Before, I worked with AWS Cognito, and it is straightforward how the flow works, but I am not able to understand the benefit of Azure Mobile Services authentication. I followed this documentation, but it confused me even more. When I use AWS with Facebook Login,
Cognito stores it for me, and every time I come back to the app I ask Cognito, "hey Cognito, is my token still alive?". Cognito verifies with Facebook; if yes, continue; if no, ask the user for authentication again, as described over here.
I expect similar behavior with Azure; is it not happening? Why does the link tell me that I need to deal with IsExpired myself by extracting the token pattern?
And another question: Azure is also using federated identities, if I understand correctly. On Cognito I can see the users. Where are they stored in Azure? Can I see them somehow, or do I need to store them myself?
What is the authentication flow in Azure Mobile Services? How are social tokens handled?
1. The mobile client requests the Azure Mobile front end (first time).
2. It will redirect to the social platform to log in with the user's custom info.
3. If it is valid, then the identity provider token will be stored in the Azure Mobile platform.
4. Azure will get the userId or email info from the identity provider token, then issue a token with an expiry time to the mobile client, and it will be stored in the mobile client.
Where are they stored in Azure? Can I see them somehow, or do I need to store them myself?
We could get the answer from the App Service Token Store. We do not need to store it ourselves.
Internally, all these tokens are stored in your app’s local file storage under D:/home/data/.auth/tokens. The tokens themselves are all encrypted in user-specific .json files using app-specific encryption keys and cryptographically signed as per best practice. This is an internal detail that your app code does not need to worry about. Just know that they are secure.
As the link you mentioned says, it is secured and it can be re-used when we can. Based on my experience, it is not secure to store a token in the client that never expires.
References:
Architecture of Azure App Service Authentication / Authorization
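The "IsExpired" handling the question refers to is the client reading the expiry claim out of the session token that the backend issued (step 4 of the flow above) and, when it is past, sending the user back through the login redirect instead of reusing the token. The following is an added example, not code from the question, the answer, or the Azure Mobile Apps SDK: it decodes the JWT payload's `exp` claim with a small clock skew allowance and fails closed (treats the token as expired) when the token is malformed or has no usable `exp`. It does not verify the signature; only the backend, which holds the signing key, can do that, so the client-side check is purely a decision about whether to try the token or re-authenticate. The token is constructed inline with a fake signature for the demonstration.

```javascript
// Added example (not from the question, the answer, or the Azure SDK): decide client-side
// whether the session token issued by the App Service / Mobile Apps backend has expired by
// decoding the JWT payload's `exp` claim. No signature check happens here; the backend does that.

function base64UrlDecode(segment) {
  // JWT segments are base64url (RFC 7515) without padding; convert to standard base64.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4;
  if (pad === 2) b64 += '==';
  else if (pad === 3) b64 += '=';
  else if (pad === 1) throw new Error('malformed base64url segment');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Splits a compact JWS into its three segments and parses the payload as JSON.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('token is not a compact JWS (expected 3 segments)');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (typeof payload !== 'object' || payload === null) throw new Error('payload is not a JSON object');
  return payload;
}

// Returns true when the token should be treated as expired. A token that cannot be decoded or
// carries no numeric `exp` is treated as expired (fail closed), so the client re-authenticates
// instead of trusting it. `skewSeconds` refreshes slightly early to absorb clock drift.
function isTokenExpired(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 60) {
  let payload;
  try {
    payload = decodeJwtPayload(token);
  } catch (e) {
    return true;
  }
  const exp = payload.exp;
  if (!Number.isFinite(exp)) return true;
  return nowSeconds + skewSeconds >= exp;
}

// Builds a constructed token with the given `exp` and a fake signature. This is NOT a real
// Azure token; it exists only so the example runs offline.
function makeDemoToken(exp) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ sub: 'sid:demo-user', exp }));
  return `${header}.${payload}.fakesignature`;
}

// Constructed "current time" so the demo is deterministic.
const NOW = 1700000000;

// Usage: decide between reusing the stored token and starting the login redirect again.
function sessionAction(token, nowSeconds = NOW) {
  return isTokenExpired(token, nowSeconds) ? 'login' : 'reuse';
}

console.log(sessionAction(makeDemoToken(NOW + 3600))); // valid for another hour
console.log(sessionAction(makeDemoToken(NOW - 5)));    // already expired
console.log(sessionAction('garbage'));                 // unreadable, fail closed
```

Whatever the client decides, the backend still rejects an expired or tampered token on the next request, so this check only saves a round trip and gives the user a clean re-login rather than an unexplained 401.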