Authenticating Users with Azure Mobile Apps

Using an identity provider for authentication

last updated: 2016-06

Azure Mobile Apps use a variety of external identity providers to support authenticating and authorizing application users, including Facebook, Google, Microsoft, Twitter, and Azure Active Directory. Permissions can be set on tables to restrict access to authenticated users only. This article explains how to use Azure Mobile Apps to manage the authentication process in a Xamarin.Forms application.

To have Azure Mobile Apps manage the authentication process in a Xamarin.Forms application, the Azure Mobile Apps instance must first be registered with an identity provider. For information on how to do this, see Add authentication to your Xamarin.Forms app. The sample application uses Google as the identity provider, which allows users with Google accounts to log in to the Xamarin.Forms application. While Google is used as the identity provider in this topic, the approach is equally applicable to other identity providers.

Using an Azure Mobile Apps Instance

The Azure Mobile Client SDK provides the MobileServiceClient class, which is used by a Xamarin.Forms application to access the Azure Mobile Apps instance.

In iOS 9 and greater, App Transport Security (ATS) enforces secure connections between internet resources (such as the app's back-end server) and the app, thereby preventing accidental disclosure of sensitive information. Since ATS is enabled by default in apps built for iOS 9, all connections will be subject to ATS security requirements. If connections do not meet these requirements, they will fail with an exception.

If it is not possible to use the HTTPS protocol and secure communication for internet resources, ATS can be opted out of by updating the app's Info.plist file. For more information, see App Transport Security.

Logging in Users

The login screen in the sample application is shown in the following screenshots:

While Google is used as the identity provider, a variety of other identity providers can be used, including Facebook, Microsoft, Twitter, and Azure Active Directory.

The following code example shows how the login process is invoked:

async void OnLoginButtonClicked (object sender, EventArgs e)
{
  ...
  if (App.Authenticator != null) {
    authenticated = await App.Authenticator.AuthenticateAsync ();
  }
  ...
}

The App.Authenticator property is an IAuthenticate instance that's set by each platform-specific project. The IAuthenticate interface specifies an AuthenticateAsync operation that must be provided by each platform-specific project. Therefore, invoking the App.Authenticator.AuthenticateAsync method executes the IAuthenticate.AuthenticateAsync method in a platform-specific project.

All of the platform-specific IAuthenticate.AuthenticateAsync methods use the MobileServiceClient.LoginAsync method in order to display a login interface and cache data. The following code example shows the LoginAsync method for the iOS platform:

public async Task<bool> AuthenticateAsync ()
{
  ...
  // The authentication provider could also be Facebook, Twitter, or Microsoft
  user = await TodoItemManager.DefaultManager.CurrentClient.LoginAsync (
    UIApplication.SharedApplication.KeyWindow.RootViewController,
    MobileServiceAuthenticationProvider.Google);
  ...
}

The following code example shows the LoginAsync method for the Android platform:

public async Task<bool> AuthenticateAsync ()
{
  ...
  // The authentication provider could also be Facebook, Twitter, or Microsoft
  user = await TodoItemManager.DefaultManager.CurrentClient.LoginAsync (
    this,
    MobileServiceAuthenticationProvider.Google);
  ...
}

The following code example shows the LoginAsync method for the Universal Windows Platform:

public async Task<bool> AuthenticateAsync()
{
  ...
  // The authentication provider could also be Facebook, Twitter, or Microsoft
  user = await TodoItemManager.DefaultManager.CurrentClient.LoginAsync(
    MobileServiceAuthenticationProvider.Google);
  ...
}

On all platforms, the MobileServiceAuthenticationProvider enumeration is used to specify the identity provider that will be used in the authentication process. When the MobileServiceClient.LoginAsync method is invoked, Azure Mobile Apps initiates an OAuth 2.0 authentication flow by displaying the login page of the selected provider, and by generating an authentication token after successful login with the identity provider. The MobileServiceClient.LoginAsync method returns a MobileServiceUser instance that will be stored in the MobileServiceClient.CurrentUser property. This property provides UserId and MobileServiceAuthenticationToken properties. These represent the authenticated user and an authentication token for the user. The authentication token will be included in all requests made to the Azure Mobile Apps instance, allowing the Xamarin.Forms application to perform actions on the Azure Mobile App instance that require authenticated user permissions.
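The UserId and MobileServiceAuthenticationToken values described above are what an app would cache to avoid showing the login page on every launch. The following is an added example, not code from the sample application: it restores a cached user only when the token's expiry claim is still in the future. The CachedLogin class and its method names are hypothetical, and the code assumes the token is a three-part JWT with an exp claim and that userId and token were read back from platform secure storage.

```csharp
using System;
using System.Text;
using Microsoft.WindowsAzure.MobileServices;
using Newtonsoft.Json.Linq;

// Hypothetical helper (added example, not part of the sample application).
public static class CachedLogin
{
  static readonly DateTimeOffset UnixEpoch =
    new DateTimeOffset (1970, 1, 1, 0, 0, 0, TimeSpan.Zero);

  // Returns true when the token is missing, malformed, or past its "exp" claim.
  // This is a client-side freshness check only: the signature is not verified
  // here, the Azure Mobile Apps back end still validates the token on each request.
  public static bool IsTokenExpired (string token, DateTimeOffset now)
  {
    if (string.IsNullOrWhiteSpace (token)) return true;
    var parts = token.Split ('.');
    if (parts.Length != 3) return true;  // assumption: header.payload.signature
    try {
      // JWT segments are unpadded base64url; convert to standard base64.
      var payload = parts [1].Replace ('-', '+').Replace ('_', '/');
      payload = payload.PadRight (payload.Length + (4 - payload.Length % 4) % 4, '=');
      var bytes = Convert.FromBase64String (payload);
      var json = Encoding.UTF8.GetString (bytes, 0, bytes.Length);
      var exp = JObject.Parse (json).Value<long?> ("exp");
      if (exp == null) return true;
      return UnixEpoch.AddSeconds (exp.Value) <= now;
    } catch (Exception) {
      // Fail closed: anything that cannot be parsed is treated as expired.
      return true;
    }
  }

  // Sets CurrentUser from cached values only if the token is still usable.
  // When this returns false the caller should run the normal LoginAsync flow.
  public static bool TryRestore (MobileServiceClient client, string userId, string token)
  {
    if (string.IsNullOrEmpty (userId) || IsTokenExpired (token, DateTimeOffset.UtcNow))
      return false;
    client.CurrentUser = new MobileServiceUser (userId) {
      MobileServiceAuthenticationToken = token
    };
    return true;
  }
}
```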

Logging Out Users

The following code example shows how the logout process is invoked:

async void OnLogoutButtonClicked (object sender, EventArgs e)
{
  bool loggedOut = false;

  if (App.Authenticator != null) {
    loggedOut = await App.Authenticator.LogoutAsync ();
  }
  ...
}

The App.Authenticator property is an IAuthenticate instance that's set by each platform-specific project. The IAuthenticate interface specifies a LogoutAsync operation that must be provided by each platform-specific project. Therefore, invoking the App.Authenticator.LogoutAsync method executes the IAuthenticate.LogoutAsync method in a platform-specific project.

All of the platform-specific IAuthenticate.LogoutAsync methods use the MobileServiceClient.LogoutAsync method in order to de-authenticate the logged-in user with the identity provider. The following code example shows the LogoutAsync method for the iOS platform:

public async Task<bool> LogoutAsync ()
{
  ...
  foreach (var cookie in NSHttpCookieStorage.SharedStorage.Cookies) {
    NSHttpCookieStorage.SharedStorage.DeleteCookie (cookie);
  }
  await TodoItemManager.DefaultManager.CurrentClient.LogoutAsync ();
  ...
}

The following code example shows the LogoutAsync method for the Android platform:

public async Task<bool> LogoutAsync ()
{
  ...
  CookieManager.Instance.RemoveAllCookie ();
  await TodoItemManager.DefaultManager.CurrentClient.LogoutAsync ();
  ...
}

The following code example shows the LogoutAsync method for the Universal Windows Platform:

public async Task<bool> LogoutAsync()
{
  ...
  await TodoItemManager.DefaultManager.CurrentClient.LogoutAsync();
  ...
}

When the IAuthenticate.LogoutAsync method is invoked, any cookies set by the identity provider are cleared before the MobileServiceClient.LogoutAsync method is invoked to de-authenticate the logged-in user with the identity provider.

Summary

This article explained how to use Azure Mobile Apps to manage the authentication process in a Xamarin.Forms application. Azure Mobile Apps use a variety of external identity providers to support authenticating and authorizing application users, including Facebook, Google, Microsoft, Twitter, and Azure Active Directory. The MobileServiceClient class is used by the Xamarin.Forms application to control access to the Azure Mobile Apps instance.
