Azure Mobile App Service Security

Question

I have been researching on Azure Mobile app service and I am freaking out because I think I had it all wrong.

I have one Azure Mobile App service and issue is I am trying to implement "custom" authentication for it (the reason for custom authentication is that I have a web app and web API which uses the same database and send REST requests to mobile service app to update database and both of them use asp.net identity)

But before I implement custom authentication in mobile app service, I just can't get my head around that even though the authentication is custom and I am manually checking users, once the token is generated and user is authorised, the user has access to all the data in the table. So if I am user1 and login, mobile app service will authenticate me and once I have the auth token I can simply do REST request to do anything to all the data.

How do I restrict that the generated token is only used to CRID only that user's data where in my table I have UserId column also.

I am very confused. any help will be appreciated.

Answer 1

How do I restrict that the generated token is only used to CRID only that user's data where in my table I have UserId column also.

Per my understanding, you could follow Per-User Data and leverage the following property to retrieve the current UserID from the incoming Easy Auth token:

public string UserId
{
    get
    {
        var principal = this.User as ClaimsPrincipal;
        return principal.FindFirst(ClaimTypes.NameIdentifier).Value;
    }
}

For the complete tutorial about handling CURD operations which need to be limited to the user who generates the token, you could follow Data Projection and Queries.