The App: Security Compromises
After all this work, it appears that we're at a bit of an impasse with regard to MS products and identity. This is beyond frustrating.
At the heart of this is Azure B2C which must be the foundation of our identity. Nothing else is affordable or as secure.
There are only two ways to access B2C, either from a native platform (like a phone) or a browser.
That means that it supports native and server based authentication scenarios. Native is a better experience on phones, but requires an SDK to access the service. Microsoft has one, MSAL, that is still in testing. Unfortunately, it doesn't seem to want to work with Azure Mobile Apps, which is the platform we've selected to host the server side of the app. As an aside, it apparently doesn't work consistently with social providers.
All the Xamarin documentation and other sample code point to using this, and the respective product managers at Microsoft admit that it doesn't work.
So we could switch to using the server based authentication scenario which would be passable.
But, our web site is meant to host the API functions that our phones will use and the web pages that the web site portion would use (you know, in case you didn't have all the functions implemented on a phone). One site, one set of code, one thing to manage, one set of scalable resources, etc.
And what normally happens is that when a browser tries to access anything on the server that's protected, the server automatically reroutes the request to the B2C login page. And that's exactly what we want. But only for browsers.
And the problem is that the website wants to reroute even the API calls to the B2C login page and we don't want that.
And it turns out that reliably distinguishing which platform is making the calls is harder than it sounds. If we were using the client SDK calls to B2C, it would be straightforward. But we can't do that, because MSAL doesn't work, ADAL doesn't work, and Xamarin Auth doesn't work.
It turns out that this problem has been around for years; folks doing AJAX calls ran into it long ago. There are supposed to be workarounds for it, but I haven't had much luck getting them to work.
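The usual shape of that workaround, as an added example that is not code from this post or from Azure Mobile Apps: an unauthenticated request only gets the interactive B2C redirect when it looks like a browser navigation, and every API client gets a plain 401 with a challenge header instead. The `/api/` prefix, the `/.auth/login/b2c` path and the `return_to` parameter are assumed placeholders, and the sample requests are constructed, not captured traffic.

```javascript
// Added example, not the post's own code. Decides how to answer a request
// that has no valid session: redirect browsers to the B2C login page,
// return 401 to mobile apps and XMLHttpRequest/fetch callers.
// Assumptions (placeholders, not from the post): API routes live under
// API_PREFIX and the interactive login lives at B2C_LOGIN_PATH.
const API_PREFIX = "/api/";
const B2C_LOGIN_PATH = "/.auth/login/b2c";

// Header names are expected in lower case, as Node's http module delivers them.
function isBrowserNavigation(req) {
  const h = (name) => String(req.headers[name] || "");
  // Anything under the API prefix is never a page navigation.
  if (req.url.startsWith(API_PREFIX)) return false;
  // A client that already sends a bearer token wants a 401, not an HTML login page.
  if (/^bearer\s+\S+/i.test(h("authorization"))) return false;
  // Classic AJAX marker used by jQuery and friends.
  if (h("x-requested-with").toLowerCase() === "xmlhttprequest") return false;
  // Modern browsers mark top-level navigations explicitly.
  if (h("sec-fetch-mode").toLowerCase() === "navigate") return true;
  // Otherwise only a client that asks for HTML is treated as a browser;
  // an empty or JSON-only Accept header falls through to the 401 path.
  return h("accept").toLowerCase().includes("text/html");
}

// Builds the response (status + headers) for an unauthenticated request.
function challengeFor(req) {
  if (isBrowserNavigation(req)) {
    const returnTo = encodeURIComponent(req.url);
    return { status: 302, headers: { Location: `${B2C_LOGIN_PATH}?return_to=${returnTo}` } };
  }
  return { status: 401, headers: { "WWW-Authenticate": 'Bearer realm="api"' } };
}

// Constructed sample requests (not captured traffic).
const browserReq = { url: "/orders", headers: { accept: "text/html,application/xhtml+xml", "sec-fetch-mode": "navigate" } };
const mobileReq = { url: "/api/orders", headers: { accept: "application/json" } };
const ajaxReq = { url: "/orders", headers: { accept: "*/*", "x-requested-with": "XMLHttpRequest" } };

for (const [name, req] of Object.entries({ browserReq, mobileReq, ajaxReq })) {
  const res = challengeFor(req);
  console.log(`${name}: ${res.status} ${JSON.stringify(res.headers)}`);
}
```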
I've spent another week trying to get to the bottom of this.
So fuck it. We are just moving ahead with what works with mobile and bagging the website. Maybe by the time something actually gets around to working, someone will have a solution.