I'm starting to look at Microsoft Azure, with a view to deploying future web apps there. Most of the apps will have some concept of "user identity", so one of the wins of using the cloud would be to delegate authentication.
First step was to create Visual Studio's out-of-the-box MVC application (no authentication) and deploy it, which was surprisingly straightforward. Next step was to layer authentication onto this app. I did this purely via the Azure portal, without changing any code. For now just using Azure AD. Again, fine. Third step was to write another test rig. I used a Windows Authentication, ASP.NET Core MVC Web App, and in the controller added the code:
string User = HttpContext.User.Identity.Name;
if (String.IsNullOrEmpty(User)) User = "<unknown>";
ViewBag.UserName = User;
return View();
In the view, added some noddy razor to display the name. Tested locally, fine. Uploaded to Azure, nothing. Neither as an unauthenticated app (as far as the Azure portal goes) nor as an Azure AD-authenticated app.
Digging deeper, I found the NuGet packages Microsoft.Identity and Azure.Identity, which look promising but, right now, are just confusing. I started this just 2 days ago.
Any pointers?
I'm looking for a C# ASP.NET Core web app to be deployed to Azure, and for that app to display some kind of recognition that it knows who the end user is. So, basically, some C# code to place in the controller to replace my non-working code.
From what you wrote, I understand this:
You should take a look at "Work with user identities in Azure App Service authentication".
Access user claims in app code
For all language frameworks, App Service makes the claims in the incoming token (whether from an authenticated end user or a client application) available to your code by injecting them into the request headers. External requests aren't allowed to set these headers, so they are present only if set by App Service. Some example headers include:
X-MS-CLIENT-PRINCIPAL-NAME
X-MS-CLIENT-PRINCIPAL-ID
Code that is written in any language or framework can get the information that it needs from these headers.
Specifically for ASP.NET Core, you can indeed use Microsoft.Identity.Web, as outlined here.
From version 1.2.0, the same code for your web app written with Microsoft.Identity.Web will work seamlessly with or without EasyAuth. Your web app can sign-in users and possibly call web APIs or Microsoft Graph. Indeed, Microsoft.Identity.Web now detects that the app is hosted in App Services, and uses that authentication.
There is also a full example blog post, and I think the key parts for you are:
<PackageReference Include="Microsoft.Identity.Web" Version="1.4.1" />
In Startup.cs:
public void ConfigureServices(IServiceCollection services) {
    //...
    services.AddMicrosoftIdentityWebAppAuthentication(Configuration);
    //...
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env) {
    //...
    app.UseAuthentication();
    app.UseAuthorization();
    //...
}
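
An added example, not code from the answer or from Microsoft's documentation: a controller that replaces the question's snippet, preferring the principal set by the authentication middleware and falling back to the X-MS-CLIENT-PRINCIPAL-NAME header only when App Service authentication sits in front of the app. The ResolveUserName helper and the WEBSITE_AUTH_ENABLED environment check are assumptions of this example.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    // Header named in the App Service documentation quoted above.
    private const string NameHeader = "X-MS-CLIENT-PRINCIPAL-NAME";

    public IActionResult Index()
    {
        ViewBag.UserName = ResolveUserName(HttpContext) ?? "<unknown>";
        return View();
    }

    // Hypothetical helper: returns the signed-in user's name,
    // or null when nobody is authenticated.
    internal static string ResolveUserName(HttpContext context)
    {
        // 1. Preferred: the principal built by the authentication middleware
        //    (app.UseAuthentication() must run before this action executes).
        var identity = context.User?.Identity;
        if (identity != null && identity.IsAuthenticated
            && !string.IsNullOrEmpty(identity.Name))
        {
            return identity.Name;
        }

        // 2. Fallback: the header injected by App Service authentication.
        //    It is trustworthy only behind App Service, which does not let
        //    external requests set it; anywhere else (local debugging, another
        //    host) a client can send the header itself, so it is ignored.
        if (!RunningBehindAppServiceAuth())
        {
            return null;
        }

        string name = context.Request.Headers[NameHeader];
        return string.IsNullOrEmpty(name) ? null : name;
    }

    // Assumption: WEBSITE_AUTH_ENABLED is the environment variable App Service
    // sets when its built-in authentication is switched on.
    private static bool RunningBehindAppServiceAuth() =>
        string.Equals(Environment.GetEnvironmentVariable("WEBSITE_AUTH_ENABLED"),
                      "true", StringComparison.OrdinalIgnoreCase);
}
```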