Xamarin and Azure AD: Authenticating and Authorizing Your Mobile Apps

Apps Authenticating and Authorizing Your Mobile and Azure AD - Slides.pdf · The user must authenticate successfully with AAD The user must have access to the requested resource (WebApi


Page 1:

Xamarin and Azure AD

Authenticating and Authorizing Your Mobile Apps

Page 2:

Basic Active Directory Terms

Domain: A directory of users, groups, roles, etc.
User: An individual account
Group: A collection of users and other groups
Role: Something that can be assigned to users and groups and that defines a level of access (e.g. Editor, Reviewer, Publisher, Author, Administrator)

Page 3:

Azure Active Directory Terms

Tenant: A dedicated Azure Active Directory instance hosted by Azure but controlled by an organization
Application: A piece of software that needs to integrate with Azure AD, such as an MVC application, mobile app, or Web API
Multi-tenanted application: An application that allows access from multiple tenants
Graph API: A RESTful API exposed by Microsoft that provides directory information and management options
Authority: The URL used to authenticate the user, https://login.windows.net/{tenantId|common} (today this endpoint is served as https://login.microsoftonline.com/{tenantId|common}; login.windows.net still works as a legacy alias)

Page 4:

Managing Azure Active Directory

● At the time of these slides you have to use the “classic” Azure portal to manage AAD (https://manage.windowsazure.com)
● The web UI can manage some of the settings
● Each application has a JSON manifest file that can be edited directly and exposes a few other settings (app roles and group claims among them)
● Microsoft has a comprehensive REST API, https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/api-catalog, that exposes pretty much everything else

Page 5:

Why Azure Active Directory?

● It is reachable from anywhere (no VPN necessary)
● It can sync with your on-premises Active Directory
● It is relatively easy to integrate with any type of application
● You can join a Windows 10 computer to an AAD domain for authentication similar to an on-premises AD domain
● If you pay for the Basic or Premium editions of AAD you can skin and brand the authentication page with your company’s information

Page 6:

Registering the Backend Application

● The backend application should be registered as a “Web Application” in Azure Active Directory
● Users and groups can be granted access to the application; to make that assignment mandatory rather than optional, turn on “User assignment required”, otherwise any user in the tenant can obtain a token for it
● Roles can be defined specifically for the application (appRoles in the manifest) and assigned to users and groups; they arrive in the token’s “roles” claim
● The app can enable group claims, which adds the user’s group memberships (as object ids, not display names) to the JWT; when a user belongs to more groups than a token can carry, AAD emits an overage indicator instead, so the API must be prepared to look the groups up via the Graph API
● You will probably want to use Bearer token authentication for the WebApi controllers that are exposed to your mobile application; the API must validate the token’s signature, issuer, lifetime and audience, not merely its presence

Page 7:

Registering the Mobile Application

● The mobile application should be registered as a “Native client application” in AAD (a public client: it gets no client secret, because anything shipped inside an app binary can be extracted)
● You will also need to configure the app in AAD to ask for permissions to other applications (i.e. your WebApi)
● Your mobile app in AAD is a “thin” client: it obtains tokens on the user’s behalf and delegates every authorization decision to the registered backend applications

Page 8:

Authentication Restrictions

● A token request can be thought of as a user requesting access to a resource from a given client
● The user must authenticate successfully with AAD
● The user must have access to the requested resource (the WebApi application)
● The client (mobile app) must have been configured with the WebApi application as a required resource
● If any of those three conditions fails, the user will not be granted an access token

Page 9:

How AAD Auth Works

● You do not have to manually implement an OAuth2 flow
● ADAL will give you an access token for each resource
● ADAL caches these access tokens along with a refresh token in the local token cache
● ADAL will attempt to use a refresh token to get a new access token as needed, but will not expose the refresh token to the developer
● ADAL will use a refresh token obtained for any resource to generate an access token for another resource (this is important to remember when implementing logout functionality)

Page 10:

Refresh Token Details

● Users should only have to authenticate with AAD once, regardless of how many resources they are accessing
● Refresh tokens are multi-resource refresh tokens
● As long as you have a refresh token for any resource, you will not be presented with a UI to reauthenticate
● When logging a user out, you need to make sure to clear all of their cached tokens, refresh tokens included; clearing only the access tokens leaves ADAL able to silently mint new ones

Page 11:

Auth Modes

● AcquireTokenAsync - attempts to acquire or refresh an existing access token and presents a UI to have the user authenticate with Azure AD if needed
● AcquireTokenSilentAsync - attempts to use or refresh an existing access token and fails (with an AdalSilentTokenAcquisitionException) if UI interaction would be needed
● AcquireTokenByAuthorizationCodeAsync - If you are plugging into a web application that receives an authorization code from AAD, you can use this to exchange that auth code for an access token that is cached in the token cache

Page 12:

Auth Modes (continued)

● AcquireDeviceCodeAsync - useful for cases when a device may not be able to present a UI to the user. It returns a DeviceCodeResult containing a URL and a short user code to show the user, plus the device code itself; it does not wait for the user
● AcquireTokenByDeviceCodeAsync - takes that DeviceCodeResult and polls AAD until the user has finished entering the code at that URL (or the code expires), then retrieves and caches an access token. Even though the device code granted the first token, other calls to AcquireToken* will use the cached access/refresh tokens
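The two device-code calls in sequence, as an added example that is not part of the slides. It assumes a .NET desktop console app referencing Microsoft.IdentityModel.Clients.ActiveDirectory 3.x (the device-code methods live in ADAL’s desktop build, so this is not a Xamarin snippet); the authority, client id and resource are placeholders.

```csharp
// Added example (not from the slides): device-code sign-in with ADAL 3.x on .NET desktop.
// Authority, client id and resource below are placeholders for your own registration.
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class DeviceCodeSignIn
{
    const string Authority = "https://login.windows.net/contoso.onmicrosoft.com"; // placeholder tenant
    const string ClientId  = "00000000-0000-0000-0000-000000000000";             // placeholder native-client app id
    const string Resource  = "https://contoso.onmicrosoft.com/MyWebApi";         // placeholder App ID URI of the backend

    public static async Task<AuthenticationResult> SignInAsync()
    {
        var ctx = new AuthenticationContext(Authority);

        // Step 1: ask AAD for a device code. This returns immediately; nothing is polled yet.
        DeviceCodeResult code = await ctx.AcquireDeviceCodeAsync(Resource, ClientId);

        // Show the user only the verification URL and the short user code.
        // The long DeviceCode stays on this device; it is the secret that the poll below redeems.
        Console.WriteLine(code.Message);
        Console.WriteLine($"Code expires at {code.ExpiresOn:u}");

        try
        {
            // Step 2: poll the token endpoint (at the interval AAD returned) until the user
            // finishes at the URL or the code expires. On success ADAL caches the access token
            // and refresh token, so later AcquireTokenSilentAsync calls need no device flow.
            return await ctx.AcquireTokenByDeviceCodeAsync(code);
        }
        catch (AdalException ex)
        {
            // Typical causes: the code expired before the user finished, or the user declined.
            Console.WriteLine($"Device sign-in failed: {ex.ErrorCode}");
            return null;
        }
    }
}
```

Nothing in the flow requires a browser on the device that runs this code: the user can complete the sign-in on a phone, while the device merely keeps polling.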

Page 13:

Setting Up Your Code

● Install the Microsoft.IdentityModel.Clients.ActiveDirectory (a.k.a. ADAL) NuGet package
● Determine if you are going to be authenticating against multiple tenants
● Your authority should be https://login.windows.net/{tenantId} or https://login.windows.net/common if you are multi-tenanted
● Find your mobile application’s client id
● Find the resource id for the backend service (its App ID URI)
● Find the redirect uri for your mobile app that you specified in the AAD setup; it must match the registration character for character or AAD will refuse the request

Page 14:

Performing Authentication

Page 15:

Completing Android Authentication

Page 16:

Silently Authenticating
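The three slides above (performing authentication, completing it on Android, and authenticating silently) describe one procedure; here it is as a single added example, written for this page and not taken from the deck. It assumes a Xamarin.Android app referencing Microsoft.IdentityModel.Clients.ActiveDirectory 3.x; the authority, client id, resource and redirect URI are placeholders to be replaced with the values from your own AAD registration.

```csharp
// Added example (not the slides' code): silent-first sign-in with interactive fallback on Xamarin.Android
// using ADAL 3.x. All identifiers below are placeholders.
using System;
using System.Threading.Tasks;
using Android.App;
using Android.Content;
using Android.OS;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

[Activity(Label = "ContosoMobile", MainLauncher = true)]
public class MainActivity : Activity
{
    // Single-tenant authority; use .../common for a multi-tenanted app.
    const string Authority   = "https://login.windows.net/contoso.onmicrosoft.com";
    const string ClientId    = "11111111-1111-1111-1111-111111111111";      // native client app id (placeholder)
    const string Resource    = "https://contoso.onmicrosoft.com/MyWebApi";  // backend App ID URI (placeholder)
    const string RedirectUri = "urn:ietf:wg:oauth:2.0:oob";                 // must equal the registered redirect uri

    // One context per authority; it owns the token cache for this process.
    readonly AuthenticationContext authContext = new AuthenticationContext(Authority);

    protected override async void OnCreate(Bundle savedInstanceState)
    {
        base.OnCreate(savedInstanceState);
        AuthenticationResult result = await GetTokenAsync();
        // result.AccessToken goes into the "Authorization: Bearer ..." header on calls to the Web API;
        // result.ExpiresOn tells you when ADAL will need to refresh it.
    }

    // Try silently first; only fall back to UI when ADAL reports it cannot proceed without one.
    public async Task<AuthenticationResult> GetTokenAsync()
    {
        try
        {
            // Uses a cached access token, or redeems the cached (multi-resource) refresh token.
            // Never shows UI.
            return await authContext.AcquireTokenSilentAsync(Resource, ClientId);
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // Nothing usable in the cache: first run, refresh token expired/revoked, or cache cleared.
        }

        // Interactive: ADAL launches its AuthenticationActivity. PlatformParameters carries this Activity
        // so ADAL can start the browser activity and get its result back.
        return await authContext.AcquireTokenAsync(
            Resource, ClientId, new Uri(RedirectUri), new PlatformParameters(this));
    }

    // Required on Android: hand the auth activity's result back to ADAL.
    // Without this the Task returned by AcquireTokenAsync never completes.
    protected override void OnActivityResult(int requestCode, Result resultCode, Intent data)
    {
        base.OnActivityResult(requestCode, resultCode, data);
        AuthenticationAgentContinuationHelper.SetAuthenticationAgentContinuationEventArgs(
            requestCode, resultCode, data);
    }
}
```

Catching only AdalSilentTokenAcquisitionException is deliberate: a network failure or a service error during the silent call surfaces as a different AdalException and should not be papered over by popping a login UI.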

Page 17:

Bearer Authentication - Backend Service
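An OWIN startup for the backend Web API that consumes the tokens the mobile app acquires, as an added example that is not from the slides. It assumes ASP.NET Web API 2 with the Microsoft.Owin.Security.ActiveDirectory and Microsoft.AspNet.WebApi.Owin packages; the tenant, App ID URI, controller and role name are placeholders.

```csharp
// Added example (not the slides' code): validating AAD bearer tokens in an OWIN-hosted Web API.
// Tenant, audience, routes and the "Editor" role are placeholders.
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using Microsoft.Owin.Security.ActiveDirectory;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                // The middleware downloads the tenant's signing keys from its federation metadata
                // and checks the JWT signature, issuer and lifetime against them.
                Tenant = "contoso.onmicrosoft.com",
                TokenValidationParameters = new TokenValidationParameters
                {
                    // Audience check: the token must have been issued FOR THIS API. Without it,
                    // a valid token minted for any other app in the tenant would be accepted here.
                    ValidAudience = "https://contoso.onmicrosoft.com/MyWebApi",
                    // App roles defined in the backend's manifest arrive in the "roles" claim;
                    // point [Authorize(Roles = ...)] at that claim explicitly.
                    RoleClaimType = "roles"
                }
            });

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }
}

[Authorize] // every action below requires a valid bearer token
public class DocumentsController : ApiController
{
    [HttpGet, Route("api/documents")]
    public IHttpActionResult List()
    {
        var user = (ClaimsPrincipal)User;
        // Group claims (when enabled on the app registration) carry group object ids, not names.
        var groupIds = user.FindAll("groups").Select(c => c.Value).ToList();
        return Ok(new { user = user.Identity.Name, groups = groupIds });
    }

    [HttpPost, Route("api/documents")]
    [Authorize(Roles = "Editor")] // app role assigned to the user or one of their groups in AAD
    public IHttpActionResult Create() => Ok();
}
```

The access token is all the mobile app ever sends; the API never sees the refresh token, which is exactly why the refresh token must stay in the client’s protected cache.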

Page 18:

Token Cache

● ADAL has a default token cache that it uses for access and refresh tokens
● You can pass in a custom token cache when creating the AuthenticationContext in case you want to do something like store them in a DB or in a file; whatever you persist holds refresh tokens, so keep it in app-private, platform-protected storage (keychain/keystore-backed) rather than a world-readable file
● Your custom class doesn’t directly interact with the in-memory cache since Microsoft controls that, but you can sync a custom cache store with the in-memory cache through its BeforeAccess/AfterAccess notifications and Serialize/Deserialize
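A custom cache that keeps a persistent copy in sync with ADAL’s in-memory cache, as an added example that is not from the slides. It assumes ADAL 3.x (TokenCache with BeforeAccess/AfterAccess, Serialize/Deserialize and HasStateChanged); the file path is a placeholder, and the example stores the bytes unencrypted purely to keep the sync logic visible. On a device you would wrap the bytes with a keychain/keystore-backed key before writing them.

```csharp
// Added example (not the slides' code): a file-backed ADAL TokenCache.
// The path is a placeholder; the file content is NOT encrypted here, see the lead-in.
using System.IO;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public class FileTokenCache : TokenCache
{
    static readonly object FileLock = new object();
    readonly string cacheFilePath;

    public FileTokenCache(string cacheFilePath)
    {
        this.cacheFilePath = cacheFilePath;
        // ADAL raises these two notifications around every read/write of the in-memory cache;
        // they are the only sanctioned way to observe and mirror it.
        this.BeforeAccess = BeforeAccessNotification;
        this.AfterAccess  = AfterAccessNotification;
        LoadFromDisk();
    }

    // Replace the in-memory state with whatever was persisted last time (null == empty cache).
    void LoadFromDisk()
    {
        lock (FileLock)
        {
            this.Deserialize(File.Exists(cacheFilePath) ? File.ReadAllBytes(cacheFilePath) : null);
        }
    }

    // Before ADAL reads: refresh from disk so another AuthenticationContext, or a previous
    // process, has not left the in-memory copy stale.
    void BeforeAccessNotification(TokenCacheNotificationArgs args) => LoadFromDisk();

    // After ADAL touched the cache: persist only when something actually changed
    // (new token, refreshed token, or an item deleted on logout).
    void AfterAccessNotification(TokenCacheNotificationArgs args)
    {
        if (!this.HasStateChanged) return;
        lock (FileLock)
        {
            File.WriteAllBytes(cacheFilePath, this.Serialize());
            this.HasStateChanged = false;
        }
    }
}

// Usage: new AuthenticationContext(authority, new FileTokenCache(pathInAppPrivateStorage))
```

Calling Clear() on this cache flows through the same AfterAccess hook, so the emptied state is written to disk as well; that is what makes logout survive a restart.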

Page 19:

Logging Out

● To truly log the user out you must remove all of their cached tokens so that they do not have any valid refresh tokens in the cache
● This can be achieved by clearing the whole cache, or by reading the cache items and removing the individual items that match the user
● You should also clear any cookies that the embedded sign-in browser saved while they were authenticated; the AAD session kept in that web view can otherwise sign the same user straight back in without a password prompt
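Per-user sign-out against the ADAL cache, followed by clearing the web-view cookies, as an added example that is not from the slides. It assumes Xamarin.Android (API 21+) and ADAL 3.x; the cookie-clearing call is the Android one, and an iOS build would use NSHttpCookieStorage instead. The method name and its parameters are this example’s own.

```csharp
// Added example (not the slides' code): log one user out of ADAL's cache and drop web-view cookies.
// Xamarin.Android, API 21+. SignOut and its parameters are this example's own names.
using System;
using System.Linq;
using Android.Webkit;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class Logout
{
    // Returns the number of cached token entries removed for the user.
    public static int SignOut(AuthenticationContext ctx, string userDisplayableId)
    {
        // Each TokenCacheItem is one (authority, client id, resource, user) entry. The refresh token
        // travels with those entries, so deleting every entry for the user removes it as well;
        // leaving even one behind lets AcquireTokenSilentAsync mint fresh tokens for any resource.
        var items = ctx.TokenCache.ReadItems()
            .Where(i => string.Equals(i.DisplayableId, userDisplayableId, StringComparison.OrdinalIgnoreCase))
            .ToList(); // materialise first; DeleteItem mutates the cache we are iterating
        foreach (TokenCacheItem item in items)
            ctx.TokenCache.DeleteItem(item);

        // For a single-user app the blunt form is simpler and harder to get wrong:
        // ctx.TokenCache.Clear();

        // The embedded browser kept AAD's session cookies. Without clearing them, the next
        // AcquireTokenAsync may complete with no credential prompt at all.
        CookieManager.Instance.RemoveAllCookies(null);
        CookieManager.Instance.Flush();

        return items.Count;
    }
}
```

This is a local sign-out only: the refresh token remains valid at AAD until it expires or is revoked there, so a copy exfiltrated from an unprotected cache file keeps working regardless of what the app deletes.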

Page 20:

MSAL (preview)

● Microsoft is currently developing a new authentication library, the Microsoft Authentication Library (MSAL)
● This is the successor library to ADAL and it includes a unified API to authenticate against Azure AD, Azure AD B2C, and Microsoft Accounts
● Your app would still need to be registered with Microsoft, but you will not need an Azure subscription to do that
● Azure AD B2C currently supports Facebook, Google+, LinkedIn, Amazon, and Microsoft accounts

Page 21:

Demo