0 votes

I'm using custom authentication with Azure Mobile App based on following this article.

The client application is a Cordova app.

Steps I did:

  1. Turn on App Service Authentication
  2. Add Microsoft.Azure.Mobile.Server.Login NuGet package
  3. Create custom authentication endpoint
  4. Configure service to require authentication
  5. Use token on client

And it works fine with [Authorize] attribute on action methods/controllers.

But username/password authentication is not enough for me. What I want is to make sure that only my mobile application (client) can use the Mobile App hosted on the Azure endpoint and no one else from the web (in addition to username/password). So some sort of app_id needs to be verified on both sides, probably based on some sort of hash-based message authentication.

All the articles I found describe either custom authentication with username/password or via an Azure AD tenant. But one breaks the other; moreover, I don't need Azure AD.

How can I achieve this? Are there some built-in methods?


1 Answer

3 votes

App Service doesn't provide any built-in support for this when using custom authentication. The closest thing would be to use Azure Active Directory (AAD) service principal authentication. AAD supports app identities and you'd be able to check the identity of the app in the signed token at login time. However, you wouldn't be able to use custom username/password.

Otherwise, I think your best bet is to have some shared secret on both the client and the server to verify that it is only your app accessing the service. However, this is not considered a safe practice. Anyone who downloads your mobile app could theoretically extract this secret and use it from any app they want, so this is not recommended if you need to restrict access for security reasons.