authenticate from a website to an azure mobile app service - authentication

I have an Azure Mobile App service that I use with my (Cordova and Xamarin) mobile apps. The URL for the Mobile App service is https://gonzo.azurewebsites.net/ (not the real URL). I want to create a website (ASP.NET Core 2.0 Web App) that connects to my Azure Mobile App service, just like my apps do. I tried publishing it to the gonzo URL but that overwrote my mobile app service and thus I had to restore it. I’d love to know if there is a way to actually make that work.
My next step was to create the website and use a different URL https://kermit.azurewebsites.net/. I use social authentication for my app mobile service. When I debug it locally against localhost, everything works perfectly. The problem that I’m running into is that when I try to login from the published website, regardless of the auth provider (facebook, Microsoft, google), instead of getting to the login UI supplied by the login provider, I get a 403 with the URL looking something like this: https://gonzo.azurewebsites.net/.auth/login/facebook/callback?code=long-code.
I thought this can be fixed by allowing the kermit origin in my Azure Mobile App service in CORS. I even tried setting CORS to allow all hosts (*) but that didn’t make a difference. Any idea how to make this work?

I want to create a website (ASP.NET Core 2.0 Web App) that connects to my Azure Mobile App service, just like my apps do. I tried publishing it to the gonzo URL but that overwrote my mobile app service and thus I had to restore it. I’d love to know if there is a way to actually make that work.
Based on your requirement, I assumed that you could deploy your NET Core 2.0 Web App along with your mobile app, at this point your two applications could share the authentication. For Detailed tutorial, you could follow Deploying multiple virtual directories to a single Azure Website.
The problem that I’m running into is that when I try to login from the published website, regardless of the auth provider (facebook, Microsoft, google), instead of getting to the login UI supplied by the login provider, I get a 403 with the URL looking something like this: https://gonzo.azurewebsites.net/.auth/login/facebook/callback?code=long-code.
According to your description, you are using the App Service Authentication / Authorization. I would recommend you directly access https://<your-mobile-app-name>.azurewebsites.net/.auth/login/<provider-name> via the browser to make sure you have successfully set up the authentication for your mobile app.
If I understand you correctly that you want to create another Azure Web App to hosting your NET Core 2.0 Website, and your website wants to connect with your mobile app. Here are some approaches, you could refer to them:
For accessing mobile app in the front-end of your .Net Core web app
You could leverage the JavaScript SDK for Azure Mobile Apps in your .Net Core web app to access your mobile app. Details you could follow here. Additionally, if your website would also enable the app service authentication, you could just send GET https://<your-netcore-webapp-name>.azurewebsites.net/.auth/me to retrieve the access_token, then use the Client-managed authentication for logging with your mobile app in the front-end of your netcore website.
For accessing mobile app in the back-end of your .Net Core web app
I assume that your .Net Core web app would also need to enable social authentication via using the App Service Authentication / Authorization, and in the backend of your website you could retrieve the access_token for the current logged user, then you could use Client-managed authentication for logging with your mobile app. The logging request would look like this:
POST https://<your-mobile-app-name>.azurewebsites.net/.auth/login/<provider-name>
Payload: {"access_token":"<the-access-token-for-the-specific-social-provider>"}
Moreover, for retrieving the user logged infos (including the access_token,etc.) from App Service Authentication / Authorization (EasyAuth), you could follow this issue.

Related

Implimenting Single Sign On in ASP.Net Core with Amazon Cognito withoult Hosted UI

I have created user pool and configured with asp.net core API that communicates with AWS for Login/signup etc.
I have three stand alone applications build in asp.net core I want to integrate these application with AWS through that Asp.net Core API.
API is working fine that is able to sign in, signup, forgot password, reset password password etc.
By using AWS Hosted UI (AWS Domain) through Asp.net Core OpenID Connect I am able to perform Single Sign On (SSO). But I don't want to use Hosted UI.
I want to Use Sign In page of my respected app (Every App has its own Sign In) and i will pass that credentials to Api(that is connected with Cognito User Pool). When my Api get Sign In all of my other APPs should get Sign in, that basically impliments Sign On.
Currently I am Passing my data to API and in Api Authentication implemented due to Amazon.AspNetCore.Identity.Cognito.
My Startup file of API:
StartUp
My API Function:
Login Function
My Application's Startup:
App1 StartUp
I am using AWS SDK along with libraries: Amazon.AspNetCore.Identity.Cognito; Amazon.Extensions.CognitoAuthentication;

Bluemix Single Sign on for a mobile app

I'm adding a login page for my mobile app, so that it integrates with Bluemix Single Sign On. I'm at the step to configure the Node.js app following the Bluemix Doc at Configuring a Node.js app. The example here about callback is for a web app. In the mobile app context, I don't have a redirect URL. So this code for example:
app.get('/auth/sso/callback',function(req,res,next) {...}
On the mobile client side, do I do a GET to /login?
I already have a login implemented using Mobile Client Access service. Is it something I can build up upon? For example,
app.post('/apps/:tenantId/:realmName/handleChallengeAnswer', function(req, res {...}
Can I call the Single Sign On API in here?
Thanks a lot for your help!
Jen
Is your mobile application based on nodejs? If so and you use a webview on your mobile application you could leave to the webview component to manage your authentication flow like working with a browser.
You instead have to manage authentication if your application is integrating with Rest APIs, in this case you could use SSO but your application has to manage cookies like a browser.
Bluemix Single Sign On so far has only been tested on web applications. I have no knowledge on whether Single Sign On would work smoothly on mobile applications.
Also, the Bluemix Single Sign On follows the OIDC protocol. So the redirect URL is a mandatory parameter when using the service, unfortunately.
Regarding building upon your login implementation, to my knowledge, it is not possible to include your implemented login in place of what is provided with the Single Sign On service. But you can choose to add the login implementation in addition to the login needed when using Single Sign On.
Hope that addresses your questions.

Azure API App anonymous users and authentication

After looking through multiple tutorials and posts, I have not found an answer or guide as to how to handle the following issue:
There is an Azure API App communicating with an Azure DocumentDB
There will be an Azure Web App (and some day mobile apps) communicating with the API App.
I would like for anonymous users to have access to read only information through the Web App (and only through the Web App). The
API App will serve up documents as requested. Anonymous users
connecting directly to the API App should not be allowed to retrieve
any information.
For contributors, they will be able to add documents using the Web App
when they are logged in. The documents will go through the API App
to be written to the DocumentDB
What are the suggested ways for handling anonymous users and authenticated users so both can use the Web App and the underlying API App successfully while blocking any use of the API App if it does not come from the Web App (or future mobile apps)? I only want anonymous users to be able to retrieve information when using the Web App.
The API App is developed in C# .NET 4.5, and the Web App will be the same. I'm not planning on writing my own authentication since the Azure Gateway takes care of this, but it only has the options of Public (Anonymous), Public (Authenticated), and Internal. Public (Anonymous) lets everyone in, while Public (Authenticated) blocks the anonymous users that I would like to have read only access. I'm very new to dealing with Authentication so I'm not even sure if this is possible without having to write my own authentication engine.
For clarification, this question is purely for Authentication between the Web App and the API App.
Thanks,

Cross platform ServiceStack Authentication

What is the best way to architect the following solution for authentication?
I have a standalone (not integrated with MVC) ServiceStack REST service layer. This service is the entry point to all my data. No data is stored on the client.
I have multiple clients (ASP.Net MVC 4 site, MonoTouch app, MonoDroid app, Silverlight app, MonoMac app, etc).
I would like to provide authentication (Facebook, Twitter, etc) at the service level, including storing the users in the MongoDBAuthRepository, but allow the clients to provide the login UI (do I want this?). For example, for the MVC site, I'd like to integrate the remote ServiceStack authentication service (including Facebook, Twitter), with MVC's authentication system. It seems like the actual authentication should occur on the service side, but the client side needs to hold on to the authentication response.
I've read the wiki, looked at SocialBootstrap, and read the forum, but I'm still confused as to how this is supposed to work in a distributed way.
For OAuth options like Twitter + Facebook your authentication should happen in a browser as they each require redirections from their respected auth provider to capture trusted verification from each user. Some mobile apps do this by embedding a browser widget for Twitter + FB Auth.
Once a user is authenticated with Twitter + Facebook and Credentials in the same authenticated session, ServiceStack's AuthProviders automatically merges all Auth info into the same account. So later you will be able to login with 1 auth provider but get access to info available on all 3. The SocialBootstrapApi project provides an example of this.

Accessing a WCF Service secured by ACS from javascript

I am looking to create a WCF (possibly WebApi) web service that sits on top of some of our existing code. Eventually this service will be used by external clients but we are going to start using it with our own mobile app.
As some clients will want to use Gmail and ADFS authentication it seems to make sense to use Azure ACS (this is where our webservices are hosted). However we won't need multiple providers for a while and we will start by using a custom STS that authenticates users against our existing authentication logic.
We already have a rough prototype of the above working using a MVC web application acting as the client.
My problem is how do I integrate this with a mobile application? It looks as if the mobile app will be written using AppCelerator which means I need to authenticate using javascript. We only want users to authenticate to our custom STS so would I need to use Active Authentication? I.e.
Ask user to enter username and password
Directly authenticate with custom STS and retrieve token
Pass STS token to ACS and retrieve ACS token
Pass ACS token to wcf service for each request.
I guess my questions are: am I on the right track and if so how would I achieve this in javascript?
If you want to support mobile devices, it is recommended to provide a web based login interface in your STS. In most cases, a mobile device will navigate to your STS’s sign in page in a web browser. After your STS authenticates the user, it sends claims to ACS. ACS in turn uses JavaScript notification to notify the host application.
You can refer to http://msdn.microsoft.com/en-us/WAZPlatformTrainingCourse_ACSAndWindowsPhone7 for a tutorial about working with ACS in Windows Phone. Similar process can be used for other mobile devices.
Hope this helps.
I think it is possible to issue SAML over Https request. As a starting point Id suggest to look at Thinktecture IdentityServer sources by Dominick Baier. This will help to understand different strategies and how you can use em(there are some goodies for WebApi on Github also):
http://identityserver.codeplex.com/