Tags: model-view-controller, owin, openid-connect

Can I change Identity Providers with OWIN and OpenID at run time?


I am using OWIN middleware to configure OpenID Connect authentication. This configuration is called from Startup.cs and points to a B2C IdP.

public void ConfigureAuth(IAppBuilder app)
{
    // Required for Azure webapps, as by default they force TLS 1.2 and this project attempts 1.0
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        // ASP.NET web host compatible cookie manager
        CookieManager = new SystemWebChunkingCookieManager()
    });

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            // Generate the metadata address using the tenant and policy information
            MetadataAddress = String.Format(Globals.WellKnownMetadata, Globals.Tenant, Globals.DefaultPolicy),

            // These are standard OpenID Connect parameters, with values pulled from web.config
            ClientId = Globals.ClientId,
            RedirectUri = Globals.RedirectUri,
            PostLogoutRedirectUri = Globals.RedirectUri,

            // Specify the callbacks for each type of notifications
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = OnRedirectToIdentityProvider,
                AuthorizationCodeReceived = OnAuthorizationCodeReceived,
                AuthenticationFailed = OnAuthenticationFailed,
            },

            // Specify the claim type that specifies the Name property.
            TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                // Note: disabling issuer validation means a token issued by any tenant or policy
                // that the metadata signing keys can verify is accepted. Prefer ValidIssuers
                // listing the exact B2C issuer URLs instead of switching validation off.
                ValidateIssuer = false
            },

            // Specify the scope by appending all of the scopes requested into one string (separated by a blank space)
            Scope = $"openid profile offline_access {Globals.ReadTasksScope} {Globals.WriteTasksScope}",

            // ASP.NET web host compatible cookie manager
            CookieManager = new SystemWebCookieManager()
        }
    );
}

How can I get the middleware to use different configurations, specifically for the OpenIdConnectAuthenticationOptions object, in order to point to a different IdP at runtime?


Solution

  • You can register multiple named OpenIdConnect handlers, like:

    // ASP.NET Core AuthenticationBuilder syntax: each handler gets its own scheme name
    services.AddAuthentication()
        .AddOpenIdConnect("Auth0", options =>
        {
            // Options...
        })
        .AddOpenIdConnect("google", options =>
        {
            // Options...
        })
        .AddOpenIdConnect("facebook", options =>
        {
            // Options...
        });
    

    Then the user can choose how they want to authenticate, using one of:

    // Challenge the chosen scheme. Remote handlers such as OpenIdConnect cannot be used
    // with SignInAsync; SignInAsync would throw, so ChallengeAsync is the call that
    // redirects the user to that provider.
    await HttpContext.ChallengeAsync("Auth0");
    await HttpContext.ChallengeAsync("google");
    await HttpContext.ChallengeAsync("facebook");
        
    

    When you add multiple handlers, you need to make sure the local callback path in the client is different for each handler, like:

    CallbackPath = new PathString("/signin-auth0");
    CallbackPath = new PathString("/signin-google");
    CallbackPath = new PathString("/signin-facebook");
    

    (You set this in each handler's options.)
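The answer above uses the ASP.NET Core `AddOpenIdConnect` builder API, while the question is about OWIN/Katana, where the equivalent is to register one `UseOpenIdConnectAuthentication` middleware per provider, each with its own `AuthenticationType` and `CallbackPath`, and then challenge the chosen type per request. The following is an added example written for this page; it is not code from the question, the answer, or the Katana project. It assumes Katana 4.x (`Microsoft.Owin.Security.OpenIdConnect` with `Microsoft.IdentityModel.Tokens`), MVC 5, and the provider names, metadata URLs, client IDs, callback paths and host name (`B2C`, `Partner`, `contoso`, `app.example`, and so on) are all made-up placeholders.

```csharp
// Added example (not from the question or answer): one OWIN pipeline, two
// OpenID Connect middlewares, selected per request by AuthenticationType.
// Provider names, metadata URLs, client IDs, host and paths are assumptions.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Tokens;            // TokenValidationParameters (Katana 4.x)
using Microsoft.Owin;
using Microsoft.Owin.Host.SystemWeb;             // SystemWebCookieManager
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Allow-listed provider catalogue. In a real app this comes from configuration.
    private static readonly IDictionary<string, (string Metadata, string ClientId, string Callback)> Providers =
        new Dictionary<string, (string Metadata, string ClientId, string Callback)>(StringComparer.OrdinalIgnoreCase)
        {
            ["B2C"]     = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signin/v2.0/.well-known/openid-configuration",
                           "11111111-1111-1111-1111-111111111111", "/signin-b2c"),
            ["Partner"] = ("https://idp.partner.example/.well-known/openid-configuration",
                           "partner-client-id", "/signin-partner"),
        };

    public void ConfigureAuth(IAppBuilder app)
    {
        // One cookie middleware holds the session regardless of which IdP was used.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieManager = new SystemWebCookieManager(),
        });

        foreach (var p in Providers)
        {
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                // A distinct AuthenticationType is what lets a request pick this middleware.
                AuthenticationType = p.Key,
                // Passive: only runs when explicitly challenged, not on every 401,
                // so two middlewares never both try to redirect the same response.
                AuthenticationMode = AuthenticationMode.Passive,
                MetadataAddress = p.Value.Metadata,
                ClientId = p.Value.ClientId,
                // Each middleware owns a different callback path, and RedirectUri
                // must be exactly what is registered at that provider.
                CallbackPath = new PathString(p.Value.Callback),
                RedirectUri = "https://app.example" + p.Value.Callback,
                Scope = "openid profile",
                TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                    // Keep issuer validation on: the expected issuer is read from each
                    // provider's own metadata document, so a token from another tenant
                    // or policy is rejected even if its signature verifies.
                    ValidateIssuer = true,
                },
                CookieManager = new SystemWebCookieManager(),
            });
        }
    }

    // Maps a user-supplied name to an allow-listed AuthenticationType, or null.
    // Never pass the raw query value to Challenge(): an arbitrary string would let a
    // caller probe for, and invoke, any other middleware in the pipeline.
    public static string ResolveProvider(string requested)
        => requested != null && Providers.ContainsKey(requested) ? requested : null;
}

public class AccountController : Controller
{
    // GET /Account/SignIn?provider=B2C  or  ?provider=Partner
    [HttpGet]
    public ActionResult SignIn(string provider, string returnUrl = "/")
    {
        var scheme = Startup.ResolveProvider(provider);
        if (scheme == null)
            return new HttpStatusCodeResult(400, "Unknown identity provider");

        // Only accept local return URLs so the post-login redirect cannot be abused as an open redirect.
        if (!Url.IsLocalUrl(returnUrl)) returnUrl = "/";

        // Challenge exactly one AuthenticationType; the matching middleware redirects to its IdP.
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = returnUrl },
            scheme);
        return new HttpUnauthorizedResult();
    }
}
```

The design point is that "changing IdP at run time" in Katana does not mean mutating `OpenIdConnectAuthenticationOptions` after startup (the options are captured once and shared across requests); it means registering every provider you might need up front and choosing which `AuthenticationType` to challenge per request. If the set of providers genuinely changes while the process runs, the usual approach is a branch per provider via `app.Map` or a restart, not editing a live options object.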