Building native client and mobile apps using Azure Active Directory for sign in
Today’s Applications
  Diagram: Browser and Native app clients; Web application, Web API and Server app back ends.
  Clients using a wide variety of devices/languages/platforms
  Server applications using a wide variety of platforms/languages
Standards-based, HTTP-based authentication protocols
  Diagram: Browser and Native app clients talking to a Web application, Web APIs and a Server app.
  Browser sign-in to the web application: WS-Fed, SAML 2.0, OpenID Connect
  Native app and server app calls to Web APIs: OAuth
What is Azure Active Directory?
Active Directory - Then vs. now
So what’s cooking
• How AAD represents resources
• Implementing OAuth 2
• ADAL
• Protecting your own API
Azure Active Directory Application Model
OAuth for native apps
Auth Code Request/Response

  GET https://login.windows.net/contoso.com/oauth2/authorize
      ?response_type=code                                   I’d like a code please
      &resource=https://skwantoso.com/TodoListService       To access this service
      &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d       This is me
      &redirect_uri=http://todolistclient/                  Send the code here
      &prompt=login

  << Stuff happens here to sign the user in... >>

  302 Found
  http://todolistclient/?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…   Here’s your code!
Token Request/Response

  POST https://login.windows.net/skwantoso.com/oauth2/token            I have a code
      grant_type=authorization_code
      &code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
      &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d                   This is me
      &redirect_uri=http://todolistclient/                              I asked you to send the code here
      &resource=https://skwantoso.com/TodoListService                   I need to use this service

  200 OK                                                                Here is your bearer token
  {
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",
    "token_type": "Bearer",
    "expires_in": "3599",
    "expires_on": "1396472189",                                         When it expires
    "resource": "https://skwantoso.com/TodoListService",                It’s for this service
    "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",    The refresh token
    "scope": "user_impersonation",                                      Your permissions
    "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiJmY…n0."  Info about the user
  }
Server-Based Sign-In User Experience
• Native client sign-in UI is web-based
  – Same sign-in UI as web app sign-in
  – Web UI allows arbitrary interaction
    • Consent to use application
    • Multi-factor authentication
    • Account compromise detection
    • … and more stuff we haven’t dreamed up yet
• Plan to offer non-interactive methods
  – Name/password
  – Kerberos
  – These will return an error if user interaction is required
Active Directory Authentication Libraries (ADAL)
• Abstracts away most protocol considerations
• Handles token persistence & refresh automatically

  var ctx = new AuthenticationContext("https://login.windows.net/u2u.onmicrosoft.com");
  AuthenticationResult rez = await ctx.AcquireTokenAsync(
      "https://outlook.office365.com/",             // resource the token is for
      "5fc4a5a2-78d5-4d94-b890-a6e6b3341081");      // this client application's ID
Active Directory Authentication Libraries (ADAL)
• Available on multiple platforms
  – .NET, Windows Store, iOS, Android, Node.JS, Java
• Open source (or in the process of becoming so)
• Same primitives, native programming models
• Sophisticated features
  – Works across Windows Server and Azure Active Directory
  – Cache and automatic refresh
  – Multi-user support
Protecting Your Own API with AAD
• Big OAuth 2 providers issue tokens for their own resources
  – Facebook for the Facebook Graph, AAD for the Graph, Azure management, Office…
• Azure AD allows you to secure your own API
• Easy as 1-2-3
  – Add an entry for your API in your AAD tenant
  – Define which permissions your app recognizes
  – Add middleware in front of your API to validate AAD access tokens
Adding an entry for your Web API in AAD
• AAD needs to know how to identify your API
• You can add an entry via the portal…
• …or you can use VS 2013
The application’s manifest
• AAD needs to know which permissions your API exposes
• You provide that info by uploading a manifest for your app
  – JSON file holding a description of your app
  – Download the default one, edit the AppPermissions node, upload it back
  – Still VERY MUCH in preview
• Fun fact: an API can also be a client of some other API!
  – The RequiredResourceAccess node lists the resources & permissions the API requires
The Identity Hub (www.theidentityhub.com)
  Diagram: sensor apps, web apps and legacy apps connecting through the hub to Android, Apple iOS, Windows Phone, Windows 8, Facebook, Twitter, Google, Microsoft, Active Directory and Office 365.
A big thank you to our sponsors Platinum Partners Gold Partners Silver & Track Partners