Authentication on Azure Mobile Apps – Server Flow – AD
Communication, authorization flows, user and rights management, access tokens and IP addresses... just a few of the things we worry about when building and securing a web API. If you need a refresher on Mobile Apps and what they mean in Azure, please read What are Azure Mobile Apps before coming back to this, as it explains the ecosystem and paves the way for this post, in which we focus on security.
As mentioned before, Mobile Apps are part of the Azure App Service offering, a PaaS offering that lets you create web and mobile apps for any platform or device and connect to data anywhere, in the cloud or on-premises. App Service includes the web and mobile capabilities that were previously delivered separately as Azure Websites and Azure Mobile Services, as described in the article mentioned above. For a great article on App Service security, may I refer you to a two-minute Microsoft Docs post, “Securing PaaS web and mobile applications using Azure App Service”. As a single integrated service, App Service brings a rich set of capabilities to web, mobile, and integration scenarios.
Let’s quickly create an Azure Mobile App
We’ll do that the easy Azure way. If you want to know more about this, take a look at WHAT ARE AZURE MOBILE APPS, which explains in more detail why you want a Mobile App and how to create one via Visual Studio. So here we go: open your Azure subscription and your Resource Group, click New and filter by Mobile App:
Authenticate using Azure AD
Azure AD authentication is available to all corporate users, as long as AD is in the cloud, either entirely on Azure or with your on-premises AD connected and thus able to provide a common identity service. Azure AD authentication is a simple and recommended development proposition intended for corporate applications, and it can live alongside other authentication providers. One great benefit is the built-in Multi-Factor Authentication option and Single Sign-On with your company account.
This makes AD authentication great for intranet and corporate applications. But wait... we are talking about Azure AD B2B.
Recently the other Azure AD offering, AD B2C, has become available and it works great. Intended for consumer-facing applications, it provides the same simplicity as the corporate AD.
Note: The Microsoft Authentication Library is still in preview, but is suitable for use in a production environment. However, there may be breaking changes to the API, internal cache format, and other mechanisms of the library, which may impact your application.
In the newly created Azure Mobile App, find the Settings group on the Mobile App blade and open Authentication / Authorization. You will find App Service Authentication set to Off. That basically says that Azure does nothing for your app, but your app (which is a Web API) may use its own custom method of authenticating and authorizing. Turning App Service Authentication on on the server side does nothing to your code and does not alter your application; it may well live side by side with your own authentication method, but the behavior may be weird at times and you will want to make your application aware of this environment. And that brings me to the heart of this post:
A few things happening here:
- The first drop-down indicates that we allow anonymous requests to pass through, which is great if you are using your own custom authentication, or you have public areas and your application is aware of that. Change it only when you want to secure all calls before they even reach your app.
- Azure Active Directory indicates it is not configured. A simple click brings you to a well-designed blade that seems to me as intuitive as it may ever be:
As you may well see, I’m using the Express option so that everything gets created and configured for me. Using the Advanced option allows you to connect to an existing AD app instance. That would also allow you to connect to an AD B2C tenant, as explained in Integrating Azure Active Directory B2C with Azure Mobile Apps.
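Because the portal is left at “Allow Anonymous requests”, the back-end itself has to decide what needs a signed-in user. The following C# back-end is an added example (not the post’s own code, nor the Azure quick-start) showing the two pieces that make a Mobile App “aware” of App Service Authentication: an `[Authorize]`-protected table controller that scopes rows to the caller’s App Service user id, and a custom API that reads the Azure AD identity App Service attached to the request. It assumes the Mobile Apps server SDK (`Microsoft.Azure.Mobile.Server`) and the `MobileServiceContext` Entity Framework context from the C# quick-start; the `TodoItem` model with its `UserId` column is constructed for the example.

```csharp
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Controllers;
using Microsoft.Azure.Mobile.Server;
using Microsoft.Azure.Mobile.Server.Authentication;

// Constructed model for the example: one extra column holds the owner's id so
// rows can be scoped to the signed-in user.
public class TodoItem : EntityData
{
    public string Text { get; set; }
    public bool Complete { get; set; }
    public string UserId { get; set; }
}

// [Authorize] makes the back-end reject unauthenticated calls (401) on its own,
// so the table stays protected even while the portal is left at "Allow Anonymous
// requests (no action)". Use [AllowAnonymous] on individual actions for public reads.
[Authorize]
public class TodoItemController : TableController<TodoItem>
{
    protected override void Initialize(HttpControllerContext controllerContext)
    {
        base.Initialize(controllerContext);
        // MobileServiceContext is the EF DbContext from the C# quick-start (assumed).
        var context = new MobileServiceContext();
        DomainManager = new EntityDomainManager<TodoItem>(context, Request);
    }

    // The stable user id App Service puts on the principal (NameIdentifier claim,
    // e.g. "sid:..."); every query below is scoped to it.
    private string CurrentUserId
    {
        get
        {
            var principal = User as ClaimsPrincipal;
            return principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        }
    }

    // GET tables/TodoItem: only the caller's own rows are returned.
    public IQueryable<TodoItem> GetAllTodoItems()
    {
        string userId = CurrentUserId;
        return Query().Where(item => item.UserId == userId);
    }

    // POST tables/TodoItem: stamp the owner server-side; never trust a client-supplied UserId.
    public async Task<IHttpActionResult> PostTodoItem(TodoItem item)
    {
        item.UserId = CurrentUserId;
        TodoItem current = await InsertAsync(item);
        return CreatedAtRoute("Tables", new { id = current.Id }, current);
    }
}

// Custom API (api/WhoAmI) that exposes the AD identity details App Service
// attached to the request; the SDK fetches them from the App Service /.auth/me endpoint.
[Authorize]
[MobileAppController]
public class WhoAmIController : ApiController
{
    [HttpGet]
    public async Task<IHttpActionResult> Get()
    {
        var creds = await User.GetAppServiceIdentityAsync<AzureActiveDirectoryCredentials>(Request);
        if (creds == null)
        {
            return Unauthorized();
        }
        return Ok(new
        {
            creds.UserId,    // "sid:..." user id, the same value the table controller scopes on
            creds.ObjectId,  // Azure AD object id of the user
            creds.TenantId,  // tenant the user signed in from
            creds.Claims     // raw claims App Service received from Azure AD
        });
    }
}
```

With the portal set to allow anonymous requests, a call to `tables/TodoItem` without a valid `X-ZUMO-AUTH` header now gets a 401 from the `[Authorize]` attribute rather than anonymous access to the whole table; switching the portal drop-down to “Log in with Azure Active Directory” later moves that rejection in front of the app without changing this code.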
A key component that will come into play in your Azure Mobile App is the managed client for Azure Mobile Apps. For all that follows, I will be using C# for the back-end and moving away from the node.js EasyTables solution that you may download as a quick-start. Actually, all quick-starts bring you to EasyTables, and I will not be using that in an enterprise-level application.
There are clients for all environments and development tastes. A further read will be Add authentication to your Windows app. I will come back with the integration of social authentication (Facebook, Google...) and then enable custom authentication and make them live side by side to serve the same purpose, allowing the Mobile App to serve web and devices in the same way, thus becoming a prime choice within your line-of-business services offering.
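On the client side, the managed client performs the server flow in a single call. The snippet below is an added example (not code from the post or from the SDK documentation) that signs in against the Azure AD provider configured in the portal and then reads the caller’s rows from the protected table, re-authenticating once if the App Service session token is missing or expired. It assumes the `Microsoft.WindowsAzure.MobileServices` client SDK with the `LoginAsync(provider)` overload as used on UWP, and the Mobile App URL is a placeholder.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MobileServices;

// Constructed client-side model matching the back-end table.
public class TodoItem
{
    public string Id { get; set; }
    public string Text { get; set; }
    public bool Complete { get; set; }
}

public class TodoClient
{
    // Placeholder: replace with the URL of your own Mobile App.
    private readonly MobileServiceClient client =
        new MobileServiceClient("https://<your-mobile-app>.azurewebsites.net");

    // Server flow: the SDK opens the App Service /.auth/login/aad page, Azure AD
    // authenticates the user, and App Service hands back its own session token.
    // From then on the SDK sends that token in the X-ZUMO-AUTH header.
    public async Task<MobileServiceUser> SignInAsync()
    {
        if (client.CurrentUser != null)
        {
            return client.CurrentUser;
        }
        // Newer SDK versions on iOS/Android take an extra uriScheme (and a
        // platform context) argument; this is the single-argument UWP shape.
        return await client.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory);
    }

    // Reads the caller's items. A 401 from the [Authorize]-protected table means
    // the session token is missing or expired, so sign in again once and retry.
    public async Task<IList<TodoItem>> GetMyItemsAsync()
    {
        var table = client.GetTable<TodoItem>();
        try
        {
            return await table.ToListAsync();
        }
        catch (MobileServiceInvalidOperationException ex)
            when (ex.Response != null && ex.Response.StatusCode == HttpStatusCode.Unauthorized)
        {
            client.CurrentUser = null;   // drop the stale token before re-authenticating
            await SignInAsync();
            return await table.ToListAsync();
        }
    }
}
```

The App Service session token, not the Azure AD token, is what the device keeps; the AD token never leaves the App Service gateway in the server flow, which is why the client code needs no Azure AD client id or tenant details of its own.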