This document discusses enabling cross-platform employee applications using Windows Azure Active Directory (WAAD), Xamarin, and OAuth2. It covers using WAAD for user authentication and authorization, securing a web API with OAuth2 tokens, and building native Android and iOS apps with Xamarin that can access the secured API. The document provides an agenda, descriptions of key concepts like portable class libraries, and code examples of implementing OAuth2 authentication in a Xamarin mobile app to retrieve user timesheets from a secured web API.

1. Employee Cross
Platform
Applications
With WAAD, Xamarin and OAuth2
27 Feb 2014

2. Page
A User Story
As Joe, the miner,
I want to submit my timesheets on my phone, in the pub,
So I can maximise my fun in my time off.
/ Copyright ©2014 by Readify Pty Ltd2

3. Page
Offline Storage
/ Copyright ©2014 by Readify Pty Ltd3

4. Page
Bring Your Own Device
/ Copyright ©2014 by Readify Pty Ltd4

5. Page
Might not be a VPN
/ Copyright ©2014 by Readify Pty Ltd5

6. Page
Logons……..
/ Copyright ©2014 by Readify Pty Ltd6

7. Page
Agenda
› Windows Azure Active Directory
› OAuth2
› Securing Web API with WAAD / OAuth2
› Xamarin.Auth (and tweaks!)
› Portable Class Libraries
› Xamarin.Android / ios
/ Copyright ©2014 by Readify Pty Ltd7

8. Page
“Our Time is short,
but our challenges
are many”
/ Copyright ©2014 by Readify Pty Ltd8
Graeme Foster, 22nd February 2014

9. Page
Credentials in the Cloud
›More User Databases
›ADFS2
›WAAD Dir Sync
/ Copyright ©2014 by Readify Pty Ltd9

10. Page
Windows Azure
Active Directory
/ Copyright ©2014 by Readify Pty Ltd10

11. Page
Recap
› Azure Active Directory Management Portal
› Users
› Groups
› Applications
› Endpoints
› Graph API
/ Copyright ©2014 by Readify Pty Ltd11

12. Page
Auth Options
›WS-Fed / SAMLP - Mobilesupport limited
›OAuth2– Widelysupported. Thefuture. Not an
authentication protocol
›Open-Id Connect- Aproper authentication
protocol built onOAuth2
/ Copyright ©2014 by Readify Pty Ltd12

13. Page
OAuth2 Code Grant Flow
/ Copyright ©2014 by Readify Pty Ltd
13
HTTP GET …/authorize?
client_id=12345&
resource=TimesheetAPI&
response_type=code&
replyurl=somewhere.com&
state=asdhj123
302 Redirect
somewehere.com?
code=4375983745989873&
state=asdhj123
HTTP GET …/timesheets/1234
Authorization:
Bearer retdbcsdurykjsdvbzj
200 OK
token=retdbcsdurykjsdvbzj
HTTP POST…/token
client_id=12345
code=4375983745989873
grant_type=authorization_code
client_secret=??????
200 OK
{timesheets: [ {… } ] }

14. Page
OAuth2 Implicit Flow
› Made for Mobile Devices
› Sends an access token straight back to the device
› Requires no client secret
› BUT
› It’s not how WAAD for Native Clients works
/ Copyright ©2014 by Readify Pty Ltd14

15. Page
OAuth2 – more details
› Bearer Tokens mandate SSL.
› WAAD token is a base-64 encoded JSON Web Token
› It is signed by the Authorisation Server
› Token’s have a limited life-span.
› Refresh token’s are used to get new token’s
/ Copyright ©2014 by Readify Pty Ltd15

16. Page
Obtaining an
OAuth2 Access
Token
/ Copyright ©2014 by Readify Pty Ltd16

17. Page
Secure Web API
using OAuth2 /
WAAD
/ Copyright ©2014 by Readify Pty Ltd17

18. Page
Recap
› We created a new Web-API project
› We added Application entries in WAAD
› Template did this automatically, but easy to do
manually
› Used an OWIN Plug-in to inject OAuth2 Bearer Token
authorisation
› ClaimsPrincipal appeared on thread
/ Copyright ©2014 by Readify Pty Ltd18

19. Page
Native App
› Pros and Cons are out-of-scope. Let’s just assume we
have to go Native!
› Try to do only UI in the Platform specific app
› Use a PCL to contain “business logic”
/ Copyright ©2014 by Readify Pty Ltd19

20. Page
Portable Class Libraries
› Simple way of saying “Lowest Common Denominator
set of frameworks for a range of devices”
› Compile to standard IL
› …please can I have “Profile 78”
› Supports Async / Await
› Runs on Xamarin Android / ios / windows phone 8
/ Copyright ©2014 by Readify Pty Ltd20

21. Page
Portable Class Libraries
› No license restrictions around Xamarin any more
› Nuget packages for things like HttpClient
› Make it easier to create “sans UI” shared libraries
/ Copyright ©2014 by Readify Pty Ltd21

22. Page
Shared PCL
ViewModel
library
/ Copyright ©2014 by Readify Pty Ltd22

23. Page
OAuth2 in Xamarin
› MS have native libraries
› Creating Xamarin bindings is an option
› Auth0 – abstracts OAuth2 implementations
› Xamarin.Auth – simple open-source library
/ Copyright ©2014 by Readify Pty Ltd23

24. Page
Xamarin.Auth
› Almost great
› Caters for Google / Facebook / Twitter (what more
could you want!)
› Azure Active Directory OAuth2 is slightly out-of-the-
ordinary
› Required tweaking to work
› Wanted to follow 302 redirects…
/ Copyright ©2014 by Readify Pty Ltd24

25. Page
WAAD OAuth2
Client in Xamarin
/ Copyright ©2014 by Readify Pty Ltd25

26. Page
Recap
› Registered a Client Application in WAAD
› Used VS / Xamarin Integration
› Get to use R#!
› Android Emulators are SLOW!
› Geny Motion Android Emulator
› Used Xamarin Build Host to debug into ios App
/ Copyright ©2014 by Readify Pty Ltd26

27. Page
Achivements Unlocked
› Corporate Credentials in the Cloud
› An API which is secured by WAAD
› A shared code library containing the guts of the Client
App
› An Android and ios native client that can access the API
/ Copyright ©2014 by Readify Pty Ltd27

28. Page
References
› http://www.cloudidentity.com/blog/2013/07/23/securing-a-web-api-with-windows-azure-ad-and-katana/
› http://xamarin.com/
› http://oauth.net/2/
› http://openid.net/connect/
› http://www.windowsazure.com/en-us/services/active-directory/
› http://www.google.com
› https://github.com/xamarin/Xamarin.Auth(forkatgraemefoster@github)
› http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
› http://www.genymotion.com/
› http://www.nuget.org/packages/Microsoft.Owin.Security.ActiveDirectory
/ Copyright ©2014 by Readify Pty Ltd28

29. Page
Contact
graeme.foster@readify.net
http://gograemefoster.blogspot.com
+61 (416) 848-234
@graefoster
/ Copyright ©2014 by Readify Pty Ltd29

30. Thank you