How to authorize your users with Azure Mobile Services?

Microsoft’s Azure Mobile Services (AMS) allows application developers to register their app with one or more authentication providers such as Google, Facebook, Twitter, Microsoft and Azure Active Directory. You can configure this using the guide. So, in this post, I’ll explain how to authorize your users with Azure Mobile Services (AMS).

The topic of this post is authorization, i.e. whether the user who has requested a resource on the server is allowed to access it or not. There are the following ways to let the AMS backend know who is making the request:

| Header Field Name | Header Field Value | Description |
| --- | --- | --- |
| X-ZUMO-APPLICATION | [App-key] | The application key of the mobile service. You must specify a valid application key when required to access the table operation. This is the default table operation access permission. |
| X-ZUMO-AUTH | [Auth-token] | The service-generated authentication token for an authenticated user. You must specify a token for an authenticated user when required to access the table operation. |
| X-ZUMO-MASTER | [Master-key] | The service master key. You should only include this key when administrator access is required to access the table operation. |

The application and master keys mentioned in the table above can be found in the Azure portal. First select your mobile service and then click on Manage Keys to view both keys. The auth token mentioned above is self-explanatory: it is issued by the service once the user has logged in through one of the configured providers.

To define the authorization level for server resources, an attribute named AuthorizeLevel is used to decorate a controller or an individual controller action. The values that can be used with it are Anonymous, Application, User and Admin, all defined by the enum AuthorizationLevel. Anonymous means the controller or action is open to everyone. Application means the request will be accepted only from the application, i.e. the X-ZUMO-APPLICATION header in the request is used for authorization. Similarly, the X-ZUMO-AUTH and X-ZUMO-MASTER headers in the request are used for authorization when a controller or action is decorated with User and Admin respectively. An attribute on an action overrides the one on its controller, so a controller can set a strict default and selectively relax it.
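The following is an added example of a custom API controller for an AMS .NET backend, written for this post rather than taken from the original article or from Microsoft’s samples. It assumes the Microsoft.WindowsAzure.Mobile.Service SDK types (AuthorizeLevel, AuthorizationLevel, ServiceUser) and the default convention-based routing of api/Orders; the OrdersController name and the in-memory order list are hypothetical. It shows the controller-level default being tightened or relaxed per action, one action for each header from the table above.

```csharp
using System.Collections.Generic;
using System.Web.Http;
using Microsoft.WindowsAzure.Mobile.Service;
using Microsoft.WindowsAzure.Mobile.Service.Security;

// Hypothetical custom API controller (example code, not the post's own).
// The controller-level attribute is the default for every action below;
// an action-level attribute overrides it for that action only.
[AuthorizeLevel(AuthorizationLevel.Application)] // X-ZUMO-APPLICATION required by default
public class OrdersController : ApiController
{
    // Injected by the AMS runtime; gives access to logging and settings.
    public ApiServices Services { get; set; }

    // Constructed in-memory data so the example runs without a database.
    private static readonly List<string> Orders = new List<string> { "order-1", "order-2" };

    // GET api/Orders
    // Relaxed to Anonymous: callable with no ZUMO header at all.
    [AuthorizeLevel(AuthorizationLevel.Anonymous)]
    public IEnumerable<string> Get()
    {
        return Orders;
    }

    // POST api/Orders
    // Tightened to User: a valid X-ZUMO-AUTH token is required, and the
    // authenticated identity is exposed as a ServiceUser.
    [AuthorizeLevel(AuthorizationLevel.User)]
    public IHttpActionResult Post([FromBody] string order)
    {
        var user = this.User as ServiceUser;
        if (user == null)
        {
            // Defensive check; the attribute already rejects unauthenticated calls.
            return Unauthorized();
        }

        Services.Log.Info("Order created by user " + user.Id);
        Orders.Add(order);
        return Ok(order);
    }

    // PUT api/Orders/{id}
    // No attribute here, so it inherits Application from the controller:
    // the X-ZUMO-APPLICATION key must be present.
    public IHttpActionResult Put(int id, [FromBody] string order)
    {
        if (id < 0 || id >= Orders.Count)
        {
            return NotFound();
        }
        Orders[id] = order;
        return Ok(order);
    }

    // DELETE api/Orders/{id}
    // Admin: only a request carrying the X-ZUMO-MASTER key is accepted.
    [AuthorizeLevel(AuthorizationLevel.Admin)]
    public IHttpActionResult Delete(int id)
    {
        if (id < 0 || id >= Orders.Count)
        {
            return NotFound();
        }
        Orders.RemoveAt(id);
        return Ok();
    }
}
```

Because the master key grants administrator access to every table and API, it should stay on the server side (scripts, scheduled jobs, other backends) and never be shipped inside a client app; a client that needs to mutate data on behalf of a person should use the User level and the per-user X-ZUMO-AUTH token instead.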

Hope this small post will help someone, as even I was not able to find this out using the official documentation.


Siddharth Pandey

Siddharth Pandey is a Software Engineer with thorough hands-on commercial experience and exposure to building enterprise applications using Agile methodologies. Siddharth specializes in building and managing on-premise and cloud-based real-time standard and single-page web applications (SPAs). He has successfully delivered applications in the health-care, finance, insurance and e-commerce sectors for major brands in the UK. Other than programming, he also has experience of managing teams and training, and actively contributes to the IT community by sharing his knowledge on Stack Overflow, his personal website and video tutorials.
