Introducing Visual Studio App Center Auth
For the past few months, the team has been working to develop a seamless identity management service to easily manage user identities at scale in Visual Studio App Center. Today, we’re really excited to launch App Center Auth in early preview! 🚀
App Center Auth is a cloud-based identity management service that enables developers to authenticate users and manage user identities. Our preview will support native iOS, Android and Xamarin, with additional platforms planned in the future. App Center Auth is powered by Azure Active Directory B2C (Azure AD B2C). We chose Azure AD B2C because it is a highly-available and secure global service that scales to and handles billions of authentications per day. Using Azure AD B2C, you can easily customize and control how users securely interact with your mobile applications at scale. Setting up the Auth preview requires an existing Azure subscription and Azure AD B2C tenant.
Why We Built App Center Auth
Having a view of the user and their behavior across your app empowers developers to better engage users by creating tailored experiences for them. Whether you are an app developer building a collaboration app for users inside your organization or the next social network platform, you will need a way to authenticate users and manage user identities. Having an identity management service is one of the most important features of a mobile backend service. App Center Auth not only enables developers to authenticate users, but also provides more value by integrating with other parts of App Center, enabling developers to leverage the user identity to view user data in other services and even send push notifications to users instead of individual devices.
With our early preview launch, App Center Auth allows you to connect an existing Azure AD B2C tenant, and integrate this user identity with other App Center services. App Center identifies the signed-in user using a GUID (`account_id`), and you can then view the user data or send push notifications to the user based on this GUID.
App Center Auth Token Exchange Service
The App Center Auth SDK wraps the Microsoft Authentication Library (MSAL), a library that lets your application work with the identities held in Azure AD B2C. Azure AD B2C implements the OpenID Connect and OAuth 2.0 protocols. Through these protocols, the security tokens and the claims they carry let the resource owner (the end user) grant access to resources.
This section details how your mobile application can sign in users with social or local (email/password) accounts, obtain an access token and identify the signed-in user. For this to work, you need to integrate the App Center Auth SDK and to have set up App Center Auth in the portal.
As you go through the setup wizard in the App Center portal, we collect details of your Azure AD B2C tenant: your Application ID (the unique identifier that Azure AD B2C uses for your app), the Redirect URI (the unique identifier that routes the OAuth 2.0 responses back to your app) and other information about your tenant.
After you have integrated the App Center Auth SDK in your mobile application, you start the Auth module by calling the `signIn()` method. `signIn()` is typically called from a sign-in button in the UI or on a splash screen.
When the app user signs in to the application, the application issues authentication requests to Azure AD B2C. Azure AD B2C passes the Application ID (the unique application identifier) and the Redirect URI to the third-party identity provider (e.g. Microsoft). Once the user grants the mobile application permission to access the resource at the third-party identity provider, the result of this authentication request is a JSON Web Token (JWT) that contains information about the signed-in user. Azure AD B2C then verifies the JWT and creates claims that can be used to validate an identity and allow access to secure resources. These claims include properties such as:
- The ID of the signed-in user
  - This is the `account_id` that App Center uses to identify the signed-in user across its services.
- The scopes, or permissions, granted for the JWT
  - Scopes such as `read`, `write` and `delete` are the way permissions to protected resources are managed.
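As an added example (not code from App Center, MSAL or Azure AD B2C), the following backend-side check shows what it means to rely on the claims described above: the signature is verified first, then the issuer, audience (the Application ID), validity window, subject and the scopes granted for the token, and only then is the request served. To keep it self-contained, the token is signed with HS256 and a constructed shared secret, and the issuer URL and Application ID are placeholders; real Azure AD B2C tokens are RS256-signed and verified against the tenant's published signing keys, but the claim checks are the same.

```python
"""Added example: validating the claims in a JWT on a backend.

Constructed illustration, not App Center or Azure AD B2C code. The token is
signed with HS256 and a demo secret so the script runs offline; production
tokens from Azure AD B2C are RS256-signed and must be verified against the
tenant's published signing keys. The claim checks are identical either way.
"""
import base64
import hashlib
import hmac
import json

# Constructed placeholders standing in for a tenant's issuer URL and an app's
# Application ID (the audience the token must have been issued for).
TRUSTED_ISSUER = "https://placeholder-tenant.example/v2.0/"
APP_ID = "00000000-0000-0000-0000-000000000000"
SHARED_SECRET = b"constructed-demo-secret"  # demo-only key, never a real credential


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Build a compact JWS (header.payload.signature); only used to create sample input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, required_scope: str, now: float,
                 key: bytes = SHARED_SECRET) -> dict:
    """Verify the signature, then every claim the backend relies on.

    Returns the claims on success; raises ValueError at the first failed check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token itself must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != APP_ID:
        raise ValueError("token was not issued for this application")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if not claims.get("sub"):
        raise ValueError("no subject (user ID) claim")
    # 'scp' carries space-separated scopes; the caller names the one it needs.
    granted = set(claims.get("scp", "").split())
    if required_scope not in granted:
        raise ValueError(f"missing scope: {required_scope}")
    return claims


def outcome(token: str, required_scope: str, now: float) -> str:
    """Return 'ok' or the reason verification failed."""
    try:
        verify_token(token, required_scope, now)
        return "ok"
    except ValueError as err:
        return str(err)


def sample_token(now: float) -> str:
    """A constructed token for a user granted read and write, valid for one hour."""
    return mint_token({
        "iss": TRUSTED_ISSUER, "aud": APP_ID,
        "sub": "constructed-user-guid", "scp": "read write",
        "nbf": int(now) - 60, "exp": int(now) + 3600,
    })


def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature, to show a modified token is rejected."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = sample_token(t0)
    print(outcome(tok, "read", t0))          # ok
    print(outcome(tok, "delete", t0))        # missing scope: delete
    print(outcome(tok, "read", t0 + 7200))   # token expired
    forged = tamper(tok, {"iss": TRUSTED_ISSUER, "aud": APP_ID, "sub": "x",
                          "scp": "read write delete", "exp": int(t0) + 3600})
    print(outcome(forged, "delete", t0))     # bad signature
```

The order of checks matters: a token whose signature does not verify is rejected before any of its claims are read, and the scope check is done against the scope the endpoint actually needs rather than against whatever the token happens to list.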
Here is the user's sign-in experience:
- The user taps sign in.
- The app redirects to the sign-in page (either a custom page built by the developer or the default page provided by Azure AD B2C).
- The user selects the third-party identity provider to sign in with.
- The user is redirected to that identity provider's sign-in page and enters their credentials.
- The user is signed in successfully.
Using the App Center Auth in the Portal
Configuring App Center Auth requires an existing Azure subscription and Azure AD B2C tenant. App Center Auth currently supports the sign-in user journeys (policies) defined in Azure AD B2C.
To get started, sign in to App Center. Go to the app that you’d like to configure Auth for, click on Auth on the right-hand panel, and click Connect your Azure subscription.
You’ll be taken through a five-step setup wizard to select the:
- Azure subscription
- Azure AD B2C tenant under the subscription
- Registered application
- Scope for the application
- Sign-in policy
  - You can enter your user flow manually if your custom policy is not displayed
Once that is done, you will see a Getting Started page to configure the SDK. After you have configured the SDK, you will be taken to the Auth Overview page, which shows details about your Azure AD B2C tenant and offers options to edit the scope and policy and to disconnect the tenant from the app. For further configuration, the Edit in Azure button takes you to the Azure AD B2C tenant in the Azure portal.
Congratulations, you have successfully configured App Center Auth!
Post Microsoft Build, we will be focusing on serving a larger pool of developers with the following features:
- Bring Your Own Identity: We expect our developers to use other popular identity and access management providers such as Auth0. We will add support for developers to bring their own identity management providers with support for our MBaaS services.
- Create your own Azure AD B2C tenant in App Center: We will simplify the experience further so that you can create a new Azure AD B2C tenant, manage your identity providers, custom policies and users in App Center.
- Enterprise Support: We’ll enable you to incorporate Azure AD business scenarios within App Center, such as the ability to connect existing AAD tenants to enable authenticating against a corporate domain and managing access to sensitive data.
- User profile: Developers will be able to view their app user profile with user analytics, diagnostics, data, push, and distribution statistics.
Share your Feedback
This is an early preview and the beginning of App Center Auth. We are always looking to iterate with you and deliver a streamlined developer experience that you will love. Get started with App Center Auth, and comment on what you’d like to see in our GitHub repo here.
Happy building! 🎉