使用 Azure EasyTables 进行身份验证 - Azure ActiveDirectory

Question

I've been attempting to authenticate requests to an Azure App Service for some time now and I'm completely stumped, I just can't seem to get the Microsoft.Azure.Mobile.Client to accept and successfully authenticate against a known "good" token.

Overall, all I want is to be able to successfully pull up a web browser in Xamarin Forms, authenticate the user either with Azure, Google or other social authentication, and then use a token to authenticate against an Azure App Service (EasyTables), which I already have running but without authentication enabled. For some reason none of the resources I've found have provided an clear way of doing this, and I'd be grateful for any help.

Here's the main config of what I have so far:

1. I've got an app successfully reading and saving data tables to an Azure-hosting EasyTables implementation. Tables are read (and written) using the standard form:

var locations = (await App.MobileService.GetTable<Location>().ToListAsync());

The MobileServiceClient is instantiated in the App.xaml.cs file as follows:

public static MobileServiceClient MobileService = new MobileServiceClient("https://mywebapp.azurewebsites.net");

As I say above, this works fine when access to and saving from online services.

2. Going to the Azure Portal, I've activated "App Service Authentication" under Settings --> Authentication / Authorization, and I've also set up an Azure Active Directory Authentication Provider. Under this provider I've set up the Client ID of an Azure Active Directory instance (under Manage --> App Registrations).

3. Going back to Xamarin, I have successfully managed to authenticate against this using the approach by Steven Thewissen here . In particular, I've created an "MSAuthService" helper, which successfully pulls up a web browser, allows you to log in with Microsoft credentials, following which it's able to retrieve your account name and verious other things from Microsoft Graph - including the Access Token.

4. I'm now trying to use this access token to log into the MobileService I'm using to access EasyTables, using the following:

                JObject auth_token_jobject = new JObject();
                auth_token_jobject["authenticationToken"] = token;

                var output = await App.MobileService.LoginAsync(
                    MobileServiceAuthenticationProvider.MicrosoftAccount,
                    auth_token_jobject);

However, whenever I do this, I still get an "Unauthorized" error, produced by the last line above.

I understand that others (eg here seemed also to have the same problem, but no resolution on that post.

Other things that I've tried, but haven't managed to get working completely. As above, the closest I've got, by successfully authenticating albeit through Microsoft Graph rather than with my web service specifically, is the process above:

1. Overview of Authorization with EasyTables etc here - although this doesn't seem to provide any clear code for Xamarin to authenticate against.
2. Latest Xamarin blog and explanatory materials ( here and here , but although the process using await WebAuthenticator.AuthenticateAsync method appears to be a lot simpler than the example I was using above, there doesn't seem to be any detail provided about how you generate the URI required to call the authentication page, nor a step by step guide of how to implement it. Either way, I haven't managed to get it working...

If anyone has an easy way of getting hold of a valid token and then providing it to the MobileService client, I'd be most grateful. I suspect it's as simple of getting the token called back, for example from a Xamarin Essentials WebAuthenticator above, and then passing it with var output = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.MicrosoftAccount,auth_token_jobject) but I just can't seem to get it working so far.

Thanks a lot!

Oliver.

Answer 1

There are a couple of issues here (on re-reading it a few times)

1. You are using MobileServiceAuthenticationProvider.MicrosoftAccount - you should be using "aad" instead.
2. AAD needs an access token - see https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#validate-tokens-from-providers for the details on what needs to be provided.

If the token you get back is really an MSA token, then you still need to provide an access_token field (and not an authenticationToken field)

If you don't need anything special, you should be able to just use .login() like this:

await App.MobileService.LoginAsync("aad", "your-method");

For more details on this, see one of the authentica