frigon

Reputation: 5129

Azure App Services Exchange AuthenticationToken for Session

According to the documentation (https://azure.microsoft.com/en-us/blog/announcing-app-service-authentication-authorization/) clients can update access tokens with an HTTP POST to the /.auth/login/[provider name]:

"Alternatively, a client can obtain a token using a provider SDK and exchange it for a session token. Simply submit an HTTP POST to the same endpoint with the provider token in a JSON body under the key “access_token” (or “authenticationToken” for Microsoft Account)."


I'm using Facebook and am able to POST an access_key that I receive directly from Facebook to the /.auth/login/facebook endpoint. However, the response is in the schema of:

{
    "authenticationToken":[string value],
    "user": {
       "userId": "sid:[hex value]"
     }
}

There doesn't appear to be any documentation as to how it can be exchanged for a session token and/or the AppServiceAuthSession cookie that the web version appears to work from.

FYI - I only want to use a straight HTTP / REST implementation not any SDKs at this moment.

Upvotes: 1

Views: 759

Answers (1)

Chris Gillum

Reputation: 15042

Looks like you're on the right track. In the JSON payload you get back, the authenticationToken is the session token that is being referred to by the documentation:

{
    "authenticationToken":[this is your session token],
    "user": {
       "userId": "..."
     }
}

When using the SDK, this value is automatically parsed and used in all subsequent API calls to your backend service. If you're using REST directly, you can parse this token using any JSON library you wish and then attach it to any HTTP calls you make to your service APIs using the x-zumo-auth HTTP request header.

For example:

GET /api/values
x-zumo-auth: [session token from the previous step]

I hope that helps.

Upvotes: 1
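
The exchange described in the answer above, as an added example in Python using only the standard library; it is not code from either poster or from the App Service SDK. The hostname used with it is a constructed placeholder, and the HTTPS check, the provider-name check and the injectable `send` parameter are choices of this example.

```python
import json
import urllib.request
from urllib.parse import urlsplit

# Body key per provider, as quoted from the documentation above:
# "access_token" by default, "authenticationToken" for Microsoft Account.
TOKEN_KEY = {"microsoftaccount": "authenticationToken"}


def _require_https(site):
    # The provider token and the session token are both bearer credentials,
    # so refuse to put either on a plaintext connection.
    parts = urlsplit(site)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("site must be an https:// URL")
    return site.rstrip("/")


def build_login_request(site, provider, provider_token):
    """POST /.auth/login/<provider> carrying the provider token as JSON."""
    if not provider.isalnum():
        raise ValueError("unexpected provider name")
    key = TOKEN_KEY.get(provider, "access_token")
    body = json.dumps({key: provider_token}).encode()
    return urllib.request.Request(
        f"{_require_https(site)}/.auth/login/{provider}", data=body,
        method="POST", headers={"Content-Type": "application/json"})


def parse_session_token(response_body):
    """Return authenticationToken from the login response, or raise."""
    doc = json.loads(response_body)
    token = doc.get("authenticationToken") if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("login response has no authenticationToken")
    return token


def build_api_request(site, path, session_token):
    """Backend API request with the session token in x-zumo-auth."""
    return urllib.request.Request(
        _require_https(site) + path, headers={"x-zumo-auth": session_token})


def exchange(site, provider, provider_token, send=urllib.request.urlopen):
    """Run the exchange; `send` is injectable so it can be tested offline."""
    with send(build_login_request(site, provider, provider_token)) as resp:
        return parse_session_token(resp.read())
```

The session token returned by `exchange` is a credential in its own right, so keep it out of logs and URLs and send it only in the `x-zumo-auth` header.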
