0
votes

I have a .NET Core Web API hosted in Azure as an app service. I have also developed a Xamarin Forms mobile application which calls the API to add and remove data from an Azure hosted SQL Server. This works fine; however, you can also make API calls via the browser or with a tool like Postman, and although the data isn't confidential, this feels a bit insecure.

Can anyone recommend the best way to ensure that the API can only be accessed by the mobile application? The mobile app is hosted in Azure and already authenticates with Azure Active Directory, I'm not sure if there is a setting in Azure to prevent access to everything but this app, or if I can pass the Azure AD user to the API to authenticate? I'm just not sure of the best method as I am fairly new to .NET Development.

Thanks.

1
Please elaborate more about the API you are trying to secure, and what kind of request you are trying to restrict. – Hari Krishna
Of course, ideally I'd like to restrict all requests. At the moment it is open, meaning you can GET, POST, and DELETE on some of the tables from a tool like Postman. I'd like it to be restricted only to someone using the mobile application I have developed. – Andrew Bruce
Are these tables in a SQL database? – Hari Krishna
Yes, a SQL database on an Azure hosted SQL Server. – Andrew Bruce

1 Answer

1
vote

Take a look at the Protected web API documentation and sample.

Basically:

  1. Your mobile app would request an access token for a custom scope exposed by your web API app registration and attach it to any call made to your web API's protected endpoints so the latter can authorize it.
  2. By default your web API will authorize calls to its protected endpoints by validating (using the attached access token) the aud claim (which should match the web API's registered app ID) and optionally validating the scopes (scp claim) and/or roles (roles claim).
  3. Optionally you can add your own validation/authorization logic, like allowing only certain clients (such as your mobile app) using the access token's app_id claim, and more.
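The three steps above, as an added example of the web API side in ASP.NET Core with Microsoft.Identity.Web (this is not the question author's code nor the Microsoft sample; it assumes a .NET Core 3.1 Startup-style project, an `AzureAd` section in appsettings.json with the API registration's `Instance`, `TenantId` and `ClientId`, a delegated scope named `access_as_user` exposed by that registration, and a placeholder GUID for the mobile app's client id). Token signature, issuer, expiry and the `aud` claim are validated by `AddMicrosoftIdentityWebApi`; the `scp` check is the `[RequiredScope]` attribute; the "only my mobile app" rule is a custom authorization policy on the `appid` (v1.0 token) or `azp` (v2.0 token) claim.

```csharp
// Startup.cs: added example, not from the original post or the Microsoft sample.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.Resource;

public class Startup
{
    // Assumption: the Azure AD client (application) id of the Xamarin mobile app.
    // Placeholder value; replace with the real app registration id.
    private const string MobileAppClientId = "00000000-0000-0000-0000-000000000000";

    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Steps 1 and 2: accept bearer tokens and validate signature, issuer, expiry and the
        // aud claim against the "AzureAd" section (ClientId = the API registration's app id).
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddMicrosoftIdentityWebApi(Configuration, "AzureAd");

        services.AddAuthorization(options =>
        {
            // Step 3: only tokens issued to the mobile app's client id pass this policy.
            // "appid" is the v1.0 access token claim; v2.0 tokens carry "azp" instead.
            options.AddPolicy("MobileAppOnly", policy =>
                policy.RequireAssertion(ctx =>
                    ctx.User.HasClaim(c =>
                        (c.Type == "appid" || c.Type == "azp") && c.Value == MobileAppClientId)));

            // Deny-by-default: every endpoint needs an authenticated caller unless it is
            // explicitly marked [AllowAnonymous], so a forgotten [Authorize] is not a hole.
            options.FallbackPolicy = options.DefaultPolicy;
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// A protected resource controller; the GET/POST/DELETE calls the question mentions
// now require a valid token, the right scope, and the mobile app's client id.
[ApiController]
[Route("api/[controller]")]
[Authorize(Policy = "MobileAppOnly")]
public class ItemsController : ControllerBase
{
    // Step 2: scope name is an assumption; Microsoft.Identity.Web answers 403 when the
    // token's scp claim does not contain it.
    [HttpGet]
    [RequiredScope("access_as_user")]
    public IActionResult Get() => Ok(new[] { "item1", "item2" });

    [HttpDelete("{id}")]
    [RequiredScope("access_as_user")]
    public IActionResult Delete(int id) => NoContent();
}
```

With this in place, a request from Postman or a browser without a token gets 401 from the authentication middleware, a token minted for a different client id gets 403 from the `MobileAppOnly` policy, and a token for the right client but without the `access_as_user` scope gets 403 from `[RequiredScope]`. Note the limit of the client-id check: it raises the bar for casual misuse, but a public mobile client cannot hold a secret, so anyone who can sign in as a user of your tenant could still obtain a token for that client id; the user identity in the token (and per-user authorization in your API) remains the real control.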