Search code examples
azure-api-apps

Authorising a .net user-application through Google or Twitter

My question is [Similar to this one1, but with third party providers instead of active directory.

I have an end-user UWP app, and I want to consume my Azure API App. I am NOT Azure mobile app and it's client side SDK.

Most of documentation is of sort "copy paste this magic code" and never explains how authentication actually happens.

I was inspecting mobile app SDK because Microsoft's documentation says that it's auth. process is the same. From what I see, the mobile App SDK opens a web-view very similar to that produced by a WebAuthenticationBroker. Then every request to the server is accompanied by a header X-ZUMO-AUTH and a token. It appears that this token is issued by the azure app service, not the original provider. It is much longer than the tokens issued by Twitter or Google. At the same time when I point web-browser at the end-point and go through the log-in process, I see that the browser is using a Cookie: ARRAffinity=c4b66198677464de573103f7aa267c33ea38617020514011cea4506e0a55d9d0; AppServiceAuthSession=EIVymV

Questions:

  1. The problem is Mobile app documentation is it just provides instructions on how to use the SDK. I am unclear on how I would obtain the token issued by the app service.

  2. Everyone knows how to obtain access tokens for Google and Twitter. Can they be used to access Azure API apps?

Solution

  • You are correct that API apps use the same built-in authentication as mobile apps. The basic flow looks like this:

    1. Login to the app using provider credentials. This can be done using either a client-directed flow using your provider's SDK or can be done using a server-directed flow involving browser popups (i.e. the web view you mentioned). In the latter case, there is an endpoint at /.auth/login/ which is provided by App Service and manages the login flow for your app.
    2. App Service will respond to your client app with a session token (a JWT).
    3. You call into your APIs using the session token from #2. It is passed via the x-zumo-auth HTTP request header (it's named this way for legacy reasons).

    The AppServiceAuthSession cookie you are seeing is the session cookie for when you use a browser to do authentication. ARRAffinity is an internal routing cookie used by App Service and is not related to auth.

    If you're looking for more internal technical details on how the built-in App Service Authentication / Authorization works, check out my blog, starting with this post: http://cgillum.tech/2016/02/01/architecture-of-azure-app-service-authentication-authorization/