
Update on External Identity Provider config for AAD B2C OpenID #6525


0
richardghubert created

Hi, could you provide me with an update to this:

https://forum.aspnetboilerplate.com/viewtopic.php?f=3&t=5140%20--%20https://stackoverflow.com/questions/48243612/asp-net-boilerplate-identityserver

I want to delegate the user sign-in flow to AAD B2C, i.e. to delegate identity management to Azure AD B2C by some AspNetZero-compatible means. Here's the appropriate tutorial from AAD B2C for this: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc

We are using the newest AspNetZero ASP.NET-Core-MVC, which is considerably different from the abp forum post above. In the doc, all I see is this:

https://docs.aspnetzero.com/documents/zero/latest/Development-Guide-Core#openid-connect-login

which I have done, as also described here:

https://tahirnaushad.com/2018/05/19/azure-ad-b2c-with-asp-net-core-2-0/

What is not yet clear to me:

  1. Do I have to add any redirect code myself to the AccountController.cs?
  2. After enabling OpenId in appsettings.json, what changes do I need to make to the IdentityServer config in that (or other) files?
  3. The Token Reply Url required in the Azure AAD B2C config should be what? I currently have https://localhost:62114/signin-oidc

Since I'm looking to delegate identity management to Azure AD B2C OpenId, the External Authentication Source described here (https://aspnetboilerplate.com/Pages/Documents/Zero/User-Management) does not appear to be the proper fit. I need to go via OpenId-Connect and, perhaps, in federation with the internal IdentityServer4?...

Thanks!


9 Answer(s)
  • 0
    ismcagdas created

    Hi @richardghubert

    The only thing you have to do is fill in the correct values for the OpenId configuration in appsettings.json. We are using Microsoft's OpenIdConnect package and it handles return URLs etc.

    ClientSecret parameter is not mandatory, you can leave it empty.

    "OpenId": {
      "IsEnabled": "false",
      "Authority": "",
      "ClientId": "",
      "ClientSecret": ""
    }
    
  • 0
    richardghubert created

    Thanks, ok. Will take a look again with only this single change and see why it wasn't working.

  • 0
    richardghubert created

    Getting back to this. The reply above and the default configuration in aspnetzero, it looks like, are for Azure AD. I'm wanting to use Azure AD B2C, which is somewhat different from AAD. Any tips/pointers appreciated.

    https://azure.microsoft.com/en-us/resources/samples/active-directory-b2c-dotnetcore-webapp/

    https://docs.microsoft.com/en-us/azure/active-directory-b2c/b2clogin

    I just want to use OpenIdConnect to Authenticate for starters.

  • 0
    ismcagdas created

    @richardghubert

    Have you tried setting the authority to your Azure AD B2C URL? I haven't tried it with Azure AD B2C, but according to this doc https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc they work similarly to each other.

  • 0
    rbohac created

    @richardghubert or @ismcagdas

    Quick question on this, were you able to get it to work? I think I was able to get it to work (though having issues with api management... but that is a different topic).

    I also have one additional question around this: if I were to remove the internal login completely and just use the external login with b2c... I know this would likely need some changes, especially with non-tenant users... Maybe a better question: do you know of any examples where someone has done that in abp and/or anz?

  • 0
    richardghubert created

    @rbohac Yes, it works via the OpenId-Connect approach, however, there is a caveat that I had to go to the .NET sources to figure out: the claims returned by AAD B2C do not have the name that is required by .NET-Core to complete the login. You must make the following change to your AuthConfigure.cs in order to map it to the actual claim required by .NET for the login (https://github.com/aspnet/Identity/blob/rel/2.0.0/src/Microsoft.AspNetCore.Identity/SignInManager.cs ). We use the AspNetZero users management after logging in since modifying that is not feasible.

    ```csharp
    // Only wire up OpenIdConnect when it is enabled in appsettings.json
    if (bool.Parse(configuration["Authentication:OpenId:IsEnabled"]))
    {
        authenticationBuilder.AddOpenIdConnect(options =>
        {
            options.ClientId = configuration["Authentication:OpenId:ClientId"];
            options.Authority = configuration["Authentication:OpenId:Authority"];
            options.SignedOutRedirectUri = configuration["App:WebSiteRootAddress"] + "Account/Logout";
            // Implicit id_token flow: no authorization code / token endpoint round-trip
            options.ResponseType = OpenIdConnectResponseType.IdToken;

            // B2C discovery document is policy-specific, so the policy name (p=...) is part of the address
            options.MetadataAddress =
                "https://xxxxx.b2clogin.com/xxxxxTest.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_xxxxSignInPolicy";

            options.GetClaimsFromUserInfoEndpoint = true;
            options.ClaimActions.MapAll();

            // ClientSecret is optional for this flow; only set it when configured
            var clientSecret = configuration["Authentication:OpenId:ClientSecret"];
            if (!clientSecret.IsNullOrEmpty())
            {
                options.ClientSecret = clientSecret;
            }

            options.Events = new OpenIdConnectEvents()
            {
                OnTokenValidated = (context) =>
                {
                    // B2C returns the sign-in email in the "emails" claim, but SignInManager
                    // looks for ClaimTypes.NameIdentifier, so copy it over.
                    var email = context.Principal.FindFirstValue("emails"); // initial test: emails => first email when there are multiple
                    ClaimsIdentity claimsId = context.Principal.Identity as ClaimsIdentity;
                    claimsId?.AddClaim(new Claim(ClaimTypes.NameIdentifier, $@"{email}"));

                    return Task.FromResult(0);
                }
            };
        });
    }
    ```
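    An added example, not code from this thread or from AspNetZero, of the same wiring with the B2C tenant and policy name read from configuration instead of a hard-coded metadata URL (the keys Authentication:OpenId:Tenant and Authentication:OpenId:Policy are assumed), and with the sign-in failed when the "emails" claim is missing rather than adding an empty NameIdentifier, which is what the snippet above would do for a token without that claim:

    ```csharp
    // Added example; assumes the config keys Authentication:OpenId:Tenant and
    // Authentication:OpenId:Policy exist alongside the AspNetZero OpenId settings.
    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.IdentityModel.Protocols.OpenIdConnect;

    public static class AzureAdB2COpenIdConfigurer
    {
        public static void AddAzureAdB2C(AuthenticationBuilder builder, IConfiguration configuration)
        {
            var tenant = configuration["Authentication:OpenId:Tenant"]; // e.g. "contoso" (assumed key)
            var policy = configuration["Authentication:OpenId:Policy"]; // e.g. "B2C_1_SignIn" (assumed key)

            builder.AddOpenIdConnect(options =>
            {
                options.ClientId = configuration["Authentication:OpenId:ClientId"];
                options.ResponseType = OpenIdConnectResponseType.IdToken;
                options.SignedOutRedirectUri = configuration["App:WebSiteRootAddress"] + "Account/Logout";

                // The B2C discovery document is per policy, so the policy travels in the metadata address.
                options.MetadataAddress =
                    $"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={policy}";

                options.Events = new OpenIdConnectEvents
                {
                    OnTokenValidated = context =>
                    {
                        // B2C carries the sign-in email in "emails"; SignInManager wants NameIdentifier.
                        var email = context.Principal.FindFirst("emails")?.Value;
                        if (string.IsNullOrWhiteSpace(email))
                        {
                            // Reject the sign-in instead of creating a principal with an empty identifier.
                            context.Fail("Azure AD B2C id_token did not contain an 'emails' claim.");
                            return Task.CompletedTask;
                        }

                        if (context.Principal.Identity is ClaimsIdentity identity
                            && identity.FindFirst(ClaimTypes.NameIdentifier) == null)
                        {
                            identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, email));
                        }
                        return Task.CompletedTask;
                    }
                };
            });
        }
    }
    ```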
    
  • 0
    rbohac created

    @richardghubert - Awesome, and thanks for the response. I got sidetracked by another task, so it might be a few days before I have a chance to go back to this. Glad to hear you got it working, and I also appreciate the info about the claims issue, as I'm pretty sure that is the issue I'm having currently. Will let you know how it goes. One other question I do have, though: are you first logging in through ANZ and, from there, choosing to go through the external open id connect? I was able to get that to work when using the AAD (the issue I'm having was in b2c, but I think the claim issue you specified will likely resolve that one).

    Anyways, thanks again for the info!

  • 0
    richardghubert created

    Yes, works like a charm with this adaptation to the .NET-core internals. You can just bypass (or re-implement) the ANZ login view to go directly to OpenId-Connect, where the user logs in directly to AAD B2C. The rest in the background then happens as always with OpenId-Connect.

  • 0
    rbohac created

    Finally got back to this... one quick question, though: were you able to get this to work if they start at the b2c end point and are then redirected after logging in to the ANZ? I only ask this as I'm failing pretty hard on getting that part to work. That said, if I start at ANZ and then choose the external login and go to the b2c, then I can get it to work. I might be missing something obvious on this?

    ps: I apologize for having to ask this again. I spent a decent amount of time trying to get this to work... as I'd assume it shouldn't matter as it still ends up hitting the signin-oidc

    pps: I think you were able to get it to work starting at the b2c point... but just want to make sure in case I'm wasting my time