How would I secure XE WebAuthenticator so only my app can call it?

Gary Coates 1

I am building a Xamarin Forms app and its going well, I intend to only allow B2C logins initially Microsoft, Google and Apple. I have followed the steps and have a working solution. I have WebAuthenticator backend in Azure and my apps can communicate with it and at present I can get a Google login working.

The part I am having a problem with and require some help is in securing the WebAuthenticator backend. Everything I have looked at and read gets this backend created but leaves it available to anybody to use, not the end of the world but this shouldn't be the way.

What I now need to do is secure this backend so only my iOS and Android app can call it to start the login flow for a Google Sign In. I have been looking at Azure AD etc but this all seems to lead me to need a User to get access to the backend and I really don't want to be having a user for that, maybe I do need that.

So if anyone has ideas or tips on App registration and then how to authenticate my app agains the backend so I can then call WebAuthenticator.AuthenticateAsync passing the correct url and start the flow I would be totally grateful.

Leon Lu (Shanghai Wicresoft Co,.Ltd.) 72,336 Reputation points Microsoft Vendor

2022-03-02T02:46:43.59+00:00

I search secure XE WebAuthenticator in Xamarin.Forms side. I cannot find any way to limit it. You need to secure this Azure WebAuthenticator backend, this issue is related to the Azure-ad-authentication, so I remove the Xamarin related tags.
Gary Coates 1 Reputation point

2022-03-02T10:26:18.593+00:00

Yeah I was aware it Azure side to secure it, why I have xamarin tags is I then want a simple way to authenticate the APP not a user to use the WebAuth API. I will keep looking and trying solutions to resolve this, I am sure its just a lack of knowledge on Azure security.

Share via

How would I secure XE WebAuthenticator so only my app can call it?