I've set up the Azure Active Directory Auth configuration and signing in through our Azure AD works perfectly.
I've modified the AuthenticationOptions so the External Sign in automatically links the accounts, but it seems like the Azure AD doesn't provide an e-mail address to link.
adOptions.SetExternalSignInAutoLinkOptions(new ExternalSignInAutoLinkOptions(
autoLinkExternalAccount:true));
It gives me the following exception:
The requested provider (https://sts.windows.net/{id}) has not provided an email address, the account cannot be linked.
Is there a way to make this work? It works perfectly without the SetExternalSignInAutoLinkOptions setting.
It turned out the Name claim was also the e-mail address, so I had to intercept the Notifications to pass in the Name claim as the Email claim:
// Requires: using System.Security.Claims; using Microsoft.Owin.Security; using Microsoft.Owin.Security.OpenIdConnect;
adOptions.Notifications = new OpenIdConnectAuthenticationNotifications()
{
    SecurityTokenValidated = async n =>
    {
        var id = n.AuthenticationTicket.Identity;
        var nid = new ClaimsIdentity(
            id.AuthenticationType,
            ClaimTypes.GivenName,
            ClaimTypes.Role);
        // Here I added the Name as E-mail claim
        // (id.Name is whatever claim the identity's NameClaimType points at).
        nid.AddClaim(new Claim(ClaimTypes.Email, id.Name));
        // Copy over the claims that are still needed. FindFirst returns null when
        // a claim is missing and AddClaim(null) throws, so skip absent claims.
        foreach (var type in new[] { ClaimTypes.NameIdentifier, ClaimTypes.GivenName, ClaimTypes.Name })
        {
            var claim = id.FindFirst(type);
            if (claim != null)
            {
                nid.AddClaim(claim);
            }
        }
        n.AuthenticationTicket = new AuthenticationTicket(nid, n.AuthenticationTicket.Properties);
    }
};
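The answer above relies on the Name claim happening to contain an e-mail address, which holds for Azure AD member accounts (the handler maps the token's unique_name/upn into Name) but not in general: guest accounts carry UPNs of the form user_live.com#EXT#@tenant.onmicrosoft.com, and a tenant can issue tokens whose Name is not an address at all. The following is an added example, not code from the question or answer, showing a more defensive version of the same SecurityTokenValidated hook: it keeps every claim from the validated token, picks the e-mail from the claims Azure AD actually issues for that purpose (Email, upn, preferred_username) with Name as the last resort, checks that the value parses as an address, and fails closed instead of linking when none is usable. The class name AzureAdEmailClaim, the Configure entry point and the /Account/Login?error=noemail redirect are assumptions for illustration; the OWIN OpenIdConnect notification types and System.Security.Claims APIs are the real ones.

```csharp
using System;
using System.Linq;
using System.Net.Mail;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;

public static class AzureAdEmailClaim
{
    // Claim types to try, most trustworthy first. The raw JWT names ("email", "upn",
    // "preferred_username") are included in case the handler's inbound claim type map
    // has been cleared; otherwise the handler already maps them to the ClaimTypes.* URIs.
    private static readonly string[] Candidates =
    {
        ClaimTypes.Email, "email",
        ClaimTypes.Upn, "upn",
        "preferred_username",
        ClaimTypes.Name   // last resort: what the original answer relied on
    };

    // Returns the first candidate claim whose value is a usable e-mail address, or null.
    public static Claim FindEmailClaim(ClaimsIdentity id)
    {
        foreach (var type in Candidates)
        {
            var claim = id.FindFirst(type);
            if (claim == null || string.IsNullOrWhiteSpace(claim.Value))
            {
                continue;
            }
            // Guest (B2B) UPNs look like "user_live.com#EXT#@tenant.onmicrosoft.com".
            // MailAddress tolerates '#' in the local part, so reject these explicitly:
            // linking on such a value would create or match the wrong local account.
            if (claim.Value.Contains("#EXT#"))
            {
                continue;
            }
            try
            {
                new MailAddress(claim.Value);
                return claim;
            }
            catch (FormatException)
            {
                // not an address; try the next candidate
            }
        }
        return null;
    }

    // Copies every claim from the validated identity and adds exactly one Email claim,
    // attributed to the issuer of the claim it was derived from.
    public static ClaimsIdentity WithEmailClaim(ClaimsIdentity id, Claim source)
    {
        var nid = new ClaimsIdentity(id.Claims, id.AuthenticationType, id.NameClaimType, id.RoleClaimType);
        foreach (var existing in nid.FindAll(ClaimTypes.Email).ToList())
        {
            nid.RemoveClaim(existing);   // leave a single, deliberately chosen value
        }
        nid.AddClaim(new Claim(ClaimTypes.Email, source.Value, ClaimValueTypes.Email, source.Issuer));
        return nid;
    }

    // Hypothetical entry point: call from Startup.Auth before app.UseOpenIdConnectAuthentication.
    public static void Configure(OpenIdConnectAuthenticationOptions adOptions)
    {
        adOptions.Notifications = new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = n =>
            {
                var id = n.AuthenticationTicket.Identity;
                var emailClaim = FindEmailClaim(id);
                if (emailClaim == null)
                {
                    // Fail closed: without a trustworthy address there is nothing safe to link.
                    // The redirect target is an assumed route for this example.
                    n.HandleResponse();
                    n.Response.Redirect("/Account/Login?error=noemail");
                    return Task.FromResult(0);
                }
                n.AuthenticationTicket = new AuthenticationTicket(
                    WithEmailClaim(id, emailClaim),
                    n.AuthenticationTicket.Properties);
                return Task.FromResult(0);
            }
        };
    }
}
```

Two points worth keeping in mind when adopting this. First, auto-linking by e-mail means whoever controls the issuer controls which local account an external login lands in, so this hook should only be wired to options whose Authority (and, if multiple tenants are accepted, TokenValidationParameters.ValidIssuers) are pinned to your own tenant. Second, the example preserves all original claims rather than rebuilding the identity from a hand-picked list, so role and group claims that other parts of the application authorize on are not silently dropped.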