Mobile applications must use an approach similar to that of regular web applications, called Authorization Code Flow with Proof Key for Code Exchange (PKCE). The main difference from the classic Authorization Code Flow is that the mobile application isn't given a client secret; instead, it exchanges a pair of codes to prove that the token request comes from the same app instance that started the authentication attempt. A mobile application can't be trusted with a client secret because it's distributed directly to users, is therefore no longer under the developer's control, and its binaries can be decompiled and analyzed to extract secrets like this.
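The code pair mentioned above is the PKCE code verifier and its SHA-256 code challenge. The following added example (not part of the original WorkflowGen documentation) generates the pair as the mobile app would, builds the Microsoft identity platform v2.0 authorize request with the page's placeholders, and shows the check the authorization server performs at the token endpoint; the redirect URI and the scope derived from the audience are assumptions for illustration only.

```python
import base64
import hashlib
import secrets
import urllib.parse

# PKCE (RFC 7636): the app keeps a random code_verifier in memory and sends
# only its digest (code_challenge) with the authorize request; the verifier
# itself is revealed only when redeeming the authorization code for tokens.


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """43-128 unreserved chars; 32 random bytes give 43 base64url chars."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verifier_matches(challenge: str, verifier: str) -> bool:
    """Token-endpoint check: recompute the challenge from the presented
    verifier and compare in constant time against the stored one."""
    return secrets.compare_digest(make_code_challenge(verifier), challenge)


def build_authorize_url(tenant_id, client_id, redirect_uri, scope, challenge):
    """Authorize request for the v2.0 endpoint, with the S256 challenge."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    base = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"
    return base + "?" + urllib.parse.urlencode(params)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Placeholders stand in for the registration values noted later on this
    # page; the redirect URI and "<audience>/default" scope are hypothetical.
    print(build_authorize_url("<tenant id>", "<client id>",
                              "workflowgenplus://callback",
                              "https://<workflowgen url>/graphql/default",
                              challenge))
    assert verifier_matches(challenge, verifier)
    assert not verifier_matches(challenge, make_code_verifier())
```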
This section provides instructions on how to configure Azure AD for mobile apps so that your mobile users can benefit from delegated authentication to Azure AD as well.
Make sure to have a licensed copy of WorkflowGen installed and running on an IIS web server in HTTPS secure connection mode.
Make sure to have administrative access to Azure AD to be able to configure it properly.
Make sure to have provisioned an existing Azure AD user with which you can authenticate to WorkflowGen so that you can use the application afterwards.
Make sure to have successfully configured delegated authentication to Azure AD with the Microsoft Identity Platform v2.0 provider on your WorkflowGen instance following the instructions in the Azure AD Authentication section, with the WorkflowGen GraphQL API application registered as well.
This configuration is done in three steps. First, you have to register a new native application in Azure AD. Then, you have to give the application the necessary permissions to access the WorkflowGen GraphQL API. Finally, you have to register the correct callback URLs that will redirect within the native application.
In the Azure portal, click App registrations in the Azure Active Directory section.
Click New registration, and fill in the properties:
Supported account types: Accounts in this organizational directory only (Single tenant)
✏️ Note: Depending on your context, choose the supported account type value that fits your use case.
Click Register at the bottom of the page.
You've now successfully registered your WorkflowGen Plus native application in Azure Active Directory.
Click API permissions.
In the Configured permissions section, click Add a permission.
Click My APIs, then select the WorkflowGen GraphQL API application in the list.
Click Delegated permissions and check default under the Permission column.
Click Add permissions.
On the API permissions page, click Grant admin consent for <your tenant name>, then click Yes.
Take note of the information you'll need later on:
A server address: This is your WorkflowGen application URL (e.g.
A client ID: This is the application (client) ID in the Overview section of your application registration.
A tenant ID: This is the directory (tenant) ID in the Overview section of your application registration.
An audience: This is the Application ID URI property (e.g. https://<workflowgen url>/graphql) in the Expose an API section of the WorkflowGen GraphQL API application registration.
You'll need to give the tenant ID, and audience information to the users who will be using the WorkflowGen Plus v2 mobile application. Azure AD delegated authentication won't work unless they copy this information into the mobile app.