Liel

Reputation: 2437

Authenticating from a cross-platform mobile application consuming data from a WebApi service

I am trying to implement authentication and identification on a Xamarin cross-platform mobile application consuming data from a WebApi service which I have.

My goal is as follows:
Have the mobile application perform authentication against various Identity Providers, get a security token, and have it passed to the WebApi Service inside the requests' headers.
The service will then implement a DelegatingHandler to validate the token, and extract a userId from it, for later identification and authorization needs.
I would like my client code to be shareable as much as possible!

My options AFAIK are as follows:

  1. Use Azure Mobile Services to generate a federated security token on the client side, and validate the token on the WebApi service. I think it is possible, thanks to this SO answer. Code sharing on the client side looks promising, thanks to Xamarin Azure Mobile Services Components.

  2. Use Azure Access Control Service (ACS) to generate a federated security token on the client side, and validate the token on the WebApi service. However, I don't think that consuming the ACS on the client can be easily code-shared. Besides, ACS is not the new guy in town...

  3. Use Xamarin.Auth component to have client side authentication directly against the Identity Providers, generate a JWT security token, and have it validated on the WebApi service. This should give more access to users' data from the IdP. However, at the moment the component lacks Windows Phone support, and it's not likely it will be available before late fall.

If anyone has already dealt with this scenario, please share your experience and let me know what would be the right way to go.
If my goal is wrong in the first place, don't hesitate to criticize it as well.

Upvotes: 3

Views: 1878

Answers (1)

Eugenio Pace

Reputation: 14212

Are you using a Windows Azure Mobile Services (WAMS) backend at all? Looks like you have your own API which is unrelated to WAMS.

If you want to use WAMS just for their ability to give you a JWT and authenticate with Twitter/FB & Live (their supported IdPs), then you just need to use a token handler that knows how to deal with WAMS' token idiosyncrasies. (This doc shows how they sign the JWT).

It is possible to use ACS, but they have a limited number of IdPs too (albeit more than WAMS), and of course your API would have to consider a different token format.

You can take a look at our approach for this type of integration in these 2 tutorials we wrote. They are oriented towards our own identity platform, but the SDKs they use are open source and you can look at how they work (look for the links to the GitHub repository).

Xamarin tutorial

WebApi / MVC tutorial

A comment on your #3. Not all IdPs are capable of issuing JWT. You need an intermediary to generate that for you (e.g. ACS, a service like ours, etc). It is not a good idea to generate the token in the client code, because the client code is generally "not trusted" (and secrets are not stored on the device).

Upvotes: 2
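The server-side validation step that both the question and the answer describe (a DelegatingHandler that checks the bearer token from the request headers and extracts a user id before any controller runs, with the signing secret held only on the server and never on the device), as an added C# example that is not code from either post. It assumes an HS256-signed JWT, the current System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages, and a `sub` claim for the user id; a WAMS or ACS token would need the issuer, signing key and claim names that provider actually uses.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;

// Rejects any request without a valid bearer JWT, then exposes the user id; the signing key is server-side only.
public class JwtValidationHandler : DelegatingHandler
{
    private readonly TokenValidationParameters _parameters;
    public JwtValidationHandler(string issuer, string audience, byte[] signingKey)
    {
        _parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer, ValidAudience = audience,
            IssuerSigningKey = new SymmetricSecurityKey(signingKey),
            ValidateIssuer = true, ValidateAudience = true,
            ValidateLifetime = true, ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(2) // tolerate small device clock drift
        };
    }
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Bearer" || string.IsNullOrEmpty(auth.Parameter))
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        ClaimsPrincipal principal;
        try
        {
            principal = new JwtSecurityTokenHandler().ValidateToken(auth.Parameter, _parameters, out _);
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            // bad signature, wrong issuer/audience, expired or malformed token: fail closed
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        }
        // Assumed claim name "sub"; WAMS and ACS tokens carry the user id under their own claim names.
        var userId = principal.FindFirst(JwtRegisteredClaimNames.Sub)?.Value;
        if (string.IsNullOrEmpty(userId))
            return request.CreateResponse(HttpStatusCode.Unauthorized);
        Thread.CurrentPrincipal = principal;   // validated identity for the controllers
        request.Properties["userId"] = userId; // the id the question wants for later authorization
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Register it with `config.MessageHandlers.Add(new JwtValidationHandler(issuer, audience, key))` in the Web API configuration so it runs for every request.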
