How would I secure XE WebAuthenticator so only my app can call it?

Gary Coates 1 Reputation point
2022-03-01T09:27:16.003+00:00

I am building a Xamarin Forms app and it's going well. I intend to only allow B2C logins, initially Microsoft, Google and Apple. I have followed the steps and have a working solution. I have a WebAuthenticator backend in Azure and my apps can communicate with it, and at present I can get a Google login working.

The part I am having a problem with and require some help is in securing the WebAuthenticator backend. Everything I have looked at and read gets this backend created but leaves it available to anybody to use, not the end of the world but this shouldn't be the way.

What I now need to do is secure this backend so only my iOS and Android app can call it to start the login flow for a Google Sign In. I have been looking at Azure AD etc., but this all seems to lead me to need a User to get access to the backend, and I really don't want to be having a user for that; maybe I do need that.

So if anyone has ideas or tips on App registration and then how to authenticate my app against the backend so I can then call WebAuthenticator.AuthenticateAsync passing the correct URL and start the flow, I would be totally grateful.

Microsoft Entra ID