Employee Cross Platform Applications With WAAD, Xamarin and OAuth2 27 Feb 2014

Upload: graeme-foster

Post on 15-Aug-2015


Page 1: Employee Facing Cross Platform Mobile Apps

Employee Cross Platform Applications

With WAAD, Xamarin and OAuth2, 27 Feb 2014

Page 2: Employee Facing Cross Platform Mobile Apps

Copyright ©2014 by Readify Pty Ltd

A User Story

As Joe, the miner,

I want to submit my timesheets on my phone, in the pub,

So I can maximise my fun in my time off.

Page 3: Employee Facing Cross Platform Mobile Apps


Offline Storage

Page 4: Employee Facing Cross Platform Mobile Apps


Bring Your Own Device

Page 5: Employee Facing Cross Platform Mobile Apps


Might not be a VPN

Page 6: Employee Facing Cross Platform Mobile Apps


Logons…

Page 7: Employee Facing Cross Platform Mobile Apps


Agenda

› Windows Azure Active Directory

› OAuth2

› Securing Web API with WAAD / OAuth2

› Xamarin.Auth (and tweaks!)

› Portable Class Libraries

› Xamarin.Android / iOS

Page 8: Employee Facing Cross Platform Mobile Apps


“Our time is short, but our challenges are many” - Graeme Foster, 22nd February 2014

Page 9: Employee Facing Cross Platform Mobile Apps


Credentials in the Cloud

› More User Databases

› ADFS2

› WAAD Dir Sync

Page 10: Employee Facing Cross Platform Mobile Apps


Windows Azure Active Directory

Page 11: Employee Facing Cross Platform Mobile Apps


Recap

› Azure Active Directory Management Portal

› Users

› Groups

› Applications

› Endpoints

› Graph API

Page 12: Employee Facing Cross Platform Mobile Apps


Auth Options

› WS-Fed / SAMLP - Mobile support limited

› OAuth2 - Widely supported. The future. Not an authentication protocol

› OpenID Connect - A proper authentication protocol built on OAuth2

Page 13: Employee Facing Cross Platform Mobile Apps

OAuth2 Code Grant Flow

1. Client → Authorisation Server: HTTP GET …/authorize?client_id=12345&resource=TimesheetAPI&response_type=code&replyurl=somewhere.com&state=asdhj123

2. Authorisation Server → Client: 302 Redirect somewhere.com?code=4375983745989873&state=asdhj123

3. Client → Authorisation Server: HTTP POST …/token with client_id=12345, code=4375983745989873, grant_type=authorization_code, client_secret=??????

4. Authorisation Server → Client: 200 OK token=retdbcsdurykjsdvbzj

5. Client → Web API: HTTP GET …/timesheets/1234 with Authorization: Bearer retdbcsdurykjsdvbzj

6. Web API → Client: 200 OK {timesheets: [ {… } ] }
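The exchange above carried through as an added example (not code from the original slides): a Python simulation of the code grant with a stand-in authorisation server and Web API. The endpoint name, client secret and timesheet data are constructed; the points to note are the state check on the redirect and that each code is redeemable exactly once.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
AUTHORIZE_ENDPOINT = "https://login.example/authorize"  # constructed, not a real WAAD URL

def build_authorize_url(client_id, resource, reply_url):
    # Fresh unguessable state per request: the client refuses any redirect that does not echo it.
    state = secrets.token_urlsafe(16)
    params = {"client_id": client_id, "resource": resource, "response_type": "code",
              "replyurl": reply_url, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state

def parse_redirect(redirect_url, expected_state):
    query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if query.get("state") != expected_state:
        raise ValueError("state mismatch: this client did not start that authorization")
    return query["code"]

class FakeAuthServer:  # stand-in for WAAD: one-time codes swapped for bearer tokens
    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret = client_id, client_secret
        self.codes, self.tokens = {}, {}  # code -> resource, token -> resource
    def authorize(self, authorize_url):  # called after the user has signed in
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        if q.get("client_id") != self.client_id or q.get("response_type") != "code":
            raise ValueError("bad authorize request")
        code = secrets.token_hex(8)
        self.codes[code] = q["resource"]
        return f"https://{q['replyurl']}/?{urlencode({'code': code, 'state': q['state']})}"
    def token(self, form):
        if (form.get("client_id"), form.get("client_secret")) != (self.client_id, self.client_secret):
            raise PermissionError("bad client credentials")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        resource = self.codes.pop(form["code"])  # KeyError: unknown or already-redeemed code
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = resource
        return {"access_token": tok, "token_type": "Bearer"}

def timesheets_api(server, headers):  # stand-in for the Web API behind .../timesheets/1234
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or server.tokens.get(tok) != "TimesheetAPI":
        return 401, None
    return 200, {"timesheets": [{"id": 1234, "hours": 8}]}  # constructed sample data

def run_code_grant(server, client_id, client_secret, resource, reply_url):
    url, state = build_authorize_url(client_id, resource, reply_url)
    code = parse_redirect(server.authorize(url), state)
    tok = server.token({"client_id": client_id, "code": code,
                        "grant_type": "authorization_code", "client_secret": client_secret})
    return {"Authorization": f"Bearer {tok['access_token']}"}
```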

Page 14: Employee Facing Cross Platform Mobile Apps


OAuth2 Implicit Flow

› Made for Mobile Devices

› Sends an access token straight back to the device

› Requires no client secret

› BUT

› It’s not how WAAD for Native Clients works

Page 15: Employee Facing Cross Platform Mobile Apps


OAuth2 – more details

› Bearer Tokens mandate SSL.

› WAAD token is a base-64 encoded JSON Web Token

› It is signed by the Authorisation Server

› Tokens have a limited life-span.

› Refresh tokens are used to get new tokens
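An added example, not from the slides, of what the Web API has to do with the JSON Web Token before trusting it: verify the signature, then check the audience and the expiry. It signs with HS256 (a shared HMAC key) purely so it runs offline; WAAD signs with an RSA key pair, and the key, claim names and sample claims here are constructed.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key: bytes, claims: dict) -> str:
    # Stand-in for the authorisation server. HS256 (shared HMAC key) is used only so the
    # example runs offline; WAAD signs with RSA and the API verifies with the published public key.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, key: bytes, audience: str, now: int) -> dict:
    # What the Web API must do before trusting a bearer token: verify the signature over the
    # exact bytes received, then check audience and expiry. Base-64 decoding alone proves nothing.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the API, not the token, decides the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload))
    if claims.get("aud") != audience:
        raise ValueError("token was issued for a different resource")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired: the client should use its refresh token")
    return claims
```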

Page 16: Employee Facing Cross Platform Mobile Apps


Obtaining an OAuth2 Access Token

Page 17: Employee Facing Cross Platform Mobile Apps


Secure Web API using OAuth2 / WAAD

Page 18: Employee Facing Cross Platform Mobile Apps


Recap

› We created a new Web-API project

› We added Application entries in WAAD

› Template did this automatically, but easy to do manually

› Used an OWIN Plug-in to inject OAuth2 Bearer Token authorisation

› ClaimsPrincipal appeared on thread

Page 19: Employee Facing Cross Platform Mobile Apps


Native App

› Pros and Cons are out-of-scope. Let’s just assume we have to go Native!

› Try to do only UI in the Platform specific app

› Use a PCL to contain “business logic”

Page 20: Employee Facing Cross Platform Mobile Apps


Portable Class Libraries

› Simple way of saying “Lowest Common Denominator set of frameworks for a range of devices”

› Compile to standard IL

› …please can I have “Profile 78”

› Supports Async / Await

› Runs on Xamarin Android / iOS / Windows Phone 8

Page 21: Employee Facing Cross Platform Mobile Apps


Portable Class Libraries

› No license restrictions around Xamarin any more

› NuGet packages for things like HttpClient

› Make it easier to create “sans UI” shared libraries

Page 22: Employee Facing Cross Platform Mobile Apps


Shared PCL ViewModel library

Page 23: Employee Facing Cross Platform Mobile Apps


OAuth2 in Xamarin

› MS have native libraries

› Creating Xamarin bindings is an option

› Auth0 – abstracts OAuth2 implementations

› Xamarin.Auth – simple open-source library

Page 24: Employee Facing Cross Platform Mobile Apps


Xamarin.Auth

› Almost great

› Caters for Google / Facebook / Twitter (what more could you want!)

› Azure Active Directory OAuth2 is slightly out-of-the-ordinary

› Required tweaking to work

› Wanted to follow 302 redirects…

Page 25: Employee Facing Cross Platform Mobile Apps


WAAD OAuth2 Client in Xamarin

Page 26: Employee Facing Cross Platform Mobile Apps


Recap

› Registered a Client Application in WAAD

› Used VS / Xamarin Integration

› Get to use R#!

› Android Emulators are SLOW!

› Genymotion Android Emulator

› Used Xamarin Build Host to debug into iOS App

Page 27: Employee Facing Cross Platform Mobile Apps


Achievements Unlocked

› Corporate Credentials in the Cloud

› An API which is secured by WAAD

› A shared code library containing the guts of the Client App

› An Android and iOS native client that can access the API

Page 28: Employee Facing Cross Platform Mobile Apps


References

› http://www.cloudidentity.com/blog/2013/07/23/securing-a-web-api-with-windows-azure-ad-and-katana/

› http://xamarin.com/

› http://oauth.net/2/

› http://openid.net/connect/

› http://www.windowsazure.com/en-us/services/active-directory/

› http://www.google.com

› https://github.com/xamarin/Xamarin.Auth (fork at graemefoster@github)

› http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html

› http://www.genymotion.com/

› http://www.nuget.org/packages/Microsoft.Owin.Security.ActiveDirectory

Page 29: Employee Facing Cross Platform Mobile Apps


http://gograemefoster.blogspot.com

+61 (416) 848-234

@graefoster

Page 30: Employee Facing Cross Platform Mobile Apps

Thank you