Author : MD TAREQ HASSAN | Updated : 2021/04/18
Login with Azure AD
See: Azure AD as OpenID Connect Provider
Login With Google
- Dependency:
Install-Package Microsoft.AspNetCore.Authentication.Google
- Links:
- https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins
- https://console.developers.google.com/cloud-resource-manager
- https://console.developers.google.com/projectselector2
- https://developers.google.com/identity/sign-in/web/sign-in#before_you_begin
- Google auth in blazor app: https://www.freecodecamp.org/news/how-to-implement-google-authentication-and-authorization-in-server-side-blazor-app/
- FYI, credentials used in creating demo app (screenshots) will be deleted (don’t try to use it, LoL)
User secrets (Secret manager)
{
  "Authentication:Google": {
    "ClientId": "475096194844-l2j1b79g863nvk4584eo8nerbfh59jrs.apps.googleusercontent.com",
    "ClientSecret": "UtgK_ArtjbP8mLc8_6xKJ9Oj"
  }
}
Settings in Startup.ConfigureServices()
services.AddAuthentication().AddGoogle(options =>
{
    IConfigurationSection googleAuthNSection =
        Configuration.GetSection("Authentication:Google");
    options.ClientId = googleAuthNSection["ClientId"];
    options.ClientSecret = googleAuthNSection["ClientSecret"];
});
Create a Google API Console project and client ID
Scaffold project and add Google login
Login With Facebook
https://jakeydocs.readthedocs.io/en/latest/security/authentication/sociallogins.html
Login With IdentityServer4
Resources: IdentityServer4 Login in dev-handy-sites#identity-server
Online temporary IS4 for testing: https://demo.identityserver.io/
Locally running IdentityServer4 project
- Prerequisite: IdentityServer4 project with in-memory store
- This is for demo purpose only & we are gonna run both IdentityServer4 project and MVC Client app in same solution
- Right click on Solution > Properties > Startup Project > Multiple Start Up projects
- Change ‘None’ to ‘Start’
- You might get error:
- Error loading external login information.
System.Net.Http.HttpRequestException: No connection could be made because the target machine actively refused it
- https://stackoverflow.com/questions/50992544/identityserver4-with-asp-net-core-2-1-identity-error-loading-external-login-in
Create MVC Client App
- The whole idea of relying on Azure AD for user authentication is to avoid user management in your application
- Add MVC Client App to the solution
- Find the port number (needed to configure the client in the IdentityServer4 project)
- Open: Properties/launchSettings.json
"sslPort": xxx
=> RedirectUris = http://localhost:xxx/signin-oidc
- See: http://docs.identityserver.io/en/3.1.0/topics/clients.html
Configure client (MVC Client App) in IdentityServer4 project
Config.cs
// ... ... ...
public static IEnumerable<Client> Clients =>
    new Client[]
    {
        new Client
        {
            ClientId = "Foo_Client",
            ClientName = "Foo Client",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            ClientSecrets = { new Secret("hovermind.foo".Sha256()) },
            RedirectUris = { "http://localhost:xxx/signin-oidc" },
            FrontChannelLogoutUri = "http://localhost:xxx/signout-oidc",
            PostLogoutRedirectUris = { "http://localhost:xxx/signout-callback-oidc" },
            AllowOfflineAccess = true,
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, IdentityServerConstants.StandardScopes.Profile },
            AlwaysIncludeUserClaimsInIdToken = true,
        },
    };
// ... ... ...
Notes:
- Endpoints (signin-oidc, signout-oidc, signout-callback-oidc) will be handled by the OpenID Connect middleware of the MVC Client App
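What `RequirePkce = true` asks of the code flow, as an added example (not code from this page or from IdentityServer4): the client derives a code_challenge from a random code_verifier for the authorize request, and the server recomputes it when the code is redeemed at the token endpoint (RFC 7636, S256 method). The type and method names are hypothetical; the fixed pair in Main is the RFC 7636 Appendix B test vector.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration of PKCE S256 (RFC 7636); type and method names are hypothetical.
public static class PkceDemo
{
    // base64url without padding, the encoding RFC 7636 uses for both values
    static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Client: fresh random verifier per login, kept until the code is redeemed
    public static string NewCodeVerifier()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Base64Url(bytes); // 32 random bytes encode to 43 characters
    }

    // Client: value sent as code_challenge (with code_challenge_method=S256)
    public static string CodeChallenge(string verifier)
    {
        using (var sha = SHA256.Create())
            return Base64Url(sha.ComputeHash(Encoding.ASCII.GetBytes(verifier)));
    }

    // Server: at the token endpoint, compare against the challenge stored with the code
    public static bool Verify(string storedChallenge, string presentedVerifier)
    {
        if (string.IsNullOrEmpty(presentedVerifier)) return false;
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(storedChallenge),
            Encoding.ASCII.GetBytes(CodeChallenge(presentedVerifier)));
    }

    public static void Main()
    {
        // RFC 7636 Appendix B test vector
        const string v = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        const string c = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        Console.WriteLine($"RFC vector matches: {CodeChallenge(v) == c}");

        var verifier = NewCodeVerifier();
        var challenge = CodeChallenge(verifier);
        Console.WriteLine($"correct verifier accepted: {Verify(challenge, verifier)}");
        Console.WriteLine($"missing verifier accepted: {Verify(challenge, null)}");
        Console.WriteLine($"other verifier accepted:   {Verify(challenge, NewCodeVerifier())}");
    }
}
```

In the MVC client nothing like this has to be written by hand: from ASP.NET Core 3.0 the OpenIdConnect handler's UsePkce option defaults to true and it sends the challenge and verifier itself when ResponseType is "code".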
Install nuget package to MVC Client App
Package Manager Console > Select MVC Client App
Install-Package Microsoft.AspNetCore.Authentication.OpenIdConnect
Add user secrets to FooClient WebApp
Right click on FooClient WebApp > ‘Manage User Secrets’
secrets.json
{
  "IDP_IS4": {
    "ClientId": "Foo_Client",
    "ClientSecret": "hovermind.foo"
  }
}
Notes:
- IDP: Identity Provider
- IS4: IdentityServer4
Get client ID and secret using IConfiguration
public class Startup
{
    public IConfiguration Configuration { get; }

    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        var clientId = Configuration["IDP_IS4:ClientId"];
        var clientSecret = Configuration["IDP_IS4:ClientSecret"];
        // ... ... ...
    }

    public void Configure(IApplicationBuilder app)
    {
        // ... ... ...
    }
}
Use OpenIdConnect Middleware
Startup.cs
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public IConfiguration Configuration { get; }

    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // get client id and secret from user secrets
        var clientId = Configuration["IDP_IS4:ClientId"];
        var clientSecret = Configuration["IDP_IS4:ClientSecret"];

        services.AddControllersWithViews();

        //JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
        //JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
        {
            // the local session lives in a cookie; unauthenticated requests are challenged via OIDC
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://localhost:5001"; // the IdentityServer4 project
            options.ClientId = clientId;
            options.ClientSecret = clientSecret;
            options.ResponseType = "code"; // authorization code flow
            options.SaveTokens = true;     // keep the tokens in the auth cookie

            // Scope names as string literals: IdentityServerConstants lives in the
            // IdentityServer4 package, which the MVC client does not reference.
            options.Scope.Add("profile");
            options.Scope.Add("openid");
            options.Scope.Add("offline_access");
        });

        services.AddAuthorization();
        //... ... ...
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();
        app.UseRouting();

        // authentication must run before authorization
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            // every controller route requires an authenticated user
            endpoints.MapDefaultControllerRoute().RequireAuthorization();
        });
    }
}
Now, Start Multiple projects
More Demos:
- https://github.com/IdentityServer/IdentityServer4/tree/main/samples/Clients/src/MvcCode
- https://github.com/IdentityServer/IdentityServer4/tree/main/samples/Quickstarts/3_AspNetCoreAndApis/src/MvcClient
- https://github.com/IdentityServer/IdentityServer4/tree/main/samples/Quickstarts/2_InteractiveAspNetCore/src/MvcClient
More OpenID Connect Providers
- Others (list of providers: Github, Amazon, Apple, LinkedIn, ….): https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
- Okta: https://developer.okta.com/blog/2019/11/15/aspnet-core-3-mvc-secure-authentication