
My basic requirement is a Web API that exposes some REST resources. Authentication is required to access any resource, and I want that to happen via Microsoft Accounts. This is to be a Web API for programmatic access.

I started along this path: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins?view=aspnetcore-2.2

I have got to the end. It probably works fine, except I get this:

InvalidOperationException: The default Identity UI layout requires a partial view '_LoginPartial' usually located at '/Pages/_LoginPartial' or at '/Views/Shared/_LoginPartial' to work.

But I don't want a UI with a sign-in experience. I want apps (and users from clients such as browsers) to authenticate via Microsoft and then access my REST resources.

My `ConfigureServices` looks like this:

        services.AddIdentity<IdentityUser, IdentityRole>()
                .AddDefaultTokenProviders()
                //.AddDefaultUI(UIFramework.Bootstrap4)
                .AddEntityFrameworkStores<IdentityDbContext>();
        services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
        {
            microsoftOptions.ClientId = _config["Authentication:Microsoft:ApplicationId"];
            microsoftOptions.ClientSecret = _config["Authentication:Microsoft:Password"];
        });

And then:

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseStaticFiles();
        app.UseAuthentication();

Program just does:

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            .UseUrls("http://localhost:5000", "https://localhost:5001");
UmaN
  • You need a UI; how else will the user be redirected to the Microsoft authentication provider and back to your application to receive the token? You are probably looking to use a JWT token (since REST clients calling a REST API can't follow a redirect to trigger an interactive flow where the user enters his credentials), which you can pass on every request to your API. You'll need to use AAD (from your client, mobile app or SPA) to obtain the access token, which you can send on every request. – Tseng Jan 04 '19 at 11:31
  • The above tutorial is for MVC apps that use Identity for user management and Microsoft Account for identity/authentication. It doesn't work for Web APIs because it requires the user to log in to the Microsoft Account (or grant permission to your application to retrieve the token, if already logged in and it's the first sign-in). – Tseng Jan 04 '19 at 11:32
  • All you need is something like [this](https://learn.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-2.2&tabs=aspnetcore2x#use-multiple-authentication-schemes), the `.AddJwtBearer("AzureAD"` part. The rest is done by the client (redirecting the user to AAD, getting the token back and sending it on every request) – Tseng Jan 04 '19 at 11:39

1 Answer

You have implemented the Microsoft authentication AND the login process in the same application; this kind of solution produces a cookie for ASP.NET.

You probably want clients to authenticate, via OAuth, passing a Bearer Token.
In this case you must use a JwtBearer token authentication.

In this scenario your application DOES NOT provide a UI for the authentication (like the example); instead it ONLY validates/authenticates the token received.

Here are some references:

jwt auth in asp.net core
jwt validation
token authentication in ASP.NET
Authentication in ASP.NET Core JWT

Max
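The bearer-only setup the answer describes, written out as an added example (this is not the question's or the answer's code). It assumes ASP.NET Core 2.2 with the `Microsoft.AspNetCore.Authentication.JwtBearer` package, that the API is registered in a single tenant of the Microsoft identity platform, and that the tenant id and application (client) id come from the configuration keys `Authentication:Microsoft:TenantId` and `Authentication:Microsoft:ApplicationId`; the `api.read` scope name is a placeholder. There is no `AddIdentity`, no `AddDefaultUI` and no cookie scheme, so the `_LoginPartial` view from the question is never needed, and an unauthenticated request gets a 401 instead of a redirect to a login page.

```csharp
// Added example: bearer-only Startup for an ASP.NET Core 2.2 Web API.
// Assumes Microsoft.AspNetCore.Authentication.JwtBearer and these placeholder
// configuration keys: Authentication:Microsoft:TenantId and
// Authentication:Microsoft:ApplicationId. Not the question's or answer's code.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        var tenantId = _config["Authentication:Microsoft:TenantId"];      // placeholder
        var clientId = _config["Authentication:Microsoft:ApplicationId"]; // placeholder

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The handler downloads {Authority}/.well-known/openid-configuration and the
                // JWKS it references, so no signing key is hard-coded in the application.
                options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                options.Audience = clientId;          // token must be issued for THIS API
                options.RequireHttpsMetadata = true;  // never fetch metadata over plain HTTP

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,            // rejects tokens from other tenants
                    ValidateAudience = true,          // rejects tokens minted for other apps
                    ValidateLifetime = true,          // rejects expired / not-yet-valid tokens
                    ValidateIssuerSigningKey = true,  // rejects tokens signed by unknown keys
                    ClockSkew = TimeSpan.FromMinutes(2)
                };

                options.Events = new JwtBearerEvents
                {
                    // Signature, issuer, audience and lifetime already passed; additionally
                    // require the delegated scope this API exposes ("api.read" is assumed).
                    OnTokenValidated = ctx =>
                    {
                        var scopes = ctx.Principal.FindFirst("scp")?.Value.Split(' ')
                                     ?? Array.Empty<string>();
                        if (!scopes.Contains("api.read"))
                            ctx.Fail("token lacks the required scope");
                        return Task.CompletedTask;
                    },
                    // Log the failure class server-side only; the caller just sees 401.
                    OnAuthenticationFailed = ctx =>
                    {
                        Console.Error.WriteLine($"bearer token rejected: {ctx.Exception.GetType().Name}");
                        return Task.CompletedTask;
                    }
                };
            });

        // Deny by default: every action needs an authenticated bearer caller
        // unless it is explicitly marked [AllowAnonymous].
        var requireBearer = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .Build();
        services.AddAuthorization(o => o.DefaultPolicy = requireBearer);
        services.AddMvc(o => o.Filters.Add(new AuthorizeFilter(requireBearer)))
            .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseHttpsRedirection();
        app.UseAuthentication();   // must run before MVC so HttpContext.User is populated
        app.UseMvc();
    }
}

[ApiController]
[Route("api/[controller]")]
public class MeController : ControllerBase
{
    // GET /api/me echoes the validated identity; without a token the response is 401.
    [HttpGet]
    public ActionResult<object> Get() => new
    {
        subject = User.FindFirst("sub")?.Value,
        name = User.FindFirst("name")?.Value ?? User.FindFirst("preferred_username")?.Value,
        scopes = User.FindFirst("scp")?.Value
    };
}
```

The client is responsible for obtaining the access token through an OAuth 2.0 flow against Azure AD (for example with MSAL) and sends it on each call, e.g. `curl -H "Authorization: Bearer <access token>" https://localhost:5001/api/me`; a request with no token, a wrong audience or an expired token gets `401` with a `WWW-Authenticate: Bearer` header rather than a redirect. If you use `common` instead of a tenant id in `Authority`, the issuer advertised by the metadata document contains a `{tenantid}` placeholder and `ValidateIssuer` will fail by default, so you then have to supply `ValidIssuers` or an `IssuerValidator` in `TokenValidationParameters`.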
  • Thanks. Is there any way to make the actual token retrieval process happen "under the hood" or do clients need to contact the authorization server by themselves and get a token? Do you know any good .NET client library for getting tokens from Azure AD? I found some info on using services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme) – UmaN Jan 04 '19 at 13:50
  • Unfortunately no, clients need to retrieve the token themselves, then add it into the header or body. I suggest you read about OAuth2 to better understand the actors and the flow. – Max Jan 07 '19 at 09:36