Mobile App with Corporate Authentication (Ionic + ASP.NET Web API + OAuth 2.0 tokens + Okta)
Recently we had to build a mobile application, and one of the requirements was to implement corporate authentication for managing user accounts. We think the approach we used could be interesting and helpful in similar scenarios, which is why we would like to share our experience.
The app that we built is simple and allows pulling and displaying some corporate information for authenticated users. Following are some details about the technologies that we used to build the app:
- Ionic – We used the Ionic framework to build the mobile app itself. Ionic is a great framework for building hybrid mobile apps. It is based on AngularJS and provides handy components and tools. Apps built with Ionic are easily distributed to iOS and Android devices.
- ASP.NET Web API – We used ASP.NET Web API 2.2 to build the server part. It pulls the data from the database and sends it to the mobile app in JSON format by implementing a RESTful API. It also handles the authentication part by implementing part of the OAuth 2.0 protocol.
- Okta – Okta is a third-party authentication provider and our client had already been using it for managing their Active Directory accounts.
In short, the mobile app sends the credentials to the API server, which is responsible for validating them by communicating with Okta. Once the credentials are validated, the API server generates a token, which is stored on the mobile device and used for further communication between the mobile app and the API server.
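The login exchange described above, as an added example that is not the article's code: the server checks the credentials with the identity provider, issues a signed, expiring token, and validates that token on every later call. The HMAC token format, the function names, the 15-minute lifetime and the `verifyWithIdp` stub standing in for the Okta call are assumptions.

```javascript
// Added example: token format, names and the IdP stub are assumptions, not the article's code.
const crypto = require('crypto');

const SIGNING_KEY = crypto.randomBytes(32);  // server-side secret, never shipped to the app
const TOKEN_TTL_SECONDS = 15 * 60;           // short lifetime limits the value of a stolen token

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SIGNING_KEY).update(data).digest();

// Stand-in for the API server's call to the identity provider (Okta in the article).
// Constructed sample account; a real server would make an HTTPS request here.
function verifyWithIdp(username, password) {
  return username === 'alice@example.com' && password === 'constructed-sample-password';
}

// Server: handle the login request. The password is checked and discarded, never stored.
function issueToken(username, password, now = Date.now()) {
  if (!verifyWithIdp(username, password)) return null;  // same answer for bad user or bad password
  const exp = Math.floor(now / 1000) + TOKEN_TTL_SECONDS;
  const payload = b64url(JSON.stringify({ sub: username, exp }));
  return `${payload}.${b64url(sign(payload))}`;
}

// Server: validate the bearer token on every later API call.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const expected = sign(parts[0]);
  const given = Buffer.from(parts[1], 'base64url');
  // Constant-time comparison; check lengths first because timingSafeEqual throws on a mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  // The payload is parsed only after its signature has been verified.
  const claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  if (claims.exp <= Math.floor(now / 1000)) return null;  // expired
  return claims;
}

// Client: what the mobile app attaches after login (the token only, never the credentials).
function authHeader(token) {
  return { Authorization: `Bearer ${token}` };
}
```

On the device, only the token is persisted; when it expires or is rejected, the app sends the user back through the login step.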
WIF SSO and Forms Authentication in ASP.NET
One of the projects we are working on is a long-lived ASP.NET Web Forms system that is customized for a specific client. It is hosted by another company on a server that is external to the client’s environment, and it does not have access to the client’s internal network. The system uses the Forms Authentication mechanism to authenticate and authorize users. The list of users and their hashed passwords is stored in the database, and the login functionality works in a classic manner – the credentials provided by the user on the login page are validated against the list of users in the database. If the provided credentials are valid, a new Forms Authentication session is established by calling the standard method FormsAuthentication.SetAuthCookie().
Recently, we had to extend that authentication mechanism by adding a single sign-on (SSO) capability that allows the client to integrate the ASP.NET web application with their internal Active Directory (AD) infrastructure. The requirement was to allow some internal employees to access the ASP.NET web application through SSO, but also to keep the existing database login functionality for the rest of the users, who are external and do not have internal AD accounts.
The ASP.NET web application is hosted on an external server and does not have direct access to the secured AD infrastructure. After doing some research, we found that in order to connect the external ASP.NET web application to the internal AD environment, we can use an intermediary service called a Security Token Service (STS).