Skip to content

Latest commit

 

History

History
194 lines (120 loc) · 10.1 KB

configure-authentication-sample-android-app.md

File metadata and controls

194 lines (120 loc) · 10.1 KB
title description services author manager ms.service ms.workload ms.topic ms.date ms.author ms.subservice ms.custom
Configure authentication in a sample Android application by using Azure Active Directory B2C
This article discusses how to use Azure Active Directory B2C to sign in and sign up users in an Android application.
active-directory-b2c
msmimart
celestedg
active-directory
identity
reference
07/05/2021
mimart
B2C
b2c-support

Configure authentication in a sample Android app by using Azure AD B2C

This article uses a sample Android application (Kotlin and Java) to illustrate how to add Azure Active Directory B2C (Azure AD B2C) authentication to your mobile apps.

Overview

OpenID Connect (OIDC) is an authentication protocol that's built on OAuth 2.0. You can use OIDC to securely sign users in to an application. This mobile app sample uses the Microsoft Authentication Library (MSAL with OIDC authorization code PKCE flow. The MSAL is a Microsoft-provided library that simplifies adding authentication and authorization support to mobile apps.

The sign-in flow involves the following steps:

  1. Users open the app and select sign-in.
  2. The app opens the mobile device's system browser and starts an authentication request to Azure AD B2C.
  3. Users sign up or sign in, reset the password, or sign in with a social account.
  4. After users sign in successfully, Azure AD B2C returns an authorization code to the app.
  5. The app takes the following actions:
    1. It exchanges the authorization code to an ID token, access token, and refresh token.
    2. It reads the ID token claims.
    3. It stores the tokens in an in-memory cache for later use.

App registration overview

To enable your app to sign in with Azure AD B2C and call a web API, register two applications in the Azure AD B2C directory.

  • The mobile application registration enables your app to sign in with Azure AD B2C. During app registration, specify the redirect URI. The redirect URI is the endpoint to which users are redirected by Azure AD B2C after they've authenticated with Azure AD B2C. The app registration process generates an Application ID, also known as the client ID, which uniquely identifies your mobile app (for example, App ID: 1).

  • The web API registration enables your app to call a protected web API. The registration exposes the web API permissions (scopes). The app registration process generates an Application ID, which uniquely identifies your web API (for example, App ID: 2). Grant your mobile app (App ID: 1) permissions to the web API scopes (App ID: 2).

The apps registration and application architecture are illustrated in the following diagrams:

Diagram of the mobile app with web API call registrations and tokens.

Call to a web API

[!INCLUDE active-directory-b2c-app-integration-call-api]

The sign-out flow

[!INCLUDE active-directory-b2c-app-integration-sign-out-flow]

Prerequisites

A computer that's running:

Step 1: Configure your user flow

[!INCLUDE active-directory-b2c-app-integration-add-user-flow]

Step 2: Register mobile applications

Create the mobile app and web API application registration, and specify the scopes of your web API.

Step 2.1: Register the web API app

[!INCLUDE active-directory-b2c-app-integration-register-api]

Step 2.2: Configure web API app scopes

[!INCLUDE active-directory-b2c-app-integration-api-scopes]

Step 2.3: Register the mobile app

To create the mobile app registration, do the following:

  1. Sign in to the Azure portal.

  2. Select App registrations, and then select New registration.

  3. Under Name, enter a name for the application (for example, android-app1).

  4. Under Supported account types, select Accounts in any identity provider or organizational directory (for authenticating users with user flows).

  5. Under Redirect URI, select Public client/native (mobile & desktop) and then, in the URL box, enter one of the following URIs:

    • For the Kotlin sample: msauth://com.azuresamples.msalandroidkotlinapp/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D
    • For the Java sample: msauth://com.azuresamples.msalandroidapp/1wIqXSqBj7w%2Bh11ZifsnqwgyKrY%3D

  6. Select Register.

  7. After the app registration is completed, select Overview.

  8. Record the Application (client) ID for later use, when you configure the mobile application.

    Screenshot highlighting the Android application ID

Step 2.4: Grant the mobile app permissions for the web API

[!INCLUDE active-directory-b2c-app-integration-grant-permissions]

Step 3: Get the Android mobile app sample

Do either of the following:

  • Download either of these samples:

    Extract the sample .zip file to your working folder.

  • Clone the sample Android mobile application from GitHub.

    Kotlin

    git clone https://github.com/Azure-Samples/ms-identity-android-kotlin

    Java

    git clone https://github.com/Azure-Samples/ms-identity-android-java

Step 4: Configure the sample web API

This sample acquires an access token with the relevant scopes that the mobile app can use for a web API. To call a web API from code, do the following:

  1. Use an existing web API, or create a new one. For more information, see Enable authentication in your own web API by using Azure AD B2C.
  2. Change the sample code to call a web API.

Step 5: Configure the sample mobile app

Open the sample project with Android Studio or another code editor, and then open the /app/src/main/res/raw/auth_config_b2c.json file.

The auth_config_b2c.json configuration file contains information about your Azure AD B2C identity provider. The mobile app uses this information to establish a trust relationship with Azure AD B2C, sign users in and out, acquire tokens, and validate them.

Update the following app settings properties:

Key Value
client_id The mobile application ID from step 2.3.
redirect_uri The mobile application redirect URI from step 2.3.
authorities The authority is a URL that indicates a directory that the MSAL can request tokens from. Use the following format: https://<your-tenant-name>.b2clogin.com/<your-tenant-name>.onmicrosoft.com/<your-sign-in-sign-up-policy>. Replace <your-tenant-name> with your Azure AD B2C tenant name. Then, replace <your-sign-in-sign-up-policy> with the user flows or custom policy that you created in step 1.

Open the B2CConfiguration class, and update the following class members:

Key Value
Policies The list of user flows or custom policies that you created in step 1.
azureAdB2CHostName The first part of your Azure AD B2C tenant name (for example, https://contoso.b2clogin.com).
tenantName Your Azure AD B2C tenant full tenant name (for example, contoso.onmicrosoft.com).
scopes The web API scopes that you created in step 2.4.

Step 6: Run and test the mobile app

  1. Build and run the project.

  2. At the top left, select the hamburger icon (also called the collapsed menu icon), as shown here:

    Screenshot highlighting the hamburger, or collapsed menu, icon.

  3. On the left pane, select B2C Mode.

    Screenshot highlighting the "B2C Mode" command on the left pane.

  4. Select Run User Flow.

    Screenshot highlighting the "Run User Flow" button.

  5. Sign up or sign in with your Azure AD B2C local or social account.

  6. After successful authentication, you'll see your display name on the B2C mode pane.

    Screenshot showing a successful authentication, with signed-in user and policy displayed.

Next steps

Learn how to: