Building native client and mobile apps using Azure Active Directory for sign in
Today's Applications
- Clients using a wide variety of devices/languages/platforms: browsers and native apps
- Server applications using a wide variety of platforms/languages: web applications, web APIs and server apps
(Diagram: browsers, native apps, web applications and server apps all call web APIs, and web APIs call further web APIs.)
Standards-based, HTTP-based authentication protocols
- Browser to web application: WS-Fed, SAML 2.0, OpenID Connect
- Native app, web application, server app and web API calling a web API: OAuth (the diagram puts OAuth on every hop into a web API)
What is Azure Active Directory?
- Cloud-based identity service: authentication, directory, identity management
- Designed for organizations: manage access to cloud apps; can extend on-premises AD
- Designed for cloud and mobile: HTTP/REST and industry-standard protocols
Active Directory - Then vs. now
So what's cooking (agenda)
- How AAD represents resources
- Implementing OAuth2
- ADAL
- Protecting your own API
Azure Active Directory Application Model
- Users (user@domain) and applications (WebApp 1, NativeApp 1) are objects in the tenant
- An application that is a resource exposes permissions: WebApp 1 exposes Permission 1 and Permission 2
- An application that is a client requires permissions on other applications: NativeApp 1 requires Permission 1 on WebApp 1
Azure Active Directory
Azure Active Directory - Users
Azure Active Directory – Applications - Web
Azure Active Directory – Applications - Native
Azure Active Directory – Applications - Permissions
OAuth for native apps
- The resource declares what it exposes. Exchange Online (Office 365) exposes: full access to user's mailbox, read user's contacts, read user's mail
- The client declares what it requires. "My cool App" requires: read user's mail (on Office 365)
- Flow on the slide: the native app sends the user to AAD in a web view (HTML sign-in), receives an authorization code (A), exchanges the code for an access token (T), and presents the token to the API
Auth Code Request/Response

    GET https://login.windows.net/contoso.com/oauth2/authorize
        ?response_type=code
        &resource=https://skwantoso.com/TodoListService
        &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
        &redirect_uri=http://todolistclient/
        &prompt=login

    << Stuff happens here to sign the user in... >>

    302 Found
    Location: http://todolistclient/?code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ-_cqhsBff…

Callouts on the slide: response_type=code is "I'd like a code please", resource is "To access this service", client_id is "This is me", redirect_uri is "Send the code here", and the 302 is "Here's your code!".

Two checks a real client must add that the sample leaves out: send an unguessable state value with the request and accept the returned code only if the redirect carries the same state back (otherwise a code from another session can be injected into yours), and accept the code only when the redirect lands on the redirect_uri you registered.
Token Request/Response

    POST https://login.windows.net/skwantoso.com/oauth2/token

    grant_type=authorization_code
    &code=AwABAAAAvPM1KaPlrEqdFSBzjqfTGCXIY6dQcQ_cqhsBffHFnGbeQHcm…
    &client_id=fb715b0e-3ca9-45b8-9928-2329a776b42d
    &redirect_uri=http://todolistclient/
    &resource=https://skwantoso.com/TodoListService

    200 OK
    {
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik5…",
      "token_type": "Bearer",
      "expires_in": "3599",
      "expires_on": "1396472189",
      "resource": "https://skwantoso.com/TodoListService",
      "refresh_token": "AwABAAAAvPM1KaPlrEqdFSBzjqfTGAMqzyrQrqeeZzKzwN…",
      "scope": "user_impersonation",
      "id_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJhdWQiOiJmY…n0."
    }

Callouts on the slide: grant_type/code is "I have a code", client_id is "This is me", redirect_uri is "I asked you to send the code here", resource is "I need to use this service", access_token is "Here is your bearer token", expires_in is "When it expires", resource (in the response) is "It's for this service", refresh_token is "The refresh token", scope is "Your permissions", and id_token is "Info about the user".

Notes: the id_token value lacked its quotes on the slide; it is a JSON string like the others. Its first segment base64url-decodes to {"typ":"JWT","alg":"none"}, so the id_token handed back by this endpoint is unsigned: the client can read it to show who signed in, but cannot verify it and must not pass it on as proof of identity. The access_token header begins {"typ":"JWT","alg":"RS256","x5t":"N…, so the API it is presented to can verify its signature against the tenant's published signing key. The refresh_token is a long-lived credential and belongs in protected storage on the device.
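The two exchanges above, driven the way a native client drives them, as an added example; it is not code from the slides or from ADAL. The endpoint, client_id, resource and redirect_uri values are the ones on the slides; the state parameter, the constructed 302 Location and the constructed token response (with fake token values) are assumptions so that it runs offline. Beyond what the slides show, it checks the state and the redirect target on the way back and reads the alg of each returned token.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint and identifiers copied from the slides' sample requests.
AUTHORITY = "https://login.windows.net/contoso.com"
CLIENT_ID = "fb715b0e-3ca9-45b8-9928-2329a776b42d"
RESOURCE = "https://skwantoso.com/TodoListService"
REDIRECT_URI = "http://todolistclient/"


def build_authorize_url(state, authority=AUTHORITY):
    """Step 1: URL the native app opens in its web view. `state` (not on the
    slides) is an unguessable per-session value the client keeps, so it can
    tell its own redirect from one injected by someone else."""
    params = {"response_type": "code", "resource": RESOURCE,
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "prompt": "login", "state": state}
    return f"{authority}/oauth2/authorize?{urlencode(params)}"


def parse_redirect(location, expected_state):
    """Step 2: the 302 lands on redirect_uri with ?code=...; take the code
    only if it came back to our registered URI carrying our state."""
    got, want = urlparse(location), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect did not target the registered redirect_uri")
    qs = parse_qs(got.query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: code was not issued to this session")
    return qs["code"][0]


def build_token_request(code):
    """Step 3: form body POSTed to {authority}/oauth2/token. redirect_uri and
    resource repeat the step-1 values; AAD rejects the code otherwise."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "resource": RESOURCE}


def jwt_header(token):
    """Decode the JOSE header of a compact JWT (no verification at all)."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def parse_token_response(body):
    """Step 4: checks the client makes on the 200 OK JSON before using it."""
    tr = json.loads(body)
    if tr.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if tr.get("resource") != RESOURCE:
        raise ValueError("token was issued for a different resource")
    result = {"access_token": tr["access_token"],
              "refresh_token": tr.get("refresh_token"),
              "expires_in": int(tr["expires_in"]),  # the v1 endpoint sends a string
              "scope": tr.get("scope"),
              "access_token_alg": jwt_header(tr["access_token"]).get("alg")}
    # The v1 token endpoint's id_token is unsigned (alg "none"): fine to
    # display, never usable as proof of identity.
    result["id_token_alg"] = jwt_header(tr["id_token"]).get("alg") if "id_token" in tr else None
    return result


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _fake_jwt(header, claims):
    """Constructed token with an empty signature segment; offline stand-in only."""
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


# Constructed response shaped like the slide's 200 OK; token values are fakes.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": _fake_jwt({"typ": "JWT", "alg": "RS256", "x5t": "N"}, {"aud": RESOURCE}),
    "token_type": "Bearer", "expires_in": "3599", "expires_on": "1396472189",
    "resource": RESOURCE, "refresh_token": "AwABAAAA-constructed",
    "scope": "user_impersonation",
    "id_token": _fake_jwt({"typ": "JWT", "alg": "none"}, {"aud": CLIENT_ID}),
})


def run_flow():
    """Walk the four steps with a constructed 302 standing in for AAD."""
    state = secrets.token_urlsafe(16)
    build_authorize_url(state)  # this is what the web view would be sent to
    location = REDIRECT_URI + "?" + urlencode({"code": "AwABAAAA-constructed-code", "state": state})
    code = parse_redirect(location, state)
    build_token_request(code)  # this is what would be POSTed to the token endpoint
    return parse_token_response(SAMPLE_TOKEN_RESPONSE)
```

jwt_header applied to the id_token on the slide returns {"typ": "JWT", "alg": "none"}; the same function on the access token reports RS256, which is the only one of the two an API should ever accept.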
Server-Based Sign-In User Experience
- Native client sign-in UI is web-based: the same sign-in UI as web app sign-in
- The web UI allows arbitrary interaction: consent to use the application, multi-factor authentication, account compromise detection, ... and more stuff we haven't dreamed up yet
- Plan to offer non-interactive methods: name/password, Kerberos; these will return an error if user interaction is required
Active Directory Authentication Libraries (ADAL)
- Abstracts away most protocol considerations
- Handles token persistence and refresh automatically

    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // The authority is the tenant's AAD endpoint; ADAL derives the
    // authorize and token endpoints from it.
    var ctx = new AuthenticationContext(
        "https://login.windows.net/u2u.onmicrosoft.com");

    // First argument: the resource the token is for (Exchange Online).
    // Second argument: this native app's client id in the tenant.
    // ADAL runs the browser-based sign-in, caches the tokens and
    // uses the refresh token silently on later calls.
    AuthenticationResult rez = await ctx.AcquireTokenAsync(
        "https://outlook.office365.com/",
        "5fc4a5a2-78d5-4d94-b890-a6e6b3341081");

    // rez.AccessToken goes into the Authorization: Bearer header of the API call.
Active Directory Authentication Libraries (ADAL)
- Available on multiple platforms: .NET, Windows Store, iOS, Android, Node.JS, Java
- Open source (or in the process of becoming so)
- Same primitives, native programming models
- Sophisticated features: works across Windows Server and Azure Active Directory; cache and automatic refresh; multi-user support
Protecting Your Own API with AAD
- Big OAuth2 providers issue tokens for their own resources: Facebook for the Facebook Graph; AAD for the Graph, Azure management, Office...
- Azure AD also lets you secure your own API. Easy as 1-2-3:
  1. Add an entry for your API in your AAD tenant
  2. Define which permissions your API recognizes
  3. Add middleware in front of your API to validate AAD access tokens
Adding an entry for your Web API in AAD
- AAD needs to know how to identify your API (the identifier clients later send as resource, e.g. https://skwantoso.com/TodoListService in the token slides)
- You can add an entry via the portal...
- ...or you can use VS2013
The application's manifest
- AAD needs to know which permissions your API exposes
- You provide that info by uploading a manifest for your app: a JSON file holding a description of your app
- Download the default one, edit the AppPermissions node, upload it back
- Still VERY MUCH in preview
- Fun fact: an API can also be a client of some other API! The RequiredResourceAccess node lists the resources and permissions the API requires
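Step 3 of "Protecting Your Own API" (middleware that validates AAD access tokens), as an added example; it is not the slides' code, nor AAD's or ADAL's. The API identifier and the user_impersonation scope are the ones from the token slides; the tenant id, the signing-key thumbprint, the 300-second clock-skew allowance and the throwaway RSA key are assumptions. In production the signing keys come from the tenant's published metadata and the RSA primitives from a real library; the hand-rolled PKCS#1 v1.5 RSA here exists only so the example can mint and verify an RS256 token offline.

```python
import base64, hashlib, hmac, json, secrets

# Constructed values: the API identifier from the slides plus a made-up tenant id.
API_ID_URI = "https://skwantoso.com/TodoListService"
TENANT_ID = "11111111-2222-3333-4444-555555555555"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Just enough RSA (PKCS#1 v1.5 with SHA-256) to mint and check RS256 tokens offline.
def _is_probable_prime(n, rounds=32):
    for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(c):
            return c

def rsa_keypair(bits=1024):
    """Throwaway key for the demo: returns (public (n, e), private (n, d))."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, msg, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))

def issue_token(priv, thumbprint, claims):
    """Stand-in for AAD's token endpoint: RS256 JWT whose header carries x5t."""
    header = {"typ": "JWT", "alg": "RS256", "x5t": thumbprint}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + _b64url_encode(rsa_sign(priv, signing_input.encode()))

def validate_aad_token(token, signing_keys, audience, tenant_id, now, skew=300):
    """The checks the middleware in front of the API must make: alg pinned to RS256,
    key chosen by x5t, signature, issuer, audience, validity window (skew assumed)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # the token never gets to pick a weaker alg
        raise ValueError("rejected alg %r" % header.get("alg"))
    key = signing_keys.get(header.get("x5t"))
    if key is None or not rsa_verify(key, (parts[0] + "." + parts[1]).encode(), _b64url_decode(parts[2])):
        raise ValueError("signature does not verify against a known key")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != "https://sts.windows.net/%s/" % tenant_id:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was not issued for this API")
    if not (claims.get("nbf", 0) - skew <= now < claims["exp"] + skew):
        raise ValueError("token outside its validity window")
    return claims

def demo():
    """Mint a good token, then show which manipulations the validator rejects."""
    pub, priv = rsa_keypair()
    keys = {"demo-x5t": pub}  # in production: the tenant's published signing keys
    now = 1396468590  # the slide's expires_on (1396472189) minus expires_in (3599)
    claims = {"aud": API_ID_URI, "iss": "https://sts.windows.net/%s/" % TENANT_ID,
              "nbf": now, "exp": now + 3599, "scp": "user_impersonation"}
    good = issue_token(priv, "demo-x5t", claims)
    h, body, sig = good.split(".")
    tampered = ".".join([h, _b64url_encode(json.dumps(dict(claims, scp="Mail.Read")).encode()), sig])
    unsigned = ".".join([_b64url_encode(b'{"typ":"JWT","alg":"none"}'), body, ""])

    def rejected(tok, aud=API_ID_URI, at=now + 60):
        try:
            validate_aad_token(tok, keys, aud, TENANT_ID, at)
        except ValueError:
            return True
        return False

    return {"scp": validate_aad_token(good, keys, API_ID_URI, TENANT_ID, now + 60)["scp"],
            "tampered_rejected": rejected(tampered),
            "alg_none_rejected": rejected(unsigned),
            "wrong_aud_rejected": rejected(good, aud="https://other.example/api"),
            "expired_rejected": rejected(good, at=now + 3900)}
```

The validator refuses any alg other than RS256 before it looks at the signature, which is what keeps an unsigned alg none token (like the id_token on the token slide, or anything an attacker types up) from ever reaching the claims checks; the audience check is what stops a token issued for some other resource in the tenant from being replayed against this API, and the scp claim is where the user_impersonation permission from the manifest shows up once the token arrives.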
TheIdentityHub (www.theidentityhub.com) product slide, listing: sensor apps, Facebook, Twitter, Google, Apple iOS, Android, Windows Phone, Microsoft Windows 8, Active Directory, web and legacy apps, Office 365.
A big thank you to our sponsors Platinum Partners Gold Partners Silver & Track Partners