
I am trying to implement authentication and identification on a cross-platform mobile application consuming a WebApi service.

My plan is to export the authentication to a federated cloud service, such as the new Azure Mobile Service. The Client Mobile application will consume the Mobile Service authentication flow, get a token, and will then have it sent inside the requests' headers to the WebApi, which in turn will validate it and extract the UserId from it.

Assuming I already configured the WebApi to validate JWT tokens using a DelegatingHandler interceptor, is it possible to validate tokens issued by the Azure Mobile Service?

What would be the correct values for SymmetricKey, Issuer, and Audience?

Am I going in the right direction?

Liel

2 Answers


The post at http://www.thejoyofcode.com/Generating_your_own_ZUMO_auth_token_Day_8_.aspx shows how to generate an Azure Mobile Service token, but that has the information you need to validate it as well. Basically, the key you need to use to validate it is the master key from the service (do not distribute that key to any clients, but if it's coded securely in your service, that should be fine). The audience depends on the provider which created the token (e.g., for FB, it's the string "Facebook"). The issuer is set to urn:microsoft:windows-azure:zumo.

carlosfigueira
  • Thanks for this! However, I am having no luck validating the JWT token received from `Azure` on the WebApi, so at the moment, I have no working solution... I asked a [separated SO question](http://stackoverflow.com/q/18273776/2126652) for more details. – Liel Aug 16 '13 at 12:54
  • There is a project called **MyVote** on GitHub that has a basic implementation of a JWT token-validator. This code was taken from an old ASP .NET sample that was removed. I have added an issue to the mobile services SDK, to give us a dedicated token validator for the JS and managed backend. Here is the link to the repo [MyVote](https://github.com/Magenic/MyVote/tree/master/src/MyVote.AppServer/Auth) – awsomedevsigner May 18 '14 at 16:39

What you will need to do in your WebAPI project is implement a custom message handler to intercept the token and validate it was signed using the same master key from AMS. There is a project on GitHub that shows how to do this:

JWT Validator

This was basically a derivative of another GitHub project that has the original ASP.NET sample here:

AuthenticationTokenSample

The main validation occurs when calling the ValidateSignature() method, which takes the bytes of the UTF-8 representation of the JWT Claim segment and calculates an HMAC SHA-256 MAC on them using the shared key from Azure Mobile Services. If the JWT Crypto Segment and the previously calculated value match, then one has confirmation that the key was used to generate the HMAC on the JWT and that the contents of the JWT Claim Segment have not been tampered with.

The one main thing I found is that you need to stop the "JWTSig" string from being appended to the master key in the ValidateSignature() method. It appears that tokens signed by AMS no longer append that string to the master key. I had all sorts of trouble getting the validation to pass until I removed that segment.

atconway
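Added example, not code from either answer or from the linked GitHub projects: a Python validator that does what the second answer describes for the DelegatingHandler, namely an HMAC-SHA256 over the UTF-8 bytes of the header and claim segments keyed with the AMS master key, a constant-time comparison against the crypto segment, and checks of the issuer and audience values given in the first answer. The function names, the key_suffix option for the older "JWTSig" scheme, and the test-token helper are my own; the master key and sample claims are constructed, and the algorithm is pinned server-side so a token cannot select its own.

```python
import base64
import hashlib
import hmac
import json
import time

ZUMO_ISSUER = "urn:microsoft:windows-azure:zumo"  # issuer value named in the answers above

def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def validate_zumo_token(token, master_key, audience, now=None, key_suffix=""):
    """Return the claims dict if the token verifies, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_seg, claims_seg, sig_seg = parts
    header = json.loads(_b64url_decode(header_seg))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    # HMAC-SHA256 over the UTF-8 bytes of "<header>.<claims>", keyed with the master key.
    # key_suffix="JWTSig" reproduces the older AMS scheme that appended that literal to the key.
    key = (master_key + key_suffix).encode("utf-8")
    signing_input = (header_seg + "." + claims_seg).encode("utf-8")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):  # constant-time compare
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(claims_seg))
    if claims.get("iss") != ZUMO_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("unexpected audience")
    if "exp" in claims and float(claims["exp"]) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def make_test_token(master_key, claims, alg="HS256", key_suffix=""):
    # Constructed HS256 token for testing only; not how AMS itself mints tokens.
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode("utf-8"))
    body = _b64url_encode(json.dumps(claims).encode("utf-8"))
    key = (master_key + key_suffix).encode("utf-8")
    sig = hmac.new(key, (header + "." + body).encode("utf-8"), hashlib.sha256).digest()
    return header + "." + body + "." + _b64url_encode(sig)
```

The master key must stay on the WebApi side only; the client never needs it to present a token.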