by Martin G.

What are the App Service authentication flows?

The authentication flow is the same for all providers, but differs depending on whether you want to sign in with the provider's SDK.

  • Without provider SDK: The application delegates federated sign-in to App Service. This is typically the case with browser apps, which can present the provider's login page to the user. The server code manages the sign-in process, so it's also called server-directed flow or server flow.

  • With provider SDK: The application signs users in to the provider manually and then submits the authentication token to App Service for validation. This is typically the case with browser-less apps, which can't present the provider's sign-in page to the user. The application code manages the sign-in process, so it's also called client-directed flow or client flow. This applies to REST APIs, Azure Functions, JavaScript browser clients, and native mobile apps that sign users in using the provider's SDK.

Step: Sign user in
  • Without provider SDK: Redirects client to /.auth/login/<provider>.
  • With provider SDK: Client code signs user in directly with provider's SDK and receives an authentication token. For information, see the provider's documentation.

Step: Post-authentication
  • Without provider SDK: Provider redirects client to /.auth/login/<provider>/callback.
  • With provider SDK: Client code posts token from provider to /.auth/login/<provider> for validation.

Step: Establish authenticated session
  • Without provider SDK: App Service adds authenticated cookie to response.
  • With provider SDK: App Service returns its own authentication token to client code.

Step: Serve authenticated content
  • Without provider SDK: Client includes authentication cookie in subsequent requests (automatically handled by browser).
  • With provider SDK: Client code presents authentication token in X-ZUMO-AUTH header (automatically handled by Mobile Apps client SDKs).
