Today we’re pleased to introduce a new method of client authentication with Azure Active Directory for our community of .NET developers using the Realm Mobile Platform. Now organizations can create reactive apps that work with Microsoft App Service Authentication / Authorization for simplified sign on and identity management.
Setting up Azure Active Directory
Each Azure account has a default AD instance pre-created. For the purposes of this post, we’ll use that one, but you can easily create a separate one by following a tutorial similar to this one.
Once you have the directory set up, create a new user by clicking Add a User in the Quick tasks pane:
Setting up the Application
To authenticate on the device, we’ll need to set up an Application. Go to App registrations and press Add:
Specify Name, and set Application Type to Native. The Redirect URI will be used by the client library to identify when the login flow has completed, so it has to be a valid URL, but it doesn’t need to be a physical endpoint (as we’ll never load it).
Once the application is created, take a note of its Application Id, as we’ll need it later.
Authenticating on the client
For the client authentication, we’ll use the Active Directory Authentication Library (ADAL) package. It makes obtaining an access token fairly straightforward:
// Call Login() based on your business logic (e.g. when a user presses a button)
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Realms.Sync;

const string ApplicationId = "application-id-from-portal";
const string CommonAuthority = "https://login.windows.net/common";
const string RedirectUri = "redirect-uri-from-portal";

public async Task<User> Login()
{
    var authContext = new AuthenticationContext(CommonAuthority);
    // AcquireTokenAsync takes the redirect URI as a Uri, not a string
    var response = await authContext.AcquireTokenAsync("https://graph.windows.net",
                                                       ApplicationId,
                                                       new Uri(RedirectUri),
                                                       new PlatformParameters(this));
    // We'll use response.AccessToken later
    return null;
}
The last argument of authContext.AcquireTokenAsync is a platform-specific implementation of IPlatformParameters, so if you’re using a shared project to perform the authentication, you could either obtain it via dependency injection, or add an #if PLATFORM directive. Once Login is called, the user will be presented with a webview where they can enter their credentials:
After successful authentication, the response object will contain some basic user information as well as an access token that we’ll use to authenticate against the Realm Object Server.
Integrating with Realm
To authenticate against Realm Object Server, we’ll first need to enable the Azure Active Directory provider. Open up configuration.yml, uncomment the azuread section and fill in the Directory Id, which can be found in the Properties section of the directory:
# This enables authentication via an Azure Active Directory access token for a specific app.
azuread:
  # The Directory Id as retrieved from the Active Directory properties in the Azure portal.
  tenant_id: 'active-directory-id'
Now head back to the client application’s Login method to wrap it up:
const string ROSUrl = "http://127.0.0.1"; // Or the address where ROS is hosted

public async Task<User> Login()
{
    // same as above
    var authContext = new AuthenticationContext(CommonAuthority);
    var response = await authContext.AcquireTokenAsync("https://graph.windows.net",
                                                       ApplicationId,
                                                       new Uri(RedirectUri),
                                                       new PlatformParameters(this));

    // Exchange the Azure AD access token for a Realm Object Server session
    var credentials = Credentials.AzureAD(response.AccessToken);
    var user = await User.LoginAsync(credentials, new Uri(ROSUrl)); // LoginAsync takes a Uri
    return user;
}
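The following is an added example, not code from the original post or from Realm, that puts the two halves of the procedure (the ADAL token acquisition described under “Authenticating on the client”, including the #if PLATFORM approach to IPlatformParameters, and the Realm login above) into one shared-project class. It goes beyond the post in two ways: it tries a silent token acquisition from ADAL’s cache before showing the login webview, and it checks that the returned token was issued by the directory whose Id you entered as tenant_id in configuration.yml before handing it to Realm. The class and method names, the TenantId constant and the GetPlatformParameters helper are assumptions; the Application Id, Redirect URI, Directory Id and ROS address are placeholders to be replaced with your own values.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL
using Realms.Sync;

// Hypothetical helper class for a Xamarin shared project (not part of the Realm SDK).
public static class AzureAdRealmLogin
{
    // Placeholder values: copy the real ones from the Azure portal and your ROS deployment.
    const string ApplicationId = "application-id-from-portal";
    const string TenantId      = "active-directory-id";   // same value as tenant_id in configuration.yml
    const string RedirectUri   = "redirect-uri-from-portal";
    const string ROSUrl        = "http://127.0.0.1";

    // Tenant-specific authority instead of /common: only accounts from this directory can sign in,
    // which matches the directory ROS is configured to trust.
    const string Authority = "https://login.windows.net/" + TenantId;
    const string Resource  = "https://graph.windows.net";

    // One context for the app lifetime so ADAL's in-memory token cache is reused between calls.
    static readonly AuthenticationContext AuthContext = new AuthenticationContext(Authority);

    // The "#if PLATFORM" approach from the post: build IPlatformParameters from the host object
    // the UI layer hands us (an Activity on Android, a UIViewController on iOS).
    public static IPlatformParameters GetPlatformParameters(object host)
    {
#if __ANDROID__
        return new PlatformParameters((Android.App.Activity)host);
#elif __IOS__
        return new PlatformParameters((UIKit.UIViewController)host);
#else
        return new PlatformParameters(PromptBehavior.Auto);
#endif
    }

    public static async Task<User> LoginAsync(object host)
    {
        AuthenticationResult result;
        try
        {
            // Silent first: reuses a cached access/refresh token without showing the webview.
            result = await AuthContext.AcquireTokenSilentAsync(Resource, ApplicationId);
        }
        catch (AdalSilentTokenAcquisitionException)
        {
            // Nothing usable in the cache: fall back to the interactive login webview.
            result = await AuthContext.AcquireTokenAsync(Resource,
                                                         ApplicationId,
                                                         new Uri(RedirectUri),
                                                         GetPlatformParameters(host));
        }

        // Defensive check on the client: refuse a token from any directory other than the one
        // ROS trusts, so a misconfigured authority fails here rather than at the server.
        if (!string.Equals(result.TenantId, TenantId, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Access token was issued by tenant '{result.TenantId}', expected '{TenantId}'.");
        }

        // Exchange the Azure AD access token for a Realm Object Server session.
        var credentials = Credentials.AzureAD(result.AccessToken);
        return await User.LoginAsync(credentials, new Uri(ROSUrl));
    }
}
```

Call it from the UI layer as `await AzureAdRealmLogin.LoginAsync(this)` from an Activity or UIViewController. The silent path means a returning user is not prompted again while ADAL still holds a valid refresh token; an AdalException from the interactive call (for example the user cancelling the webview) is left to propagate so the calling code can decide how to present it.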
What’s next at Realm
We’re excited to expand our support for the Microsoft ecosystem and our announcement today is one small step on that journey. This year, we’ve announced Realm Xamarin 1.0, Windows Desktop support, and easy ways to get your Realm Object Server (part of the Realm Mobile Platform) up and running on Azure. Stay tuned for more coming in 2017!