The App: Identity Set Up
I have officially lost my mind. I've never run into so many roadblocks in my life on a single concept. Everything seems to be about halfway there, nothing works completely out of the box.
And since the effort crosses so many platforms, frameworks and concepts, and since nothing holds still for even a second in this area, I just end up chasing my tail. Seriously tired of it.
So I'm going to write it all down. Maybe explaining it to myself in a series of blog posts will help. Something needs to...
Background: I'm using Azure Mobile App service and attempting to have them provide the gateway to other Identity Providers, such as Google, Facebook, etc. The reason is pretty straightforward. By using them, I avoid having to store usernames, passwords, and other identity information for some future Edward Snowden to sneak off with. I don't need someone saying that I'm the reason their identity was stolen and I really don't like courtrooms.
Each one of these Identity Providers (IdP) is different and I just would like to have one interface. Azure Mobile App service promises to make that happen.
One of the challenges is that I need information that is central to my app that isn't stored on any of those sites. So in addition to authenticating users against those IdPs, I need to add some of my own information after they've been authenticated.
Once this process is complete, the collective information is stored in the HTTP headers and submitted each time any request is made by the app. The Microsoft Mobile Client ensures that each call contains those headers and that they are secure. Therefore, on the server side, I can automate the checking of those headers, avoid looking up information on every single request and basically forget about security once it's been set up.
Authentication flow:
- Inside my client app (phone, wherever) I first call my backend service using MobileServiceClient.LoginAsync, passing in the IdP the user selected as their preferred provider. I am actually calling this against my Mobile App endpoint, which in turn redirects to the IdP. The result of the IdP is passed back to the Mobile App service, where the unique id of the user is then hashed to what MS calls a "stable id" (sid).
- If they successfully authenticate, the client app (phone) gets back a token, issued by my Mobile App containing the stable id.
- Using that token, I can call a custom authentication endpoint on my backend. Since the client is authenticated, I can now create a new token that contains the additional information I need and return that to the client.
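
The token exchange in the last step, as an added Node.js example (not the author's code and not the Azure SDK's own implementation). It assumes the login token is an HS256-signed JWT carrying the stable id in `sub`; the signing key, the `tenant` claim and the `lookupExtra` helper are hypothetical.

```javascript
// Added example. Assumptions: HS256 JWTs, stable id in `sub`,
// hypothetical `tenant` claim, constructed demo key and ids.
const crypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

function signToken(claims, key) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  return `${head}.${body}.${b64u(hmac(key, `${head}.${body}`))}`;
}

function verifyToken(token, key, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  // Pin the algorithm: the token header must not choose how it is verified.
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(key, `${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (typeof claims.sub !== 'string' || !claims.sub) throw new Error('missing sub');
  return claims;
}

// Custom auth endpoint logic: trade a verified login token for an enriched one.
// lookupExtra(sid) is a hypothetical lookup of the app's own data for that user.
function exchangeToken(loginToken, key, lookupExtra, now = Math.floor(Date.now() / 1000)) {
  const { sub, exp } = verifyToken(loginToken, key, now);
  const extra = lookupExtra(sub);
  if (!extra) throw new Error('unknown user');
  // Identity claims are written last so app data cannot overwrite sub or exp,
  // and the new token never outlives the login it was derived from.
  return signToken({ ...extra, sub, iat: now, exp: Math.min(exp, now + 3600) }, key);
}

// Constructed demo values, not real keys or ids.
const demoLogin = signToken({ sub: 'sid:constructed123', exp: 2000000000 }, 'demo-key');
const demoToken = exchangeToken(demoLogin, 'demo-key', () => ({ tenant: 'constructed-tenant' }));
console.log(verifyToken(demoToken, 'demo-key'));
```

Because the server re-verifies the signature and expiry on every request, the extra claims can be trusted without a database lookup, but only for as long as the signing key stays on the server.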