Authenticate with Azure Mobile Service from UWP client

Question

I'm struggling with authenticating towards an Azure Mobile Service (.NET backend) via Azure AD.
I've been following this tutorial: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/
The authentication to Azure AD itself is successful (result.Status == AuthenticationStatus.Success), but I get HTTP 401 at MobileService.LoginAsync.

Mobile Service Azure AD app config
Sign-on URL: https://contososervice.azurewebsites.net
Client ID: c710fe9b-4dd2-406b-ae68-ea5825c2c103
App ID URI: https://contososervice.azurewebsites.net
Reply URL: https://contososervice.azurewebsites.net/.auth/login/aad/callback

Native client Azure AD app config
Client ID: d79fea3f-2357-4797-9be8-48d630f6e1a3
Redirect URIs:
- https://contososervice.azurewebsites.net/.auth/login/done
- ms-app://S-1-15-2-4177921760-2458829842-3328621796-4043898254-238447652-453539330-2174227773
Permission delegated to ContosoService

Azure mobile service authentication config: advanced mode
Client ID: c710fe9b-4dd2-406b-ae68-ea5825c2c103
Issuer URL: https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47

Mobile service web.config
<add key="ida:Tenant" value="contoso.onmicrosoft.com" /> <add key="ida:Audience" value="https://contososervice.azurewebsites.net" />

Mobile service authentication setup

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseWindowsAzureActiveDirectoryBearerAuthentication(
            new WindowsAzureActiveDirectoryBearerAuthenticationOptions
            {
                Tenant = ConfigurationManager.AppSettings["ida:Tenant"],
                TokenValidationParameters = new TokenValidationParameters
                {
                    ValidAudience = ConfigurationManager.AppSettings["ida:Audience"]
                },

            });
    }

UWP client

        string appIDUri = "https://contososervice.azurewebsites.net";
        string clientID = "d79fea3f-2357-4797-9be8-48d630f6e1a3";

        AuthenticationResult result = await _authContext.AcquireTokenAsync(
            appIDUri,
            clientID,
            WebAuthenticationBroker.GetCurrentApplicationCallbackUri());

        if (result.Status == AuthenticationStatus.Success)
        {
            IsUserAuthenticated = true;
            UserData = result.UserInfo;
            success = true;

            JObject payload = new JObject();
            payload.Add("access_token", result.AccessToken);

            var user = await ServiceClient.ServiceClient.MobileService.LoginAsync(
                MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory,
                payload);
        }

White hawk White hawk · Accepted Answer · 2016-04-08T13:48:01

I actually managed to solve this. Remote debugging the Mobile Service via Visual Studio has helped, because Microsoft.Azure.AppService.Authentication tracing showed that:

A browser request posted the token to https://contososervice.azurewebsites.net/.auth/login/aad/callback, which was successfully processed
My client app posted the token to https://contososervice.azurewebsites.net/login/aad, which didn't work.

It took me a while to understand that the URL the tokens are posted to is actually identical to the appIDUri in the code, and because that identifies the resource, too, I had to change the corresponding App ID URI setting in Mobile Service Azure AD app config.
Thus I had to change both appIDUri and App ID URI in Azure AD to
https://contososervice.azurewebsites.net/.auth/login/aad/callback
and it works now.

Authenticate with Azure Mobile Service from UWP client

1 Answers