2

I've been searching for a solution that makes sense for the past few days, so forgive me if I overlooked something or am ignorant to the correct path.

I have an existing website built with ASP.NET Framework MVC where users register for Individual Accounts and are stored in an MSSQL database. I'm creating a Xamarin.Forms app where we want users to log in with their website credentials.

I've been looking at Microsoft docs to try and accomplish this. In the past (2014) I created an Apache Cordova app that communicated in a similar fashion successfully (potentially in an insecure way): it called the /Token endpoint, authenticated the user with the 'grant_password' flow and returned the user data to the app.

So I landed on this documentation: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

However, from what I can gather it basically says this should be avoided moving forward and an MSAL approach should be used if possible.

After reading through hours and hours of documentation trying to make sense of it all, I can't seem to grasp what my options are. It seems to me that in any MSAL flow, users will have to log in with Microsoft accounts or other social accounts (Facebook, Google).

Am I missing something?

Am I going to have to go against Microsoft's advice and end up storing the client_id and client_secret within the Xamarin app source code? From everything I've read, that is a big security concern, especially with Android apps.

References:

  1. Restrict API requests to only my own mobile app
  2. How to secure an API REST for mobile app? (if sniffing requests gives you the "key")

Any help or direction would be really appreciated. Thank you

rsnyder
  • 383
  • 1
  • 6
  • 19
  • You need to add your platform as an Android app, then the app will call the API with that application credential and get the token. Try the samples in the docs: https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-app-registration , https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-mobile-call-api – ColeX Sep 01 '21 at 09:44
  • @ColeX-MSFT Thank you for your response. I just got done looking at those samples and docs many times. But I'm still running into the situation where I end up having to pop up a mobile browser and ask a user for their Microsoft login. Am I missing something? Thank you for your help – rsnyder Sep 01 '21 at 22:13
  • Did you try to log in in the pop-up browser? What happened after that? – ColeX Sep 06 '21 at 09:43
  • @ColeX-MSFT Are you saying to log in with the pop-up browser into my web API? – rsnyder Sep 07 '21 at 16:10
  • @ColeX-MSFT I've logged in with the pop-up browser (I think) with my Microsoft account, and that works successfully. But that's not how I want users to log in – rsnyder Sep 07 '21 at 20:22

1 Answer

1

Your focus should be on requirements + understanding preferred designs rather than jumping to a technology.

DIRECTION

Standard modern systems look like this:

  • Mobile apps use OpenID Connect to sign users in
  • Authorization Server issues access tokens to the mobile app
  • APIs authorize requests via JWTs containing scopes and claims

Aim to make iterative steps towards this type of architecture.

PATTERNS

  • Plug in an Authorization Server, which uses your existing database as a credential store
  • Mobile app uses AppAuth Libraries to sign users in and receives access tokens
  • Back end can handle JWTs without data security risks

DIFFICULT AREAS

Your existing back end may have no support for mobile clients and be too web focused, e.g. requiring cookies to access data, so it may need to be split into 2 entry points.

Choosing an Authorization Server (while you are learning) is difficult, because you may not know what you want yet.

The mobile app will spin up the system browser and present a login page from the Authorization Server, so the login UX could be unexpected.

STEP 1

Ensure that you can authenticate from the mobile app, then make API calls with JWTs and ensure that requests for data are properly authorized. This could use ROPC and involve a temporary API. But the deliverable should be that your back end now supports calls from mobile apps.

STEP 2

Integrate AppAuth into the mobile app, which is tricky but there are resources online such as Curity Mobile Guides. Update the mobile app to use the Code Flow and integrate an Authorization Server, then deal with connecting to credential stores.

SUMMARY

This stuff is hard and reflects the cost of modernising architectures. It requires people agreement as well as the technical stuff. Happy to answer follow-up questions if it helps.

Gary Archer
  • 22,534
  • 2
  • 12
  • 24
  • Thank you for your answer, it helps give a better understanding of the big picture and ways to think about direction moving forward. I appreciate it – rsnyder Sep 10 '21 at 14:23
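The answer's DIRECTION and STEP 1 points both come down to the same API-side deliverable: every request carries a JWT, and the back end checks it before returning data. The following is an added, framework-neutral illustration of those checks (signature, pinned algorithm, expiry, issuer, audience, then scope) and of the 401/403/200 outcomes an endpoint should produce. It is not code from the answer, from Curity or from any Microsoft sample. The issuer URL, audience name, scopes, user id and signing key are all constructed for the demo; HS256 with a shared key is used only so the block runs offline, whereas a real Authorization Server signs with an asymmetric key (RS256/ES256) and the API fetches the public keys from the server's JWKS endpoint. The `mint_token` helper exists only to produce test input; in the target architecture the Authorization Server mints tokens, never the API or the mobile app.

```python
"""Illustrative per-request JWT checks for a resource API (constructed demo).

Order of checks: structure -> algorithm -> signature -> exp -> iss -> aud -> scope.
Anything that fails before scope is a 401 (token not acceptable); a valid
token without the required scope is a 403.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values, not from the question or answer.
DEMO_KEY = b"constructed-demo-signing-key-not-for-production"  # shared HS256 key, demo only
EXPECTED_ISSUER = "https://auth.example.test"                  # assumed Authorization Server URL
EXPECTED_AUDIENCE = "api://orders"                             # assumed identifier of this API


def b64url_encode(raw: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Produce an HS256 JWT. Only here to create test input: in the real
    design the Authorization Server does this, never the API or the app."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_token(token: str, key: bytes = DEMO_KEY, now: Optional[int] = None) -> dict:
    """Return the claims if the token is authentic and meant for this API;
    raise ValueError with the reason otherwise. `now` is injectable for tests."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the API expects; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Claims are trusted only after the signature check above.
    claims = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or current >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def authorize(token: str, required_scope: str, now: Optional[int] = None) -> Tuple[int, str]:
    """What an endpoint does with the bearer token: 401 when it is not
    acceptable, 403 when valid but lacking the scope, 200 plus the subject
    when the data request may proceed."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return 401, str(exc)
    granted = set(claims.get("scope", "").split())  # space-separated per RFC 6749
    if required_scope not in granted:
        return 403, "insufficient_scope"
    return 200, str(claims.get("sub", ""))


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-42",
                        "exp": now + 300, "scope": "orders:read profile"})
    print(authorize(token, "orders:read", now))   # accepted: (200, 'user-42')
    print(authorize(token, "orders:write", now))  # valid token, missing scope: 403
```

In an ASP.NET back end these are the same validations the JWT bearer middleware performs when configured with the expected issuer, audience and signing keys; the scope check is the part that remains the API's own authorization decision, which is why the answer stresses that requests for data must be properly authorized and not merely authenticated.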