
Using the WebAuthenticator with the Sample.Server.WebAuthenticator?

Carl_R

Using the setup from the WebAuthenticator sample and guide, is it possible to use the [Authorize] attribute on a WebApi Controller to prevent anonymous access?

Guide
https://docs.microsoft.com/en-us/xamarin/essentials/web-authenticator?context=xamarin/android&tabs=android

Server sample
https://github.com/xamarin/Essentials/tree/develop/Samples/Sample.Server.WebAuthenticator

  • Would I need other configuration server side, besides adding a controller I want to access and using the [Authorize] attribute?
  • Is the token from Web Authenticator a bearer token? Is it enough in theory to add it to the HttpClient's headers as a bearer?

Posts

  • Carl_R

    Anybody?

  • brugnner

    Same here

  • Carl_R

    I had the answer last week. The access_token is not intended for authorization on your own API server, but only for authorization to the APIs logged in to. In short, if you log in to Google and add Google scopes, you can use it to query Google APIs. It's a very weird sample, since the MVC web where you would do the same thing would be used for authentication. Thing is, in that case it gives you a cookie. And it's what it tries to do in this case too. But since native apps are stateless in their communication with the server, tokens should be used.
    The correct solution for my use would be using IdentityServer4 as a federation gateway, issuing its own tokens. Parts of the sample could be reused, but quite differently.

  • newbiedev123

    We have an Azure AD authenticated API and we were planning to use the Web Authenticator to authenticate the user and call the API. Do you mean this would not work? Can the Web Authenticator not be used for calling our own APIs? Will it not work like the MSAL library, where we can specify the API in the scope?
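
The distinction drawn in Carl_R's answer, between a token meant for a provider's APIs and a token your own API should accept, comes down to the issuer and audience checks a JWT bearer handler runs before `[Authorize]` lets a request through. The following is an added example, not code from this thread or from the Essentials sample; it uses the `System.IdentityModel.Tokens.Jwt` package, and the issuer, audience, signing key, class name and sample tokens are hypothetical values constructed for the demo.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

static class AudienceCheckDemo
{
    // Hypothetical values; a real token service would sign with an asymmetric key.
    const string OwnIssuer = "https://login.example.test";
    const string OwnAudience = "my-api";
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-32-bytes-min!!"));

    // Stand-in for the token service: mints a short-lived signed JWT.
    static string Mint(string issuer, string audience) =>
        new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(
            issuer, audience, new[] { new Claim("sub", "user-1") },
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)));

    // The checks the API applies to every bearer token it receives.
    static bool ApiAccepts(string bearer)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = OwnIssuer,
            ValidateAudience = true, ValidAudience = OwnAudience,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true, IssuerSigningKey = Key
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(bearer, parameters, out _);
            return true;
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            Console.WriteLine($"rejected: {ex.GetType().Name}");
            return false;
        }
    }

    static void Main()
    {
        Console.WriteLine(ApiAccepts(Mint(OwnIssuer, OwnAudience)));          // token minted for this API
        Console.WriteLine(ApiAccepts(Mint(OwnIssuer, "some-other-api")));     // same issuer, wrong audience
        Console.WriteLine(ApiAccepts(Mint("https://idp.example.test", OwnAudience))); // foreign issuer
        Console.WriteLine(ApiAccepts("constructed-opaque-provider-token"));   // not a JWT at all
    }
}
```

In an ASP.NET Core API the same `TokenValidationParameters` are supplied through `AddJwtBearer`, and the client sends the token with `new AuthenticationHeaderValue("Bearer", token)` on its `HttpClient`.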
