- For JS backend, create a table (TodoItem) and set the READ permission to "Authenticated User only".
- For .NET backend, set AuthorizationLevel.User in TodoItemController and publish the service:

    // GET tables/TodoItem
    [AuthorizeLevel(AuthorizationLevel.User)]
    public IQueryable<TodoItem> GetAllTodoItems()
    {
        return Query();
    }

- Generate JWTs for both backends using corresponding master keys | details
- Hit the table with CURL or Fiddler:

JS backend returns HTTP 200:
curl https://auth0-tests.azure-mobile.net/tables/TodoItem -H "x-zumo-auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6MH0.eyJleHAiOjE0MTkwMTczMDkuOTUyLCJpc3MiOiJ1cm46bWljcm9zb2Z0OndpbmRvd3MtYXp1cmU6enVtbyIsInZlciI6MiwiYXVkIjoiS0NVb1B5QmdnZ1ZkS1dEeWFJVUF6anBZWVlxdlFWNjEiLCJ1aWQiOiJhdXRoMHw1NDQxNTk1OTQ4NTc2OWVmYWYyNjg1NDgifQ.OvqSBhcOldxcCDna1-Vp4-1_o4ar7h0oYyfmtaDkaxU"
.NET backend returns HTTP 401 - {"message":"Authorization has been denied for this request."}:
curl https://auth0-wams.azure-mobile.net/tables/TodoItem -H "x-zumo-auth: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6MH0.eyJleHAiOjE0MTkwMTg3ODIuODY5LCJpc3MiOiJ1cm46bWljcm9zb2Z0OndpbmRvd3MtYXp1cmU6enVtbyIsInZlciI6MiwiYXVkIjoiZmd4UWF3ZHdsQ1l1SEVkakNPVFJzRHd3cGVESGJDODgiLCJ1aWQiOiJhdXRoMHw1NDQxNTk1OTQ4NTc2OWVmYWYyNjg1NDgifQ.OADa-bDfVHBS82RGj6hv7QgWDmKTHanQvtlJY-Z1Qj0"
From Azure Portal logs:
- Message: Authentication failed due to an invalid token.
- Source: Microsoft.WindowsAzure.Mobile.Service.Security.ServiceAuthenticationMiddleware
Fixed!

Using reflector tool, I found the following in Microsoft.WindowsAzure.Mobile.Service.Security.ServiceTokenHandler class: aud and iss claims must be set to "urn:microsoft:windows-azure:zumo" for .NET Backends. aud and iss, so you can put any value on them. "urn:microsoft:windows-azure:zumo" only for the iss claim, so I think it could be a breaking change in the WindowsAzure.MobileServices.Backend nuget package.
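
A diagnostic for the mismatch described above, as an added example (not code from the post or from the Mobile Services SDK): it mints HS256 tokens with the same claim names the posted tokens carry and lists which claims a validator that requires the URN in both aud and iss would reject. The key, uid and aud values are constructed, and signing with the raw key bytes is a simplifying assumption about how the master key is used.

```python
import base64, hashlib, hmac, json

ZUMO_URN = "urn:microsoft:windows-azure:zumo"  # value quoted in the post

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mint(claims: dict, key: bytes) -> str:
    """Sign claims as an HS256 JWT using the header shape of the post's tokens."""
    header = {"alg": "HS256", "typ": "JWT", "kid": 0}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def diagnose(token: str, key: bytes, now: float) -> list:
    """Reasons a strict validator would reject the token; empty list means accept."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError:
        return ["malformed token"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["malformed token"]
    if header.get("alg") != "HS256":  # pin the algorithm, never take it from the token
        return ["unexpected alg"]
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return ["bad signature"]  # claim values are not acted on until the MAC verifies
    problems = [f"{c} is not {ZUMO_URN}" for c in ("aud", "iss") if claims.get(c) != ZUMO_URN]
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("expired or missing exp")
    return problems

# Constructed sample data: the key, uid and aud values are made up for this example.
KEY = b"constructed-master-key"
NOW = 1_700_000_000.0
BASE = {"exp": NOW + 3600, "iss": ZUMO_URN, "ver": 2, "uid": "auth0|constructed-user"}
as_posted = mint({**BASE, "aud": "constructed-app-identifier"}, KEY)  # aud is not the URN
corrected = mint({**BASE, "aud": ZUMO_URN}, KEY)  # both claims carry the URN

if __name__ == "__main__":
    for name, tok in (("as_posted", as_posted), ("corrected", corrected)):
        print(name, diagnose(tok, KEY, NOW) or "accepted")
```

Running the same claim check against a real token's decoded payload before sending it shows whether a 401 comes from the claims or from the signing key.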