
Regarding Middle Tier Recommendation and Client Secrets

mattallscripts opened this issue 2 years ago · 1 comment

Regarding the "Why use a server back end?" section;

Microsoft Authentication Library (MSAL) provides an excellent turn-key solution to adding authentication to your app. There's even support for Xamarin apps in their client NuGet package. If you're interested in using your own web service for authentication, it's possible to use WebAuthenticator to implement the client side functionality.

Why use a server back end?

Many authentication providers have moved to only offering explicit or two-legged authentication flows to ensure better security. This means you'll need a 'client secret' from the provider to complete the authentication flow. Unfortunately, mobile apps are not a great place to store secrets and anything stored in a mobile app's code, binaries, or otherwise is generally considered to be insecure. The best practice here is to use a web backend as a middle layer between your mobile app and the authentication provider.

Important: We strongly recommend against using older mobile-only authentication libraries and patterns which do not leverage a web backend in the authentication flow due to their inherent lack of security for storing client secrets.

MSAL uses authorization code flow without a middle-tier, with the mobile app talking directly to the Identity Provider (Azure AD), and without using a client secret as far as I know (unless using PRT).

Can someone please clarify the difference here and why a middle tier is being recommended in this article? Specifically, why does the diagram in this article look different from the diagram in the Azure AD Auth Code Flow documentation, where the mobile app talks directly to AAD using MSAL?

Should we be using Web Authenticator for a Public Client (Native App) using the Authorization Code Flow?

Thank you!



mattallscripts avatar Jul 14 '21 14:07 mattallscripts
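The flow the asker describes, an authorization code exchange where a native app talks to the identity provider directly and never holds a client secret, works because a public client proves possession of the authorization code with PKCE (RFC 7636) instead of a secret: the app sends a SHA-256 hash of a one-time random value in the authorize request and reveals the value itself only when redeeming the code, which is what MSAL does for public clients. The Python below is an added example written for this page; it is not code from the docs article, from MSAL or from anyone in this thread. The authorize endpoint, client_id and redirect URI are made-up values, and the authorization server is an in-process stand-in that checks only the PKCE binding, single use of the code, and the client_id/redirect_uri match.

```python
"""
OAuth 2.0 authorization code flow with PKCE (RFC 7636) for a public client.
A mobile app cannot keep a client_secret, so it proves possession of the
authorization code with a one-time code_verifier instead. Both sides of the
exchange are simulated in-process; nothing is sent over the network.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values chosen for the example; not a real tenant, app
# registration or redirect scheme.
AUTHORIZE_URL = "https://login.example.com/oauth2/v2.0/authorize"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "msauth://com.example.app/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 section 4 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (the RFC allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Front channel: only the challenge leaves the device; the verifier stays."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> dict:
    """Back channel body: there is no client_secret field for a public client."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


class FakeAuthorizationServer:
    """Stand-in IdP: binds each issued code to the challenge it was requested with."""

    def __init__(self):
        self._pending = {}

    def authorize(self, url: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("authorization code flow with S256 PKCE is required")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return code  # really delivered through redirect_uri, with state echoed back

    def token(self, req: dict) -> dict:
        entry = self._pending.pop(req.get("code"), None)  # codes are single use
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = entry
        expected = make_code_challenge(req.get("code_verifier", ""))
        if (client_id != req.get("client_id") or redirect_uri != req.get("redirect_uri")
                or not hmac.compare_digest(expected, challenge)):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flow(server: FakeAuthorizationServer) -> dict:
    """Legitimate redemption, a replay, and a stolen-code attempt without the verifier."""
    v1 = make_code_verifier()
    code1 = server.authorize(build_authorize_url(v1, secrets.token_urlsafe(8)))
    legit = server.token(build_token_request(code1, v1))
    replay = server.token(build_token_request(code1, v1))  # already consumed

    # An attacker who intercepts the redirect (e.g. another app claiming the
    # same custom URI scheme) has the code but not the device-held verifier.
    v2 = make_code_verifier()
    code2 = server.authorize(build_authorize_url(v2, secrets.token_urlsafe(8)))
    stolen = server.token(build_token_request(code2, make_code_verifier()))
    return {"legit": legit, "replay": replay, "stolen_code": stolen}


if __name__ == "__main__":
    print(run_flow(FakeAuthorizationServer()))
```

The verifier is generated fresh per sign-in and never leaves the device, so a binary that ships no secret has nothing to extract; the middle tier the docs article describes is only needed when the provider insists on a confidential client and does not offer PKCE for native apps.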

MSAL is the one providing the web backend that handles all the redirects. That is why we recommend that route if using Azure AD or B2C.

If you aren't, then you would want to set up a backend to handle this.

So my question to you is: what is your app trying to do, and what are your goals?

jamesmontemagno avatar Jul 19 '21 21:07 jamesmontemagno