:::: MENU ::::

Azure AD as a Identity Provider in ASP.NET Core application

In this post, I will guide you on how to add Azure AD as a identity provider in your ASP.NET Core application. We will use OpenId Connect middleware to sign in users from a Azure Active Directory tenant.

Requirements before getting started:

  • An Azure Subscription
  • An Azure AD with a user
  • Basic knowledge of OpenId Connect and OAuth2

If you don’t know basic of OpenId Connect and OAuth2 yet, I strongly suggest you to read at least once to know how these things are working together. OpenId Connect Spec and OAuth2 Spec.

Let’s get started.

Create AspNet core MVC application without any authentication. Grab your application endpoint i.e. http://localhost:21475/ (in my case) you will need it later.

Now create an application in Azure AD. This Application will be gateway to our client application to authenticate user against your Azure AD. Go to Azure portal (I prefer new portal for this, easy and fast than old portal) and search for Azure Active Directory and click it. Navigate to App registrations tab and click add button (on top).

Here we need to add some basic information of our application. Add friendly name and sign in URL of our application. Sign in URL will be use by Azure AD to redirect user with user information and tokens once they are authenticated. You can change it anytime.

Here is an overview of an application you just created.

 

Now let’s add logout URL and get Application Id and Tenant name which will be use by our Web/Client application to talk with Azure AD.

Click properties tab and add logout URL. http://localhost:21475/Account/EndSession  is logout URL of my application in this sample. Which will be use by Azure AD when it needs to logout user from my application. Copy that Application ID and Tenant name some where. We will need it in a bit. For Tenant name, it has a format [tenant_name].onmicrosoft.com. You can check App ID URL, its hostname is your tenant name (easy way to get name).

Here we are only authenticating user so we don’t need to take care of permission of APIs for that user so let’s skip API access part for now. (May be I will write about those permissions in future). Now we are done with azure part, back to visual studio.

First let’s add required credentials/configuration in appsettings.json file. Add ClientId (Application ID) and Tenant name which you got from Azure and post logout redirect URL too, this URL will be use by AD to redirect user once logged out from Azure AD.

Now add authentication services and OpenId connect middleware in startup.cs file. Before that we need to add OpenId Connect middleware from Nuget in project.json file.

Adding authentication service:

Adding OpenId Connect middleware:

OnAuthenticationFailed method implementation,

We are initializing OpenId Connect middleware by passing authentication server details like our Application Id, URL of Azure AD tenant where application is registered. I am setting response type to “id_token” but you can use any other response type based on the authorization flow you use.

One last thing before testing our application. Create “Claims” action in a controller and decorate it by authorize attribute which returns claims of logged user. Now when you navigate to claim tab, application will send sign-in request to Azure AD and once you successfully authenticate, oidc middleware will takes care of downloading Azure AD metadata, finding the signing keys, finding the issuer name of tenant, validating signature and issuer in an incoming JWT, extracting the user’s claims, and putting them on ClaimsPrincipal.Current, Integrating with the session cookie ASP.Net Core middleware to establish a session for the user. Or you can achieve same result by manually initiating sign in request using this method (implementation available in sample).

Claims action:

Let’s test our application. I clicked claims tab then my request was redirected to Azure for authentication, after successful authentication again redirected back to our application with account details, Here is a result:

Handling sign out process. (Implementation available in sample)

Tips: If Azure AD sends a single sign-out message to the app, end the user’s session, but don’t redirect to AD for sign out. This is where logout URL we added in application will be used.

This is how you can add Azure AD as identity provider in your ASP.NET Core application.

Code sample is available in GitHub.

Happy coding. 🙂