
I've been trying to solve this issue for over a week now with no progress whatsoever. I’m having trouble authenticating using Cordova Azure Mobile App plugin and .NET/C# back-end.

I'm following this tutorial on creating a Cordova app for Android/iOS. I added Azure Active Directory as my provider for authentication based on this tutorial. I downloaded the quickstart projects from the Azure Portal for Cordova and .NET/C# back-end.

I deployed the Azure mobile app back-end and updated the Resource Explorer to allow https://localhost:4000 and https://{myazurewebsite}.azurewebsites.net by adding the URLs in allowedExternalRedirectUrls. I also updated CORS to allow those same URLs. I added my Single Sign-On Reply URL to be https://{myazurewebsite}.azurewebsites.net/.auth/login/aad/callback. I ensured that my Cordova app has the InAppBrowser and Azure Mobile Apps plugin installed. I updated the Content-Security-Policy to point to https://login.windows.net and https://{myazurewebsite}.azurewebsites.net. I updated my onDeviceReady() function to be:

function onDeviceReady() {

    // Create a connection reference to our Azure Mobile Apps backend
    client = new WindowsAzure.MobileServiceClient('https://{myazurewebsite}.azurewebsites.net');

    // Login to the service
    client.login('aad')
        .then(function () {

            // BEGINNING OF ORIGINAL CODE

            // Create a table reference
            todoItemTable = client.getTable('todoitem');

            // Refresh the todoItems
            refreshDisplay();

            // Wire up the UI Event Handler for the Add Item
            $('#add-item').submit(addItemHandler);
            $('#refresh').on('click', refreshDisplay);

            // END OF ORIGINAL CODE

        }, handleError);
}

When I execute the Cordova app in Ripple while connected to my work LAN, the app loads into Ripple and then a second window opens asking me for my AAD credentials. I enter my username, tab off, and the redirect starts to happen and I am successfully authenticated and able to interact with the ToDoItems from the tutorial.

When I execute the Cordova app in Ripple while connected to a public network, the app loads into Ripple and then a second window opens asking me for my AAD credentials. I enter my username, tab off, and the redirect starts to happen and I am presented with an additional prompt shown in the image below:


When I execute the Cordova app and send it to an Android or iOS device while connected to a public network, I receive the Cordova WebView (InAppBrowser) which asks for my credentials. I enter my username, press the password text box, and the redirect starts. It then just goes to a blank white page and hangs there.

Am I missing something? Why do I get a second prompt in Ripple when connected to a public network and why does the Cordova WebView show a blank screen after trying to authenticate the user name only?

Azure Mobile App CORS settings: (screenshot)

Azure Mobile App AAD Authentication settings: (screenshot)

Azure Resource Explorer settings: (screenshot)

Azure Active Directory WebApp created by Express setting Active Directory Management Mode: (screenshot). The delegate permission set is the default one: Sign in and read user profile

2 Answers

It looks like the public network is set up on a proxy. You are then proxying a proxy and the backend is not seeing the URL it expects - instead, it is seeing the URL of the proxy.

I suspect this is one of those things that will work fine in a "normal" mobile situation. Run the app on a real device instead when you are on the public network.

Adrian Hall
  • Adrian, thanks for replying. I was hoping you would! Unfortunately your suggestion does not seem to work. I deployed the app to my personal Samsung Galaxy S5 device, disconnected it from WiFi (so I am on 4G LTE) and I get the same behavior. How can I further debug it? Any other suggestions? – Arthur Yegiazaryan Jul 26 '16 at 12:05
  • Given it works internally and not externally, it has to be networking. You have ruled out the application and settings. I'd ask the IT guys if there are any permissions set up that would affect this – Adrian Hall Jul 26 '16 at 16:12
  • Thanks Adrian! I tested it on my personal instance of Azure and everything worked as expected so it's definitely something to do with my company's Azure/Fed setup. Once our IT guys look into it, I'll post the answer here and in MSDN where I posted the question as well. – Arthur Yegiazaryan Jul 27 '16 at 13:29
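An added illustration, not code from the question, the quickstart, or Azure App Service, of the exact-origin check that an allowedExternalRedirectUrls list implies. It runs against constructed URLs: the two origins the question allowlists, a proxy-rewritten callback of the kind the answer above describes, and a look-alike host; the site name and proxy host are placeholders, and the matching rule is a simplification assumed here rather than App Service's own logic.

```javascript
// Added example: a simplified stand-in for the allowedExternalRedirectUrls
// check, showing why a callback that arrives via a proxy URL is refused.
// The allowlist mirrors the question; the site name is a placeholder.
const ALLOWED_EXTERNAL_REDIRECT_URLS = [
  'https://localhost:4000',
  'https://example-mobileapp.azurewebsites.net',
];

// Canonical origin (scheme://host[:port]) of an absolute URL, or null when
// the value does not parse. Parsing first avoids string-prefix mistakes.
function originOf(value) {
  try {
    return new URL(value).origin;
  } catch (err) {
    return null;
  }
}

// A post-login redirect is acceptable only when its whole origin equals one
// of the allowlisted origins. Comparing origins rather than prefixes is what
// rejects 'https://example-mobileapp.azurewebsites.net.lookalike.example'.
function isAllowedRedirect(redirectUrl, allowlist = ALLOWED_EXTERNAL_REDIRECT_URLS) {
  const candidate = originOf(redirectUrl);
  if (candidate === null) return false; // unparsable: refuse
  const allowed = new Set(allowlist.map(originOf).filter((o) => o !== null));
  return allowed.has(candidate);
}

// Constructed sample redirects: the question's own callbacks, a callback
// rewritten by an intercepting proxy (origin is now the proxy), a host that
// merely starts with the allowed name, and a plain-HTTP variant.
const SAMPLE_REDIRECTS = [
  'https://localhost:4000/.auth/login/done',
  'https://example-mobileapp.azurewebsites.net/.auth/login/aad/callback',
  'https://proxy.corp.example/?target=https://example-mobileapp.azurewebsites.net/.auth/login/done',
  'https://example-mobileapp.azurewebsites.net.lookalike.example/.auth/login/done',
  'http://localhost:4000/.auth/login/done',
];

// Evaluate every sample and return the verdicts keyed by URL.
function classifyRedirects(urls = SAMPLE_REDIRECTS) {
  const verdicts = {};
  for (const url of urls) verdicts[url] = isAllowedRedirect(url);
  return verdicts;
}

for (const [url, ok] of Object.entries(classifyRedirects())) {
  console.log(ok ? 'ALLOW ' : 'REJECT', url);
}
```

Only the first two sample URLs are accepted; a backend that sees the proxy's origin instead of its own, as in the answer, lands in the rejected group.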

The problem was that my company was sending Azure AD authentication requests through Azure to our on-premise ADFS servers. The infrastructure group at our company needed to add a WAP (Web Application Proxy) Server in the middle to intercept communication and allow this flow to work.

Once they added the WAP server, it was no longer an issue.