Requiring Authentication on the Azure Mobile Service

In the previous post I configured a Azure Active Directory and the Mobile Service with the appropriate application definitions. This in itself isn’t enough – you can prove this by making a request using Fiddler to the existing controllers eg  GET https://realestateinspector.azure-mobile.net/tables/realestateproperty (don’t forget you’ll need to specify the X-ZUMO-APPLICATION header). Mobile Services already require the use of the X-ZUMO-APPLICATION key to be specified on requests, but what we want to do is enforce a user-level authentication.Luckily it’s as simple as adding the AuthorizationLevel attribute to the controllers with the level set to AuthorizationLevel.User. In the following code I’ve applied the attribute to the base controller I created earlier.

public class RealEstatePropertyController : RealEstateBaseTableController<RealEstateProperty> { }

public class InspectionController : RealEstateBaseTableController<Inspection> { }

[AuthorizeLevel(AuthorizationLevel.User)]
public class RealEstateBaseTableController<TEntity> : TableController<TEntity>
    where TEntity : class, ITableData
{

When I publish this update and attempt to run the same Fiddler request I get a 401 unauthorized exception:

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 61
Content-Type: application/json; charset=utf-8
Expires: 0
Server: Microsoft-IIS/8.0
WWW-Authenticate: Basic realm=”Service”
X-Powered-By: ASP.NET
Set-Cookie: ARRAffinity=0289d9a2e779a2431db31b4a154e84828a77f89dbbe1fe391d5fe9794f54f970;Path=/;Domain=realestateinspector.azure-mobile.net
Date: Wed, 14 Jan 2015 11:14:21 GMT

{“message”:”Authorization has been denied for this request.”}

Leave a comment