Azure Mobile App Service / Xamarin iOS client / Okta Identity Provider example


Here's my current situation:

  • Xamarin iOS mobile app (using MobileServiceClient to login)
  • Azure Mobile/App Service (ASP.NET Web API) with Azure AD authentication

I would like to modify the authentication part of this process to be handled by Okta instead of Azure AD. How can I set up Okta, or any other 3rd-party identity provider service similar to Okta, as the IdP for both my mobile app and the API web service? Azure claims that you can use any auth-capable 3rd-party provider, but I don't see any way to integrate such a provider in the Azure portal.

I found this url to a tutorial for custom Authentication: https://adrianhall.github.io/develop-mobile-apps-with-csharp-and-azure/chapter2/custom/

From this post: IdentityServer 4 as Identity Provider for Azure App Service

Is this really the only way to do it? I would really rather keep using the server flow through MobileServiceClient and configure Azure to use the 3rd-party OAuth identity provider. Does anyone have an example or additional information on how to do this?

Thank you for your help. Maybe someone from the Azure team can enlighten us on this topic; I have not seen any documentation or examples of how to do it in their documentation so far.

Client:

Found a working library for OAuth2 and OpenID that worked for integrating with Okta: https://github.com/openid/AppAuth-iOS
https://github.com/openid/AppAuth-iOS/tree/master/Examples

with a Xamarin wrapper: https://github.com/xamarin/XamarinComponents/tree/master/XPlat/OpenId

Tested it with Okta for client auth with two-factor authentication and it works well. On to figure out the App Service part.

Best answer

After more research and trial and error, I've found the right combination that works for what I'm trying to do. Here's an outline of what it is:

Okta (identity provider)
  • set up a native application with an Implicit (Hybrid) grant on it
Mobile Client Server / Web Api
  • converted my ASP.NET Web API web service to an ASP.NET Core Web API web service so I can use the latest OWIN middleware to validate JWT bearer tokens submitted in the header of calls to the secured endpoints; here's an example of how to set that up with Okta: https://developer.okta.com/quickstart/#/ios/dotnet/aspnetcore

One thing to note that tripped me up along the way:

  • In the client, after successfully authenticating with Okta through an OpenID Connect component, you will receive user information that includes an id_token and an access_token. Although it might seem natural to send the access token with your API calls to the server, that's actually not the case: the access token is supposed to be used only to get userinfo and is not a validated token, because it gets regenerated regularly. The ID token, on the other hand, contains the signature that the server needs to validate that the header and the payload of the token haven't been tampered with. The difference between these two tokens can be observed in the number of '.'-delimited parts contained within the token: the access token has only 2 such parts, header and payload, while the ID token has 3, header, payload and signature.

Read more about JWT tokens here: https://auth0.com/learn/json-web-tokens/
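As an added illustration of the bearer-token validation the answer delegates to the API-side middleware (this is example code written for this page, not code from the post, Okta, or ASP.NET Core), the block below does by hand what a resource server does with an `Authorization: Bearer` header: split the token into header, payload and signature, pin the expected algorithm, verify the signature over the first two parts, then check `iss`, `aud` and `exp`. It uses HS256 with a constructed shared secret so it runs offline with only the standard library; Okta signs tokens with RS256 and publishes the public keys at its JWKS endpoint, so the signature step there is an RSA verification instead. `ISSUER`, `API_AUDIENCE`, `CLIENT_ID` and `SECRET` are placeholders. The example also exercises the failure modes a practitioner should see rejected: a payload edited after signing, an `alg: none` header, an expired token, a two-part token, and a token whose `aud` is the client ID rather than the API's audience.

```python
"""
Bearer JWT validation as a resource server performs it. Stand-alone example,
not Okta or ASP.NET Core code. HS256 with a constructed secret is used so the
block runs with the standard library; Okta uses RS256 keys from its JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for the example; not real Okta identifiers.
ISSUER = "https://example.okta.com/oauth2/default"
API_AUDIENCE = "api://default"          # audience the API is configured to accept
CLIENT_ID = "0oaexampleclientid"        # audience an IdP puts on tokens for the client
SECRET = b"constructed-shared-secret-for-the-example"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Build a token the way an IdP would (constructed, for the example only)."""
    header = {"alg": alg, "typ": "JWT"}
    head_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = head_b64 + "." + body_b64
    if alg == "none":
        return signing_input + "."      # unsigned token, must be rejected below
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_bearer_token(token: str, now=None) -> dict:
    """Return the verified claims, or raise ValueError naming the first failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token's own header choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Only after the signature holds are the claims worth reading.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in aud:
        raise ValueError("token not issued for this API (aud=%r)" % aud)
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def outcome(token: str, now) -> str:
    try:
        validate_bearer_token(token, now)
        return "ok"
    except ValueError as err:
        return str(err)


def demo() -> dict:
    """Run the validator over a good token and several constructed bad ones."""
    now = 1_700_000_000
    access = mint_token({"iss": ISSUER, "aud": API_AUDIENCE, "sub": "user@example.com",
                         "scp": ["openid"], "exp": now + 3600})
    id_tok = mint_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user@example.com",
                         "exp": now + 3600})
    head, _, sig = access.split(".")
    forged_payload = _b64url_encode(json.dumps(
        {"iss": ISSUER, "aud": API_AUDIENCE, "sub": "admin", "exp": now + 3600},
        separators=(",", ":")).encode())
    tampered = head + "." + forged_payload + "." + sig   # payload changed, old signature
    none_tok = mint_token({"iss": ISSUER, "aud": API_AUDIENCE, "exp": now + 3600}, alg="none")
    expired = mint_token({"iss": ISSUER, "aud": API_AUDIENCE, "exp": now - 1})
    return {
        "access_token": outcome(access, now),
        "id_token": outcome(id_tok, now),
        "tampered_payload": outcome(tampered, now),
        "alg_none": outcome(none_tok, now),
        "expired": outcome(expired, now),
        "two_parts": outcome(access.rsplit(".", 1)[0], now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

The audience check is the line that decides which of the two tokens an API accepts: a token whose `aud` is the client ID is rejected by a resource server configured for its own audience, whatever its number of parts, so the token to send from the client is whichever one the API's middleware is configured to accept as its audience. In the real ASP.NET Core setup the JwtBearer middleware performs the same sequence against Okta's JWKS keys and the authority/audience values from the quickstart.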