1
votes

Can Azure Traffic Manager be used with Mobile Apps, especially with social login? I have configured a Traffic Manager and two app services (say, mobileapp1 and mobileapp2) to work with it. They seem to work pretty nicely with Postman, and the responses and everything else are working. Now, I have declared the Traffic Manager's URL as the client in the Xamarin client app, and the app throws an exception when I am logging in to Azure. After logging in to Facebook, when I am passing the token to the server using this line

var user = await client.LoginAsync(MobileServiceAuthenticationProvider.Facebook, token);

it throws an exception at this line saying invalid operation.

In continuation of this doubt: I have two mobile apps connected with one Traffic Manager. Both of them have Facebook login configured. So, is it supposed to work? What happens if, when the user is registering, he/she is redirected to mobileapp1 and Azure authentication is done there, while in some subsequent attempts the user is redirected to mobileapp2? Does the identity database of mobileapp2 know about the user? This is when I am using the authentication service that comes with the mobile app and not B2C.


1 Answer

1
votes

Based on your code, you are using client-managed authentication with Azure Mobile Apps. For App Service Authentication / Authorization with a mobile client, a JSON Web Token (JWT) would be issued to the client, and then it would be presented in the x-zumo-auth header when sending requests to the mobile backend. For more details, you could refer to How authentication works in App Service. Here is a JWT when using Azure Traffic Manager with a Mobile App; we could use jwt.io to decode the token:

enter image description here

For the JWT, it would use the WEBSITE_AUTH_SIGNING_KEY environment variable to sign the audience, issuer, and claims. For more details, you could refer to here about how to use custom authentication for your application.

Each Mobile App has a different WEBSITE_AUTH_SIGNING_KEY; you could use Kudu and click Environment to find it. Moreover, I tried to update my two mobile apps to use the same signing key, but failed for lack of permission.

Your LoginAsync would send the following request:

POST https://<yourname>.trafficmanager.net/.auth/login/facebook
Body {"access_token":"<access_token_from_facebook>"} 

You could use Fiddler to capture the network trace.

Can Azure Traffic Manager be used with Mobile Apps, especially with social login?

For custom authentication, you could configure the signing key in your web.config file. For social login using the authentication provided by Azure, you could not share the signing key between different mobile apps. Moreover, if you set the routing method to Geographic and your mobile apps are in different geographic locations, I assume that your scenario may work as expected.

UPDATE1:

After some trials, I found you could specify the WEBSITE_AUTH_SIGNING_KEY setting under the "SETTINGS > Application settings" blade of your mobile app to override the WEBSITE_AUTH_SIGNING_KEY environment variable as follows:

enter image description here

Note: The signing key needs to be a SHA-256 hashed string. You could sync the key between your two mobile apps or generate your own custom key. After configuring the setting, you could leverage Kudu to check the newest WEBSITE_AUTH_SIGNING_KEY.

UPDATE2:

my problem is figuring out how to use social auth with two different mobile apps where redirection by traffic manager is happening on the basis of performance

As the official documentation mentions about the traffic routing method Performance as follows:

Performance: Select Performance when you have endpoints in different geographic locations and you want end users to use the "closest" endpoint in terms of the lowest network latency.

I did some tests that you could refer to. Here are the endpoints under my Traffic Manager profile:

enter image description here

Note: My two mobile apps have configured the same Client Id for my MSA authentication and set the same WEBSITE_AUTH_SIGNING_KEY value under "SETTINGS > Application settings" for encoding / decoding the token.

For my /api/values API endpoint, I just return the WEBSITE_HOSTNAME environment variable as follows:

return Request.CreateResponse(new { WEBSITE_HOSTNAME = Environment.GetEnvironmentVariable("WEBSITE_HOSTNAME") });

For the Performance routing method, all my requests would be routed to bruce-mobile02.azurewebsites.net:

enter image description here

For the Weighted routing method, I configured the same WEIGHT for my two endpoints. Per my test, the requests with the same AuthenticationToken that is attached as the x-zumo-auth header value for authorization would be routed to my two endpoints as follows:

enter image description here
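
An added example, not part of the original answer: a minimal simulation of why a token issued by one backend is rejected by the other until both share a signing key. It assumes HS256 with the hex-decoded key as the HMAC secret; `issue_token`, `validate_token`, `simulate`, the keys and the claims are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(signing_key_hex: str, claims: dict) -> str:
    """Mint an HS256 JWT as a backend would after a successful login."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(bytes.fromhex(signing_key_hex),
                   f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def validate_token(signing_key_hex: str, token: str):
    """Return the claims if the signature verifies under this key, else None.
    Issuer, audience and expiry checks are omitted to isolate the key's role."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
        # Pin the algorithm so a token cannot choose its own verification mode.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(bytes.fromhex(signing_key_hex),
                            f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed segments, bad base64, bad JSON
        return None

# Constructed 64-character hex keys standing in for each app's signing key.
KEY_APP1 = hashlib.sha256(b"constructed key for mobileapp1").hexdigest()
KEY_APP2 = hashlib.sha256(b"constructed key for mobileapp2").hexdigest()

def simulate(shared_key: bool) -> dict:
    """Log in on mobileapp1, then present the same token to both backends."""
    key2 = KEY_APP1 if shared_key else KEY_APP2
    token = issue_token(KEY_APP1, {"sub": "sid:constructed-user"})
    return {"mobileapp1": validate_token(KEY_APP1, token) is not None,
            "mobileapp2": validate_token(key2, token) is not None}

if __name__ == "__main__":
    print("separate keys:", simulate(shared_key=False))
    print("shared key:   ", simulate(shared_key=True))
```
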