I'm looking into using Identity Server 4 for authentication within a C# based MVC application. I'd like to use accounts stored in Azure AD as a source of valid users but the documentation only seems to refer to Google and OpenID & only mentions Azure in passing.
Does anybody know of any good documentation and/or tutorials on how to use Azure AD in the context of using it with Identity Server 4?
You can use signin to Azure AD from IdentityServer just as you would use signin to IdentityServer from eg a Javascript or MVC app.
I have done this recently, and all you need to do is register OpenIdConnect options to Azure Ad like this:
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
});
}
More info about this here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-devquickstarts-webapp-dotnet
You should then in your Login action call the ChallengeAsync method:
var authenticationProperties = new AuthenticationProperties { RedirectUri = "your redirect uri" };
await HttpContext.Authentication.ChallengeAsync(your policy, authenticationProperties);
Then provide a callback method as a GET method then follow the External Login samples provided in IdentityServer samples: https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/4_ImplicitFlowAuthenticationWithExternal/src/QuickstartIdentityServer/Quickstart/Account/AccountController.cs
There is a sample with Azure AD on github , forked from External Login sample provided in IdentityServer samples .
The sample also fixed a known issue "State parameter generated by middleware is too large for Azure AD #978"
IdentityServer4 has documentation with "Sign-in with External Identity Providers"
Unfortunately it is not complete but this is what I did:
Startup.cs
for .NET 5, Program.cs
for .NET 6:
services.AddAuthentication()
.AddOpenIdConnect("aad", "Azure AD", options =>
{
options.ClientSecret = "<ClientSecret>";
options.ResponseType = OpenIdConnectResponseType.Code;
options.ClientId ="<ClientId>";
options.Authority = "https://login.microsoftonline.com/<TenantId>/";
options.CallbackPath = "/signin-oidc";
})
.AddIdentityServerJwt();
You will then see an external login under "Use another service to log in.":
When completing login you should see this message.
Default settings got stuck after clicking on Register
. It was due to the new email not being confirmed. This could be solved with setting SignIn.RequireConfirmedAccount = false
services.AddDefaultIdentity<ApplicationUser>(options =>
options.SignIn.RequireConfirmedAccount = true)
You could also use "Resend email confirmation" or set EmailConfirmed
to true in [dbo].[AspNetUsers]
for the new user.
Azure AD settings. You will also need to add a client secret under Certificates & secrets
.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.