Xamarin and Azure AD Authenticating and Authorizing Your Mobile - - PowerPoint PPT Presentation

SLIDE 1

Xamarin and Azure AD

Authenticating and Authorizing Your Mobile Apps

SLIDE 2

Basic Active Directory Terms

  • Domain: A directory of users, groups, roles, etc.
  • User: An individual account
  • Group: A collection of other users and groups
  • Role: Something that can be assigned to users and groups and defines a level of access (e.g. Editor, Reviewer, Publisher, Author, Administrator)

SLIDE 3

Azure Active Directory Terms

  • Tenant: A dedicated Active Directory instance hosted by Azure but controlled by an organization
  • Application: A piece of software that needs to integrate with Azure AD, such as an MVC application, mobile app, or Web API
  • Multi-tenanted application: An application that allows access from multiple tenants
  • Graph API: A RESTful API that Microsoft has exposed that provides information and management options
  • Authority: The URL used to authenticate the user, https://login.windows.net/{tenantId|common}

SLIDE 4

Managing Azure Active Directory

  • Currently you have to use the “classic” Azure portal to manage AAD (https://manage.windowsazure.com)
  • The web UI has the ability to manage some of the settings
  • Each application has a JSON manifest file that can be edited directly and that exposes a few other settings
  • Microsoft has a comprehensive REST API, https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog, that exposes pretty much everything else

SLIDE 5

Why Azure Active Directory?

  • It is reachable from anywhere (no VPN necessary)
  • It can sync with your onsite Active Directory
  • It is relatively easy to integrate with any type of application
  • You can join a Windows 10 computer to an AAD domain for authentication similar to an onsite AD domain
  • If you pay for basic or premium editions of AAD then you can skin and brand the authentication page with your company’s information

SLIDE 6

Registering the Backend Application

  • The backend application should be registered as a “Web Application” in Azure Active Directory
  • Users and groups can be granted access to the application
  • Roles can be defined specifically for the application and assigned to users and groups
  • The app can enable group claims, which adds the user’s group memberships to the JWT token
  • You will probably want to use Bearer token authentication for the WebApi controllers that are exposed to your mobile application

SLIDE 7

Registering the Mobile Application

  • The mobile application should be registered as a “Native client application” in AAD
  • You will also need to configure the app in AAD to ask for permissions from other applications (i.e. your WebApi)
  • Your mobile app in AAD is a “thin” client and will delegate authorization to the registered backend applications

SLIDE 8

Authentication Restrictions

  • Authentication can be thought of as a user requesting access to a resource from a given client
  • The user must authenticate successfully with AAD
  • The user must have access to the requested resource (WebApi application)
  • The client (mobile app) must have been configured with the WebApi application as a required resource
  • If any of those three conditions fail then the user will not be granted an access token

SLIDE 9

How AAD Auth Works

  • You do not have to manually implement an OAuth2 flow
  • ADAL will give you an access token for each resource
  • ADAL caches these access tokens along with a refresh token in the local token cache
  • ADAL will attempt to use a refresh token to get a new access token as needed, but will not expose the refresh token to the developer
  • ADAL will use a refresh token for any resource to generate an access token (this is important to remember when implementing logout functionality)

SLIDE 10

Refresh Token Details

  • Users should only have to authenticate with AAD once, regardless of how many resources they are accessing
  • Refresh tokens are multi-resource refresh tokens
  • As long as you have a refresh token for any resource, you will not be presented with a UI to reauthenticate
  • When logging a user out, you need to make sure to clear all of their cached access tokens

SLIDE 11

Auth Modes

  • AcquireTokenAsync - attempts to acquire or refresh an existing access token and presents a UI to have the user authenticate with Azure AD if needed
  • AcquireTokenSilentAsync - attempts to use or refresh an existing access token and fails if UI interaction is needed
  • AcquireTokenByAuthorizationCodeAsync - if you are plugging into a web application that receives an authorization code from AAD, you can use this to exchange that auth code for an access token that is cached in the token cache

SLIDE 12

Auth Modes (continued)

  • AcquireDeviceCodeAsync - useful for cases when a device may not be able to present a UI to the user. It will give the user a URL and a security code, and will poll AAD to receive a device code once the user has finished entering that code at that URL
  • AcquireTokenByDeviceCodeAsync - this will retrieve and cache an access token in the cache using the device code. Even though the device code grants access, other calls to AcquireToken* will use the cached access/refresh tokens

SLIDE 13

Setting Up Your Code

  • Install the Microsoft.IdentityModel.Clients.ActiveDirectory (a.k.a. ADAL) NuGet package
  • Determine if you are going to be authenticating against multiple tenants
  • Your authority should be https://login.windows.net/{tenantId}, or https://login.windows.net/common if you are multi-tenanted
  • Find your mobile application’s client id
  • Find the resource id for the backend service
  • Find the redirect uri for your mobile app that you specified in the AAD setup
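The setup steps above and the silent-first pattern from slides 9 to 11, as an added C# example (not code from the deck or its demo repos). The authority, client id, resource id and redirect uri are placeholders for the values found in your own AAD registration; the ADAL 3.x API names used (AuthenticationContext, AcquireTokenSilentAsync, AcquireTokenAsync, AdalError.FailedToAcquireTokenSilently) are assumed from that library.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class AadAuth
{
    // Placeholders: replace with the values from your AAD registration (slide 13).
    const string Authority  = "https://login.windows.net/common";       // or /{tenantId} for a single tenant
    const string ClientId   = "<mobile-app-client-id>";
    const string ResourceId = "<backend-app-id-uri>";
    static readonly Uri RedirectUri = new Uri("<redirect-uri-from-aad-setup>");

    // One context per app; it owns the in-memory token cache (default cache, slide 18).
    static readonly AuthenticationContext Context = new AuthenticationContext(Authority);

    // Silent first: reuse a cached access token or redeem the multi-resource refresh token
    // without any UI. Only when ADAL reports that interaction is required do we show the
    // AAD login page. On Android, pass new PlatformParameters(activity) and forward
    // OnActivityResult to AuthenticationAgentContinuationHelper.SetAuthenticationAgentContinuationEventArgs
    // so the interactive call can complete (slide 15).
    public static async Task<AuthenticationResult> GetTokenAsync(IPlatformParameters platform)
    {
        try
        {
            return await Context.AcquireTokenSilentAsync(ResourceId, ClientId);
        }
        catch (AdalException ex) when (ex.ErrorCode == AdalError.FailedToAcquireTokenSilently)
        {
            // No usable access or refresh token in the cache: fall back to interactive auth.
            return await Context.AcquireTokenAsync(ResourceId, ClientId, RedirectUri, platform);
        }
    }

    // Calls the backend with the access token as a Bearer token (slide 6). The URL is a placeholder.
    public static async Task<string> CallBackendAsync(IPlatformParameters platform, string apiUrl)
    {
        AuthenticationResult result = await GetTokenAsync(platform);
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", result.AccessToken);
            HttpResponseMessage response = await client.GetAsync(apiUrl);
            response.EnsureSuccessStatusCode();       // a 401 here means the token was not accepted
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```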

SLIDE 14

Performing Authentication

SLIDE 15

Completing Android Authentication

SLIDE 16

Silently Authenticating

SLIDE 17

Bearer Authentication - Backend Service

SLIDE 18

Token Cache

  • ADAL has a default token cache that it uses for access and refresh tokens
  • You can pass in a custom token cache when creating the AuthenticationContext in case you wanted to do something like store them in a DB or in a file
  • Your custom class doesn’t directly interact with the in-memory cache since Microsoft controls that, but you can sync a custom cache store with the in-memory cache
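Syncing a custom store with ADAL's in-memory cache, as an added C# example (not the deck's own code). It assumes the ADAL 3.x TokenCache members BeforeAccess, AfterAccess, Serialize, Deserialize and HasStateChanged; the file path is whatever app-private location your platform provides.

```csharp
using System.IO;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Keeps tokens across app restarts by mirroring ADAL's in-memory cache to a file.
// ADAL still owns the in-memory cache; we only load it before ADAL reads and
// save it after ADAL writes, which is the sync pattern described on slide 18.
public class FileTokenCache : TokenCache
{
    readonly string _path;
    readonly object _fileLock = new object();

    public FileTokenCache(string path)
    {
        _path = path;
        BeforeAccess = OnBeforeAccess;   // runs before every cache read/write
        AfterAccess  = OnAfterAccess;    // runs after every cache read/write
    }

    void OnBeforeAccess(TokenCacheNotificationArgs args)
    {
        lock (_fileLock)
        {
            // Hydrate the in-memory cache from the store (no-op on first run).
            if (File.Exists(_path))
                Deserialize(File.ReadAllBytes(_path));
        }
    }

    void OnAfterAccess(TokenCacheNotificationArgs args)
    {
        // Only persist when ADAL actually added, refreshed or removed an item.
        if (!HasStateChanged) return;
        lock (_fileLock)
        {
            // The blob holds refresh tokens: keep it in app-private, protected storage.
            File.WriteAllBytes(_path, Serialize());
            HasStateChanged = false;
        }
    }
}

// Wiring it in (placeholders for authority and path):
//   var cache = new FileTokenCache(Path.Combine(appDataDir, "adal.cache"));
//   var context = new AuthenticationContext("https://login.windows.net/common", cache);
```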

SLIDE 19

Logging Out

  • To truly log the user out you must remove all of their access tokens so that they do not have any valid refresh tokens in the cache
  • This can be achieved by clearing the whole cache, or serializing the cache items and manually removing the individual items that match the user
  • You should also consider clearing any cookies that might have been saved from requests that were sent out while they were authenticated
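Both logout strategies from this slide, as an added C# example (not the deck's own code). It assumes the ADAL 3.x TokenCache members ReadItems, DeleteItem and Clear, and that the user is identified by the UniqueId returned in AuthenticationResult.UserInfo.

```csharp
using System.Linq;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class AadLogout
{
    // Per-user logout: remove every cached item for this user across all resources.
    // Because refresh tokens are multi-resource (slide 10), leaving even one item behind
    // lets AcquireToken* silently mint a new access token for the "logged out" user.
    // Returns the number of items removed so the caller can verify something was cleared.
    public static int SignOutUser(TokenCache cache, string userUniqueId)
    {
        var userItems = cache.ReadItems()
                             .Where(item => item.UniqueId == userUniqueId)
                             .ToList();            // materialize before mutating the cache

        foreach (TokenCacheItem item in userItems)
            cache.DeleteItem(item);

        return userItems.Count;
    }

    // Whole-cache logout: the simpler option from the slide, which signs out every user.
    public static void SignOutEveryone(TokenCache cache)
    {
        cache.Clear();
    }

    // Typical call after the user taps "Sign out":
    //   int removed = AadLogout.SignOutUser(context.TokenCache, lastResult.UserInfo.UniqueId);
    // Then clear platform cookies left by the embedded login web view, e.g. on Android
    // Android.Webkit.CookieManager.Instance.RemoveAllCookie(); (platform-specific, not shown here).
}
```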

SLIDE 20

MSAL (preview)

  • Microsoft is currently developing a new authentication library - Microsoft Authentication Library (MSAL)
  • This is the successor library to ADAL and it includes a unified API to authenticate against Azure AD, Azure B2C, and Microsoft Accounts
  • Your app would need to be registered in Azure, but you will not need an Azure account to do that
  • Azure B2C currently supports Facebook, Google+, LinkedIn, Amazon, and Microsoft accounts

SLIDE 21

Demo

SLIDE 22

Contact Details

  • https://github.com/jpeters5392/AzureAdMobile
  • https://github.com/jpeters5392/SampleAzureADBackend
  • https://www.linkedin.com/in/joelpeterson2