Configure IdentityServer for Xamarin Forms

Authentication in Xamarin Forms with IdentityServer

In this new post, I explain how to configure IdentityServer for Xamarin Forms to integrate Web Authenticator using Xamarin Essentials.

First, I wrote a post about how to implement the authentication in Xamarin Forms with IdentityServer. So, my focus was only on the Xamarin side. Here I want to explain what the IdentityServer configuration is in order to succeed in the login.

Create a new client

Have you ever wondered how hard it would be to set up a minimal viable authentication server that uses industry standards and usable from your mobile Xamarin application? Well, I have, and I believe in having found a solution that can be a great starting point and will allow you to expand the answer should you ever need to do so.

One common industry standard is OpenID / OAuth2, which provides a standardized authentication mechanism that allows user identification securely and reliably. You can think of the identity service as a web server that identifies a user and provides the client (website/mobile app, etc.) to authenticate itself with another application server that said client uses.

The recommended flow for a mobile app - Configure IdentityServer for Xamarin Forms
The recommended flow for a mobile app

While the OAuth standard is open to anyone with a computer and an internet connection, I generally do not recommend writing your own implementation. My go-to solution for setting up an identity provider is the IdentityServer.

IdentityServer4 is built based on the OAuth spec. It is built on the trusted ASP.NET Core but requires quite some know-how to get the configurations and other settings ready for use. Luckily, there is a quickstart template that you can install via the dotnet command line and then make your server. You can find the repository here on GitHub. After following the install instructions, we can create a server with the following command:

dotnet new sts -n XamarinIdentity.Auth

The solution is pretty much ready to go but let’s look at the configuration of the IdentityServer in Config.cs and make some adjustments in the GetClients method.

Add a client

Based on the template, let’s make some changes that leave us with the following final configuration:

public static IEnumerable<Client> GetClients(IConfigurationSection stsConfig)
{
    return new List<Client>
    {
        // mobile client
        new Client
        {
            ClientName = "mobileclient-name-shown-in-logs",
            ClientId = "the-mobileclient-id-of-your-choice",
            AllowedGrantTypes = GrantTypes.Code,
            AllowOfflineAccess = true, // allow refresh tokens
            RequireClientSecret = false,
            RedirectUris = new List<string>
            {
                "oidcxamarin101:/authorized"
            },
            PostLogoutRedirectUris = new List<string>
            {
                "oidcxamarin101:/unauthorized",
            },
            AllowedScopes = new List<string>
            {
                "openid",
                "role",
                "profile",
                "email"
            }
        }
    };
}

Generally, you can set the ClientNameClientIdRedirectUris and PostLogoutRedirectUris to values of your choosing. The scopes represent the defaults. Further note that by setting AllowOfflineAccess to true, the user can request refresh tokens which means that as long as the refresh token is valid, the user will not have to log in but can use said refresh token to request a new access token. In mobile apps, this is generally the prefered behaviour since users usually have their personal device and therefore expect the app to “store” their login.

As you can see, The RedirectUris and PostLogoutRedirectUris are using a custom URL oidcxamarin101:/ that identifies my app.

IdentityServer Admin

So, very often we have to create the front-end to manage users, integrate the authentication with external services suck as Facebook and Twitter, make API calls secure. IdentityServer offers a nice UI for administration but it is quite expensive. Now, I found a very nice work on GitHub: Skoruba.IdentityServer4.Admin.

This is cool! The application is written in ASP.NET Core MVC using .NET5.

Skoruba IdentityServer4 Admin UI - Configure IdentityServer for Xamarin Forms
Skoruba IdentityServer4 Admin UI

Add a new client

So, adding a new client with this UI is quite easy. In the IdentityServer Admin website, create a new Client. Then, the important configuration are:

  • Under Basic
    • Add this RedirectUris : oidcxamarin101:/authenticated
    • Allowed Grant Types: authorization_code
  • Under Authenticaton/Logout
    • Add Post Logout Redirect Uris: oidcxamarin101:/signout-callback-oidc
Basic configuration
Basic configuration
Authentication/Logout configuration
Authentication/Logout configuration

I hope this is useful! Do you know Microsoft is releasing .NET MAUI that will replace Xamarin? Here how to test it with Visual Studio 2022.

If you have any questions, please use the Forum. Happy coding!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.