active-directory-dotnet-webapp-openidconnect | NET MVC web application that uses OpenID Connect | Azure library
kandi X-RAY | active-directory-dotnet-webapp-openidconnect Summary
A .NET MVC web application that uses OpenID Connect to sign-in users from a single Azure Active Directory tenant.
Community Discussions
Trending Discussions on active-directory-dotnet-webapp-openidconnect
QUESTION
I am trying to change the default access denied path when authorization is denied when using Azure AD.
For example, when working with Microsoft's example of "Integrating Azure AD into an ASP.NET Core web app" seen here: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/
The article references an example project on GitHub, see here: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore.
I am having difficulties configuring the options inside Startup.cs to change the default controller/method for access denied (which is "Account/AccessDenied").
Can someone please help provide the required changes to the github sample project above so that an unauthorized user is taken to a different path when they are denied authorization other than the default "Account/AccessDenied"?
UPDATE: I added what @Brad suggested in the startup prior (and again now) in my project, but it didn't change, and I'm still being directed to "Account/AccessDenied"... can you think of any other setting that might govern this?
For my project (the automatically created ASP.NET Core Web Application - Web Application (Model-View-Controller) using Work or School Accounts Authentication in Visual Studio 2017), which is different than the example project, I am referencing the NuGet package "Microsoft.AspNetCore.Authentication.AzureAD.UI" and setting up my AzureAD in the following way (please note using .AddAzureAD and not .AddAzureAd):
...
ANSWER
Answered 2018-Aug-14 at 04:13
This is configured in the cookie authentication options.
QUESTION
I have an ASPNET Core 2 application which I am trying to Authenticate with Azure AD using OpenId. I just have boilerplate code from selecting Single Organization Authentication in the ASPNET Core 2 templates, so no custom code. I followed the article here.
The app is not able to get metadata from the Azure AD application because of proxy. The same URL returns data if I just paste it in browser.
The error I get is:
HttpRequestException: Response status code does not indicate success: 407 (Proxy Authentication Required).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
IOException: IDX10804: Unable to retrieve document from: 'https://login.microsoftonline.com/my-tenant-id/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever+d__8.MoveNext()
I have another ASPNET 4.5.2 application where I am able to perform authentication with the same Azure AD app as above after setting proxy in code like below:
...
ANSWER
Answered 2018-Apr-03 at 05:32
In the full .NET Framework, setting up a proxy uses a config setting entry, but to use an HTTP proxy in .NET Core, you have to implement the IWebProxy interface.
Microsoft.AspNetCore.Proxy is proxy middleware which serves a different purpose (to set up a reverse proxy), not as an HTTP proxy. Refer to this article for more details.
To implement a webproxy in .net core,
QUESTION
I am adding Azure AD Authentication to an ASP.NET Core application. The Application is registered in Azure AD and has custom roles setup in the manifest. These roles are used for Authorization policies within the app. Everything is working when users log in, they get redirected to sign in to Azure and come back with a Cookie containing their Claims.
My issue is that unless the Cookie is deleted in the browser, these Claims persist and aren't refreshed when Roles in Azure change. For example if a User signs in, then I remove them from a Role, they will still be seen as in that Role by the application.
I tried setting a 1 minute expiration to the Cookie, but it doesn't have an impact and I still have the same issue. Here is how the auth is configured in Startup. (AddAzureAd() comes from this example: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/blob/master/Extensions/AzureAdAuthenticationBuilderExtensions.cs):
ANSWER
Answered 2019-Oct-04 at 08:11
But why does ExpireTimeSpan not do anything and accept Cookies older than 1 minute?
An absolute expiration time can be set with ExpiresUtc. To create a persistent cookie, IsPersistent must also be set. Otherwise, the cookie is created with a session-based lifetime and could expire either before or after the authentication ticket that it holds. When ExpiresUtc is set, it overrides the value of the ExpireTimeSpan option.
QUESTION
I was able to get this example working https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/
My question is how to do something additional after authentication. For example, on a typical Login page, in the POST after validating, I could set a log record for the user or set additional cookies.
With Azure AD integration I'm not sure where to put such code that should be executed only once the user has been authenticated. The reply URL (call back path) does not work for this purpose (I tried putting my custom page here and it really didn't get executed. Apparently the middle-ware creates a special route for that end point so that it can process the login token data)
Any help is appreciated!
...
ANSWER
Answered 2019-Apr-12 at 03:20
There are some OpenIdConnectEvents which could be used to enable developer control over the authentication process.
For example, OnAuthorizationCodeReceived is invoked after security token validation if an authorization code is present in the protocol message. The event could be used to get an access token for accessing an API using the authorization code using ADAL/MSAL in Code/Hybrid Flow:
QUESTION
I have completed the guide here to add Azure AD authentication to my application:
and can log in successfully, have a service principal and everything works as expected.
I now want to make web requests as the user, but can't see how to get the authentication details to send in the request. I've tried looking through the ClaimsPrincipal.Current object, but there is nothing I can pass to an HTTP client to make the request.
ANSWER
Answered 2019-Mar-28 at 03:41
The sample web app you referred to only signs the user in, but you need to get the access token on behalf of that user to access the API.
You can refer to this sample. This sample calls another webapi, you can ignore that part, just change the resource to https://management.core.windows.net/
QUESTION
I have tried the Azure AD authentication in an ASP.NET web form application from a solution I got from Microsoft docs, but it is not working. The app does not redirect to the Microsoft authorize login page. The error which I got is a 401 unauthorized error. I don't know how it is throwing.
https://azure.microsoft.com/en-in/resources/samples/active-directory-dotnet-webapp-openidconnect/
This is the link which I referred to.
This is my startup.cs
...
ANSWER
Answered 2019-Mar-05 at 08:01
You can follow the below code sample I have posted on GitHub.
Here is something you need to set up in your Azure AD:
1) Create an app registration and add a reply URL similar to your web app. In this example my reply URL is http://localhost:2997/.
2) Add a permission to use Windows Azure Active Directory.
3) Grant permission for this app to use Active directory.
Your Application is good to start using Azure AD for authentication.
Download the code and change the client ID in the web.config solution as per your application, and you can proceed with the authentication.
Here is the code for Startup.Auth
QUESTION
I am trying to find the access token from AAD after user is authenticated from OpenId Connect. It is a web application integrated with AAD OpenId Connect. I need to get the access token to call another API that uses the same AAD. Here's what I've tried:
- Clone this sample code.
In Startup.cs file, add the following block of code:
...
ANSWER
Answered 2019-Feb-21 at 07:21
You need to set SaveTokens to true in OpenID Connect configuration:
- Clone that code sample
- Keep the Startup.cs, you don't need to add the .AddOpenIdConnect part, the AddAzureAd extension method would help add Azure Active Directory Authentication to your application.
- Modify the AzureAdAuthenticationBuilderExtensions.cs in the Extensions folder:
QUESTION
I have registered an application using the App Registration (Preview) blade and added the Azure Service Management API as API Permissions. I downloaded the MSAL based sample from
https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2
Now in startup.auth.cs, if I change the Scope, i.e. keep openid and add https://management.azure.com, and then run and try to log in with a Microsoft Account, I get the following error:
This Doesn't Look like a Work or School Email you cant Sign-in here with Personal Account use your work or School Account Instead.
If I remove the Scope for https://management.azure.com and just keep openid profile offline_access, I get the consent screen and login.
new OpenIdConnectAuthenticationOptions
{
    // The Authority represents the v2.0 endpoint - https://login.microsoftonline.com/common/v2.0
    // The Scope describes the initial permissions that your app will need. See https://azure.microsoft.com/documentation/articles/active-directory-v2-scopes/
    ClientId = clientId,
    Authority = String.Format(CultureInfo.InvariantCulture, aadInstance, "common", "/v2.0"),
    RedirectUri = redirectUri,
    Scope = "openid https://management.azure.com/.default",
    PostLogoutRedirectUri = redirectUri,
I am expecting to have the user log in and obtain a token for the management API. I am looking for reasons for getting the above error; is this expected? The account that I am using exists in my directory as a Member. This works if I use a managed user (user@tenant.onmicrosoft.com) to log in.
...
ANSWER
Answered 2019-Feb-11 at 09:12
Since personal MS accounts cannot be used to manage Azure subscriptions unless they are added to an Azure AD, you should use the organizations endpoint instead of common.
In v1 "common" meant any AAD tenant. In v2 "common" means any AAD tenant + any personal MS account. If you wanted only personal accounts, you can use "consumers".
You can use "organizations" to allow any AAD tenant but disallow MS accounts. Of course a user can just edit the URL and login with a personal MS account anyway, so you'll want to check the tenant id of the logged in user.
The tenant id for MS accounts is always 9188040d-6c67-4c5b-b112-36a304b66dad, per the docs: https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens#payload-claims.
So check the idp claim.
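The server-side tenant check that the answer above recommends, as an added example that is not part of the original answer or of the Azure sample. It reads the tenant id (tid) claim from the validated principal and fails closed; the TenantGate class, the allowedTenants allow-list and the placeholder GUIDs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class TenantGate
{
    // Tenant id of personal Microsoft accounts, as quoted in the answer above.
    public const string MsaTenantId = "9188040d-6c67-4c5b-b112-36a304b66dad";

    // Raw JWT claim name, and the URI that .NET's default inbound claim mapping gives it.
    private static readonly string[] TenantClaimTypes =
    {
        "tid",
        "http://schemas.microsoft.com/identity/claims/tenantid"
    };

    // allowedTenants: hypothetical allow-list; empty means "any organizational tenant".
    public static bool IsAllowed(ClaimsPrincipal user, ISet<string> allowedTenants)
    {
        string tid = null;
        foreach (var type in TenantClaimTypes)
        {
            tid = user.FindFirst(type)?.Value;
            if (!string.IsNullOrEmpty(tid)) break;
        }
        if (string.IsNullOrEmpty(tid)) return false;            // no tenant claim: fail closed
        if (string.Equals(tid, MsaTenantId, StringComparison.OrdinalIgnoreCase))
            return false;                                        // personal Microsoft account
        return allowedTenants.Count == 0 || allowedTenants.Contains(tid);
    }

    // Builds a constructed principal carrying a single tenant claim.
    private static ClaimsPrincipal Sample(string claimType, string tenantId) =>
        new ClaimsPrincipal(new ClaimsIdentity(new[] { new Claim(claimType, tenantId) }, "constructed"));

    public static void Main()
    {
        // Constructed data: the GUIDs ending in 0001/0002 are placeholders, not real tenants.
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            { "00000000-0000-0000-0000-000000000001" };
        Console.WriteLine(IsAllowed(Sample("tid", "00000000-0000-0000-0000-000000000001"), allowed));
        Console.WriteLine(IsAllowed(Sample(TenantClaimTypes[1], MsaTenantId), allowed));
        Console.WriteLine(IsAllowed(Sample("tid", "00000000-0000-0000-0000-000000000002"), allowed));
        Console.WriteLine(IsAllowed(new ClaimsPrincipal(new ClaimsIdentity()), allowed));
    }
}
```

Call it from the OpenID Connect middleware's token-validated event (SecurityTokenValidated in the OWIN notifications, OnTokenValidated in ASP.NET Core) and fail the sign-in when it returns false, so the decision does not depend on which authority URL the browser was sent to.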
QUESTION
I created an Azure Active Directory Application and applied the code from the following tutorial to enable login: https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/
After login the following returns my email adress:
...
ANSWER
Answered 2017-May-12 at 18:37
Found it:
QUESTION
I've setup a .NET Core 2.0 webapp with Azure AD using OpenIdConnect (like this one: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore, all the OpenIDConnect configuration is located here).
I have the following scenario:
- call of http://localhost/my-api-function
- redirection to microsoftonline.com
- choose a Microsoft account I haven't already logged in to this app
- enter password
- accept the requested authorizations (the API app registration grants Graph API access to user profile). See the attached screenshot.
I get redirected to http://localhost/signin-oidc with the following error:
OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.
I think I may have an incorrect redirection after login. I expect to be redirected to http://localhost/my-api-function rather than http://localhost/signin-oidc
I have another working scenario:
- call of http://localhost/my-api-function
- redirection to microsoftonline.com
- choose a Microsoft account I have already logged in to this app then logged out
- enter password
- not prompted again to accept the requested authorizations (the API app registration grants Graph API access to user profile).
- I get redirected to http://localhost/my-api-function as expected and get my protected data.
In Azure AD, I've configured the following reply-url: http://localhost/signin-oidc and granted both "Windows Azure Active Directory" and "Microsoft Graph" APIs to "sign in and read user profile".
Thanks for any pointers.
Edit of 08/22: I understood that redirection seems to redirect to previous url in authentication flow so posted to MS Forums with this more specific indication to look for a solution.
...
ANSWER
Answered 2018-Sep-04 at 09:06
The solution was to grant permissions by clicking a button located above the permissions lists.
More details here
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported