Windows phone 8 and Azure AD / ACS - azure

I am developing a WP8 app, which requires authentication in order to get a token to call the web api backend. I don't want to create my own account management mechanism, because it seems silly in our day and age to implement my own account repository.
I am using Azure anyway, so I thought to leverage it for the user management and authentication/authorization. What better place to manage users than Active Directory. If I also use ACS, I can get both "native" accounts and using other providers (Facebook, Microsoft Accounts, etc.) right out of the box.
So I have been searching for DAYS and I can't find even one tutorial or example or even someone talking about a flow that includes WP8, Azure AD/ACS and Web API.
I can only find tutorials on authenticating with Mobile Services and I don't want to use that, as it seems much to simple for what I need.
Is this use case even supported currently? Can one authenticate users of a WP8 app using Azure AD and then receive a token for authorization with a Web API hosted in a VM?

Vittorio has just blogged about this:
A Sample Windows Phone 8 App Getting Tokens from Windows Azure AD and ADFS.
The article also has a link to his earlier one - Fun With Windows Azure AD: Calling REST Services from a Windows Phone 8 App (which may have been one you found?).

Related

azure app service basic api security

I have running the basic todoitem app service running on azure. Calling the below url will display the content in the todoitem table. How can I add basic security to prevent this data from being accessed by anyone, like a basic parameter, ToDoItem?MyToken=12345.
https://MyappService.azurewebsites.net/tables/ToDoItem
How can I add basic security to prevent this data from being accessed by anyone, like a basic parameter, ToDoItem?MyToken=12345.
I would recommend you using the build-in Authentication and authorization in Azure App Service.
App Service supports five identity providers out of the box: Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter. To expand the built-in support, you can integrate another identity provider or your own custom identity solution.
Here are some great tutorials, you could refer to them:
For Node.js backend, you could follow 30 DAYS OF AZURE MOBILE APPS.
For developing azure mobile apps with C#, you could follow here.

Azure AD Authentication for Asp.Net Core

I have configured the Azure AD Authentication for my asp.net core project using the services of "Microsoft.AspNetCore.Authentication.*" packages. The project is expected to be deployed to Azure App Service as a Web App.
While I enabled Azure AD authentication, I also see there is an option to enable the same at the Web App level through Application Settings on Azure Portal.
I have question around which option is recommended. I do see when I don't leverage Azure AD authentication configured via nuGet packages, I don't have OpenId connect service plugged into the StartUp.cs file. And I think these services are pivotal in populating the authentication properties like User.Identity.Name. On the other hand with just portal enabled authentication, I don't see this information populated. So, I presume if I want to do further work with logged in user's identity, like leveraging current claims information for authorization, I won't be able to achieve that with portal only authentication.
Your assessment is basically correct. The portal-enabled authentication runs completely outside your application and isn't capable of setting User.Identity.Name when using .NET Core (that level of integration only works with ASP.NET 4.x).
My recommendation is to use the ASP.NET Core NuGet package so you can get the full integration. It's a lot more work to set up, but once you get it working you should be in good shape and get the full end-to-end experience you want.
If you are interested in using the portal-enabled Azure AD authentication support, then take a look at this StackOverflow question to learn how you can get it to work with User.Identity.Name.

How to implement SSO in azure developer service

We have an API, we planning to publish this API in the Azure marketplace under developer service. For authentication, we are planning to use developer service SSO (Single sign-on) in API. I googled this but can't find any useful link, please suggest some links
Azure AD B2C became generally available recently and it somehow offers what you are looking for. You can use local Azure identity and/or social account for your end users to authenticate with SSO support.
https://azure.microsoft.com/en-us/services/active-directory-b2c/
With that being said and although you can secure your Web API with AAD b2C as in this guide, your customers won't be able to call this WebAPI from their own applications as the calling app must be registered in the same Azure AD directory with the same application Id. This is a limitation that is mentioned here:
Note:
Azure AD B2C currently supports only web APIs that are accessed
by their own well-known clients. For instance, your complete app may
include an iOS app, an Android app, and a back-end web API. This
architecture is fully supported. Allowing a partner client, such as
another iOS app, to access the same web API is not currently
supported. All of the components of your complete app must share a
single application ID.
If the above limitation is OK with you, then you might also be interested in this Azure article to list your app in the Azure AD application gallery.

Give Azure web api client access to web api via Azure management portal

Some weeks ago I followed this article in MSDN Magazine on how to configure client access to a web api, protected by an Azure AD organizational account and hosted in Azure. It worked perfectly.
http://msdn.microsoft.com/en-us/magazine/dn463788.aspx
But now when I was about to add Another api and client, things have changed in the portal.
The Native Client Application configure Page Azure Management Portal seems to have change in the recent days - there is no longer a "web api" section at the bottom where you can select the web api for the client to access, (see figure 6 in the article) instead there is a "Permissions to other applications" section with a list of applications, but your web api's are not shown there, only Exchange, AD and other "default" Azure apps. I'm pretty confused now how to give a client access to a web api... hope this is the right place to ask!
The changes you see are part of the new features released last week. You can read more about them in a Blog post from the AD Team: "New OAuth2.0 features make it easy to write Azure AD connected apps for the Web, iOS, Android & Windows!"
Interestingly enough, when I create a new application and look at the configure tab a "Windows Azure Service Management API" is an option in the first drop down. You might try looking again today. For what it is worth I don't see anything other than WAAD and the management API as something I can select. The selections must be limited for some reason based on account maybe?
Especially in these preview features expect things to change with little to no warning. Probably the best place to seek out more information is on the Windows Azure AD Forums.

Azure Mobile Services - custom authentication provider for all our apps

We plan to use Windows Azure Mobile Services for several of our commercial apps and would like to create a single data store for users instead of creating it for every mobile service. We don't want to use Microsoft or Facebook... providers due to this issue Multiple apps using a single Azure Mobile Service for Live Authentication?
This way, the user data for all our apps is stored in single separate Custom_Auth database and the users won't need to Register again for our other apps. Should we create a separate mobile service that basically enables custom authentication and acts as a provider for other apps?
Do you see any pitfalls with this approach and what steps would I need to take for creating this custom provider as a separate mobile service?
Basically, we want to create our own provider so that user of one our apps can login to the other apps using the same credentials.
I have read through the following links. Posting them here as they may be useful for others starting out with Authentication and Azure Mobile Services.
http://www.thejoyofcode.com/Generating_your_own_ZUMO_auth_token_Day_8_.aspx
http://www.thejoyofcode.com/Fetching_a_basic_user_profile_in_Mobile_Services_Day_9_.aspx
http://www.thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx
http://chrisrisner.com/Authentication-with-Windows-Azure-Mobile-Services
Thanks in advance
Hope this helps you
http://chrisrisner.com/Authentication-with-iOS-and-Windows-Azure-Mobile-Services
Someone created a custom authentication API using AZURE
with Parse.com, you are limited to their backend and unfortunately it doesn't have all the nice features as Azure
MS really messed us around with this

Resources