I have been through this link on Stack Overflow, OpenID Azure access token, and have also gone through multiple examples on GitHub. Let me explain the scenario.
I have an ASP.NET MVC web app with a dedicated login, but the client asked me to blend it with Azure Active Directory. I was able to do so by adding the code below in Startup.cs (where I am not validating the security_token and authorization token at all. Do I need to?):
```csharp
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        string clientId = ConfigurationManager.AppSettings["ida:ClientID"];
        //string appKey = ConfigurationManager.AppSettings["ida:Password"];
        string tenantid = ConfigurationManager.AppSettings["tenantid"];
        //string graphResourceID = "https://graph.windows.net";
        string redirectUrl = ConfigurationManager.AppSettings["redirectUrl"];
        //fixed address for multitenant apps in the public cloud
        string authority = String.Format(System.Globalization.CultureInfo.InvariantCulture,
            ConfigurationManager.AppSettings["Authority"], tenantid);

        // Sign-in results are persisted in a session cookie (HTTPS only)
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            CookieSecure = CookieSecureOption.Always,
        });
        app.UseOpenIdConnectAuthentication(
            new OpenIdConnectAuthenticationOptions
            {
                ClientId = clientId,
                Authority = authority,
                RedirectUri = redirectUrl,
                PostLogoutRedirectUri = redirectUrl,
                Scope = OpenIdConnectScopes.OpenIdProfile,
                ResponseType = OpenIdConnectResponseType.CodeIdToken, // hybrid flow: id_token plus authorization code
                TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
                {
                    ValidateIssuer = false, // issuer check disabled; signature, expiry and audience are still checked by the middleware
                },
                Notifications = new OpenIdConnectAuthenticationNotifications()
                {
                    AuthenticationFailed = (context) =>
                    {
                        context.OwinContext.Response.Redirect("/Home/Error");
                        context.HandleResponse(); // Suppress the exception
                        return Task.FromResult(0);
                    }
                }
            });
    }
}
```
I do use `[Authorize]` in my controller to make sure the request is authenticated and redirects to the proper View.
But my client specifically asked to enable access_token based access. I am trying to use the Graph APIs tutorial for the same.
Am I going with the correct approach here to get an access_token, using the Graph API and adding this kind of code below (reference only)?
```csharp
// Additional members for the Notifications block above (reference only).
// Needs appKey and graphResourceID uncommented, plus:
//   using System.Security.Claims;
//   using System.Web;
//   using Microsoft.IdentityModel.Clients.ActiveDirectory;
AuthorizationCodeReceived = async (context) =>
{
    var code = context.Code;
    ClientCredential credential = new ClientCredential(clientId, appKey);
    string tenantID = context.AuthenticationTicket.Identity
        .FindFirst("http://schemas.microsoft.com/identity/claims/tenantid").Value;
    string signedInUserID = context.AuthenticationTicket.Identity
        .FindFirst(ClaimTypes.NameIdentifier).Value;
    // Redeem the authorization code for an access token; ADAL caches it per signed-in user
    AuthenticationContext authContext = new AuthenticationContext(
        string.Format("https://login.microsoftonline.com/{0}", tenantID),
        new EFADALTokenCache(signedInUserID));
    AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
        code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceID);
    if (result != null)
    {
        Console.WriteLine("access code received"); // placeholder; nothing is done with the token yet
    }
},
SecurityTokenValidated = (context) =>
{
    return Task.FromResult(0);
}
```
Do I need to use any other means to get the access_token (I see a lot of examples using grant_type etc., but that confuses me more)? Does access_token really fit in this scenario at all?
Note: This may sound like a stupid question, but it's high time now, and I must clear this confusion.
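For comparison, here is an added example (not the asker's code and not from the linked sample) of how the two Notifications above can be written so that the id_token's audience is still validated, tenant membership is checked explicitly when a multi-tenant authority is used, and the authorization code is redeemed for a Graph access token that stays in the server-side cache. It assumes the `EFADALTokenCache` class mentioned in the question and an allow-list of tenant IDs supplied by the caller; the `ida:AllowedTenants` setting name used in the comment is made up.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Microsoft.Owin.Security.OpenIdConnect;

public static class AadNotifications
{
    const string TenantClaim = "http://schemas.microsoft.com/identity/claims/tenantid";
    const string GraphResourceId = "https://graph.windows.net";

    // Builds the Notifications for the question's OpenIdConnectAuthenticationOptions. Leave audience
    // validation on (the middleware checks aud == clientId by default). With the /common authority there
    // is no single issuer, so tenant membership is checked here instead of relying on ValidateIssuer.
    // allowedTenants could come from an appSettings key such as "ida:AllowedTenants" (assumed name).
    public static OpenIdConnectAuthenticationNotifications Build(
        string clientId, string appKey, string redirectUrl, string[] allowedTenants)
    {
        return new OpenIdConnectAuthenticationNotifications
        {
            SecurityTokenValidated = context =>
            {
                string tenant = context.AuthenticationTicket.Identity.FindFirst(TenantClaim)?.Value;
                if (tenant == null || !allowedTenants.Contains(tenant, StringComparer.OrdinalIgnoreCase))
                    throw new SecurityTokenValidationException("tenant not allowed"); // routed to AuthenticationFailed
                return Task.FromResult(0);
            },
            AuthorizationCodeReceived = async context =>
            {
                // Redeem the code server-side for a Graph access token. ADAL keeps it in the per-user
                // cache (EFADALTokenCache from the question); it never goes into the cookie or a claim.
                var identity = context.AuthenticationTicket.Identity;
                var authContext = new AuthenticationContext(
                    "https://login.microsoftonline.com/" + identity.FindFirst(TenantClaim).Value,
                    new EFADALTokenCache(identity.FindFirst(ClaimTypes.NameIdentifier).Value));
                await authContext.AcquireTokenByAuthorizationCodeAsync(
                    context.Code, new Uri(redirectUrl), new ClientCredential(clientId, appKey), GraphResourceId);
            },
            AuthenticationFailed = context =>
            {
                context.HandleResponse(); // suppress the exception and show a friendly page instead
                context.Response.Redirect("/Home/Error");
                return Task.FromResult(0);
            }
        };
    }
}
```

Controllers that call the Graph API later fetch the token from the same cache with `AuthenticationContext.AcquireTokenSilentAsync`, so the browser never sees the access_token; only the session cookie travels with requests.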
In OpenID Connect users are authenticated and can SSO via cookie-based authentication. After authentication is completed and the token representing the user is sent to your application, OWIN middleware creates a session cookie. The browser then uses this cookie on subsequent requests so the user doesn't need to retype the password, and no additional verification is needed.
From what you are describing it seems that you are enabling token-based authentication and should be meeting your client's requirements.
Please refer to this repository for additional documentation: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect