
Azure Website Single Sign On accessing Azure Mobile Service from Azure Active Directory as User

I have an ASP.NET MVC website deployed as an Azure website (called website). That website has a section that needs authorization. I have already set up Windows Azure Active Directory (WAAD) to protect access to that section. Once that protected section has loaded, it loads a JavaScript app that allows integration with the Azure Mobile Service.

I also have a separate Azure Mobile Service that I use for data storage (called mobserv). I want to access mobserv table and API endpoints from website. I am using the .NET backend for Azure Mobile Services. Of course, I need to protect those mobserv endpoints using [AuthorizeLevel].

Tutorials show how to do this when I want to authenticate as Application (using [AuthorizeLevel(AuthorizationLevel.Application)]): just add a reference to the proper JavaScript client (MobileServices.web-1.2.5.js) and provide the mobserv app id and token. CORS is set up to allow interaction. So far, so good.

But now I want to protect certain endpoints using [AuthorizeLevel(AuthorizationLevel.User)], so the request has to be authorized as User. Since the website is already protected by WAAD, I do not want the client to perform a new sign-in for the JavaScript client. I want to reuse the current WAAD authentication headers to have a Single Sign On experience, so that mobserv will recognize the user.

I have not found any hints on how to do this. Tutorials only show application level auth against mobserv or using explicit login dialogs.

Does anybody have a clue how to do this?

Following up on vibronet's post, Mobile Services does support HTTP POST of an access token, but the access token must specify the audience as your mobile service. So a token issued for your website will not work on its own. You will need to transform it through one of the AAD flows.

So in AAD, you need to have two web application registrations, one for your web site and one for the mobile service. On the mobile service registration, you would need to define permissions that can be exposed to the other resource. The first section of the Mobile Services + ADAL tutorial ("Register your mobile service with the Azure Active Directory") walks you through this. Then, instead of registering a native client app which accesses that permission, you would go to your web site registration and configure the access there.

Once you have an AAD token for your website, you can leverage this permission to get a token for the mobile service. This can best be accomplished using an on-behalf-of flow in the Active Directory Authentication Library (JS or .NET, depending on where you want to do things). The AAD team has a nice sample on how to do this, and mobile services also has a tutorial which might be helpful (although it does mobile service access to SharePoint Online as opposed to web site access to a mobile service).

Then you can send the token to your mobile service using the "client flow" method, as described in "How to: Authenticate Users" for the HTML/JS SDK. For AAD, the call will look something like:

// "client" is the MobileServiceClient instance created for mobserv.
// The access token must be one issued for the mobile service's audience,
// e.g. obtained through the on-behalf-of flow described above.
client.login(
      "aad",
      {"access_token": "<TOKEN-FROM-AAD>"})
.done(function(results){
      alert("You are now logged in as: " + results.userId);
},
function(error){
      alert("Error: " + error);
});

The user will not see any new UI, but they will be logged in, and subsequent calls from the SDK will be authenticated.

It might also be easier to do this from your MVC backend. I believe you can get the access token from the ClaimsIdentity, and then you can just use the Mobile Services .NET client SDK to do the login action and facilitate calls from the MVC site to your mobile service:

// Wrap the AAD access token (audience = the mobile service) in the payload
// the .NET client SDK expects for the client-flow login.
JObject payload = new JObject();
payload["access_token"] = "<TOKEN-FROM-AAD>";
// App.MobileService is the MobileServiceClient instance for mobserv.
MobileServiceUser user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory, payload);

Token reuse 'as is' cannot be achieved, given that the tokens you get for website are scoped to your app and should be rejected if forwarded to any other resource. From the AAD perspective there are various flows that would allow you to trade in your original token for a new token meant to be used with a web API, all without requiring any new action from the user. However, your scenario includes some Mobile Services specific moving parts, hence I am not sure how that would apply here. I am flagging this post for the Mobile Services guys; hopefully they'll be able to chime in.
