 'CLIENT_ID_HERE' not found in directory DOMAIN_HERE.onmicrosoft.com
This implies that the native application is not multi-tenant? This seems a bit bizarre considering it should be possible for users outside of the domain to SSO to an application.
Right now, for my browser based SPA I'm simply able to manually call the common Azure login page to consent and get an authorization code for a user. I then send this code to a backend (the WebApp) that performs the OAuth handshake and gets a valid token. This does not require a client_secret from the application because the SPA isn't actually performing token retrieval.
So when I attempted to use the WebApp's client_id instead (similar to what https://stackoverflow.com/a/27033816 is suggesting) I was met with an error with the Azure AD iOS SDK requiring that I provided a client secret as well. It seems that the SDK is abstracting a fair amount of this and grabbing a token for you rather than performing a step when I can simply get an authorization code and send it to my WebApp.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
The question posed in the answer of the previous SO post somewhat explains my issue:
How can my mobile app access my multi-tenant web api on behalf of the user?
References
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#native-application-to-web-api
https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store
At present, a native app registered on the Azure portal doesn't support multi-tenant. You may consider using the V2.0 endpoint, which also supports Microsoft accounts.
TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.
Did you mean that you have different front-ends and the multi-tenant web application is the back-end? In this scenario, there is no need to register another native client application on the portal; you can refer here about adding authentication for the iOS app.
So the majority of Microsoft's tutorials use their AAD SDK to generate OAuth access tokens whereas I needed to simply get an authorization_code to send up to a backend that's registered as an existing multi-tenant web application so it could properly generate a token using its own client_id.
This was done using the correct redirect_uri in the AD OAuth code documentation:
For native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob
Note that sending up urn:ietf:wg:oauth:2.0:oob will actually result in a schema error for the multi-tenant OAuth login page (https://login.windows.net/common/oauth2/authorize) so you must use https://login.microsoftonline.com/common/oauth2/nativeclient instead.

Azure Api Service and Individual accounts

I've originally used Web API 2 with Individual Accounts so that users can create a new account by supplying a username/email and password which is stored in my DB.
I'm now looking to put this API into Azure API service and have looked at the documentation about authentication but this mostly talks about external authentication. Can we use Individual Accounts with Azure API or will I need to handle this myself within the actual API?
Also, with the third-party authentication, all the examples use a redirected website (Facebook, Google) to get the user to log in. I want to call this from a mobile app, so does it support external authentication using API calls or will I have to do that myself?
Thanks
There is no problem in using the security you originally used. The documentation you are looking at describes how to do claim-based authentication, authentication with Azure AD, and internally securing your application with service principals. When using a mobile device, you can go with claims authentication. However, you should first figure out what you really want to do.
