Sign in users and call an API in a sample Android mobile app by using native authentication
This article demonstrates how to configure a sample Android mobile application to call an ASP.NET Core web API.
Prerequisites
Register a web API application
Sign in to the Microsoft Entra admin center as at least an Application Developer.
If you have access to multiple tenants, use the Settings icon in the top menu to switch to your external tenant from the Directories + subscriptions menu.
Browse to Identity > Applications > App registrations.
Select + New registration.
In the Register an application page that appears, enter your application's registration information:
In the Name section, enter a meaningful application name that will be displayed to users of the app, for example ciam-ToDoList-api.
Under Supported account types, select Accounts in this organizational directory only.
Select Register to create the application.
The application's Overview pane is displayed when registration is complete. Record the Directory (tenant) ID and the Application (client) ID to be used in your application source code.
Configure API scopes
An API needs to publish a minimum of one scope, also called Delegated Permission, for the client apps to obtain an access token for a user successfully. To publish a scope, follow these steps:
From the App registrations page, select the API application that you created (ciam-ToDoList-api) to open its Overview page.
Under Manage, select Expose an API.
At the top of the page, next to Application ID URI, select the Add link to generate a URI that is unique for this app.
Accept the proposed Application ID URI such as
api://{clientId}
, and select Save. When your web application requests an access token for the web API, it adds the URI as the prefix for each scope that you define for the API.Under Scopes defined by this API, select Add a scope.
Enter the following values that define a read access to the API, then select Add scope to save your changes:
Property Value Scope name ToDoList.Read Who can consent Admins only Admin consent display name Read users ToDo list using the 'TodoListApi' Admin consent description Allow the app to read the user's ToDo list using the 'TodoListApi'. State Enabled Select Add a scope again, and enter the following values that define a read and write access scope to the API. Select Add scope to save your changes:
Property Value Scope name ToDoList.ReadWrite Who can consent Admins only Admin consent display name Read and write users ToDo list using the 'ToDoListApi' Admin consent description Allow the app to read and write the user's ToDo list using the 'ToDoListApi' State Enabled Under Manage, select Manifest to open the API manifest editor.
Set
accessTokenAcceptedVersion
property to2
.Select Save.
Learn more about the principle of least privilege when publishing permissions for a web API.
Configure app roles
An API needs to publish a minimum of one app role for applications, also called Application Permission, for the client apps to obtain an access token as themselves. Application permissions are the type of permissions that APIs should publish when they want to enable client applications to successfully authenticate as themselves and not need to sign-in users. To publish an application permission, follow these steps:
From the App registrations page, select the application that you created (such as ciam-ToDoList-api) to open its Overview page.
Under Manage, select App roles.
Select Create app role, then enter the following values, then select Apply to save your changes:
Property Value Display name ToDoList.Read.All Allowed member types Applications Value ToDoList.Read.All Description Allow the app to read every user's ToDo list using the 'TodoListApi' Select Create app role again, then enter the following values for the second app role, then select Apply to save your changes:
Property Value Display name ToDoList.ReadWrite.All Allowed member types Applications Value ToDoList.ReadWrite.All Description Allow the app to read and write every user's ToDo list using the 'ToDoListApi'
Configure optional claims
You can idtyp optional claim to help the web API to determine if a token is an app token or an app + user token. Although you can use a combination of scp and roles claims for the same purpose, using the idtyp claim is the easiest way to tell an app token and an app + user token apart. For example, the value of this claim is app when the token is an app-only token.
Grant API permissions to the Android sample app
Once you've registered both your client app and web API and you've exposed the API by creating scopes, you can configure the client's permissions to the API by following these steps:
From the App registrations page, select the application that you created (such as ciam-client-app) to open its Overview page.
Under Manage, select API permissions.
Under Configured permissions, select Add a permission.
Select the APIs my organization uses tab.
In the list of APIs, select the API such as ciam-ToDoList-api.
Select Delegated permissions option.
From the permissions list, select ToDoList.Read, ToDoList.ReadWrite (use the search box if necessary).
Select the Add permissions button.
At this point, you've assigned the permissions correctly. However, since the tenant is a customer's tenant, the consumer users themselves can't consent to these permissions. To address this, you as the admin must consent to these permissions on behalf of all the users in the tenant:
Select Grant admin consent for <your tenant name>, then select Yes.
Select Refresh, then verify that Granted for <your tenant name> appears under Status for both permissions.
From the Configured permissions list, select the ToDoList.Read and ToDoList.ReadWrite permissions, one at a time, and then copy the permission's full URI for later use. The full permission URI looks something similar to
api://{clientId}/{ToDoList.Read}
orapi://{clientId}/{ToDoList.ReadWrite}
.
Clone or download sample web API
To obtain the sample application, you can either clone it from GitHub or download it as a .zip file.
To clone the sample, open a command prompt and navigate to where you wish to create the project, and enter the following command:
git clone https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial.git
Download the .zip file. Extract it to a file path where the length of the name is fewer than 260 characters.
Configure and run sample web API
In your code editor, open
2-Authorization/1-call-own-api-aspnet-core-mvc/ToDoListAPI/appsettings.json
file.Find the placeholder:
Enter_the_Application_Id_Here
and replace it with the Application (client) ID of the web API you copied earlier.Enter_the_Tenant_Id_Here
and replace it with the Directory (tenant) ID you copied earlier.Enter_the_Tenant_Subdomain_Here
and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain iscontoso.onmicrosoft.com
, usecontoso
. If you don't have your tenant name, learn how to read your tenant details.
You need to host your web API for the Android sample app to call it. Follow Quickstart: Deploy an ASP.NET web app to deploy your web API.
Configure sample Android mobile app to call web API
The sample allows you to configure multiple Web API URL endpoints and sets of scopes. In this case, you configure only one Web API URL endpoint and its associated scopes.
In your Android Studio, open
/app/src/main/java/com/azuresamples/msalnativeauthandroidkotlinsampleapp/AccessApiFragment.kt
file.Find property named
WEB_API_URL_1
and set the URL to your web API.private const val WEB_API_URL_1 = "" // Developers should set the respective URL of their web API here
Find property named
scopesForAPI1
and set the scopes recorded in Grant API permissions to the Android sample app.private val scopesForAPI1 = listOf<String>() // Developers should set the respective scopes of their web API here. For example, private val scopes = listOf<String>("api://{clientId}/{ToDoList.Read}", "api://{clientId}/{ToDoList.ReadWrite}")
Run Android sample app and call web API
To build and run your app, follow these steps:
In the toolbar, select your app from the run configurations menu.
In the target device menu, select the device that you want to run your app on.
If you don't have any devices configured, you need to either create an Android Virtual Device to use the Android Emulator or connect a physical device.
Select Run button. The app opens on the email and one-time passcode screen.
Select the API tab to test the API call. A successful call to the web API returns HTTP
200
, while HTTP403
signifies unauthorized access.