We are writing a native app in Xamarin that should consume ServiceStack services from our backend. We write both the client and server.
We have this working fine, but need an extra layer of security.
The users are stored in Azure Active Directory and/or a local Active Directory.
We think that we should use ‘OAuth 2.0 - Resource Owner Password Credentials Flow’ in this situation.
The app should authenticate using ServiceStack authentication. A ServiceStack authentication provider (which one?) authenticates the username/password on Azure AD and gives back an access token and refresh token. The access and refresh token should be stored in the ServiceStack session. The refresh token is stored on the local device so the user doesn’t have to login again. The username/password are not stored locally on the devices (only the refresh token).
Any subsequent calls to the ServiceStack service are authenticated by using the refresh token. The ServiceStack service validates the refresh token on Azure by getting a new access token. If this succeeds, then the user is validated and the service gives a proper response to the app.
Extra dimension to the issue: the ServiceStack service is only a gateway webserver which can be reached from the Internet. The gateway server (which sits in a DMZ) calls ServiceStack services on a webserver in a local network to get the information and files it needs. The webserver in the local network must know which user queries the ServiceStack service (double-hop problem?). We think that we should solve that by passing the refresh token also to the local webserver, which again acquires an access token in Azure AD.
Acquiring access/refresh tokens is done with Azure Active Directory Authentication Libraries (ADAL).
Some questions:
- Is my scenario a proper approach to authenticate Azure AD users using a ServiceStack service?
- Is my scenario covered in any standard authproviders?
I’ve looked at:
- ‘ServiceStack.Authentication.Aad’, but this seems only to work for web clients, because redirection is used.
- ‘ServiceStack.Authentication.OpenId’, but there is no documentation on how to use it with Azure AD. It needs an OpenIdUrl, but where do I get one and how do I configure this?
- It should be possible to validate an access token locally. I tried this using JwtSecurityTokenHandler but I can’t find documentation for the required parameters of the TokenValidationParameters object. Do you have an example of how to use this handler?
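As an added example (not code from the question's author, ServiceStack or ADAL), the following shows the JwtSecurityTokenHandler / TokenValidationParameters pair asked about in the last question. It uses the System.IdentityModel.Tokens.Jwt package. To run offline it signs its own tokens with a throwaway RSA key; the issuer, audience and key id values are assumptions, and in production the signing key would come from the tenant's OpenID Connect metadata rather than a local key (see the note after the code). It demonstrates the three checks that matter for a bearer token arriving at the gateway: issuer, audience and signature, plus lifetime with a bounded clock skew.

```csharp
// Added example: local JWT validation with JwtSecurityTokenHandler.
// NuGet: System.IdentityModel.Tokens.Jwt (pulls in Microsoft.IdentityModel.Tokens).
// Issuer/audience/key ids below are assumptions for the demo, not real tenant values.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class JwtValidationDemo
{
    // Azure AD v1 tokens use the issuer form https://sts.windows.net/{tenantId}/ ;
    // the tenant id here is a placeholder.
    const string Issuer = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/";
    // The 'aud' claim of an access token is the resource the client asked ADAL for
    // (the gateway's App ID URI or client id). Hypothetical value.
    const string Audience = "api://example-gateway";

    // Mints a token the way the issuer would. Only needed so the demo runs offline;
    // in the real setup Azure AD mints the token and the gateway never has a signing key.
    static string CreateToken(RsaSecurityKey signingKey, DateTime expiresUtc)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Upn, "alice@example.com") }),
            NotBefore = expiresUtc.AddMinutes(-60),
            Expires = expiresUtc,
            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256)
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // The part the question asks about: which TokenValidationParameters to set.
    static ClaimsPrincipal Validate(string token, SecurityKey issuerKey, TimeSpan clockSkew)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = Issuer,                 // reject tokens from any other tenant/issuer
            ValidateAudience = true,
            ValidAudience = Audience,             // reject tokens issued for another API
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = issuerKey,         // production: keys from the tenant's OIDC metadata
            RequireSignedTokens = true,           // never accept alg=none
            RequireExpirationTime = true,
            ValidateLifetime = true,              // checks nbf/exp
            ClockSkew = clockSkew                 // default is 5 minutes; keep it small
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out validated);
    }

    static void Main()
    {
        using (var rsa = new RSACryptoServiceProvider(2048))
        using (var attackerRsa = new RSACryptoServiceProvider(2048))
        {
            var issuerKey = new RsaSecurityKey(rsa) { KeyId = "demo-key-1" };
            var skew = TimeSpan.FromMinutes(2);

            // 1. Well-formed, current token: accepted; the handler maps 'upn' to ClaimTypes.Upn.
            var good = CreateToken(issuerKey, DateTime.UtcNow.AddMinutes(30));
            var principal = Validate(good, issuerKey, skew);
            Console.WriteLine("accepted: " + principal.FindFirst(ClaimTypes.Upn).Value);

            // 2. Expired token (exp 10 minutes ago, skew 2 minutes): rejected.
            var expired = CreateToken(issuerKey, DateTime.UtcNow.AddMinutes(-10));
            try { Validate(expired, issuerKey, skew); }
            catch (SecurityTokenExpiredException e) { Console.WriteLine("rejected (expired): " + e.Message); }

            // 3. Token with the right claims and the right 'kid' but signed by someone else: rejected.
            var forgerKey = new RsaSecurityKey(attackerRsa) { KeyId = "demo-key-1" };
            var forged = CreateToken(forgerKey, DateTime.UtcNow.AddMinutes(30));
            try { Validate(forged, issuerKey, skew); }
            catch (SecurityTokenInvalidSignatureException e) { Console.WriteLine("rejected (signature): " + e.Message); }
        }
    }
}
```

Against a real tenant the only change is where `IssuerSigningKey` comes from: the Microsoft.IdentityModel.Protocols.OpenIdConnect package's `ConfigurationManager<OpenIdConnectConfiguration>` can fetch and cache `https://login.microsoftonline.com/{tenantId}/.well-known/openid-configuration`, and its `SigningKeys` collection is assigned to `TokenValidationParameters.IssuerSigningKeys`, so the gateway needs no secret at all to verify tokens. Because verification only needs the tenant's public keys, each hop (DMZ gateway and internal webserver) can validate the same access token independently; the access token, not the refresh token, is the credential that should travel with requests, since a refresh token is a long-lived secret that should stay on the device.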