如何保护 Xamarin Forms 中 MobileServiceClient 的 Azure App Service 端点？

Question

I have an app that uses Auth0 https://auth0.com/ as the login provider and can login through multiple providers - Facebook, LinkedIn, Google, MS and Apple. This all happens client-side and I get the id and access tokens from the relevant service. No errors.

My app then connects to Azure App Services using the Microsoft.WindowsAzure.MobileServices API I use this to create the connection to the service:

client = new MobileServiceClient(https://mycompany.azurewebsites.net);

The app can then sync data between the local SQLite db and my Azure SQL db. This all WORKS, no errors.

PROBLEM - the endpoint https://mycompany.azurewebsites.net is set with anonymous access and is not secured.

I can enable App Service Authentication and implement something like this for most authentication services, passing in the already-received tokens from login:

task = Task.Run(async () => await client.LoginAsync(MobileServiceAuthenticationProvider.Facebook, AccessToken));
user = task.Result;

This is fine for MS, Facebook and Google authentication BUT there is nothing in the API for LinkedIn or Apple.

Apple certification requires and Apple login IF other provider login choices are also made available to the user.

Question: How can I secure the Azure App Service in Node.js to accept an app ID and or password or token that I can supply from the client side as a constant to simply allow generic but somewhat secure access to this URL: https://mycompany.azurewebsites.net and NOT have this set with anonymous access? And NOT USE the limited App Service Authentication.

Can anyone please shed light on this? This is a major block in final progress with the app.

I did come across this but need something Node.js AND Azure App Service specific. Azure Mobile Services, HttpClient, Authorization

Thank you

Answer 1

This should easily be doable.

1. Update your service side so that it implements the authentication mechanism you need.
2. Create a DelegatingHandler that implements the authentication mechanism.
3. Re-do your connection creator as follows:

var client = new MobileServiceClient(url, new MyDelegatingHandler());

A delegating handler might be as simple as this:

public class MyDelegatingHandler : DelegatingHandler
{
  protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken token)
  {
    request.Headers.Add("X-Api-Key", "MyApiKey");
    return base.SendAsync(request, token);
  }
}

This just adds a header to every single request with the API key, which you would then check on the server side. For Apple / LinkedIn / others, you might want to integrate those directly using an Authorization header in this way. Basically, you store the authorization header "somewhere" in your client-side code, after having done the auth, then you use a delegating handler to add the authorization header. On the server side, you can validate that authorization header in the normal way for an ASP.NET or Express app.