I have created an application in my Azure AD. I switch into the Mobile Service and go to the identity tab. For MS identity it asks for a client ID. I found the Client ID in the Azure AD configure tab.

However, I had no idea what to use for Client Secret and Package SID. It seems like it is expecting you are using a Windows Store app to access the service rather than a Javascript app which is what I am working with.

So, my question is, how do you secure an Azure Mobile Service with Azure AD when an AngularJS web application is accessing the service?

(I don't want to use Google, because I want to control the users that can access this, so I will manually add the users to the Azure AD that I want to grant access to the service.)

UPDATE:

Per the answer below I have attempted to use ADAL.JS. It is "mostly working" with the following issues.

  1. Chrome locks up tight - it doesn't work.

  2. When using a Microsoft Account added to my Azure AD domain, it just goes into a loop and keeps redirecting me.

1 Answer

In the Mobile Service Identity configuration, for Azure AD as you ask, the following parameters are requested:

  • App URL
  • Client ID
  • Allowed Tenants

Package SID is related to MSA account authentication. Azure AD is last at the bottom.

Refer to: Register your apps to use an Azure Active Directory Account login

In Azure AD, you need to have created an application whose Client ID and App ID URI match the information on the Mobile Service side.

Other important information to fill in here:

  • Reply URL: you should have an entry with the URI of your web application (hosting Angular)
  • Allow Enable single sign-on and read users' profiles as Delegated Permission
  • Allow OAuth implicit flow by editing and updating the application manifest file

For more detailed steps to follow, especially about the last item in my list, look at this sample https://github.com/AzureADSamples/SinglePageApp-AngularJS-DotNet and its README.

Once you've obtained the access token via the ADAL.JS libraries, you can use it to call the login method of the Mobile Service, providing the right authentication provider name and the access token retrieved with ADAL.JS.

Using ADAL.JS instead of the Mobile Services SDK for obtaining the access token also gives you the refresh token back, which you can cache and store for automatic access token renewal, avoiding having the user enter credentials every time.
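The hand-off the answer describes (ADAL.JS acquires the token, the SPA passes it to the Mobile Service login method) as an added example that is not part of the original answer or of either SDK. Before calling login it decodes the token's claims and checks that the audience matches the App ID URI registered for the Mobile Service, that the tenant is one of the configured Allowed Tenants, and that the token has not expired; a mismatch there is the usual reason a login call is rejected or a redirect loop appears. The tenant, client ID, URLs, tenant ID and the sample token are all constructed placeholders, and the `'aad'` provider name with the `{ access_token }` object passed to `login` is assumed from the Mobile Services JavaScript SDK's client-flow login; the signature of the token is verified by the Mobile Service itself, not by this client-side check.

```javascript
// Added example (not from the question, the answer, ADAL.JS or the Mobile
// Services SDK). All identifiers below are constructed placeholders.

// ADAL.JS-style configuration. The 'endpoints' map ties the Mobile Service
// URL to its App ID URI so acquireToken() asks for a token for that resource.
const adalConfig = {
  tenant: 'contoso.onmicrosoft.com',                     // placeholder tenant
  clientId: '00000000-0000-0000-0000-000000000000',      // placeholder client ID
  redirectUri: 'https://spa.example.com/',               // must be a Reply URL on the AD app
  endpoints: {
    'https://myservice.azure-mobile.net': 'https://contoso.onmicrosoft.com/myservice',
  },
};

const MOBILE_SERVICE_RESOURCE = adalConfig.endpoints['https://myservice.azure-mobile.net'];
// Placeholder tenant ID; mirrors the "Allowed Tenants" list on the Mobile Service side.
const ALLOWED_TENANT_IDS = ['11111111-1111-1111-1111-111111111111'];

// base64url -> UTF-8 string (Node Buffer; in a browser atob() would be used instead).
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the JWT payload object, or null if the token is not a three-part JWT.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return null;
  }
}

// Diagnostic claim checks: does this token target our Mobile Service resource,
// come from an allowed tenant, and is it still valid? Returns { ok, reason }.
function checkTokenForMobileService(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  if (!claims) return { ok: false, reason: 'not a JWT' };
  if (claims.aud !== MOBILE_SERVICE_RESOURCE) return { ok: false, reason: 'aud mismatch' };
  if (!ALLOWED_TENANT_IDS.includes(claims.tid)) return { ok: false, reason: 'tenant not allowed' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  return { ok: true, reason: '' };
}

// Hands an ADAL.JS-issued token to the Mobile Service client. Fails fast on a
// claim mismatch so the misconfiguration is reported instead of a generic 401.
function loginToMobileService(mobileClient, accessToken) {
  const check = checkTokenForMobileService(accessToken);
  if (!check.ok) throw new Error('token not usable for Mobile Service: ' + check.reason);
  // Assumed Mobile Services JS SDK client-flow call: login(provider, tokenObject).
  return mobileClient.login('aad', { access_token: accessToken });
}

// Builds a constructed, unsigned sample token for local testing only.
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return header + '.' + base64UrlEncode(JSON.stringify(claims)) + '.placeholder-signature';
}

// Typical wiring in the SPA (ADAL.JS and the Mobile Services client assumed present):
//   authContext.acquireToken(MOBILE_SERVICE_RESOURCE, (err, token) => {
//     if (!err) loginToMobileService(mobileClient, token).then(user => ...);
//   });
```

`checkTokenForMobileService` only inspects claims; the Mobile Service validates the signature against the tenant's keys when `login` is called, so these checks are a configuration diagnostic rather than a substitute for that validation.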