How do I secure Azure App Service end-point for MobileServiceClient in Xamarin Forms?

Hello,

Not entirely an Auth0 issue but hoping someone can help!

I have an app that uses Auth0 as the login provider and can login through multiple providers - Facebook, LinkedIn, Google, MS and Apple. This all happens client-side and I get the id and access tokens from the relevant service. No errors.

My app then connects to Azure App Services using the Microsoft.WindowsAzure.MobileServices API
I use this to create the connection to the service:
client = new MobileServiceClient("https://mycompany.azurewebsites.net");

The app can then sync data between the local SQLite db and my Azure SQL db.
This all WORKS, no errors.

PROBLEM - the endpoint https://mycompany.azurewebsites.net is set with anonymous access and is not secured.

I can enable App Service Authentication and implement something like this for most authentication services, passing in the already-received tokens from login:
task = Task.Run(async () => await client.LoginAsync(MobileServiceAuthenticationProvider.Facebook, AccessToken));
user = task.Result;

This is fine for MS, Facebook and Google authentication BUT there is nothing in the API for LinkedIn or Apple.
Apple certification requires an Apple login IF other provider login choices are also made available to the user.

Question:
How can I secure the Azure App Service in Node.js to accept an app ID and/or password or token that I can supply from the client side as constants to simply allow generic but somewhat secure access to this URL: https://mycompany.azurewebsites.net and NOT have this set with anonymous access?

Can anyone please shed light on this?
This is a major block in final progress with the app.

Thank you

Hi @lindsaymiles, there seems to be a doc (link) about the best practices on how to secure an app using Azure App service. They provide different strategies for securing your app.

I hope it can help.
Cheers.


Thanks for sharing that link @wassimchegham!


Yep, already looked at all that. The sync service seems restrictive in how much it can be extended, especially after authorizing through Auth0 in the client-side app THEN needing to authenticate tokens from the various providers, when accessing the service… kinda stuck right now. Even trying to find ways to pass in an app secret (and handle it) into the sync service isn’t clear.

Any other info, tips, guidance would be most useful.
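
An added example, not part of the original thread and not the Azure Mobile Apps SDK's own API: a constant app ID or password compiled into the client can be read out of the app package, so this sketch has the Node.js backend verify the Auth0-issued token the client already holds, which works the same whichever social provider the user picked. It assumes the client sends that token in an `Authorization: Bearer` header and that it is an RS256-signed JWT; the issuer URL, the `verifyBearer`/`requireToken` names and the locally generated key pair (standing in for the tenant's published signing key) are constructed for the demo.

```javascript
// Added example: verify an RS256 bearer JWT before serving a request.
const crypto = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed test helper: signs a token the way an identity provider would.
function signToken(payload, privateKey, header = { alg: "RS256", typ: "JWT" }) {
  const input = `${b64url(header)}.${b64url(payload)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

// Returns the claims if the header carries a valid token, otherwise throws.
function verifyBearer(authHeader, { publicKey, issuer, audience, now = Date.now() }) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authHeader || "");
  if (!m) throw new Error("missing or malformed bearer token");
  const [, h, p, s] = m;
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  // Pin the algorithm: never let the token itself choose "none" or HS256.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const signed = Buffer.from(`${h}.${p}`);
  const ok = crypto.verify("RSA-SHA256", signed, publicKey, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (claims.iss !== issuer) throw new Error("wrong issuer");
  // aud may be a string or an array; the token must be minted for this API.
  if (![].concat(claims.aud || []).includes(audience)) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) throw new Error("expired");
  return claims;
}

// Express-style middleware (hypothetical wiring): reject before any handler runs.
const requireToken = (opts) => (req, res, next) => {
  try { req.user = verifyBearer(req.headers.authorization, opts); next(); }
  catch (e) { res.statusCode = 401; res.end("Unauthorized"); }
};

// Constructed demo data: a local key pair stands in for the tenant's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const opts = {
  publicKey,
  issuer: "https://tenant.example/",               // placeholder issuer
  audience: "https://mycompany.azurewebsites.net", // endpoint from the question
};
const exp = Math.floor(Date.now() / 1000) + 300;
const good = signToken({ iss: opts.issuer, aud: opts.audience, sub: "user|1", exp }, privateKey);
```

In a real deployment the public key would be loaded from the identity provider's published key set rather than generated in-process.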
