Wednesday, December 16, 2015

IdentityServer : The WebApp-OpenIDConnect-DotNet Azure AD sample

I use this sample a lot - Azure-Samples/active-directory-dotnet-webapp-openidconnect.

I've also been looking at idsrv3 lately - mainly from the enterprise PoV i.e. WS-Fed and SAML

idsrv3 also supports modern authentication i.e. OpenID Connect and OAuth2.

So I wondered if this sample would work on idsrv3?

As per OpenID Connect Hybrid Flow and IdentityServer v3:

"Lastly, hybrid flow is the only flow supported by the Microsoft OpenID Connect authentication middleware (in combination with a form post response mode)"

Hybrid flow is described in the article. The above tells us that idsrv3 has to be hooked up using the hybrid flow.

(BTW - the idsrv3 equivalent sample is here - Clients/MVC OWIN Client (Hybrid)).

Turns out the changes are minimal - as you would expect.

In Startup.Auth.cs:

private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

// No tenant to substitute any more, so the authority is just the idsrv3 base URL
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance);

public void ConfigureAuth(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            RedirectUri = postLogoutRedirectUri,           // the one addition to the Azure AD sample
            PostLogoutRedirectUri = postLogoutRedirectUri,
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // notification handlers unchanged from the sample
            }
        });
}

The only change was to add the RedirectUri.

Note that I tried to minimise the changes so I kept the AADInstance variable even though Azure AD is not involved.


<add key="ida:ClientId" value="katanaclientad" />
<!--<add key="ida:Tenant" value="[Enter tenant name, e.g.]" />-->
<add key="ida:AADInstance" value="https://localhost:44333/core" />
<add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />

On the idsrv3 side, we need a new Client:


new Client
{
    ClientName = "Katana Hybrid Client Demo - AAD Sample",
    Enabled = true,
    ClientId = "katanaclientad",
    ClientSecrets = new List<Secret>
    {
        new Secret("secret".Sha256())
    },

    Flow = Flows.Hybrid,
    AllowedScopes = new List<string>
    {
        [snip]
    },
    ClientUri = "",
    LogoUri = [snip],

    RequireConsent = false,
    AccessTokenType = AccessTokenType.Reference,
    RedirectUris = new List<string>
    {
        "https://localhost:44320/"   // the sample sends ida:PostLogoutRedirectUri as its redirect_uri, so it must be registered here verbatim
    },
    PostLogoutRedirectUris = new List<string>
    {
        "https://localhost:44320/"
    }
}
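To make the hybrid-flow defaults explicit and to handle sign-out, here is an added example of the Katana side written for this post (it is not the post's code nor the idsrv3 or Azure AD sample). It assumes the web.config keys and the katanaclientad Client shown above, the ResponseType, ResponseMode and Scope properties of the Katana OpenID Connect middleware, and its RedirectToIdentityProvider notification.

```csharp
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Same web.config keys as the sample above (assumed present)
    private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
    private static string authority = ConfigurationManager.AppSettings["ida:AADInstance"];
    private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,                           // must equal Client.ClientId on the idsrv3 side
            Authority = authority,                         // idsrv3 base URL; endpoints come from discovery
            RedirectUri = postLogoutRedirectUri,           // must be listed verbatim in Client.RedirectUris
            PostLogoutRedirectUri = postLogoutRedirectUri, // must be listed in Client.PostLogoutRedirectUris
            // Middleware defaults written out: this is the hybrid flow, hence Flow = Flows.Hybrid in idsrv3
            ResponseType = "code id_token",
            ResponseMode = "form_post",
            Scope = "openid profile",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // Keep the raw id_token: idsrv3 only redirects to post_logout_redirect_uri when the
                // sign-out request carries it as id_token_hint, proving which client is signing out
                SecurityTokenValidated = n =>
                {
                    n.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
                    return Task.FromResult(0);
                },
                RedirectToIdentityProvider = n =>
                {
                    if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                    {
                        var idToken = n.OwinContext.Authentication.User.FindFirst("id_token");
                        if (idToken != null) n.ProtocolMessage.IdTokenHint = idToken.Value;
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}
```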

The changes to display the claim are as per: IdentityServer : Identity Server 3 as a WS-Federation IDP with an ASP.NET MVC application.

So we navigate to the sample and click the "Sign In" link. It redirects to idsrv3, where we can authenticate as "alice / alice" or "bob / bob"; back in the sample, click the Contact tab and the claims are displayed as below:

Claim Type   Claim Value
nonce        635858209323.....Tk5YjYtNjU1NzU2ZWU4MzU5
iat          1450224140
c_hash       0ibKE6.....uZcbGR_A
sub          818727
amr          password
auth_time    1450224139
idp          idsrv
name         Alice Smith
iss          https://localhost:44333/core
aud          katanaclientad
exp          1450224440
nbf          1450224140
