Wednesday, December 16, 2015

IdentityServer : The WebApp-OpenIDConnect-DotNet Azure AD sample

I use this sample a lot - Azure-Samples/active-directory-dotnet-webapp-openidconnect.

I've also been looking at idsrv3 lately - mainly from the enterprise PoV, i.e. WS-Fed and SAML.

idsrv3 also supports modern authentication, i.e. OpenID Connect and OAuth2.

So I wondered if this sample would work on idsrv3?

As per OpenID Connect Hybrid Flow and IdentityServer v3:

"Lastly, hybrid flow is the only flow supported by the Microsoft OpenID Connect authentication middleware (in combination with a form post response mode)"

Hybrid flow is described in the article. The above tells us that idsrv3 has to be hooked up using the hybrid flow.

(BTW - the idsrv3 equivalent sample is here - Clients/MVC OWIN Client (Hybrid)).

Turns out the changes are minimal - as you would expect.

In Startup.Auth.cs:

using System;
using System.Configuration;
using System.Globalization;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

// aadInstance now holds the idsrv3 authority URL directly (no tenant placeholder);
// the String.Format call is kept unchanged from the Azure AD sample
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance);

public void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType
        (CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = postLogoutRedirectUri,      // the one addition for idsrv3
            PostLogoutRedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // AuthenticationFailed handler as in the Azure AD sample (cut off in the post)
            }
        });
}

The only change was to add the RedirectUri.

Note that I tried to minimise the changes so I kept the AADInstance variable even though Azure AD is not involved.

web.config:

<add key="ida:ClientId" value="katanaclientad" />
<!--<add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />-->
<add key="ida:AADInstance" value="https://localhost:44333/core" />
<add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />

On the idsrv3 side, we need a new Client:

Host-Configuration/Client.cs

// Client, Secret, Flows, AccessTokenType and the Sha256() extension come from
// IdentityServer3.Core.Models; Constants.StandardScopes from IdentityServer3.Core
using System.Collections.Generic;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;

new Client
{
    ClientName = "Katana Hybrid Client Demo - AAD Sample",
    Enabled = true,
    ClientId = "katanaclientad",
    ClientSecrets = new List<Secret>
    {
        new Secret("secret".Sha256())
    },

    // hybrid flow: the only flow the Microsoft OpenID Connect middleware supports
    Flow = Flows.Hybrid,

    AllowedScopes = new List<string>
    {
        Constants.StandardScopes.OpenId,
        Constants.StandardScopes.Profile,
        Constants.StandardScopes.Email,
        Constants.StandardScopes.Roles,
        Constants.StandardScopes.OfflineAccess,
        "read",
        "write"
    },

    ClientUri = "https://identityserver.io",
    LogoUri = [snip],   // value omitted in the post

    RequireConsent = false,
    AccessTokenType = AccessTokenType.Reference,

    // idsrv3 matches redirect URIs exactly (scheme, host, port, trailing slash),
    // so this must equal the RedirectUri the middleware sends
    RedirectUris = new List<string>
    {
        //"http://localhost:2672/",
        "https://localhost:44320/",
    },

    PostLogoutRedirectUris = new List<string>
    {
        //"http://localhost:2672/"
        "https://localhost:44320/",
    }
},

The changes to display the claim are as per: IdentityServer : Identity Server 3 as a WS-Federation IDP with an ASP.NET MVC application.

So we navigate to the sample and click the "Sign In" link. It redirects to idsrv3, where we can authenticate with "alice / alice" or "bob / bob", then back to the sample; click the Contact tab and the claims are displayed as below:

Claim Type Claim Value
nonce 635858209323.....Tk5YjYtNjU1NzU2ZWU4MzU5
iat 1450224140
c_hash 0ibKE6.....uZcbGR_A
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier 818727
http://schemas.microsoft.com/claims/authnmethodsreferences password
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant 1450224139
http://schemas.microsoft.com/identity/claims/identityprovider idsrv
name Alice Smith
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname Alice
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname Smith
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage http://alice.com
iss https://localhost:44333/core
aud katanaclientad
exp 1450224440
nbf 1450224140
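The claim table above shows the two claims that make the hybrid flow safe to use with a form post: nonce (binding the id_token to the login request) and c_hash (binding the authorization code to the id_token). The Microsoft middleware performs these checks for you; the following is an added example, not code from the post, from IdentityServer3 or from the Katana middleware, that reproduces the same claim checks in plain Python so you can see what is being verified. It assumes the checks as specified in OpenID Connect Core (c_hash = base64url of the left half of the hash matching the id_token's alg), assumes the token signature has already been verified, and uses a constructed, unsigned claim set modelled on the table (issuer and client id from the post, code and nonce invented here).

```python
# Added example; not code from the blog post, IdentityServer3 or the Katana middleware.
# Reproduces the claim checks a relying party applies to the id_token of a hybrid-flow
# response (response_type=code id_token). Signature verification is assumed to have
# happened already; SAMPLE_CLAIMS below is constructed, not a captured token.
import base64
import hashlib
import hmac
import time

HASH_FOR_ALG = {"RS256": hashlib.sha256, "RS384": hashlib.sha384, "RS512": hashlib.sha512}


def b64url(raw: bytes) -> str:
    """base64url without padding, as used for JOSE hash claims."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def expected_c_hash(code: str, alg: str = "RS256") -> str:
    """c_hash: left-most half of the hash of the ASCII authorization code,
    using the hash function that matches the id_token's alg (SHA-256 for RS256)."""
    digest = HASH_FOR_ALG[alg](code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def validate_hybrid_id_token(claims, code, expected_nonce, issuer, client_id,
                             alg="RS256", now=None, skew=300):
    """Return a list of validation failures; an empty list means the token is acceptable."""
    now = int(time.time()) if now is None else now
    errors = []

    if claims.get("iss") != issuer:
        errors.append("iss mismatch")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        errors.append("aud does not contain client_id")
    elif len(audiences) > 1 and claims.get("azp") != client_id:
        errors.append("multiple audiences but azp is not this client")

    exp, nbf = claims.get("exp"), claims.get("nbf")
    if exp is None or now > exp + skew:
        errors.append("token expired or exp missing")
    if nbf is not None and now + skew < nbf:
        errors.append("token not yet valid")

    # nonce ties the id_token to the login request the client started (the middleware
    # keeps it in a cookie); a mismatch means a replayed or unsolicited response.
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        errors.append("nonce mismatch")

    # c_hash ties the authorization code to this id_token, so a code from another
    # response cannot be substituted; constant-time compare avoids timing leaks.
    c_hash = claims.get("c_hash")
    if c_hash is None:
        errors.append("c_hash missing from hybrid-flow id_token")
    elif not hmac.compare_digest(c_hash, expected_c_hash(code, alg)):
        errors.append("c_hash does not match authorization code")

    return errors


# Constructed sample: issuer, audience and timestamps follow the post's claim table;
# the authorization code and nonce are invented for the example.
ISSUER = "https://localhost:44333/core"
CLIENT_ID = "katanaclientad"
CODE = "constructed-authorization-code"
NONCE = "constructed-nonce-from-cookie"
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "iat": 1450224140,
    "nbf": 1450224140,
    "exp": 1450224440,
    "nonce": NONCE,
    "c_hash": expected_c_hash(CODE),
    "name": "Alice Smith",
}
NOW = 1450224200  # a moment inside the token's validity window


def check_good_response():
    return validate_hybrid_id_token(SAMPLE_CLAIMS, CODE, NONCE, ISSUER, CLIENT_ID, now=NOW)


def check_swapped_code():
    # same id_token presented with a different authorization code
    return validate_hybrid_id_token(SAMPLE_CLAIMS, "some-other-code", NONCE, ISSUER, CLIENT_ID, now=NOW)


def check_replayed_token():
    # old token replayed an hour later against a fresh login request
    return validate_hybrid_id_token(SAMPLE_CLAIMS, CODE, "a-fresh-nonce", ISSUER, CLIENT_ID, now=NOW + 3600)


if __name__ == "__main__":
    print("good response:", check_good_response())
    print("swapped code:", check_swapped_code())
    print("replayed token:", check_replayed_token())
```

The RedirectUri added in Startup.Auth.cs matters for the same reason: the form-post response carrying code and id_token only lands on the client because idsrv3 checked the redirect_uri against the client's RedirectUris list before issuing them.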

Enjoy!
