brandonx

Reputation: 258

Proper OAuth flow using Azure AD to authenticate an internal, single-tenant mobile app

My company has an internal web app and several other services that use Azure AD for authentication. Because they are SPA and single-tenant, they are able to use implicit grant flow in order to avoid the use of access and refresh tokens.

I am building an internal mobile app that needs to use Azure AD for auth and should also be single-tenant (my org). My understanding is that this is insecure for mobile applications. The only flows I see that apply to mobile include using access tokens to gain access to Microsoft protected APIs. I understand that I am able to expose my internally hosted API but that doesn't seem to be allowed in Azure AD with a single-tenant configuration. Therefore I cannot request API access as a scope and the whole system of access and refresh token breaks down.

In addition, all of the client libraries I see are set up for the access token and not sending raw ID tokens or refreshing them. Is something like Firebase on top of my app a solution? I have been all over the Microsoft docs on this and am struggling.

Upvotes: 0

Views: 312

Answers (1)

Philippe Signoret

Reputation: 14376

I understand that I am able to expose my internally hosted API but that doesn't seem to be allowed in Azure AD with a single-tenant configuration.

This is incorrect. You can use Azure AD to secure access to your API even when used by a single-tenant client app.

You can create an app registration for your backend API (where you would define at least one scope), and a separate app registration for your client app (which would request the scope defined for your backend API).

If the client app and backend are really all one logical app, you could also define a single app registration, define at least one scope for it, and the client app would request that scope.

In both cases, the client app ends up with an access token to the backend API, and can use that for API requests.

I strongly recommend not implementing the flows directly. Use an SDK that will handle all the token juggling. The Microsoft Authentication Library (MSAL) for iOS and Android is available for production use now and really makes this fairly trivial: https://developer.microsoft.com/en-us/graph/blogs/microsoft-authentication-libraries-for-android-ios-and-macos-are-now-generally-available/

Upvotes: 2
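The answer above covers the client side (MSAL obtains an access token for the scope defined on the backend app registration). The other half is what the internal API must check before trusting that token: that it was signed by the org's tenant, that it was issued for this API and not for some other resource, that it is inside its validity window, and that the scope the backend registration defines is actually in the `scp` claim. The following is an added example written for this page, not code from the question, the answer, or Microsoft. The tenant id, Application ID URI and scope name are placeholders, and the signature step is a stand-in: a real deployment verifies RS256 against the tenant's published signing keys (the JWKS at `https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys`) using a JWT library rather than the hash comparison used here so the example runs offline. The issuer and audience formats assumed are those of Azure AD v2.0-endpoint access tokens; v1.0 tokens carry a different `iss` format.

```python
"""Claims checks an internal single-tenant API performs on an Azure AD access
token presented by a mobile client. Added example; signature verification is
delegated to a caller-supplied function so that a real JWT library and the
tenant's JWKS can be plugged in. All identifiers are placeholders."""
import base64
import hashlib
import hmac
import json
import time

TENANT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder tenant (directory) id
API_AUDIENCE = "api://internal-backend-placeholder"   # placeholder Application ID URI of the backend registration
REQUIRED_SCOPE = "Tasks.ReadWrite"                    # placeholder scope defined on the backend registration
FIXED_NOW = 1_700_000_000                             # constructed "current time" so the example is deterministic


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def validate_access_token(token, verify_signature, now=None):
    """Return the claims if the token is acceptable for this API, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    # Reject anything other than the algorithm Azure AD actually uses; never trust "alg" blindly.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    signed_input = (parts[0] + "." + parts[1]).encode()
    if not verify_signature(header, signed_input, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    # Single-tenant: only tokens issued by our own tenant are acceptable (v2.0 issuer format).
    if claims.get("iss") != f"https://login.microsoftonline.com/{TENANT_ID}/v2.0":
        raise ValueError("issuer is not our tenant")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("tid mismatch")
    # A token minted for another resource (e.g. Microsoft Graph) must not be accepted here.
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= now or claims.get("nbf", 0) > now:
        raise ValueError("token outside validity window")
    # Delegated permissions arrive space-separated in "scp".
    if REQUIRED_SCOPE not in claims.get("scp", "").split():
        raise ValueError("required scope not granted")
    return claims


def sample_claims(**overrides):
    """Constructed claims resembling an Azure AD v2.0 access token for this API."""
    claims = {
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "tid": TENANT_ID,
        "aud": API_AUDIENCE,
        "scp": "Tasks.ReadWrite",
        "nbf": FIXED_NOW - 60,
        "exp": FIXED_NOW + 3600,
        "sub": "constructed-user-id",
    }
    claims.update(overrides)
    return claims


def make_sample_token(claims):
    """Build a constructed token; the third segment is a SHA-256 stand-in, NOT an RS256 signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    signed_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    return signed_input + "." + _b64url_encode(hashlib.sha256(signed_input.encode()).digest())


def stand_in_verify(header, signed_input, signature):
    """Offline stand-in for RS256-over-JWKS verification; only detects header/payload tampering here."""
    return hmac.compare_digest(hashlib.sha256(signed_input).digest(), signature)


def check(token):
    """Return (accepted, reason) so outcomes can be inspected without exceptions."""
    try:
        validate_access_token(token, stand_in_verify, now=FIXED_NOW)
        return True, "ok"
    except ValueError as err:
        return False, str(err)


def tampered_scope_token():
    """A valid token whose payload was swapped for one claiming an extra scope; the signature no longer matches."""
    good = make_sample_token(sample_claims())
    parts = good.split(".")
    forged_payload = _b64url_encode(json.dumps(sample_claims(scp="Tasks.ReadWrite Admin.All")).encode())
    return parts[0] + "." + forged_payload + "." + parts[2]


if __name__ == "__main__":
    print(check(make_sample_token(sample_claims())))
    print(check(make_sample_token(sample_claims(aud="https://graph.microsoft.com"))))
    print(check(tampered_scope_token()))
```

The checks run in the order a library would apply them: signature first (so nothing in the payload is trusted before it is known to be genuine), then issuer/tenant, audience, time window and scope. The audience check is the one that matters most for the question above: a single-tenant client that has obtained a token for Microsoft Graph must not be able to replay it against the internal API, which is why the backend needs its own registration with its own Application ID URI and scope.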
