
How do I secure Azure App Service end-point for MobileServiceClient([applicationURL]) ?

blmiles Member ✭✭
edited February 2020 in General

Hello,

I have an app that uses **Auth0** https://auth0.com/ as the login provider and can log in through multiple providers: Facebook, LinkedIn, Google, MS and Apple. This all happens client-side and I get the id and access tokens from the relevant service. No errors.

My app then connects to Azure App Services using the Microsoft.WindowsAzure.MobileServices API.
I use this to create the connection to the service:

```csharp
// The service URL is a string literal; it must be quoted.
client = new MobileServiceClient("https://mycompany.azurewebsites.net");
```

The app can then sync data between the local SQLite db and my Azure SQL db.

This all WORKS, no errors.

PROBLEM - the endpoint https://mycompany.azurewebsites.net is set with anonymous access and is not secured.

I can enable App Service Authentication and implement something like this for most authentication services, passing in the already-received tokens from login:

```csharp
// Client-flow login: the SDK's LoginAsync(provider, JObject) expects the
// provider token wrapped in a JObject (for Facebook the key is "access_token").
task = Task.Run(async () => await client.LoginAsync(
    MobileServiceAuthenticationProvider.Facebook,
    new JObject { { "access_token", AccessToken } }));
user = task.Result;
```

This is fine for MS, Facebook and Google authentication BUT there is nothing in the API for LinkedIn or Apple.
Apple certification requires an Apple login IF other provider login choices are also made available to the user.

Question:
How can I secure the Azure App Service in Node.js to accept an app ID and/or password or token that I can supply from the client side as constants, to simply allow generic but somewhat secure access to this URL: https://mycompany.azurewebsites.net, and NOT have this set with anonymous access?

Can anyone please shed light on this?
This is a major block in final progress with the app.

Thank you

Answers

  • batmaci DE Member ✭✭✭✭✭
    edited February 2020

    It is best to use Firebase as identity management in between. Briefly, how it works:
    1) You log in using Facebook, Google, Twitter etc. and receive an authentication token from Facebook, e.g. You need to send/register this token to Firebase Auth. Firebase will return you a Firebase JWT token and your user is saved with a unique userId into Firebase.
    2) You make your HTTP POST request using this JWT token in the header, like below, as Bearer authentication:

    ```csharp
    AuthenticationHeaderValue authValue = new AuthenticationHeaderValue("Bearer", JWTToken);
    ```

    3) You must secure your web core API using Firebase. See the article below. Implementation is very simple. By that you never know any password or sensitive data. So you are also PCI compliant basically.
    https://blog.markvincze.com/secure-an-asp-net-core-api-with-firebase/

    Firebase is just an example. Azure and AWS also have identity management. AWS is pretty complicated, but once you learn it, it is super fluent and more secure. Azure is very simple to implement. I preferred Firebase because it is fully free; the other two have some limited free usage.
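The three steps in the answer above, as an added C# example that is not part of the original thread or of the linked article: the client half attaches the Firebase-issued JWT to every request the `MobileServiceClient` sends (so the existing sync code keeps working), and the server half validates that JWT in an ASP.NET Core backend, which is the route the answer points to rather than the Node.js backend the question mentions. `BearerTokenHandler`, `BackendClientFactory`, `WhoAmIController` and `getFirebaseJwt` are names chosen here, not SDK APIs; `<your-firebase-project-id>` is a placeholder. The two halves live in two different projects and are shown together only for reading.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.MobileServices;            // client half
using Microsoft.AspNetCore.Authentication.JwtBearer;      // server half
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// ---------- Client half (Xamarin app) ----------

// Hypothetical DelegatingHandler: puts the JWT returned by Firebase Auth (step 1)
// into the Authorization header of every outgoing request (step 2).
public class BearerTokenHandler : DelegatingHandler
{
    private readonly Func<Task<string>> _getToken;

    public BearerTokenHandler(Func<Task<string>> getToken)
    {
        _getToken = getToken;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string token = await _getToken();            // read the current token each time, so a refreshed one is picked up
        if (!string.IsNullOrEmpty(token))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        }
        return await base.SendAsync(request, cancellationToken);
    }
}

public static class BackendClientFactory
{
    // MobileServiceClient accepts extra HttpMessageHandlers in its constructor, so
    // table and sync operations all go through BearerTokenHandler without changes.
    public static MobileServiceClient Create(Func<Task<string>> getFirebaseJwt)
    {
        return new MobileServiceClient(
            "https://mycompany.azurewebsites.net",
            new BearerTokenHandler(getFirebaseJwt));
    }
}

// ---------- Server half (ASP.NET Core backend, step 3) ----------

public class Startup
{
    private const string FirebaseProjectId = "<your-firebase-project-id>";   // placeholder
    private const string FirebaseIssuer = "https://securetoken.google.com/" + FirebaseProjectId;

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Authority is Firebase's OpenID issuer; the handler downloads the
                // current signing keys from its discovery document and checks the signature.
                options.Authority = FirebaseIssuer;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = FirebaseIssuer,
                    ValidateAudience = true,
                    ValidAudience = FirebaseProjectId,   // Firebase sets "aud" to the project id
                    ValidateLifetime = true               // expired tokens are rejected
                };
            });
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Every action on this controller now requires a valid Firebase JWT; an
// unauthenticated request gets 401 before the action body runs.
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class WhoAmIController : ControllerBase
{
    [HttpGet]
    public ActionResult<string> Get()
    {
        // Firebase tokens carry the Firebase uid in the "user_id" claim.
        return User.FindFirst("user_id")?.Value ?? string.Empty;
    }
}
```

With this layout the check is enforced in application code, so the App Service Authentication feature in the portal stays off (the platform still reports the endpoint as anonymous) while every request without a valid, unexpired Firebase token is refused by the JWT middleware. A fixed app ID or password shipped as a constant, as the question considers, would be embedded in the client binary and usable by anyone who reads it, which is why a short-lived per-user token from the identity provider is the stronger choice.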

  • blmiles Member ✭✭

    @batmaci thanks for the tips/advice! I will look into that asap.
