0

I am using OpenID Connect to connect to Azure ID, I can successfully authenticate in Azure and get the request coming back to the redirect uri specified in OpenID Azure AD Configuration.

app.UseOpenIdConnectAuthentication( new OpenIdConnectAuthenticationOptions { AuthenticationType = " TEST", Caption = "Test Azure AD", SignInAsAuthenticationType = signInAsType, ClientId = "<client ID>", Authority = "https://sts.windows.net/<tenantId>", ResponseType = OpenIdConnectResponseTypes.CodeIdToken, RedirectUri = "https://localhost:44392/External/Login", This is another webapi project, not identityserver host. AuthenticationMode = AuthenticationMode.Passive, });

After succesful authentication it is redirecting back to https://localhost:44392/External/Login with Code, IdToken.

Questions :

  1. Does it not stop at AuthenticateExternalAsync method on redirection unlike google-signin ?

  2. Do i have to decode IdToken JWT to get user claims?

  3. In the redirection method, how do i generate Access Token from IdSrv3 to authorize other webapis ?

  4. Can a user have both Local Login and Multiple External logins ( Azure AD, Google etc ). In this case how does SSO works with IDsrv3 ?

  5. Is there any IdSrv3 sample with External logins implemented ? Preferably Azure AD ?

Venkata Dorisala
  • 4,783
  • 7
  • 49
  • 90

1 Answers1

1

I've just struggled through this process, so I'll attempt to answer as best I can to help you/others. Forgive me if I misunderstand your question.

  1. AuthenticateExternalAsync should be called, but you need to have AzureAd return to the IDS (Identity Server) rather than to your App. Your flow should look something like: app -> IDS -> AzureAd -> IDS (AuthenticateExternalAsync) -> App.

  2. In AuthenticateExternalAsync you get the ExternalAuthenticationContext.ExternalIdentity, which contains the claims - no need to decode the JWT token.

  3. IDS handles this once you return a successful AuthenticatedResult in AuthenticateExternalAsync, something like context.AuthenticateResult = new AuthenticateResult("UserId", name, claims);

  4. Yes. You can force the method of logging in as described for SSO purposes, otherwise I imagine IDS would handle it post first-login.

  5. I found this helpful (runs through setup of IDS and AzureAd), but it does use the old Azure Portal rather than the new one. They don't seem to have any samples in their gallery.

Hope that helps a bit :)

Community
  • 1
  • 1
Alex
  • 1,082
  • 3
  • 12
  • 23