I am trying to implement authenticating and identification on a Xamarin cross-platform mobile application consuming data from a WebApi service which I have.
My goal is as follows:
Have the mobile application perform authentication against various Identity Providers, get a security token, and have it passed to the WebApi Service inside the requests' headers.
The service will then implement a DelegatingHandler to validate the token, and extract a userId from it, for later identification and authorization needs.
I would like my client code to be share-able as much as possible !
My options AFAIK are as follows:
Use Azure Mobile Services to generate a federated security token on the client side, and validate the token on the WebApi service. I think it is possible, thanks to this SO answer. Code-Sharing on the client side looks promising, thanks to Xamarin Azure Mobile Services Components.
Use Azure Access Control Service(ACS) to generate a federated security token on the client side, and validate the token on the WebApi service. However, I don't think that consuming the ACS on the client can be easily code-shared. Besides, ACS is not the new guy in town...
Use Xamarin.Auth component to have client side authentication directly against the Identity Providers, generate a JWT security token, and have it validated on the WebApi service. This should give more access to users' data from the IdP. However at the moment the component currently lacks Windows Phone support, and It's not likely it will be available before late fall.
If anyone has already dealt with this scenario, please share your experience and let me know what would be the right way to go.
If my goal is wrong in the first place, don't hesitate to criticize it as well.