Tuesday, January 14, 2014

Azure Active Directory, Xamarin and OAuth2

This is one of those posts where I’m brain dumping my findings.
In a nutshell, I wanted to write a Xamarin App which authenticates against a Windows Azure Active Directory (WAAD) and then access a Web Api which is secured using WAAD.
There are quite a lot of tutorials out there but most use ADAL (Active Directory Authentication Library) to handle the OAuth2 which isn’t a Portable Class Library. I grabbed the Xamarin.Auth library which abstracts the OAuth2 protocol framework away from me a bit.
So I followed the instructions here (http://www.cloudidentity.com/blog/2013/07/23/securing-a-web-api-with-windows-azure-ad-and-katana/), plumbed in the values to the OAuth2Authenticator class,
image 





and… Nothing.. Failure..


So, here’s what I’ve learnt about OAuth2 in Azure Active Directory (as of 10/Jan/2014).


When we are a Native Client with no client secret, Azure AD does not use OAuth2’s implicit flow where we get a token immediately. It uses the code grant flow where after authenticating we are given a code which we swap for a token.


When we initially get the code we need to pass another querystring parameter called “resource” which identifies the Application in Azure Active Directory that we want to call. This resource is the App Id Uri on Azure’s portal. And from what I can see, we don’t need to pass a scope.


image


And when we’ve finally got the token it needs to go as a Bearer token in the headers of subsequent requests. This is written in the spec, but for whatever reasons the Xamarin.Auth component seems to put it on the querystring.


So the main difference from most of the OAuth2 implementations seems to be getting that initial code. The Uri you need is:


https://login.windows.net/<tenant>/oauth2/authorize?client_id=<client>&resource=<app_id_uri_from_waad>&redirect_uri=<redirect_uri_from_waad>&state=<random>&response_type=code