Securing our mobile app and services

Security is one of the most important concerns to keep in mind when designing mobile solutions. In this scenario we will review how to implement Azure Active Directory authentication in our mobile application (a Xamarin application) and then how to protect our Azure App Service (Mobile App, Logic App, Function App) so that it rejects unauthorized requests to our service.

Configuring Azure environment

For this scenario we are going to use the following Azure resources:

  • Mobile App Service.
  • Azure Active Directory application (Native).
  • Azure Active Directory application (Web/API).

It’s time to create our App Service. In this sample we are using a Mobile App Service, but any other member of the App Service family works the same way.

Now open the Authentication/Authorization feature and enable the Azure Active Directory authentication provider. Make sure “Action to take when request is not authenticated” is set to “Log in with Azure Active Directory” rather than “Allow Anonymous requests”; otherwise the provider is configured but unauthenticated calls are still let through.

It’s time to create our first Azure Active Directory application using the Express settings. In this sample I used the prefix XamarinAdal, since that is our project, and the suffix Backend, since this registration represents our REST API.

  • Write a name for the Azure Active Directory application: e.g. XamarinAdalBackend.
  • Enable “Grant Graph Permissions” and “Grant Common Data Services Permissions”.
  • Save all the changes.

Once the changes have been applied to the Mobile App Service, go to the Azure Active Directory blade and search for the application that was just created, in this sample XamarinAdalBackend.

  • Copy the Application ID and save it temporarily.

Go to the application’s settings; nothing needs to be modified there, because all the permissions it uses are delegated permissions.

Just press “Grant Permissions”.

At this point we have configured our Mobile App Service and its Azure Active Directory application. Next we configure the Azure Active Directory application for the mobile client.

Go to Azure Active Directory, select App Registrations, press “+ New application registration”, and fill in the following fields:

  • Write a name for the Azure Active Directory application: e.g. XamarinAdalMobile.
  • Select Native application type.
  • Enter the redirect URI, e.g. https://YOUR_APP_SERVICE.azurewebsites.net/.auth/login/done

As with the backend application (XamarinAdalBackend), go to the application settings, but this time add the backend Azure Active Directory application (XamarinAdalBackend) to the required permissions of the mobile application (XamarinAdalMobile). This is what allows the mobile client to request tokens whose audience is the backend API.

Then press “Grant Permissions”.

Congrats!! :) At this point you have set up everything needed to run our mobile application.

Mobile application (Xamarin)

Clone the project from GitHub repo

git clone https://github.com/rcervantes/xamarin-adal.git

  • Publish the App Service project to the Mobile App Service you created earlier.

  • Then edit the file source/XamarinAdal/XamarinAdal/Settings.cs and fill in the following settings:

  • APP_SERVICE: the name of your Mobile App Service.
  • RESOURCE_ID: the Application ID of your backend Azure Active Directory application (XamarinAdalBackend). This is the audience the token is requested for; the App Service only accepts tokens issued for this ID, so do not put the mobile application’s ID here.
  • CLIENT_ID: the Application ID of your mobile Azure Active Directory application (XamarinAdalMobile).

using System;
namespace XamarinAdal
{
    public class Settings
    {
        // Base URL of the Mobile App Service that hosts the protected API.
        public static string AppServiceURL = "https://APP_SERVICE.azurewebsites.net/";
        // ADAL authority. "common" lets users from any directory sign in; replace
        // "common" with your tenant ID to restrict sign-in to your own directory.
        public static string TenantId = "https://login.windows.net/common";
        // Application ID of the backend registration (XamarinAdalBackend): the token audience.
        public static string ResourceId = "RESOURCE_ID";
        // Application ID of the mobile registration (XamarinAdalMobile).
        public static string ClientId = "CLIENT_ID";
        // Must match the redirect URI registered on the mobile application.
        public static string ReturnUrl = $"{Settings.AppServiceURL}.auth/login/done";
    }
}

Now it’s time to run our mobile application

The app displays two buttons, Login and Clear token.

On login, the app asks for a valid email address and password.

The authentication flow continues and asks the user to grant the app access to their profile information.

The profile information (the user’s name) is displayed in the application, and an asynchronous request is made to the Mobile App Service, authenticated with the token obtained.
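To make the RESOURCE_ID / CLIENT_ID relationship concrete, here is an added example (mine, not code from the xamarin-adal project, which is C#) that applies the claim checks a backend must make on the Azure AD v1 access token ADAL obtains: the token’s audience (aud) must be the backend Application ID, its issuer (iss) must be our tenant, and it must not be expired; an appid check against the registered mobile client is included as an additional check an API can make. The GUIDs, tenant and the sample tokens are constructed for the example, and the helper that builds tokens produces an unsigned placeholder so the checks run offline; a real service (including the App Service provider that receives the token at /.auth/login/aad) validates the signature against the tenant’s signing keys before trusting any claim.

```python
import base64
import json
import time

# Constructed sample values for this example only (not real Azure identifiers).
# They stand in for the Settings.cs values: RESOURCE_ID is the backend app's
# Application ID, CLIENT_ID is the mobile app's Application ID.
BACKEND_APP_ID = "11111111-1111-1111-1111-111111111111"    # RESOURCE_ID
MOBILE_CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # CLIENT_ID
TENANT_ID = "33333333-3333-3333-3333-333333333333"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"  # AAD v1 issuer format


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a JWT-shaped string carrying the given claims so the checks below can
    run offline. The signature segment is an empty placeholder: this helper is a
    test fixture, not a token issuer."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url(json.dumps(header).encode("utf-8")),
                     _b64url(json.dumps(claims).encode("utf-8")),
                     ""])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_claims(token: str, expected_aud: str, expected_issuer: str,
                       allowed_client_ids: set, now: float = None) -> tuple:
    """Apply the claim checks an API must make on an AAD v1 access token:
    issued for this API (aud), by our tenant (iss), to a client application
    we registered (appid), and still valid (exp). Returns (accepted, reason).
    In production, verify the signature against the tenant's published signing
    keys before trusting any of these claims."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    if claims.get("aud") != expected_aud:
        return False, "aud mismatch: token was not issued for this API"
    if claims.get("iss") != expected_issuer:
        return False, "iss mismatch: token from an unexpected tenant"
    if claims.get("appid") not in allowed_client_ids:
        return False, "appid not allowed: unregistered client application"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def good_token(now: float) -> str:
    """Token as ADAL obtains it with ResourceId = backend ID, ClientId = mobile ID."""
    return make_sample_token({"aud": BACKEND_APP_ID, "iss": EXPECTED_ISSUER,
                              "appid": MOBILE_CLIENT_ID, "exp": int(now) + 3600,
                              "name": "Sample User"})


def misconfigured_token(now: float) -> str:
    """Token obtained when ResourceId is mistakenly set to the mobile app's own ID."""
    return make_sample_token({"aud": MOBILE_CLIENT_ID, "iss": EXPECTED_ISSUER,
                              "appid": MOBILE_CLIENT_ID, "exp": int(now) + 3600})


if __name__ == "__main__":
    now = time.time()
    allowed = {MOBILE_CLIENT_ID}
    print(check_token_claims(good_token(now), BACKEND_APP_ID, EXPECTED_ISSUER, allowed, now))
    print(check_token_claims(misconfigured_token(now), BACKEND_APP_ID, EXPECTED_ISSUER, allowed, now))
```

The second call is rejected with an audience mismatch: that is what happens to the App Service login when RESOURCE_ID in Settings.cs is filled with the mobile application’s ID instead of the backend’s, and it is the reason the two registrations are kept separate.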

Credits

I want to thank Michael Watson for his support in this exercise; I hope to have the UWP implementation public soon.