I’m looking for feedback on the security setup, which uses .NET MAUI, ASP.NET Core, and MongoDB.
Overview of the Architecture
1. API Authentication:
To authenticate API calls from the MAUI client, I use an API key that is securely stored in Azure Key Vault and accessed by the API as needed.
2. Database Connection:
The connection string for MongoDB is also stored in Azure Key Vault, allowing the API to retrieve it securely, so no sensitive information is stored within the API itself.
3. User Registration and Authentication:
When a new user registers through the MAUI app, a document is created in MongoDB’s user collection, with the password stored as a secure hash.
On login, the API generates a JWT token, saves it in MongoDB, and sends it to the MAUI client, where it’s stored using Secure Storage. Any previously saved token is replaced with the new one in both the database and on the client.
4. Data Ownership and Access Control:
After logging in, users can create and save data, which the API stores with an owner ID field set to the user’s ID.
When data is retrieved, the owner ID is passed to the API to filter results, so users can only access records that match their own ID.
5. Sensitive Data Management:
No sensitive information, such as connection strings, API keys, or password-hashing keys, is stored directly in the API; all are injected securely from Azure Key Vault.
On the MAUI client, the API key is stored in appsettings.
Questions
1. Storing the API Key on MAUI:
Is appsettings on the client side an appropriate place for storing the API key, or is there a more secure alternative?
2. Overall Security:
Do you have any suggestions to enhance the security of this architecture?
Thanks in advance for your input!
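The ownership check in step 4 is the part a reviewer would tighten first: the owner ID used to filter records should come from the validated token, not from a value the client passes. Added example (mine, not the poster's or any library's code), assuming ASP.NET Core implicit usings, JWT bearer authentication and MongoDB.Driver are already set up, with a constructed Workout document:

```csharp
// Added example, not the poster's code: ASP.NET Core minimal-API endpoints that derive the
// owner from the validated bearer token instead of trusting a client-sent owner ID.
// Assumptions (not from the post): JWT bearer auth and MongoDB.Driver are configured, and
// IMongoCollection<Workout> is registered in DI for a "workouts" collection.
using System.Security.Claims;
using MongoDB.Bson;
using MongoDB.Bson.Serialization.Attributes;
using MongoDB.Driver;

public sealed class Workout
{
    [BsonId, BsonRepresentation(BsonType.ObjectId)]
    public string? Id { get; set; }
    public string OwnerId { get; set; } = "";   // assigned by the API, never bound from the client
    public string Name { get; set; } = "";
}

// Client-facing input deliberately has no OwnerId property, so it cannot be mass-assigned.
public sealed record WorkoutInput(string Name);

public static class WorkoutEndpoints
{
    // Identity comes only from the token the JWT middleware already validated.
    private static string? CallerId(ClaimsPrincipal user) =>
        user.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? user.FindFirst("sub")?.Value;

    public static void MapWorkoutEndpoints(this IEndpointRouteBuilder app)
    {
        // Insecure shape from the post: GET /workouts?ownerId=... lets any authenticated caller
        // read another user's records by changing the query value. Hardened shape: the filter
        // value is the caller's own claim, so there is nothing in the request to tamper with.
        app.MapGet("/workouts", async (ClaimsPrincipal user, IMongoCollection<Workout> workouts) =>
        {
            var ownerId = CallerId(user);
            if (ownerId is null) return Results.Unauthorized();
            var mine = await workouts
                .Find(Builders<Workout>.Filter.Eq(w => w.OwnerId, ownerId))
                .ToListAsync();
            return Results.Ok(mine);
        }).RequireAuthorization();

        app.MapPost("/workouts", async (ClaimsPrincipal user, WorkoutInput input,
                                        IMongoCollection<Workout> workouts) =>
        {
            var ownerId = CallerId(user);
            if (ownerId is null) return Results.Unauthorized();
            var doc = new Workout { OwnerId = ownerId, Name = input.Name };
            await workouts.InsertOneAsync(doc);
            return Results.Created($"/workouts/{doc.Id}", doc);
        }).RequireAuthorization();
    }
}
```

The same pattern applies to update and delete: filter on both the document ID and the caller's claim-derived OwnerId, so a request for someone else's record simply matches nothing.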
36 Replies
First of all, thank you for the feedback.
I used MongoDB because my models are not relational. So I thought, since I already use it, I could just create another collection for the users, but probably it's a big mistake. (I already had this in my mind.)
So from the MAUI side, the Registration and Login endpoints shall be accessible without any auth?
The other endpoints to get or create the documents are only available for authenticated users?
As a next step, I need to add Microsoft Entra and Identity Manager to authenticate the users?
The user must login to use the app.
Yes, it is my first app 😅 The app itself is ready; now I am dealing with this security stuff.
(Now I just pass the logged-in user ID from MAUI to the API and return the result.) Now I see it's kind of wrong 😄
Seems this post is about that:
https://medium.com/@ganeshonline6301/secure-your-net-maui-blazor-hybrid-app-with-azure-entra-id-authentication-0b28a127d66a
I think it does not matter if it's hybrid or native.
It is exactly the same, only instead of XAML as in WPF it uses HTML for the frontend.
I have worked with MAUI Hybrid; it is a native app, and inside there is a WebView component.
It's not a native app, it's a WebView.
You do, however, have the ability to use bindings from C# to Blazor, allowing you to communicate from MAUI to your Blazor app.
The downside is of course having the WebView render and intermediate everything, compared to natively writing the UI and having full control over it.
Also, "XAML as WPF" is not really a thing.
WPF has its own flavor of XAML.
MAUI has its own.
WinUI 3 its own, etc.
Technically it is native, only it has a WebView XAML component like any other component (buttons, entries, etc.).
"NET MAUI Blazor Hybrid (native, cross-platform) app, a Blazor Web App, and a Razor class library (RCL) that contains the shared UI (Razor components) used by the native and web apps."
Technically it's not.
But you're free to have your own view of it.
You're running on top of a WebView; you have no control over MAUI besides having to write your own bindings to intermediate access.
You have no control over the actual window other than, likewise, intermediating access.
You also have no control over the file system other than intermediating access.
The misconception in the text "NET MAUI Blazor Hybrid (native, cross-platform) app" is not that it's native in itself; it's just that you're using a native wrapper to display your WebView.
Just to clarify, and if I understand correctly, Microsoft Entra will solve the issue that the API endpoints can be called only by logged-in users?
Haha, no need 😄
That link explains how to do it in MAUI, but looking at the code it should be possible to use bindings to send the response to Blazor, but I am sure there is a Blazor version of Entra you can
I don't think he needs to; there are Blazor specifics for Entra he can use.
Of course he would need to go through it and see which one fits, but it would most likely be one of the ones listed here:
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-microsoft-accounts?view=aspnetcore-8.0
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/additional-scenarios?view=aspnetcore-8.0#build-a-custom-version-of-the-authenticationmsal-javascript-library
I suppose... I do MAUI, never done Blazor for this purpose, but I am fairly sure you would not need to do bindings; if anything you would need to use the WebAuthenticator from MAUI at best: https://learn.microsoft.com/en-us/dotnet/maui/platform-integration/communication/authentication?view=net-maui-8.0&tabs=android
Thanks for the links, but my app is MAUI native, not MAUI Hybrid Blazor.
If it's MAUI without Blazor, sure, that would simplify things.
So I have done the following; luckily I did not need so much modification.
I've added identity management to the system on the api, creating users in an SQL table along with access and refresh tokens that include expiration dates.
Now, all API endpoints—except for Login and Register—require a valid token to access. When an endpoint is called, the system checks the token's validity and expiration. If the token is expired, it regenerates a new one and stores it in SecureStorage. The stored token is then passed in the header for subsequent requests. This setup functions seamlessly, ensuring token validity whenever the app starts and has an internet connection.
If this seems like a solid approach, my main remaining question is about linking MongoDB documents to specific users. Passing the userId directly from the MAUI client to the API endpoint doesn't seem optimal. Instead, when accessing an endpoint like GetAllMyStudents (my documents are way more complex), should the API validate the access token and use it to determine the user's ID, then filter documents in MongoDB based on that user ID?
Ohh super, thanks, I will update to use AddMicrosoftIdentityWebApi.
I used AddIdentity.
Sounds like the best would be to move my database under the Microsoft and Azure ecosystem to have the best.
Now there is an offline database on the phone, and whenever there is internet it syncs in the background to the remote database. (There is already a testing version running.)
My local database is LiteDB; it is document-based, therefore I thought it would be better to use MongoDB.
This is the schema of my document; you can see it has many nested lists, therefore I thought it would be better for NoSQL (not a real user ID 😄)
Hmm, just created a simplified data structure.
So you see, as a relational DB, SQL would be a better fit for this and not document?
The reason I thought document would be a better approach is because one workout can have many exercises and one exercise can have many sets, so if I store the exercises and sets in another table, the sets table will grow exponentially large. So I thought encapsulating all related data in the workout would solve this issue.
Also, that particular exercise/set cannot be part of any other workout.
Thank you so much for helping and clearing it up. I thought I had a working system, but you reflected on what to improve.