How should I secure a Xamarin app that calls ServiceStack service with Azure Active Directory authenticated users

We are writing a native app in Xamarin that should consume ServiceStack services from our backend. We write both the client and server.

We have this working fine, but need an extra layer of security.

The users are stored in Azure Active Directory and/or a local Active Directory.

We think that we should use ‘OAuth 2.0 - Resource Owner Password Credentials Flow’ in this situation.

The app should authenticate using ServiceStack authentication. A ServiceStack authentication provider (which one?) authenticates the username/password on Azure AD and gives back an access token and refresh token. The access and refresh token should be stored in the ServiceStack session. The refresh token is stored on the local device so the user doesn’t have to login again. The username/password are not stored locally on the devices (only the refresh token).

Any subsequent calls to the ServiceStack service are authenticated by using the refresh token. The ServiceStack service validates the refresh token on Azure by getting a new access token. If this succeeds, then the user is validated and the service gives a proper response to the app.

Extra dimension to the issue: the ServiceStack service is only a gateway webserver which can be reached from the Internet. The gateway server (which sits in a DMZ) calls ServiceStack services on a webserver in a local network to get the information and files it needs. The webserver in the local network must know which user queries the ServiceStack service (double-hop problem?). We think that we should solve that by passing the refresh token also to the local webserver, which again acquires an access token in Azure AD.

Acquiring access/refresh tokens is done with Azure Active Directory Authentication Libraries (ADAL).

Some questions:

  1. Is my scenario a proper approach to authenticate Azure AD users using a ServiceStack service?
  2. Is my scenario covered in any standard authproviders?
    I’ve looked at:
    ‘ServiceStack.Authentication.Aad’, but this seems only to work for web clients, because redirection is used.
    ‘ServiceStack.Authentication.OpenId’, but there is no documentation on how to use it with Azure AD. It needs an OpenIdUrl, but where do I get one and how do I configure this?
  3. It should be possible to validate an access token locally. I tried this using JwtSecurityTokenHandler but I can’t find documentation for the required parameters of the TokenValidationParameters object. Do you have examples of how to use this handler?
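For question 3, an added example (not from this thread, nor ServiceStack's or ADAL's own code) of validating an Azure AD access token locally on the resource server with JwtSecurityTokenHandler. It assumes the System.IdentityModel.Tokens.Jwt 5.x and Microsoft.IdentityModel.Protocols.OpenIdConnect packages; the tenant id and expected audience are placeholders for your own tenant and API app registration.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Validates Azure AD-issued access tokens on the resource server without a round trip to Azure AD per request.
// Placeholders: tenantId and expectedAudience come from your own Azure AD tenant and app registration.
public class AzureAdTokenValidator
{
    // Azure AD publishes its issuer and signing keys at the tenant's OpenID Connect metadata endpoint.
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configManager;
    private readonly string _expectedAudience;
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();

    public AzureAdTokenValidator(string tenantId, string expectedAudience)
    {
        var metadataAddress = $"https://login.microsoftonline.com/{tenantId}/.well-known/openid-configuration";
        _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress, new OpenIdConnectConfigurationRetriever());
        _expectedAudience = expectedAudience;
    }

    // Returns the validated principal, or null if the token must not be accepted by this resource.
    public async Task<ClaimsPrincipal> ValidateAsync(string accessToken)
    {
        // ConfigurationManager caches the metadata and refreshes it periodically, so key rollover is handled.
        var config = await _configManager.GetConfigurationAsync(CancellationToken.None);
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = config.Issuer,              // tenant-specific issuer taken from the metadata
            ValidateAudience = true,
            ValidAudience = _expectedAudience,        // App ID URI or client id of this API, never a wildcard
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = config.SigningKeys,   // keys published by Azure AD, used to check the signature
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),      // tighter than the 5 minute default
        };
        try
        {
            return _handler.ValidateToken(accessToken, parameters, out SecurityToken _);
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            // Expired, wrong issuer/audience, bad signature or malformed token: treat the caller as unauthenticated.
            return null;
        }
    }
}
```

The returned ClaimsPrincipal carries the user identity (for example the `upn` or `oid` claim), which is what the internal webserver needs to know who is calling; validating the access token this way avoids forwarding the long-lived refresh token across the DMZ hop.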

You’ll need to contact the external project maintainer of Authentication.Aad for what capabilities it offers. ServiceStack also doesn’t include any JWT functionality in the framework, but you can find a list of 3rd party JWT solutions in this StackOverflow answer.

As for OAuth, the only auth flow supported is the normal redirect to the remote OAuth site to capture the User's authorization before redirecting back to the ServiceStack Authentication Service which will either setup an Authenticated User Session if it was successful or redirect to a failed response. The way to authenticate via OAuth from a mobile is to start the authorization in a browser. We have an example showing how to do this in Xamarin.Android using their Xamarin.Auth component in the TechStacksAuth example. There’s another more recent example in AndroidXamarinChat which shows how to capture the returned ServiceStack Session Cookies which you can populate other service clients with to enable authenticated requests.

Given that Authentication.Aad enables authentication via OAuth2 this is the approach I’d go with but you’ll need to work with the project maintainer directly to work through and troubleshoot any issues. AFAIK there’s no NTLM functionality available in Xamarin clients so this is also the only option I know of to authenticate with AD from a mobile.

We eventually wrote our own AuthProvider which uses the Microsoft ADAL library to get access and refresh tokens from Azure AD and validate them on the resource server.

Cool, if you’re allowed to Open Source it, there would be a number of other devs that would be interested in using it as well.


Hi, sorry, we are not allowed to do that.