I need to quickly implement SSO in a .NET Core web app, authenticating MS Entra users using OIDC/OAuth.
It's something I've not done before, so I would ask anyone who has if I'm on the right lines, as I've seen several tutorials and each has been slightly different in approach.
What I'm thinking is to add the following or similar to appsettings.json:
{
  "AzureAd": {
    "Authority": "url-here",
    "ClientId": "Enter_the_Application_Id_Here",
    "ClientCredentials": [
      {
        "SourceType": "ClientSecret",
        "ClientSecret": "Enter_the_Client_Secret_Here"
      }
    ],
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}
Install the NuGet packages Microsoft.Identity.Web and Microsoft.Identity.Web.UI
and add the following to Program.cs:
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

// Keep the original JWT claim names (e.g. "sub", "name") instead of the legacy WS-Federation mapping
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

// Register OpenID Connect sign-in, bound to the "AzureAd" section of appsettings.json
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration);

// Apply a global "must be authenticated" policy to every MVC action
builder.Services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
}).AddMicrosoftIdentityUI();
Is there anything I've missed? And should I have an authorization handler?
Thank you
You could use the template by selecting Authentication type "Microsoft identity platform", which uses Microsoft.Identity.Web.
The appsettings for this package use "Instance", "Domain" and "TenantId" instead of "Authority".
The default OAuth2 flow is "Authorization Code Flow with PKCE (Proof Key for Code Exchange)", which doesn't require a client secret.
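As an added example (not the original poster's code, nor the answerer's, nor a copy of the template itself), here is a sign-in-only Program.cs in the shape the "Microsoft identity platform" template produces, using the "Instance"/"Domain"/"TenantId" keys the answer mentions. The matching "AzureAd" section is shown as a comment at the top. The placeholder values are assumptions to be replaced with the app registration's real values; the app only signs users in and does not call a downstream API, so no client secret is stored in configuration.

```csharp
// Added example, not code from the original post or the template.
//
// appsettings.json, "AzureAd" section in the Instance/Domain/TenantId form
// (placeholder values are assumptions; replace with the app registration's values):
// {
//   "AzureAd": {
//     "Instance": "https://login.microsoftonline.com/",
//     "Domain": "Enter_the_Tenant_Domain_Here",
//     "TenantId": "Enter_the_Tenant_Id_Here",
//     "ClientId": "Enter_the_Application_Id_Here",
//     "CallbackPath": "/signin-oidc",
//     "SignedOutCallbackPath": "/signout-callback-oidc"
//   }
// }
// No "ClientCredentials" entry: sign-in only, no downstream API calls,
// so no client secret lives in configuration.

using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// OpenID Connect sign-in against Entra ID, reading the "AzureAd" section.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Require an authenticated user on every MVC action by default;
// opt individual actions out with [AllowAnonymous].
builder.Services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

// Microsoft.Identity.Web.UI's account UI lives in the "MicrosoftIdentity"
// area and includes Razor Pages, so Razor Pages are registered and mapped
// even in an MVC project.
builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI();

// Extend the same "must be signed in" rule to Razor Pages and any endpoint
// without explicit authorization metadata. A plain authenticated-user
// requirement needs no custom authorization handler; handlers are only
// needed for richer rules (roles, groups, resource-based checks).
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Home/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

// Order matters: authentication must run before authorization so the
// policy evaluates against the signed-in principal.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllerRoute(
    name: "default",
    pattern: "{controller=Home}/{action=Index}/{id?}");
app.MapRazorPages();

app.Run();
```

The sign-in and sign-out links are the ones Microsoft.Identity.Web.UI exposes under the MicrosoftIdentity area (for example /MicrosoftIdentity/Account/SignIn), and the redirect URIs registered in Entra must match "CallbackPath" and "SignedOutCallbackPath" under the app's HTTPS origin. If the app is later extended to call an API on the user's behalf, that is the point at which a client credential becomes necessary; keep it in user-secrets or Key Vault rather than in a committed appsettings.json.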