Azure API apps and Azure mobile apps have the same auth. The Azure back-end normally keeps the provider's token, for instance an access token for Twitter, and issues a different access token for the client to access the Azure service. This question talks about the process.
There is an alternative method for signing in: a client can obtain the provider's token on its own accord. Then it can use that token with the Azure API App or Azure Mobile App. When you are using the Azure Mobile App client SDK there is an overload on the .Login() function you can use.
I would like to know how I can use Twitter's, or any other provider's, token to sign into my Azure-Api-App without the Mobile App SDK.
There seems to be no documentation on the matter. Where do I send the HTTP request and what headers should it have?
You can log in with Twitter credentials without using the Mobile Client SDK by issuing the following HTTP requests to your app:
POST /.auth/login/twitter
Content-Type: application/json
Content-Length: XXX
{"access_token":YYY, "access_token_secret":ZZZ}
App Service will validate the credentials, store your tokens in its token store, and then return a JSON payload back to your HTTP client which contains the authentication token. The success response will look something like this:
{
"user": {
"userId" : "<userId>"
},
"authenticationToken" : "<jwt_token>"
}
You can then set an x-zumo-auth request header with the jwt_token value to make authenticated calls to your REST APIs. For example:
POST /api/doSomethingThatRequiresAuth
Content-Length: 0
X-ZUMO-AUTH: <jwt_token>
The process is the same for other providers, except the payload of /.auth/login/<provider> might be different. The design is derived from the old Mobile Services Client-Directed Login design, so for the most part you can infer what the payload looks like from that documentation.
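The two-step exchange the answer describes (client-directed login, then an authenticated API call carrying X-ZUMO-AUTH), as an added worked example that is not part of the original answer or of any Azure SDK. It builds the two requests with the standard library only and runs them against a constructed stand-in for the App Service endpoint so it executes offline; the token values, the user id, the stand-in's accept/reject logic and the /api/doSomethingThatRequiresAuth path are all assumptions for illustration, not real credentials or real App Service behaviour. Only the request shapes and the success-response shape come from the answer above.

```python
import json

# Constructed sample Twitter tokens for the example; not real credentials.
PROVIDER_TOKENS = {"access_token": "1234-abc", "access_token_secret": "s3cret"}

# Values the constructed stand-in server issues; a real App Service returns
# its own userId and a real JWT here.
FAKE_USER_ID = "sid:constructed-user"
FAKE_JWT = "eyJ.constructed.jwt"


def build_login_request(provider, provider_tokens):
    """Step 1: POST /.auth/login/<provider> with the provider's tokens as JSON.
    The body carries the provider secret, so this must only ever go over HTTPS."""
    body = json.dumps(provider_tokens).encode("utf-8")
    return {
        "method": "POST",
        "path": f"/.auth/login/{provider}",
        "headers": {"Content-Type": "application/json",
                    "Content-Length": str(len(body))},
        "body": body,
    }


def parse_login_response(status, body):
    """Return (userId, authenticationToken) from the success payload shown in
    the answer. Fail closed: anything other than a well-formed 200 raises
    instead of handing back a None that a caller might forget to check."""
    if status != 200:
        raise PermissionError(f"login rejected: HTTP {status}")
    try:
        payload = json.loads(body)
        return payload["user"]["userId"], payload["authenticationToken"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("unexpected login response shape") from exc


def build_api_request(path, jwt, method="POST"):
    """Step 2: call your own REST API with the App Service JWT in X-ZUMO-AUTH.
    The JWT is a bearer credential: treat it like a session cookie, never log it."""
    return {"method": method, "path": path,
            "headers": {"X-ZUMO-AUTH": jwt, "Content-Length": "0"}, "body": b""}


def fake_app_service(req):
    """Constructed stand-in for the App Service side (assumption, not Azure code).
    Accepts a Twitter login only when both token fields are present, and accepts
    API calls only when X-ZUMO-AUTH carries the token it issued."""
    if req["method"] == "POST" and req["path"] == "/.auth/login/twitter":
        data = json.loads(req["body"] or b"{}")
        if data.get("access_token") and data.get("access_token_secret"):
            resp = {"user": {"userId": FAKE_USER_ID}, "authenticationToken": FAKE_JWT}
            return 200, json.dumps(resp).encode("utf-8")
        return 401, b""
    if req["path"] == "/api/doSomethingThatRequiresAuth":
        if req["headers"].get("X-ZUMO-AUTH") == FAKE_JWT:
            return 200, b'{"ok": true}'
        return 401, b""
    return 404, b""


def run_flow(provider_tokens=PROVIDER_TOKENS, send=fake_app_service):
    """Full exchange: log in with provider tokens, then call the protected API.
    `send` is swapped for a real HTTPS client against your app in practice."""
    status, body = send(build_login_request("twitter", provider_tokens))
    user_id, jwt = parse_login_response(status, body)
    api_status, _ = send(build_api_request("/api/doSomethingThatRequiresAuth", jwt))
    return {"userId": user_id, "apiStatus": api_status}


if __name__ == "__main__":
    print(run_flow())
```

Two things to check when wiring this to a real app: the login POST carries the Twitter access_token_secret in clear JSON, so the transport must be HTTPS, and the returned authenticationToken is a bearer token for your whole API, so it should be stored and handled exactly as you would a session cookie and discarded on logout.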