
Scenario: I already have a registered multi-tenant web application that is compatible with Azure SSO. I'm now in the process of developing an iOS application that will support SSO authentication for the app as well.


Based on the example provided in https://azure.microsoft.com/en-us/resources/samples/active-directory-ios/ I created a Native application for the iOS app with delegated permissions from my WebApp (ref: https://stackoverflow.com/a/29810124).

This works for any user that exists within the AAD in which the app was created. However, as soon as I want to SSO from a different domain that has previously authorized the WebApp, I get an error:

Application with identifier 'CLIENT_ID_HERE' not found in directory DOMAIN_HERE.onmicrosoft.com

This implies that the native application is not multi-tenant? This seems a bit bizarre considering it should be possible for users outside of the domain to SSO to an application.


Right now, for my browser based SPA I'm simply able to manually call the common Azure login page to consent and get an authorization code for a user. I then send this code to a backend (the WebApp) that performs the OAuth handshake and gets a valid token. This does not require a client_secret from the application because the SPA isn't actually performing token retrieval.

So when I attempted to use the WebApp's client_id instead (similar to what https://stackoverflow.com/a/27033816 is suggesting) I was met with an error from the Azure AD iOS SDK requiring that I provide a client secret as well. It seems that the SDK is abstracting a fair amount of this and grabbing a token for you rather than performing a step where I can simply get an authorization code and send it to my WebApp.


TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.

The question posed in the answer of the previous SO post somewhat explains my issue:

How can my mobile app access my multi-tenant web api on behalf of the user?

References

  1. https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-scenarios#native-application-to-web-api
  2. https://github.com/Azure-Samples/active-directory-dotnet-webapi-multitenant-windows-store
jstruzik

2 Answers


At present, the native app registered on the Azure portal doesn't support multi-tenant. You may consider using the V2.0 endpoint, which also supports Microsoft accounts.

TLDR: My requirements are very similar to the ones outlined in multiple-tenant, multiple-platform, multiple-services single sign-on using Azure Active directory where I have multiple clients (browser, iOS, Android) that all need to be able to use Azure SSO. I'm assuming the mobile apps should be able to use my existing WebApp to authenticate the users.

Did you mean that you have different front-ends and the multi-tenant web application is the back-end? In this scenario, there is no need to register another native client application on the portal; you can refer here about adding authentication for the iOS app.

Fei Xue
  • Yes, the iOS app would be acting as the front-end in this case. I'm just a little confused as to what that page is suggesting. Should I be using the `MSClient` as provided by the iOS example? https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-active-directory-authentication#optional-configure-a-native-client-application is another section that I'm not sure if it's what I want. – jstruzik Dec 09 '16 at 17:12
  • Both of the links should work for authentication using Azure. However, they are a little different. The link you mentioned uses the native app for authentication and requests the web app as a service. In the link I mentioned, there is only one web app, and we use this app for authentication; since this app is a web app, we can enable it as a multi-tenant app. In this scenario, we can also call the web app the back-end service. Based on my understanding, the native app is registered when you **wish to perform logins using a library such as the Active Directory Authentication Library** – Fei Xue Dec 12 '16 at 06:22
  • The library is used to help developers integrate Azure AD easily. We are able to not use `MSClient`; however, you may need to implement the authentication logic yourself. To understand **Easy Auth**, you can refer to the [blogs](http://cgillum.tech/2016/02/01/architecture-of-azure-app-service-authentication-authorization/) written by cgillum. – Fei Xue Dec 12 '16 at 06:32
  • I'm just trying to use the AD auth library to send the user to the Azure login page, and then redirect back to the application with an `authorization_code`. The auth code would then be sent up to my multi-tenant web application to exchange the code for an access token. This process shouldn't require a client_secret at all. So I will attempt to use the link you've provided but it seems the tutorial suggests I create a mobile app backend and use the `loginAndGetData` (which seems to get a token, not an `authorization_code`)? – jstruzik Dec 12 '16 at 16:58
  • https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-multitenant-windows-store/ still seems to be what I'm looking for but I still run into the application not found error when attempting to access the native application from a different tenant than the one that created it. – jstruzik Dec 12 '16 at 19:35
  • @jstruzik The error is expected. https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapi-multitenant-windows-store/ will not work for your scenario since the native app is not multi-tenant enabled. It demonstrates how to develop a multi-tenant web API where users need to register their clients in their tenant separately to call this web API. Did you have any problem when following [Add authentication to your iOS app](https://learn.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-ios-get-started-users)? – Fei Xue Dec 13 '16 at 10:01
  • I found that enabling a multi-tenant native application actually was possible here by manually editing the app's `manifest.json`. This seemed to work for any users outside of the tenant (good blog post on it here: http://nicksnettravels.builttoroam.com/post/2016/10/20/Building-a-Mulit-Tenant-Rich-Client-(UWP)-that-Connects-via-an-Azure-AD-Protected-WebAPI-Through-to-an-External-Service.aspx). However, this still isn't exactly what I was looking for. I have provided details in my answer. – jstruzik Dec 13 '16 at 18:23

So the majority of Microsoft's tutorials use their AAD SDK to generate OAuth access tokens whereas I needed to simply get an authorization_code to send up to a backend that's registered as an existing multi-tenant web application so it could properly generate a token using its own client_id.

This was done using the correct redirect_uri in the AD OAuth code documentation:

For native & mobile apps, you should use the default value of urn:ietf:wg:oauth:2.0:oob

Note that sending up urn:ietf:wg:oauth:2.0:oob will actually result in a schema error for the multi-tenant OAuth login page (https://login.windows.net/common/oauth2/authorize) so you must use https://login.microsoftonline.com/common/oauth2/nativeclient instead.

jstruzik
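The hand-off that both the question (the SPA flow) and the accepted answer describe, written out as an added example that is not code from the thread or from Microsoft's samples: the client opens the /common authorize endpoint with the nativeclient redirect_uri, takes only the `code` off the redirect, and the backend builds the token request with its own client_id and client_secret. The client_id, client_secret, resource and the redirected URL below are constructed placeholders; no request is actually sent, the token request is returned as data so it can be inspected.

```python
"""Authorization-code hand-off: native client -> multi-tenant backend (Azure AD v1 endpoints).

Added example, not from the Stack Overflow thread. The mobile client only ever sees
an authorization code; the backend, which holds the secret, redeems it.
"""
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com/common"
# The redirect_uri the answer found to work with the /common authorize endpoint
# (urn:ietf:wg:oauth:2.0:oob gives a schema error there).
NATIVE_CLIENT_REDIRECT = "https://login.microsoftonline.com/common/oauth2/nativeclient"


def build_authorize_url(client_id, resource, state, redirect_uri=NATIVE_CLIENT_REDIRECT):
    """URL the mobile app opens in a browser/web view. client_id is the multi-tenant
    WebApp's id; 'state' is a per-request random value the client remembers."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
    }
    return f"{AUTHORITY}/oauth2/authorize?{urllib.parse.urlencode(params)}"


def extract_code(redirected_url, expected_state, redirect_uri=NATIVE_CLIENT_REDIRECT):
    """Pull the authorization code out of the URL the web view landed on.

    Rejects a redirect to any other URL, a state that does not match the one we sent
    (this is the CSRF check that makes 'state' worth carrying), and error responses.
    """
    parsed = urllib.parse.urlsplit(redirected_url)
    base = urllib.parse.urlunsplit((parsed.scheme, parsed.netloc, parsed.path, "", ""))
    if base != redirect_uri:
        raise ValueError("redirect landed on an unexpected URL")
    query = urllib.parse.parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def build_token_request(code, client_id, client_secret, redirect_uri=NATIVE_CLIENT_REDIRECT):
    """Form the backend POSTs to the /common token endpoint. The secret never
    leaves the backend, which is why the client did not need one."""
    return {
        "url": f"{AUTHORITY}/oauth2/token",
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "client_id": client_id,
            "client_secret": client_secret,
            "redirect_uri": redirect_uri,
        },
    }


if __name__ == "__main__":
    # Constructed values, not real identifiers.
    state = "c0nstructed-state"
    print(build_authorize_url("WEBAPP_CLIENT_ID", "https://graph.windows.net", state))
    landed = (NATIVE_CLIENT_REDIRECT
              + "?code=CONSTRUCTED_CODE&state=c0nstructed-state&session_state=xyz")
    code = extract_code(landed, state)
    print(build_token_request(code, "WEBAPP_CLIENT_ID", "WEBAPP_CLIENT_SECRET"))
```

The redirect_uri passed to the token endpoint must be the same one used on the authorize request, so the backend should use the nativeclient value for codes that came from the mobile app rather than the SPA's own redirect_uri.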