Using Azure AD with ASP.NET Core Identity
I am trying to crack the code to use an Azure AD multi-tenant app to sign in to a ASP.NET Core app that uses ASP.NET Core Identity. It's a pretty standard setup but it doesn't seem to accept Microsoft identity. Nothing breaks or no errors, but the Authorize attribute indicates the current user isn't authenticated.
void configureCookieAuthOptions(CookieAuthenticationOptions options)
{
options.Cookie.IsEssential = true;
options.ExpireTimeSpan = TimeSpan.FromDays(1);
options.SlidingExpiration = true;
options.LoginPath = "/Account/Login";
}
void configureJwtBearerOptions(JwtBearerOptions options)
{
options.TokenValidationParameters = new TokenValidationParameters
{
// snip
};
}
services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationIdentityDbContext>()
.AddClaimsPrincipalFactory<ApplicationUserClaimsPrincipalFactory>()
.AddUserManager<ApplicationUserManager>()
.AddUserStore<ApplicationUserStore>()
.AddDefaultTokenProviders();
services
.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(configureCookieAuthOptions)
.AddJwtBearer(configureJwtBearerOptions);
services.AddAuthorization();
When I add AddMicrosoftIdentityWebApp to the mix, it all works great, except that the Authorize attribute returns false when I attempt to access a protected resource. In fact, it looks like there is no identity in the context:
void configureMicrosoftIdentityOptions(MicrosoftIdentityOptions microsoftOptions)
{
microsoftOptions.TenantId = "common";
microsoftOptions.Instance = "https://login.microsoftonline.com/";
microsoftOptions.Domain = config["Authentication:Microsoft:Domain"];
microsoftOptions.ClientId = config["Authentication:Microsoft:ClientId"];
microsoftOptions.ClientSecret = config["Authentication:Microsoft:ClientSecret"];
//microsoftOptions.SignInScheme = IdentityConstants.ExternalScheme;
microsoftOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
microsoftOptions.Events = new OpenIdConnectEvents
{
OnTokenValidated = async context =>
{
var _userManager = context.HttpContext.RequestServices.GetRequiredService<UserManager<ApplicationUser>>();
var _claimsIdentityFactory = context.HttpContext.RequestServices.GetRequiredService<IUserClaimsPrincipalFactory<ApplicationUser>>();
ClaimsIdentity claimsIdentity = (ClaimsIdentity)context.Principal.Identity;
ApplicationUser user = await _userManager.FindByEmailAsync(claimsIdentity.Name);
if (user == null)
{
context.Fail("Not authorized.");
return;
}
var id = await _claimsIdentityFactory.CreateAsync(user);
context.Principal.AddIdentity(id.Identity as ClaimsIdentity);
claimsIdentity.AddClaims(id.Claims);
context.Success();
}
};
};
services
.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(configureCookieAuthOptions)
.AddJwtBearer(configureJwtBearerOptions)
.AddMicrosoftIdentityWebApp(configureMicrosoftIdentityOptions, cookieScheme: null); // <-- Added this line
I've tried all sorts of combinations and variations, like changing the default schemes, using different schemes, configure the scheme to external, etc. to no avail.
For the sake of completeness, here's the code that is invoked when I call the external login button:
[AllowAnonymous]
public IActionResult SignInExternal([FromRoute] string scheme, [FromQuery] string redirectUri)
{
scheme ??= OpenIdConnectDefaults.AuthenticationScheme;
string redirect = !string.IsNullOrEmpty(redirectUri) && Url.IsLocalUrl(redirectUri) ? redirectUri : Url.Content("Account/SignInSuccess");
return Challenge(new AuthenticationProperties { RedirectUri = redirect }, scheme);
}
As far as I can see, it's exactly the same story when I swap out AddMicrosoftIdentityWebApp for AddOpenIdConnect. It's a similar story when I use .AddGitHub("Github", options => {}), so there's certainly something missing in my setup.
I am over my head here, so I was wondering what I am missing or understanding incorrectly here.
Not completely sure about the legitimacy of the fix, but I was able to get authenticated with Azure AD, GitHub, and others by setting the OpenIdConnectOptions' SignInScheme to IdentityConstants.ApplicationScheme.
internal static AuthenticationBuilder AddAzureAd(this AuthenticationBuilder authenticationBuilder, IConfiguration config)
{
void configureMicrosoftIdentityOptions(OpenIdConnectOptions options)
{
// ...
options.SignInScheme = IdentityConstants.ApplicationScheme;
// ...
return authenticationBuilder.AddOpenIdConnect("AzureAD", configureMicrosoftIdentityOptions);
}
- Why does my CORS configuration still block datatables from consuming an API?
- .NET 8 & SQL Server 2016 - Contains() throws error
- Multiple many-to-many and multiple one-to-one relationships in the same entities
- Unable to Select Custom User Class in Identity Scaffolding
- How to redirect to an ASP.NET Core Razor Page without using routes
- Username is already taken when actually it is not ASP.NET Core
- Cancellation Token Injection
- How to log using serilog to elasticsearch with Elastic.Serilog.Sinks in .net application
- Invoking SignalR from Postman
- How does the Form Tag Helper determine the rendered form action?
- How can I get a list of registered middleware in ASP.NET Core?
- Why does my ASP.NET Core 5 Razor Page return a 404 on IIS, but not in Visual Studio?
- Add Username into Serilog
- Serilog logging to different tables
- VS 2022 ASP.Net Core MVC Simple Bootstrap Menu Not Working
- SignalR does not send anything to clients in BackgroundService/StopAsync
- ASP.NET Core website visitor statistics counter
- Return url functionality
- Get application virtual base path in aspnet core
- I have an issue passing the correct data to my SQL database through my ASP.NET Core 9 Web API
- How to mock dependencies for IValueResolver from Automapper in unit tests
- Authorize attribute works in client but not in controller
- Why does .NET 5 ASP.NET Core catch-all route supersede a defined route, when in .NET Core 3 it did not?
- How can a Blazor server side app redirect from http://hostname to http://hostname/route1 on load?
- NavigationError on NavigateTo
- How to resolve an Invalid ModelState when uploading an image in Razor Pages?
- Can't find the "ASP.NET Core Hosted" checkbox when creating a Blazor project
- Method userManager.FindByEmailAsync() returns object with empty UserName and Email
- Can't connect SignalR client in Angular 19 to SignalR server in .NET 9
- Cannot resolve scoped service 'xx.IEnumerable`1[xx.IDbContextOptionsConfiguration`1[xx.ExampleDbContext]]...' after upgrading from .NET 8 to .NET 9