0
votes

I have a combination Web API and MVC application that is secured using Azure ACS, Windows Identity and passive redirects. This works well. Now I am adding a mobile application using PhoneGap that makes calls to the existing application's API. I'm having trouble figuring out how to implement authentication on the mobile client. I've got it mostly working, but I can't get the token to the client due to the Return URL setting in ACS. The scenario is:

  • Mobile client sends get request to API
  • API responds with 401 if user is unauthorized
  • Client redirects to ACS login page and user authenticates
  • Token is sent to the Return URL which is the application running on a web server

For example, if I'm running the client app on localhost:63327, the token is sent to localhost:58392 because that's what is set as the return URL in the ACS configuration.

How do I get the token to my mobile client?


2 Answers

2
votes

I see that people did not really understand your question.

This solution might work.

In a nutshell, the idea is to add a new protocol to get the authentication token from the server to the app client.

  1. PG App calls a web method registering a request to Auth:

    POST BeginGetAuthToken id = pickup Guid pswd = pickup Password

    BeginGetAuthToken can be a web method in your login page.

    Server associates the pickup guid with the pickup password

  2. PG App starts the authentication flow by opening the log-in page using the InAppBrowser

    mywebapp.com/AppLogin.aspx?id={pickup guid}

    The pickup guid is set as a cookie for your webapp domain.

  3. User completes the authentication using the InAppBrowser.

  4. AppLogin.aspx on successful authentication associates the pickup guid with the authentication tokens and asks the user to close the browser to go back to the app.

  5. The PG App picks up the authentication token by providing the pickup password.

Note that for security the server needs to add expiration policies for pickup guids such that only one app can use a guid at a time, and restart the process in case of collisions.