Azure AD Configuration for Mobile Apps


Mobile applications must use an approach similar to that of regular web applications, called Authorization Code Flow with Proof Key for Code Exchange (PKCE). The main difference from the classic Authorization Code Flow is that the mobile application doesn't get a client secret; instead, it exchanges a pair of codes to prove the origin of the authentication attempt. A mobile application can't be trusted with a client secret because it's distributed directly to users and is therefore no longer under the developer's control: its sources can be decompiled and analyzed to find secrets like this.

This section provides instructions on how to configure Azure AD for mobile apps so that your mobile users can benefit from delegated authentication as well.

For instructions on how to generate a universal link to simplify the Azure AD login process for your users, see the Generating a Universal Link for WorkflowGen Plus section.


Prerequisites

  • Make sure to have a licensed copy of WorkflowGen installed and running on a server.

  • Make sure to have administrative access to Azure AD to be able to configure it properly.

  • Make sure to have provisioned an existing Azure AD user with which you can authenticate to WorkflowGen so that you can use the application afterwards.

  • Make sure to have successfully configured delegated authentication to Azure AD on your WorkflowGen instance following the instructions in the Azure AD Authentication section.

Azure Active Directory configuration

This configuration is done in three steps. First, you have to register a new native application in Azure AD. Then, you have to give the application the necessary permissions to access the WorkflowGen GraphQL API. Finally, you have to register the correct callback URLs that will redirect within the native application.

Step 1: Register a new native application

  1. In the Azure portal, click App registrations in the Azure Active Directory section.

  2. Click New application registration, and fill in the properties:

    • Name: WorkflowGen Plus

    • Application type: Native

    • Redirect URI: workflowgenplus://auth.authorize/azure-v1

  3. Click Create at the bottom of the page.

You should now see the WorkflowGen Plus registered application's overview page.

Step 2: Grant access to the WorkflowGen GraphQL API

  1. Click Settings.

  2. In the API Access section, click Required permissions, then click Add.

  3. Click Select an API.

  4. Search for the WorkflowGen GraphQL API application that you registered and select it.

  5. Click Select permissions, then check Access WorkflowGen under Delegated Permissions to grant access to the API.

  6. Click Select.

You should now see the WorkflowGen GraphQL API in the list of required permissions alongside Windows Azure Active Directory.

Step 3: Add the necessary redirect URIs

  1. Click Settings, then click Redirect URIs.

  2. Add the workflowgenplus://auth.deauthenticate/azure-v1 URI to the list.

  3. Click Save.

Review the registration

You've now successfully registered the WorkflowGen Plus mobile application in your Azure AD. Take note of the information you'll need later on:

  • The application's client ID, which you can find on the registration's overview page as the Application ID.

  • Your directory's tenant ID, which you can find in the Active Directory section's property sub-section as the Directory ID.

You'll need to give these IDs to the users who'll be using the mobile application. Delegated authentication won't work unless they copy the IDs into the app.
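The PKCE exchange described in the introduction, as an added example (not WorkflowGen's or the mobile app's own code): it generates the pair of codes, builds the authorization request with the redirect URI from Step 1, and shows the check the authorization server performs when the code is redeemed. The Azure AD v1 authorize endpoint and all function names are assumptions; the tenant and client IDs are placeholders for the values noted above.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Redirect URI registered in Step 1 of this page.
REDIRECT_URI = "workflowgenplus://auth.authorize/azure-v1"
# Assumption: Azure AD v1 authorize endpoint; the page does not name the endpoint.
AUTHORIZE_URL = "https://login.microsoftonline.com/{tenant}/oauth2/authorize"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_for(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Return a fresh (code_verifier, code_challenge) for one login attempt."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters from a CSPRNG
    return verifier, challenge_for(verifier)


def authorize_request(tenant_id: str, client_id: str, challenge: str, state: str) -> str:
    """Front-channel request: carries only the challenge, never the verifier."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return AUTHORIZE_URL.format(tenant=tenant_id) + "?" + query


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Check made at code redemption: the verifier must hash to the stored challenge."""
    return hmac.compare_digest(stored_challenge, challenge_for(presented_verifier))


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    # Placeholder IDs; use the Directory ID and Application ID noted above.
    print(authorize_request("<tenant-id>", "<client-id>", challenge, secrets.token_urlsafe(16)))
    print("verifier accepted:", server_accepts(challenge, verifier))
```

The verifier stays in the app's memory until the token request, so an authorization code intercepted through the custom URI scheme cannot be redeemed by another app that never saw it.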