Azure Mobile Service and Azure Web Application Authentication

I get two different SIDs for the same user depending on whether the user logs in through the Azure Web App (ASP.NET MVC) or through Xamarin.iOS.

Setup

Azure WebApp ASP.NET 5 with API Controllers

Xamarin.iOS app with the Microsoft.WindowsAzure.Mobile.Client SDK, Azure AD B2C

User on the web

I get the ObjectIdentifier value, which is the AAD SID:

    var userClaim = ClaimsPrincipal.Current.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier").Value;

User on mobile devices

I get only NameIdentifier and not ObjectIdentifier:

    ClaimsPrincipal mobileUser = this.User as ClaimsPrincipal;
    var mobileUserClaim = mobileUser.FindFirst("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier");

The SIDs are completely different: when the user authenticates from the mobile app the SID is xxxx, while from the web it is xxx.

I know that if I configure one Azure Mobile App and one Azure Web App, the SID will be identical during authentication. But I do not want to manage two sites for an application this small. The purpose of the application is a simple web app that performs certain actions, and the same actions from the phone; from the phone I use the Azure Mobile Services SDK and InvokeApiAsync to call the API controllers in the web application.

Thanks

+5
2 answers

To clarify the situation: you are observing two SIDs:

1) From AAD by logging into AAD through a web browser.

2) From the Azure App Service (web app and mobile app), probably from using LoginAsync from our client. This method relies on the server login flows.

This is by design. MobileServiceClient receives App Service tokens and authenticates to your mobile app with that token. You can exchange the authentication token you receive from the Azure App Service for the AAD SID by issuing a GET to the .auth/me endpoint.

After your client has authenticated with App Service and AAD, you can get additional information about the AAD user (or any other identity provider) by calling yoursite.azurewebsites.net/.auth/me and parsing the response for the claim you want:

    {"typ": "http://schemas.microsoft.com/identity/claims/objectidentifier"}

Another strategy would be to use ADAL (http://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) from your client application to log in with AAD, and then use the AAD access token to get the Mobile App token using the appropriate LoginAsync overload:

https://github.com/Azure/azure-mobile-apps-net-client/blob/master/src/Microsoft.WindowsAzure.MobileServices.iOS/Extensions/MobileServiceClientExtensions.cs#L55

The additional parameter must be in the format {"access_token": "[AAD access_token value]"}

Brett Samblanet's wiki page for the .NET server about user IDs should help you understand what is going on: https://github.com/Azure/azure-mobile-apps-net-server/wiki/Understanding-User-Ids

+1
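The /.auth/me exchange described in the answer above, as an added example that is not the answer author's code: it presents the App Service session token (assumed to come from MobileServiceClient.CurrentUser.MobileServiceAuthenticationToken after LoginAsync) to the site's /.auth/me endpoint and pulls the AAD objectidentifier claim out of the response. The site URL and the sample JSON are placeholders constructed for this example.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Added example, not the answer author's code. Assumptions: the site URL
// and token are supplied by the caller (e.g. MobileServiceClient.CurrentUser
// .MobileServiceAuthenticationToken after LoginAsync); the JSON shape is
// that of App Service Authentication's /.auth/me response.
public static class AuthMeClient
{
    public const string ObjectIdClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";

    // Constructed sample of a /.auth/me response (all values are placeholders).
    public const string SampleAuthMe = @"[{""provider_name"":""aad"",
        ""user_id"":""user@contoso.example"",
        ""user_claims"":[{""typ"":""http://schemas.microsoft.com/identity/claims/objectidentifier"",
                          ""val"":""00000000-0000-0000-0000-000000000001""}]}]";

    // Presents the App Service session token to /.auth/me and returns the AAD
    // object id, or null if the identity provider did not issue that claim.
    public static async Task<string> GetAadObjectIdAsync(string siteUrl, string zumoToken)
    {
        using (var http = new HttpClient())
        {
            var request = new HttpRequestMessage(HttpMethod.Get, new Uri(new Uri(siteUrl), "/.auth/me"));
            // Same header the Mobile Apps SDK sends on InvokeApiAsync calls.
            request.Headers.Add("X-ZUMO-AUTH", zumoToken);
            var response = await http.SendAsync(request);
            response.EnsureSuccessStatusCode();
            return ExtractClaim(await response.Content.ReadAsStringAsync(), ObjectIdClaim);
        }
    }

    // /.auth/me returns one entry per identity provider; each entry carries a
    // user_claims array of {"typ": ..., "val": ...} objects.
    public static string ExtractClaim(string authMeJson, string claimType)
    {
        foreach (var identity in JArray.Parse(authMeJson))
        {
            var claims = identity["user_claims"] as JArray;
            if (claims == null) continue;
            foreach (var claim in claims)
                if ((string)claim["typ"] == claimType) return (string)claim["val"];
        }
        return null;
    }
}
```

ExtractClaim(AuthMeClient.SampleAuthMe, AuthMeClient.ObjectIdClaim) returns the placeholder object id; against a live site the value is the same objectidentifier the web app reads through ClaimsPrincipal, which is what makes the two logins comparable.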

I finally got it to work:

    // ADAL: acquire an AAD access token for the API's app registration
    string authority = "https://login.windows.net/[TenantId].onmicrosoft.com/";
    string resourceId = "[myApiClientId]";
    string clientId = "[clientId]";
    string redirectUri = "https://[URL]/.auth/login/done";
    AuthenticationContext ac = new AuthenticationContext(authority);
    AuthenticationResult ar = await ac.AcquireTokenAsync(resourceId, clientId, new Uri(redirectUri), new PlatformParameters(this));

    // Token payload in the shape the Mobile Apps LoginAsync overload expects
    // (not used below; the API is called directly with the bearer header)
    JObject payload = new JObject();
    payload["access_token"] = ar.AccessToken;

    // Call the API controller with the AAD token as a Bearer Authorization header
    string authHeader = ar.CreateAuthorizationHeader();
    HttpClient client = new HttpClient();
    HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, "[API URL Route]");
    request.Headers.TryAddWithoutValidation("Authorization", authHeader);
    HttpResponseMessage response = await client.SendAsync(request);
    string content = await response.Content.ReadAsStringAsync();
0

Source: https://habr.com/ru/post/1245802/
