Reputation: 395
I've been searching for a solution that makes sense for the past few days, so forgive me if I overlooked something or am ignorant to the correct path.
I have an existing website built with ASP.NET Framework MVC where users register for Individual Accounts and are stored in an MSSQL database. I'm creating a Xamarin.Forms app where we want users to log in with their website credentials.
I've been looking at Microsoft docs to try and accomplish this. In the past I created an Apache Cordova app (2014) that communicated in a similar fashion successfully (potentially in an insecure way); it called the /Token endpoint, authenticated the user with the 'grant_password' flow and returned the user data to the app.
So I landed on this documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
However, from what I can gather it basically says this should be avoided moving forward and an MSAL approach should be used if possible.
After reading through hours and hours of documentation trying to make sense of it all, I can't seem to grasp what my options are. It seems to me that in any MSAL flow, users will have to log in with Microsoft accounts or other social accounts (Facebook, Google).
Am I missing something?
Am I going to have to go against Microsoft's advice and end up storing the client_id and client_secret within the Xamarin app source code? From everything I've read that is a big security concern, especially with Android apps.
References:
1. Restrict API requests to only my own mobile app
2. How to secure an API REST for mobile app? (if sniffing requests gives you the "key")
Any help or direction would be really appreciated. Thank you
Upvotes: 2
Views: 1238
Reputation: 29273
Your focus should be on requirements + understanding preferred designs rather than jumping to a technology.
DIRECTION
Standard modern systems look like this:
Aim to make iterative steps towards this type of architecture.
PATTERNS
DIFFICULT AREAS
Your existing back end may have no support for mobile clients, and be too web focused - e.g. requiring cookies to access data - so it may need to be split into 2 entry points.
Choosing an Authorization Server (while you are learning) is difficult, because you may not know what you want yet.
The mobile app will spin up the system browser and present a login page from the Authorization Server, so the login UX could be unexpected.
STEP 1
Ensure that you can authenticate from the mobile app, then make API calls with JWTs and ensure that requests for data are properly authorized. This could use ROPC and involve a temporary API. But the deliverable should be that your back end now supports calls from mobile apps.
STEP 2
Integrate AppAuth into the mobile app, which is tricky but there are resources online such as Curity Mobile Guides. Update the mobile app to use the Code Flow and integrate an Authorization Server, then deal with connecting to credential stores.
SUMMARY
This stuff is hard and reflects the cost of modernising architectures. It requires people agreement as well as the technical stuff. Happy to answer follow up questions if it helps.
Upvotes: 1
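The Code Flow that STEP 2 points at (AppAuth implements it on the device) avoids shipping a client_secret in the app by binding each authorization code to a one-time PKCE secret that never leaves the phone. The following Python sketch is an added example, not code from the answer's author, from AppAuth or from Curity: the mobile app keeps a random code_verifier in memory and sends only its SHA-256 challenge with the /authorize request; the Authorization Server stores the challenge beside the short-lived code and redeems the code only when the verifier presented at the token endpoint hashes to that challenge. The client id, redirect URI, user name and the in-memory server are constructed for the example; a real Authorization Server would mint a signed JWT instead of the opaque token returned here.

```python
import base64
import hashlib
import os
import secrets
import time
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---------- Mobile app side (public client: it holds no client_secret) ----------
def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(os.urandom(32))                   # 43-char high-entropy string
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


# ---------- Authorization Server side (toy in-memory model, constructed) ----------
@dataclass
class PendingCode:
    client_id: str
    redirect_uri: str
    code_challenge: str
    subject: str            # the user who logged in on the system browser
    expires_at: float


class ToyAuthorizationServer:
    # Hypothetical client registration; a real server keeps this in config or a DB.
    REGISTERED = {"mobile-app": {"com.example.app://callback"}}

    def __init__(self) -> None:
        self._codes: dict[str, PendingCode] = {}

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, subject: str) -> str:
        """Runs after the user authenticated in the browser; returns the auth code."""
        if redirect_uri not in self.REGISTERED.get(client_id, set()):
            raise ValueError("unknown client_id or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self._codes[code] = PendingCode(client_id, redirect_uri, code_challenge,
                                        subject, time.time() + 60)   # 60 s lifetime
        return code

    def token(self, client_id: str, redirect_uri: str,
              code: str, code_verifier: str):
        """Token endpoint: exchange code + verifier for a token, or None on failure."""
        pending = self._codes.pop(code, None)             # codes are single-use
        if pending is None or time.time() > pending.expires_at:
            return None
        if (pending.client_id, pending.redirect_uri) != (client_id, redirect_uri):
            return None
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, pending.code_challenge):
            return None                                   # verifier does not match challenge
        # A real server would mint a signed JWT here; an opaque token keeps the toy short.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": pending.subject}


def demo() -> dict:
    """Run the flow once and report which token exchanges the server accepts."""
    aserver = ToyAuthorizationServer()
    client_id, redirect = "mobile-app", "com.example.app://callback"

    # 1. App creates the PKCE pair and sends only the challenge in the /authorize request.
    verifier, challenge = make_pkce_pair()
    code = aserver.authorize(client_id, redirect, challenge, subject="alice")  # constructed user

    # 2. The legitimate app redeems the code with the verifier it kept in memory.
    good = aserver.token(client_id, redirect, code, verifier)

    # 3. Replaying the same code fails: it was consumed on first use.
    replay = aserver.token(client_id, redirect, code, verifier)

    # 4. A party that observed the redirect and captured the code, but never saw the
    #    verifier, cannot redeem it. This is the property that replaces client_secret.
    code2 = aserver.authorize(client_id, redirect, challenge, subject="alice")
    stolen = aserver.token(client_id, redirect, code2, code_verifier="guess")

    return {"legit_ok": good is not None and good["sub"] == "alice",
            "replay_ok": replay is not None,
            "stolen_ok": stolen is not None}


if __name__ == "__main__":
    print(demo())
```

The same division of labour applies once AppAuth and a real Authorization Server are in place: the app never holds a long-lived secret, the code is useless without the verifier, and the back end from STEP 1 only has to validate the bearer token it receives.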