35

I'm looking into using Identity Server 4 for authentication within a C#-based MVC application. I'd like to use accounts stored in Azure AD as a source of valid users, but the documentation only seems to refer to Google and OpenID and only mentions Azure in passing.

Does anybody know of any good documentation and/or tutorials on using Azure AD together with Identity Server 4?

Patrick

3 Answers

20

You can sign in to Azure AD from IdentityServer just as you would sign in to IdentityServer from, e.g., a JavaScript or MVC app.

I have done this recently, and all you need to do is register OpenIdConnect options for Azure AD like this:

using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Values from the Azure AD app registration; normally read from configuration.
private static readonly string clientId = "<ClientId>";
private static readonly string authority = "https://login.microsoftonline.com/<TenantId>";
private static readonly string postLogoutRedirectUri = "<PostLogoutRedirectUri>";

public void ConfigureAuth(IAppBuilder app)
{
    // Identities produced by the OpenID Connect middleware are persisted in the cookie.
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

    app.UseCookieAuthentication(new CookieAuthenticationOptions());

    // Redirects unauthenticated requests to Azure AD and validates the returned id_token
    // against the authority's published metadata and signing keys.
    app.UseOpenIdConnectAuthentication(
        new OpenIdConnectAuthenticationOptions
        {
            ClientId = clientId,
            Authority = authority,
            PostLogoutRedirectUri = postLogoutRedirectUri,
        });
}

More info about this here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devquickstarts-webapp-dotnet

In your Login action you should then call the ChallengeAsync method:

// RedirectUri is where the middleware sends the browser once Azure AD has returned.
var authenticationProperties = new AuthenticationProperties { RedirectUri = "your redirect uri" };
// The first argument is the authentication scheme name you registered for Azure AD.
// (HttpContext.Authentication is the ASP.NET Core 1.x API; on 2.0+ call HttpContext.ChallengeAsync.)
await HttpContext.Authentication.ChallengeAsync("<scheme name>", authenticationProperties);

Then provide a callback method (a GET action) and follow the External Login samples provided in the IdentityServer samples: https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/4_ImplicitFlowAuthenticationWithExternal/src/QuickstartIdentityServer/Quickstart/Account/AccountController.cs

Espen Medbø
  • Thank you for the info. I am just starting with IS4, so I need to ask you something: I read the docs about external login, and the sample shows you a button and I suppose it redirects you to the Google authentication page, therefore I also suppose your example redirects to the Microsoft login page, or am I wrong? If that is true, is it possible to authenticate a user automatically, knowing his credentials? I mean, someone sends the user's (Microsoft) credentials to my JS app, then I send them to IS4 and it tries to get the token – FacundoGFlores Feb 02 '17 at 18:59
  • That is really the point of OpenID Connect; you delegate the hassle of handling passwords to another system, in this case Microsoft. You will have to add the authority like login.microsoft.com or similar, then this will be used when redirecting. OpenID Connect is not Microsoft specific; it is merely a specification of how login with a 3rd-party provider is supposed to happen. – Espen Medbø Feb 02 '17 at 19:03
10

There is a sample with Azure AD on GitHub, forked from the External Login sample provided in the IdentityServer samples.

The sample also fixes the known issue "State parameter generated by middleware is too large for Azure AD #978".

Michael Freidgeim
  • https://github.com/aspnet/Security/issues/1310 The code example given above is now obsolete; from Haok's comments: "The old 1.0 Authentication stack no longer will work, and is obsolete in 2.0". This specifically concerns the way the above repo sets up the IdentityServer startup.cs's Config / cookie authentication. The migration was done around June 17, best I can tell. – JakeJ Feb 02 '18 at 15:50
  • If you put in the app.UseCookieAuthentication, then look at the comments on the constructor, it will take you to the above link. I still upvoted you for your help; it would've been awesome if I could have just plugged in the code I needed from that repo alone. – JakeJ Feb 02 '18 at 15:51
  • @JakeJ, you can create an issue on the GitHub repository, asking to upgrade to Core 2.0 or even submit a Pull Request. – Michael Freidgeim Feb 02 '18 at 23:02
2

IdentityServer4 has documentation on "Sign-in with External Identity Providers":

http://docs.identityserver.io/en/latest/topics/signin_external_providers.html#state-url-length-and-isecuredataformat

Unfortunately it is not complete, but this is what I did:

Startup.cs for .NET 5, Program.cs for .NET 6:

using Microsoft.IdentityModel.Protocols.OpenIdConnect;

services.AddAuthentication()
    .AddOpenIdConnect("aad", "Azure AD", options =>
    {
        // Secret from the app registration's "Certificates & secrets" blade;
        // keep it in configuration or a secret store, not in source.
        options.ClientSecret = "<ClientSecret>";
        options.ResponseType = OpenIdConnectResponseType.Code; // authorization code flow
        options.ClientId = "<ClientId>";
        options.Authority = "https://login.microsoftonline.com/<TenantId>/";
        options.CallbackPath = "/signin-oidc"; // must be registered as a redirect URI in Azure AD
    })
    .AddIdentityServerJwt();

You will then see an external login under "Use another service to log in.":


When completing login you should see this message.


With the default settings it got stuck after clicking Register. This was due to the new email not being confirmed. It can be solved by setting SignIn.RequireConfirmedAccount = false:

// The template default is true; false lets a user sign in before the e-mail address is verified.
services.AddDefaultIdentity<ApplicationUser>(options =>
    options.SignIn.RequireConfirmedAccount = false)
    .AddEntityFrameworkStores<ApplicationDbContext>(); // as in the template

You could also use "Resend email confirmation" or set EmailConfirmed to true in [dbo].[AspNetUsers] for the new user.

Azure AD settings. You will also need to add a client secret under Certificates & secrets.


Ogglas
  • Which sample/version provides the template that you've posted above? I mean the one with the message "Associate your AZURE AD account" - was it created by you? I'm asking because I think I've never seen it in any official examples. Posting the source would be helpful. Thanks. – rosko Nov 25 '22 at 10:29
  • @rosko Create a new Blazor WebAssembly application with Individual user accounts and you will receive the template code – Ogglas Nov 27 '22 at 13:56
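The state-size problem the second answer mentions (#978) and the docs section the third answer links (state URL length and ISecureDataFormat) have the same fix: keep the OpenID Connect handler's AuthenticationProperties server-side and put only a short, data-protected key in the state parameter. The following is an added example of that approach, not code from the answers or from the IdentityServer project; it assumes ASP.NET Core 5/6, the scheme name "aad", and IDistributedCache backed by the in-memory cache.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.DependencyInjection;

// Replaces the handler's default state format: the full AuthenticationProperties go into the
// cache, and only a protected random key travels in the "state" query parameter.
public sealed class CachedStateDataFormat : ISecureDataFormat<AuthenticationProperties>
{
    private const string Prefix = "oidc-state";
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(15); // a login round-trip should not take longer

    private readonly IHttpContextAccessor _accessor;
    private readonly string _scheme;

    public CachedStateDataFormat(IHttpContextAccessor accessor, string scheme)
    {
        _accessor = accessor;
        _scheme = scheme;
    }

    private IServiceProvider Services => _accessor.HttpContext!.RequestServices;
    private IDistributedCache Cache => Services.GetRequiredService<IDistributedCache>();
    // The purpose chain binds the protected key to this scheme, so a key minted for one
    // provider cannot be replayed against another.
    private IDataProtector Protector =>
        Services.GetRequiredService<IDataProtectionProvider>().CreateProtector(Prefix, _scheme);

    public string Protect(AuthenticationProperties data) => Protect(data, null);

    public string Protect(AuthenticationProperties data, string? purpose)
    {
        var key = Guid.NewGuid().ToString("N");
        // Only Items is stored; that is also all the default formatter round-trips.
        var json = JsonSerializer.Serialize(data.Items);
        Cache.SetString(CacheKey(purpose, key), json,
            new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = Lifetime });
        return Protector.Protect(key); // short, integrity-protected, fits easily in the authorize URL
    }

    public AuthenticationProperties? Unprotect(string? protectedText) => Unprotect(protectedText, null);

    public AuthenticationProperties? Unprotect(string? protectedText, string? purpose)
    {
        if (string.IsNullOrEmpty(protectedText)) return null;
        string key;
        try
        {
            key = Protector.Unprotect(protectedText);
        }
        catch (CryptographicException)
        {
            return null; // tampered or foreign state; the handler rejects a null result
        }
        var cacheKey = CacheKey(purpose, key);
        var json = Cache.GetString(cacheKey);
        if (json == null) return null; // expired or already consumed
        Cache.Remove(cacheKey);        // one-time use: a replayed state must fail
        var items = JsonSerializer.Deserialize<Dictionary<string, string?>>(json);
        return items == null ? null : new AuthenticationProperties(items);
    }

    private string CacheKey(string? purpose, string key) => $"{Prefix}:{_scheme}:{purpose}:{key}";
}

public static class CachedStateWiring
{
    // Call in ConfigureServices (or Program.cs) after .AddOpenIdConnect(scheme, ...).
    public static IServiceCollection UseCachedStateFor(this IServiceCollection services, string scheme)
    {
        services.AddHttpContextAccessor();
        services.AddDistributedMemoryCache(); // assumed here; use Redis/SQL Server when running more than one instance
        services.AddOptions<OpenIdConnectOptions>(scheme)
            .Configure<IHttpContextAccessor>((options, accessor) =>
                options.StateDataFormat = new CachedStateDataFormat(accessor, scheme));
        return services;
    }
}
```

Usage: services.UseCachedStateFor("aad"). The handler's post-configure step only fills in StateDataFormat when it is still null, so a named Configure registered this way wins. The in-memory cache is fine for a single instance; behind a load balancer the callback can land on a different instance than the one that issued the state, so the cache must be shared.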