Thanks so much for listening to these suggestions. I think some of them might be a little bit of an edge case (multiple users on a single device) but others seem to get a lot of play on various forums which suggests lots of folks are wrestling with them. Can't wait to see what your samples look like.
Our App attributes:
- Allows people to charge credit cards.
- Potential for multiple users on a single device
- Runs as a UWP desktop app as well as on the three mobile platforms
- Future iPad- and Mac-based apps when they are supported by Xamarin
We don't want someone signed into another app on their device to automatically sign in based on cookies or shared settings belonging to an identity provider. I fully expect someone to stay logged into Facebook for a month at a time, but expect them to log in and out of our app using Facebook as an identity provider without affecting any other app using Facebook as an identity provider. Everyone is excited about SSO. But it's not for this app. Like a banking app, I expect most users to be logging in/out frequently.
We need to control our own flow. Based largely on advice culled from your tremendously helpful articles, tweets and documentation, I believe what we need to do is:
- Authenticate with the identity provider using the client SDK (not doing this at the moment, using server-directed instead)
- Use that access token to authenticate with an Azure Mobile Custom Authentication controller to get an identity token, update the headers and add user claims, etc. (this is working great)
- Store the relevant tokens and/or usernames/login hints in secure device storage. (implementing now)
- Handle authentication failures and refresh requests within our own code to provide the user the ability to control their own security. (next on my list)
Users have come to expect not to have to type in their username when they re-authenticate. That's reasonable. Since this app can potentially have multiple users on the same device, we plan to allow users to optionally store a login hint (or username) that we can pass to the client SDK so they only have to supply their password. After logging out, we'll delete the tokens from the store and leave only the login hint/username. Being able to pass along a username to the client SDK will be important.
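Added example (not code from the commenter or from the blog author) of how the four steps and the login-hint requirement above can fit together in a Xamarin app: per-user token slots in Xamarin.Essentials SecureStorage, a custom-auth exchange against an Azure Mobile Apps backend, a logout that removes the token but keeps the hint, and a DelegatingHandler that turns a 401 into a re-login decision made by the app rather than by provider cookies. The custom controller route `auth/exchange`, the JSON field names `userId` and `token`, and the storage key layout are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MobileServices; // Azure Mobile Apps client SDK
using Newtonsoft.Json.Linq;
using Xamarin.Essentials;                    // SecureStorage: Keychain / KeyStore / PasswordVault

// Per-user token storage for a shared device. Each user gets an opaque slot id
// (a GUID minted at first sign-in) so two people who both sign in through the
// same provider never share a key, and the key name itself reveals no username.
// Key names and the newline-separated layout are this example's own choices.
public sealed class TokenVault
{
    const string SlotsKey = "auth.slots";                       // list of known slot ids
    static readonly char[] Nl = { '\n' };
    static string TokenKey(string slot) => $"auth.{slot}.zumo"; // backend (Azure Mobile Apps) token
    static string HintKey(string slot) => $"auth.{slot}.hint";  // login hint / username only

    async Task<List<string>> SlotsAsync() =>
        (await SecureStorage.GetAsync(SlotsKey) ?? "").Split(Nl, StringSplitOptions.RemoveEmptyEntries).ToList();

    // Accounts for a "who are you?" picker: slot plus remembered hint (empty if not opted in).
    public async Task<IReadOnlyList<(string Slot, string Hint)>> ListAccountsAsync()
    {
        var result = new List<(string, string)>();
        foreach (var slot in await SlotsAsync())
            result.Add((slot, await SecureStorage.GetAsync(HintKey(slot)) ?? ""));
        return result;
    }

    // After a successful sign-in: persist the backend token and, only if the user
    // opted in, the login hint, both under that user's own slot.
    public async Task SaveSessionAsync(string slot, MobileServiceUser user, string loginHint, bool rememberHint)
    {
        var slots = await SlotsAsync();
        if (!slots.Contains(slot)) { slots.Add(slot); await SecureStorage.SetAsync(SlotsKey, string.Join("\n", slots)); }
        // user id travels with the token so CurrentUser can be rebuilt after an app restart
        await SecureStorage.SetAsync(TokenKey(slot), user.UserId + "\n" + user.MobileServiceAuthenticationToken);
        if (rememberHint) await SecureStorage.SetAsync(HintKey(slot), loginHint);
        else SecureStorage.Remove(HintKey(slot));
    }

    // Returns null when there is no usable token; the caller must run the sign-in flow.
    public async Task<MobileServiceUser> TryRestoreSessionAsync(string slot)
    {
        var raw = await SecureStorage.GetAsync(TokenKey(slot));
        var parts = raw?.Split(Nl, StringSplitOptions.None);
        if (parts == null || parts.Length != 2) { SecureStorage.Remove(TokenKey(slot)); return null; }
        return new MobileServiceUser(parts[0]) { MobileServiceAuthenticationToken = parts[1] };
    }

    // Logout: the token goes, the hint stays, so next time only the password is retyped.
    public void Logout(string slot) => SecureStorage.Remove(TokenKey(slot));

    // "Forget me": drop token, hint and the slot itself from the picker list.
    public async Task ForgetAsync(string slot)
    {
        SecureStorage.Remove(TokenKey(slot));
        SecureStorage.Remove(HintKey(slot));
        var slots = await SlotsAsync();
        slots.Remove(slot);
        await SecureStorage.SetAsync(SlotsKey, string.Join("\n", slots));
    }
}

public static class CustomAuth
{
    // Exchange the provider access token (obtained via the provider's client SDK) for a
    // backend token at a custom auth controller. Route and field names are assumptions.
    public static async Task<MobileServiceUser> ExchangeAsync(MobileServiceClient client, string provider, string providerAccessToken)
    {
        var body = new JObject { ["provider"] = provider, ["access_token"] = providerAccessToken };
        var result = await client.InvokeApiAsync("auth/exchange", body, HttpMethod.Post, null);
        client.CurrentUser = new MobileServiceUser((string)result["userId"]) { MobileServiceAuthenticationToken = (string)result["token"] };
        return client.CurrentUser;
    }
}

// Sits in the MobileServiceClient pipeline. A 401 means the stored backend token is
// no longer valid: delete it and hand control back to the app, which decides whether
// to refresh or to prompt for the password. Nothing is re-authenticated from cookies.
public sealed class ExpiredTokenHandler : DelegatingHandler
{
    readonly TokenVault vault;
    readonly Func<string> currentSlot;   // which of the device's users is active right now
    readonly Action onExpired;

    public ExpiredTokenHandler(TokenVault vault, Func<string> currentSlot, Action onExpired)
    { this.vault = vault; this.currentSlot = currentSlot; this.onExpired = onExpired; }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            vault.Logout(currentSlot());
            onExpired();
        }
        return response;
    }
}
```

Wiring it up is `new MobileServiceClient(backendUrl, new ExpiredTokenHandler(vault, () => activeSlot, ShowLoginPage))`, then on a fresh start `TryRestoreSessionAsync(slot)` and, if it returns null, the provider SDK sign-in followed by `ExchangeAsync` and `SaveSessionAsync`. Two points worth keeping in mind: the login hint is deliberately stored in the same secure store even though it is not a secret, so that a device backup or file-system browse does not expose the list of account names in plaintext; and the 401 handler does not retry on its own, because an automatic retry that leaned on a still-valid provider session would reintroduce exactly the silent SSO behaviour the post wants to avoid.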