0
votes

Not sure if that is possible: I would like to switch from server flow to native client flow in order to provide a better authentication experience for my users.

The problem is that Azure AppService requires a "web application" OAuth setup (contains a client ID and a secret), while the native login works with just a client ID and no secret. This means that after the login on the phone, I do have a Google token, but AppService wouldn't know what to do with it and returns me an HTTP Unauthorized.

The mobile client SDK gives me an API, but that doesn't work with such a token.

using Microsoft.WindowsAzure.MobileServices;
using Newtonsoft.Json.Linq;

// Tokens obtained from the native Google Sign-In on the device
var jObject = new JObject(
    new JProperty("access_token", auth.AccessToken),
    new JProperty("id_token", auth.IdToken));

// App Service rejects this payload with 401 when the backend is configured for the server flow
await ServiceClient.LoginAsync(MobileServiceAuthenticationProvider.Google, jObject);

Any idea on the proper way to integrate this without having to write my own server-side token validation?


2 Answers

0
votes

You would still need to configure the web application in Google since you are attempting to access a non-Google API. The native login on its own is not enough.

That means you will still need to provide the backend with an ID and secret. The client is responsible for obtaining an id token and authorization code which get sent to the server, and the server does the actual retrieval of the access token, per the Google documentation.

So that means your call will actually look something like the following:

using Microsoft.WindowsAzure.MobileServices;
using Newtonsoft.Json.Linq;

// Send the one-time server auth code plus the id_token; the backend exchanges the code for the access token
var jObject = new JObject(
    new JProperty("authorization_code", auth.ServerAuthCode), // not sure what property your auth binding exposes this as
    new JProperty("id_token", auth.IdToken));

await ServiceClient.LoginAsync(MobileServiceAuthenticationProvider.Google, jObject);

There isn't documentation for the end-to-end using Xamarin.Android, but you might find it useful to glance over the App Service iOS documentation for this scenario just to see the moving parts. The general pattern you will follow is:

  • Configure everything for the server flow (as you've done before)
  • Set up the Google Sign-in SDK (seems like you've done that already, too).
  • Make the call as described above

The main issue you might run into is making sure that you have the API console registration correct. You'll want to make sure you have an Android client there connected to the web application client ID you are using. I'd recommend giving the Google Sign-in for Android setup instructions a quick look. Also note that authorization codes are one-time use, and there are some throttles that Google puts in place for a user requesting too many of them within some span of time. You might run into that during dev.

0
votes

As far as I know, the native client flow also uses the Google code flow to get the access token.

According to this article, Android, iOS, or Chrome applications don't need the secret to get the access token:

The client secret obtained from the API Console. This value is not needed for clients registered as Android, iOS, or Chrome applications.

But the web app backend will not authorize this access token if you don't enable Azure App Service authentication/authorization in your backend, because the backend has its own logic (the mobile server library writes the logic according to the access token) to return the auth token according to the access token.

Now, the easiest way to enable the client flow in your mobile app is to enable Azure App Service Google authentication/authorization in your backend with the same client ID and secret (based on my test: if you don't set the right secret, the backend will still return the auth token).

Here is the test image:

(image: test screenshot, not reproduced here)

If you still don't want to enable the App Service Google easy auth, I suggest you could create custom authentication which contains your own logic to check the access token and get the user information from Google.

If the check result is successful and returns enough values, you could generate the auth token and return it to the client side.

For more details about how to create custom authentication in the mobile app backend, you could refer to this article.
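The custom-authentication route this answer describes, as an added example that is not part of either answer or of the Azure SDK: a backend controller that validates the Google id_token the native client already holds and then issues an App Service session token. It assumes the Google.Apis.Auth and Microsoft.Azure.Mobile.Server.Login NuGet packages; the route name, request shape and environment variable names are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Google.Apis.Auth;
using Microsoft.Azure.Mobile.Server.Login;

// Hypothetical custom login endpoint for the Mobile Apps backend.
[Route("api/auth/google")]
public class GoogleAuthController : ApiController
{
    // Placeholder: the *web* client ID the native app requested the id_token for.
    private const string GoogleClientId = "<your-web-client-id>.apps.googleusercontent.com";

    public class GoogleLoginRequest { public string IdToken { get; set; } }
    public class LoginResult { public string AuthenticationToken { get; set; } public string UserId { get; set; } }

    [HttpPost]
    public async Task<IHttpActionResult> Post([FromBody] GoogleLoginRequest body)
    {
        if (body == null || string.IsNullOrEmpty(body.IdToken))
            return BadRequest("id_token is required");

        GoogleJsonWebSignature.Payload payload;
        try
        {
            // Checks signature against Google's published keys, expiry and issuer, and rejects
            // tokens minted for a different client ID (audience check) so any Google id_token
            // from an unrelated app cannot be replayed against this backend.
            payload = await GoogleJsonWebSignature.ValidateAsync(body.IdToken,
                new GoogleJsonWebSignature.ValidationSettings { Audience = new[] { GoogleClientId } });
        }
        catch (InvalidJwtException)
        {
            return Unauthorized();
        }

        // "sub" is Google's stable user identifier; email may be absent depending on scopes.
        var claims = new List<Claim> { new Claim("sub", payload.Subject), new Claim(ClaimTypes.Email, payload.Email ?? "") };

        // Signing key and runtime URL are read from App Service settings (assumed names).
        string signingKey = Environment.GetEnvironmentVariable("WEBSITE_AUTH_SIGNING_KEY");
        string runtimeUrl = Environment.GetEnvironmentVariable("EMA_RuntimeUrl");

        var token = AppServiceLoginHandler.CreateToken(claims, signingKey, runtimeUrl, runtimeUrl, TimeSpan.FromHours(24));
        return Ok(new LoginResult { AuthenticationToken = token.RawData, UserId = payload.Subject });
    }
}
```

On the client, put the returned AuthenticationToken and UserId into a MobileServiceUser and assign it to ServiceClient.CurrentUser, as the custom authentication article describes.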