-
Notifications
You must be signed in to change notification settings - Fork 985
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Phase 1.5 (B2C) in the tutorial #116
Merged
Merged
Changes from all commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
2a8d45c
Added B2C basic login functionality
6bc3f2b
- Added comments
08520ef
Fixed README
333db10
Addressing PR suggestion
38d0101
Minor edits and fixes
78c5bb7
Added a few missing items
ece232b
IOptions configuration missing
f58b613
Removed custom AuthController and manual B2C Auth setup.
f119107
Updated README
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,145 @@ | ||
--- | ||
services: active-directory | ||
platforms: dotnet | ||
author: TiagoBrenck | ||
level: 100 | ||
client: ASP.NET Core Web App | ||
endpoint: AAD v2.0 | ||
--- | ||
# An ASP.NET Core Web app signing-in users with the Microsoft identity platform in Azure AD B2C | ||
|
||
[![Build status](https://identitydivision.visualstudio.com/IDDP/_apis/build/status/AAD%20Samples/.NET%20client%20samples/ASP.NET%20Core%20Web%20App%20tutorial)](https://identitydivision.visualstudio.com/IDDP/_build/latest?definitionId=819) | ||
|
||
## Scenario | ||
|
||
This sample shows how to build a .NET Core 2.2 MVC Web app that uses OpenID Connect to sign in users in **Azure AD B2C**. It assumes you have some familiarity with **Azure AD B2C**. If you'd like to learn all that B2C has to offer, start with our documentation at https://aka.ms/aadb2c. | ||
|
||
![Sign in with Azure AD](ReadmeFiles/sign-in.png) | ||
|
||
## How to run this sample | ||
|
||
To run this sample: | ||
|
||
> Pre-requisites: Install .NET Core 2.2 or later (for example for Windows) by following the instructions at [.NET and C# - Get Started in 10 Minutes](https://www.microsoft.com/net/core). In addition to developing on Windows, you can develop on [Linux](https://www.microsoft.com/net/core#linuxredhat), [Mac](https://www.microsoft.com/net/core#macos), or [Docker](https://www.microsoft.com/net/core#dockercmd). | ||
|
||
### Step 1: Clone or download this repository | ||
|
||
From your shell or command line: | ||
|
||
```powershell | ||
git clone https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2.git | ||
``` | ||
|
||
> Given that the name of the sample is very long, and so are the names of the referenced NuGet packages, you might want to clone it in a folder close to the root of your hard drive, to avoid file size limitations on Windows. | ||
|
||
Navigate to the `"1-5-B2C"` folder | ||
|
||
```Sh | ||
cd "1-5-B2C" | ||
``` | ||
|
||
### Step 2: Get your own Azure AD B2C tenant | ||
|
||
If you don't have an Azure AD B2C tenant yet, you'll need to create an Azure AD B2C tenant by following the [Tutorial: Create an Azure Active Directory B2C tenant](https://azure.microsoft.com/documentation/articles/active-directory-b2c-get-started). | ||
|
||
### Step 3: Create your own user flow (policy) | ||
|
||
This sample uses a unified sign-up/sign-in user flow (policy). Create this policy by following [these instructions on creating an AAD B2C tenant](https://azure.microsoft.com/documentation/articles/active-directory-b2c-reference-policies). You may choose to include as many or as few identity providers as you wish, but make sure **DisplayName** is checked in `User attributes` and `Application claims`. | ||
|
||
If you already have an existing unified sign-up/sign-in user flow (policy) in your Azure AD B2C tenant, feel free to re-use it. The is no need to create a new one just for this sample. | ||
|
||
Copy this policy name, so you can use it in step 5. | ||
|
||
### Step 4: Create your own Web app | ||
|
||
Now you need to [register your web app in your B2C tenant](https://docs.microsoft.com/azure/active-directory-b2c/active-directory-b2c-app-registration#register-a-web-application), so that it has its own Application ID. | ||
|
||
Your web application registration should include the following information: | ||
|
||
- Enable the **Web App/Web API** setting for your application. | ||
- Set the **Reply URL** to `https://localhost:44321/signin/B2C_1_sign_up_in` and `https://localhost:44321/signout/B2C_1_sign_up_in`. | ||
- Copy the Application ID generated for your application, so you can use it in the next step. | ||
|
||
### Step 5: Configure the sample with your app coordinates | ||
|
||
1. Open the solution in Visual Studio. | ||
1. Open the `appsettings.json` file. | ||
1. Find the assignment for `Instance` and replace the value with your tenant name. For example, `https://fabrikam.b2clogin.com` | ||
1. Find the assignment for `Domain` and replace the value with your Azure AD B2C domain name. For example, `https://fabrikam.onmicrosoft.com` | ||
1. Find the assignment for `ClientID` and replace the value with the Application ID from Step 4. | ||
1. Find the assignment for `SignUpSignInPolicyId` and replace with the name of the `Sign up and sign in` policy you created in Step 3. | ||
|
||
```json | ||
{ | ||
"AzureAdB2C": { | ||
"Instance": "https://<your-tenant-name>.b2clogin.com", | ||
"ClientId": "<web-app-application-id>", | ||
"Domain": "<your-b2c-domain>", | ||
"CallbackPath": "/signin/B2C_1_sign_up_in", | ||
"SignedOutCallbackPath": "/signout/B2C_1_sign_up_in", | ||
"SignUpSignInPolicyId": "<your-sign-up-in-policy>" | ||
} | ||
} | ||
``` | ||
|
||
### Step 5: Run the sample | ||
|
||
1. Build the solution and run it. | ||
1. Open your web browser and make a request to the app. Accept the IIS Express SSL certificate if needed. Click on **SignIn/Up** button. | ||
1. If you don't have an account registered on the **Azure AD B2C** used in this sample, follow the sign up process. Otherwise, input the email and password for your account and click on **Sign in**. | ||
|
||
## Troubleshooting | ||
|
||
### known issue on iOS 12 | ||
|
||
ASP.NET core applications create session cookies that represent the identity of the caller. Some Safari users using iOS 12 had issues which are described in [ASP.NET Core #4467](https://github.com/aspnet/AspNetCore/issues/4647) and the Web kit bugs database [Bug 188165 - iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication](https://bugs.webkit.org/show_bug.cgi?id=188165). | ||
|
||
If your web site needs to be accessed from users using iOS 12, you probably want to disable the SameSite protection, but also ensure that state changes are protected with CSRF anti-forgery mechanism. See the how to fix section of [Microsoft Security Advisory: iOS12 breaks social, WSFed and OIDC logins #4647](https://github.com/aspnet/AspNetCore/issues/4647) | ||
|
||
> Did the sample not work for you as expected? Did you encounter issues trying this sample? Then please reach out to us using the [GitHub Issues](../../../../issues) page. | ||
|
||
## About The code | ||
|
||
The `AccountController.cs` used in this sample is part of the built-in .NET Core authentication controllers found in the NuGet package `Microsoft.AspNetCore.Authentication.AzureADB2C.UI`, and you can find its implementation [here](https://github.com/aspnet/AspNetCore/blob/master/src/Azure/AzureAD/Authentication.AzureADB2C.UI/src/Areas/AzureADB2C/Controllers/AccountController.cs). If you want to customize the **Sign-in**, **Sign-up** or **Sign-out** actions, you are encouraged to create your own controller. | ||
|
||
This sample shows how to use the OpenID Connect ASP.NET Core middleware to sign in users from a single Azure AD B2C tenant. The middleware is initialized in the `Startup.cs` file by passing the default authentication scheme and `AzureADB2COptions.cs` options. The options are read from the `appsettings.json` file. The middleware takes care of: | ||
|
||
- Requesting OpenID Connect sign-in using the policy from the `appsettings.json` file. | ||
- Processing OpenID Connect sign-in responses by validating the signature and issuer in an incoming JWT, extracting the user's claims, and putting the claims in `ClaimsPrincipal.Current`. | ||
- Integrating with the session cookie ASP.NET Core middleware to establish a session for the user. | ||
|
||
You can trigger the middleware to send an OpenID Connect sign-in request by decorating a class or method with the `[Authorize]` attribute or by issuing a challenge (see the [AccountController.cs](https://github.com/aspnet/AspNetCore/blob/master/src/Azure/AzureAD/Authentication.AzureADB2C.UI/src/Areas/AzureADB2C/Controllers/AccountController.cs) file which is part of ASP.NET Core). | ||
|
||
Here is the middleware example: | ||
|
||
```csharp | ||
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme) | ||
.AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options)); | ||
``` | ||
|
||
Important things to notice: | ||
|
||
- The method `AddAzureADB2C` will configure the authentication based on the `AzureADB2COptions.cs` options. Feel free to bind more properties on ``AzureAdB2C`` section on ``appsettings.json`` if you need to set more options. | ||
- The urls you set for `CallbackPath` and `SignedOutCallbackPath` should be registered on the **Reply Urls** of your application, in [Azure Portal](https://portal.azure.com). | ||
|
||
## Next steps | ||
|
||
Learn how to: | ||
|
||
- Enable your [Web App to call a Web API on behalf of the signed-in user](../../2-WebApp-graph-user) | ||
|
||
## Learn more | ||
|
||
To understand more about Azure AD B2C see: | ||
|
||
- [Azure AD B2C documentation](https://docs.microsoft.com/en-us/azure/active-directory-b2c/) | ||
- [Azure AD B2C sign-in/sign-up user flow](https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies) | ||
|
||
To understand more about token validation, see: | ||
|
||
- [Validating tokens](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/ValidatingTokens) | ||
|
||
To understand more about app registration, see: | ||
|
||
- [Quickstart: Register an application with the Microsoft identity platform (Preview)](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app) | ||
- [Quickstart: Configure a client application to access web APIs (Preview)](https://docs.microsoft.com/azure/active-directory/develop/quickstart-configure-app-access-web-apis) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
@using System.Security.Claims | ||
|
||
@{ | ||
ViewData["Title"] = "Claims"; | ||
} | ||
<h2>@ViewData["Title"].</h2> | ||
|
||
<table class="table-hover table-condensed table-striped"> | ||
<tr> | ||
<th>Claim Type</th> | ||
<th>Claim Value</th> | ||
</tr> | ||
|
||
@foreach (Claim claim in User.Claims) | ||
{ | ||
<tr> | ||
<td>@claim.Type</td> | ||
<td>@claim.Value</td> | ||
</tr> | ||
} | ||
</table> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,14 +1,22 @@ | ||
@using System.Security.Principal | ||
@if (User.Identity.IsAuthenticated) | ||
{ | ||
<ul class="nav navbar-nav navbar-right"> | ||
<li class="navbar-text">Hello @User.Identity.Name!</li> | ||
<li><a asp-area="AzureAD" asp-controller="Account" asp-action="SignOut">Sign out</a></li> | ||
</ul> | ||
<ul class="nav navbar-nav navbar-right"> | ||
<li class="navbar-text">Hello @User.Identity.Name</li> | ||
<li class="navbar-btn"> | ||
<form method="get" asp-area="AzureADB2C" asp-controller="Account" asp-action="SignOut"> | ||
<button type="submit" class="btn btn-primary">Sign Out</button> | ||
</form> | ||
</li> | ||
</ul> | ||
} | ||
else | ||
{ | ||
<ul class="nav navbar-nav navbar-right"> | ||
<li><a asp-area="AzureAD" asp-controller="Account" asp-action="SignIn">Sign in</a></li> | ||
</ul> | ||
<ul class="nav navbar-nav navbar-right"> | ||
<li class="navbar-btn"> | ||
<form method="get" asp-area="AzureADB2C" asp-controller="Account" asp-action="SignIn"> | ||
<button type="submit" class="btn btn-primary">Sign In/Up</button> | ||
</form> | ||
</li> | ||
</ul> | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,16 @@ | ||
{ | ||
"AzureAd": { | ||
"Instance": "https://login.microsoftonline.com/", | ||
"Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]", | ||
"TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]", | ||
"ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]", | ||
"CallbackPath": "/signin-oidc", | ||
"SignedOutCallbackPath ": "/signout-callback-oidc" | ||
}, | ||
"Logging": { | ||
"LogLevel": { | ||
"Default": "Warning" | ||
} | ||
}, | ||
"AllowedHosts": "*", | ||
"AzureAdB2C": { | ||
"Instance": "https://<your-tenant-name>.b2clogin.com", | ||
"ClientId": "<web-app-application-id>", | ||
"Domain": "<your-b2c-domain>", | ||
"CallbackPath": "/signin/B2C_1_sign_up_in", | ||
"SignedOutCallbackPath": "/signout/B2C_1_sign_up_in", | ||
"SignUpSignInPolicyId": "<your-sign-up-in-policy>" | ||
}, | ||
"Logging": { | ||
"LogLevel": { | ||
"Default": "Warning" | ||
} | ||
}, | ||
"AllowedHosts": "*" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs updating, should show Azure AD B2C instead of Azure AD