All the samples and documentation provided by Microsoft only mention PCKE for SPA applications in a browser. Is that flow supported for Xamarin native apps when MSAL is used ?
The OAuth 2.0 authorization code grant can be used in apps that are installed on a device to gain access to protected resources, such as web APIs. Using the Microsoft identity platform implementation of OAuth 2.0, you can add sign in and API access to your mobile and desktop apps.In order to use Auth 2.0 authorization code grant for mobile you need to use a native redirect uri (and ask them to register one) or register a URI handler so that the redirect to your app.
Yes you can use OAuth 2.0 authorization code flow with PKCE(Proof Key for Code Exchange) to obtain the Auth code which supports Mobile Devices and the scenario is supported for Xamarin. Please go through the supporting document here.
Please let us know if you still need any help.
Related
I am working in xamarin.ios native app and I have to authenticate/login with microsoft account to access Microsoft Graph Api or other outlook api. I have done the all settings in Azure active directory, So I have already try to implement this by using xamarin.auth but this is not working due to grant_type parameter is not being supplied and throw an error as invalid_grant and invalid_request.
is any other way to authenticate with microsoft account?
can you help me to implement Microsoft Authentication Library for .NET (MSAL) in xamarin.ios native app. I got some sample xamarin.forms but we need it in xamarin.ios. I am not familiar with xamarin.forms code.
When you use Microsoft Authentication Library for .NET (MSAL.NET) on Xamarin iOS, you should:
Override and implement the OpenUrl function in AppDelegate.
Enable keychain groups.
Enable token cache sharing.
Enable keychain access.
Understand known issues with iOS 12 and authentication.
Having a look at this document : https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-xamarin-ios-considerations
I have a mobile app which gets token directly from azure login. And I have a service which is using adal4j in spring boot. I cannot use the mobile generated token to authenticate spring service. Becase I use two different azure app registrations for mobile and web service. Is there a way to accomplish this ?
My understanding is that you have created 2 Enterprise Applications in Azure.
1) An Enterprise Application for your mobile app (Type: Native)
2) An Enterprise Application for your Web API app (Type: WebAPI)
For native app, you will not need a client secret but you will need a client secret for the Web API app.
Now coming to the key configurations:
In both of these, please update the manifest file to have oauth2AllowImplicitFlow set to true
Also, in your Web API Enterprise Application, please have the app id of your native app in the known client apps
"knownClientApplications": ["
Now, when calling your Web API through an end-point from the Native application, pass your token in your request header as "Authorization": "Bearer "
Also note: if you need to retrieve group claims, please update the manifest in both your enterprise apps to have the following setting for this property
"groupMembershipClaims": "SecurityGroup"
Update:
Under permissions in the native app, please add the Web API app registration to allow access
Yes, the OAuth 2.0 on-behalf-of flow should applies to your scenario. These steps constitute the On-Behalf-Of flow.
Azure AD issues a token for certain resource (which is mapped to an Azure AD app). When we call AcquireToken(), we need to provide a resourceID, only ONE resourceID. The result would have a token that can only be used for the supplied resource (id). There are ways where you could use the same token , but it is not recommended as it complicates operations logging, authentication process tracing, etc. Therefore it is better to look at the other options provided by Azure and the ADAL library. The ADAL library supports acquiring multiple access-Tokens for multiple resources using a refresh token. This means once a user is authenticated, the ADAL’s authentication context, would be able to generate an access-token to multiple resources without authenticating the user again.
Further details here.
I am trying to use spring social for my REST services and my mobile app.
I wonder what the best approach is.
I am planning to use linkedin, google login and password authentication inside my mobile app. This social login should be connected to users in my database.
My spring application will act as an API which should be secured with a JWT token. The mobile app will afterwards use this JWT token to consume the API.
On my mobile I would like to have the possibility to sign up/sign in with linkedin, facebook or password.
As far as I understood mobile requires a different oauth flow than described in https://spring.io/guides/tutorials/spring-boot-oauth2/
Seems like it required the "Proof Key for Code Exchange" flow as stated in:
https://auth0.com/docs/api-auth/grant/authorization-code-pkce
Is this correct? I didn't find any information how to best do this with spring social and if spring social supports this use case.
Could someone point me in the right direction? I just found information how to do this with single page application and not with mobile applications. Thanks a lot in advance!
One possible way would be
The mobile app uses LinkedIn or Google's SDK to do SSO to retrieve an authN token.
The mobile app passes it to the backend service, which uses it to retrieve user details (e.g email) from the oauth service.
The backend service could do additional work about the user details (for example, link with existing users).
The backend service returns a JWT token to the mobile app, which ends the SSO.
The SSO should be able to return an email address for you to link users. Sometimes you need to apply for the permission explicitly (which Facebook requires).
The key point of this approach is that it avoids using the OAuth2 library completely in your backend services because it is now handled in the mobile app by using SSO provider's SDK.
The flow is summarized in the following drawing:
========
Edited:
We used this approach to do Facebook SSO with one mobile app and it worked very well. The mobile app was in iOS, and the backend service Spring Boot.
Discussion is welcomed.
Reviewing the new api (Admin SDK) Admin SDK. I found the following problem, none of these APIs have support 2 legged for the google apps marketplace, there is a way to integrate these new apis or if in the future the google apps marketplace will support for OAuth 2.0.
The Admin SDK APIs function with Two Legged OAuth just fine, I'm using the Directory API in my marketplace app today. You'll need to go into your Vendor Profile page on the marketplace, click "Register for additional APIs" and enable Admin SDK. You'll also need to add the needed API scopes to your manifest.
Also note that the google-api-python-client at least does not support OAuth 1.0 any longer so you'll need to either perform the authentication manually or utilize the old GData library to get the correct auth headers.
I have the task to build a new API. The API will mainly be used by tablet applications.
I'm thinking of using the new ASP WebApi.
My biggest concern however is the security part. Because the apps will be build by third-party companies, we do not want that usercredentials will be entered in their application, but redirected to our site (authenticationserver).
I have done some researching and I came accross OAuth 2.0. For working with mobile devices and tablets it's probably the best to work with the 'autohorization code flow' principle -correct me if I'm wrong-.
Am I thinking in the right direction or are their simpler authentication systems to achieve my goal?
Are their any frameworks (.NET) available (or documentation) how to create an Authentication Server and how to use it in the Asp webapi?
Is it easy these days to implement oauth2.0 in an IOS app?
Thanks for any help!
OAuth 2.0 authz code based grant is suitable when client app is a Web application. Will the apps that are going to be built by third party all be Web applications? There are HTTP redirects involved in that flow.
In OAuth 2.0, there is a client, there is a resource server (Web API in your case) and there is an authorization server. There is no such thing as Authentication server. Are you referring to some thing else?