Hi Chris, I have the feeling that your issue now lies in the claims that you are defining on the AAD B2C side: in my examples above, it looks for specific claims, e.g. email, and if it doesn't find the things it needs, then you will be redirected back to try again. You most certaintly do not have to use email as your username claim. You can use any claim if you change the line in my code to pull that one out. Do not rely on the default claims expected by .NET (see above) since these are not present in the AAD B2C claim set. You'll need to work through this with AAD B2C portal ... that takes a little time at the start to figure out initially. Note that Azure AD and Azure AAD B2C work differently. E.g. B2C does not yet have the GraphAPI, but it B2C is low-cost, AAD is not...
R
Hi,
using System; using System.Collections.Generic; using System.Linq; using System.Security.Claims; using System.Text; using System.Threading.Tasks; using Microsoft.Extensions.Configuration; using Microsoft.IdentityModel.Protocols.OpenIdConnect; using Abp.Extensions; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.AspNetCore.Builder; using Microsoft.Extensions.DependencyInjection; using Microsoft.IdentityModel.Tokens;
namespace ptw.de.AspNetZero.Web.Startup { public static class AuthConfigurer { public static void Configure(IServiceCollection services, IConfiguration configuration) { var authenticationBuilder = services.AddAuthentication();
if (bool.Parse(configuration["Authentication:OpenId:IsEnabled"]))
{
authenticationBuilder.AddOpenIdConnect(options =>
{
options.ClientId = configuration["Authentication:OpenId:ClientId"];
options.Authority = configuration["Authentication:OpenId:Authority"];
options.SignedOutRedirectUri = configuration["App:WebSiteRootAddress"] + "Account/Logout";
options.ResponseType = OpenIdConnectResponseType.IdToken;
//rht:
//options.RequireHttpsMetadata = false;
//rht:++
options.MetadataAddress =
"https://xxxxxx.b2clogin.com/xxxx.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_XXXSignInPolicy";
Hi, this in appsettings.json works (in conjunction with my post above):
"OpenId": { "IsEnabled": "true", "Authority": "https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/oauth2/v2.0/authorize", "ClientId": "xxxe511-f4b2-47sa-a3d3-79dedb4xxxx", "ValidateAudience": false }
Yes, works like a charm with this adaptation to the .NET-core internals. You can just bypass (or re-implement) the ANZ login view to go directly to the OpenId-Connect where the user logs in directly to AAD B2C. The REST in the background happens then as always with OpenId-Connect.
@rbohac Yes, it works via the OpenId-Connect approach, however, there is a caveat that I had to go to the .NET sources to figure out: the claims returned by AAD B2C do not have the name that is required by .NET-Core to complete the login. You must make the following change to your AuthConfigure.cs in order to map it to the actual claim required by .NET for the login (https://github.com/aspnet/Identity/blob/rel/2.0.0/src/Microsoft.AspNetCore.Identity/SignInManager.cs ). We use the AspNetZero users management after logging in since modifying that is not feasible.
`if (bool.Parse(configuration["Authentication:OpenId:IsEnabled"])) { authenticationBuilder.AddOpenIdConnect(options => { options.ClientId = configuration["Authentication:OpenId:ClientId"]; options.Authority = configuration["Authentication:OpenId:Authority"]; options.SignedOutRedirectUri = configuration["App:WebSiteRootAddress"] + "Account/Logout"; options.ResponseType = OpenIdConnectResponseType.IdToken;
options.MetadataAddress =
"https://xxxxx.b2clogin.com/xxxxxTest.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_xxxxSignInPolicy";
options.GetClaimsFromUserInfoEndpoint = true;
options.ClaimActions.MapAll();
var clientSecret = configuration["Authentication:OpenId:ClientSecret"];
if (!clientSecret.IsNullOrEmpty())
{
options.ClientSecret = clientSecret;
}
options.Events = new OpenIdConnectEvents()
{
OnTokenValidated = (context) =>
{
var email = context.Principal.FindFirstValue("emails"); //initial test:emails => email first when multiple emails
ClaimsIdentity claimsId = context.Principal.Identity as ClaimsIdentity;
claimsId?.AddClaim(new Claim(ClaimTypes.NameIdentifier, $@"{email}"));
return Task.FromResult(0);
}
};
});
}`
@bbakermmc All the frameworks you mention are good, so it comes down to some smaller differences. We used and looked at them as well as others and chose the trade-off-set provided by Syncfusion to be the best for our use cases. Some specific controls and graphic features were more important to us than others, e.g. theme management. We also had soft factors to consider like user support, breadth of platform, future support for Blazor.net.
On the practical side, we first replaced the entire AspNetZero navigation and master layout UX with it and had no major problems doing that. Works fine. The rest ist just "standard" use of the Syncfusion components.
Thanks, the .NET Core 3 support is important for diverse reasons, of course. Better docker-support being one of the "killer" reasons. We use AspNetZero with .NET-Core MVC JQuery (+ Syncfusion front) and also deploy into Docker. Can't wait for this:
https://devblogs.microsoft.com/dotnet/using-net-and-docker-together-dockercon-2019-update/
Getting back to this. The reply above and the default configuration in aspnetzero -- looks like -- is for Azure AD. I'm wanting to use Azure AD B2C which is somewhat different from AAD. Any tips/pointers appreciated.
https://azure.microsoft.com/en-us/resources/samples/active-directory-b2c-dotnetcore-webapp/
https://docs.microsoft.com/en-us/azure/active-directory-b2c/b2clogin
I just want to use OpenIdConnect to Authenticate for starters.
Thanks, ok. Will take a look again with only this single change and see why it wasn't working.
Hi, could you provide me with an update to this:
https://forum.aspnetboilerplate.com/viewtopic.php?f=3&t=5140%20--%20https://stackoverflow.com/questions/48243612/asp-net-boilerplate-identityserver
I want to delegate the user sign-in flow to AAD B2C, i.e. to delegate identity management to Azure AD B2C by some AspNetZero-compatible means. Heres the appropriate tutorial from AAD B2C for this: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oidc
We are using the newest AppNetZero ASP.NET-Core-MVC which is considerably different than the abp forum post above. In the doc, all I see is this:
https://docs.aspnetzero.com/documents/zero/latest/Development-Guide-Core#openid-connect-login
which I have done, as also described here:
https://tahirnaushad.com/2018/05/19/azure-ad-b2c-with-asp-net-core-2-0/
What is not yet clear to me:
Since I'm looking to delegate identity management to Azure AD B2C OpenId, the External Authetication Source described here (https://aspnetboilerplate.com/Pages/Documents/Zero/User-Management) does not appear to be the proper fit. I need to go via the OpenId-connect and, perhaps, in federation with the internal IdentityServer4?...
Thanks!