Yes, works like a charm with this adaptation to the .NET-core internals. You can just bypass (or re-implement) the ANZ login view to go directly to the OpenId-Connect where the user logs in directly to AAD B2C. The REST in the background happens then as always with OpenId-Connect.
@rbohac Yes, it works via the OpenId-Connect approach, however, there is a caveat that I had to go to the .NET sources to figure out: the claims returned by AAD B2C do not have the name that is required by .NET-Core to complete the login. You must make the following change to your AuthConfigure.cs in order to map it to the actual claim required by .NET for the login (https://github.com/aspnet/Identity/blob/rel/2.0.0/src/Microsoft.AspNetCore.Identity/SignInManager.cs ). We use the AspNetZero users management after logging in since modifying that is not feasible.
```csharp
if (bool.Parse(configuration["Authentication:OpenId:IsEnabled"]))
{
    authenticationBuilder.AddOpenIdConnect(options =>
    {
        options.ClientId = configuration["Authentication:OpenId:ClientId"];
        options.Authority = configuration["Authentication:OpenId:Authority"];
        options.SignedOutRedirectUri = configuration["App:WebSiteRootAddress"] + "Account/Logout";
        options.ResponseType = OpenIdConnectResponseType.IdToken;

        // Point metadata discovery at the B2C policy (user flow) endpoint.
        options.MetadataAddress =
            "https://xxxxx.b2clogin.com/xxxxxTest.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_xxxxSignInPolicy";
        options.GetClaimsFromUserInfoEndpoint = true;
        options.ClaimActions.MapAll();

        var clientSecret = configuration["Authentication:OpenId:ClientSecret"];
        if (!clientSecret.IsNullOrEmpty())
        {
            options.ClientSecret = clientSecret;
        }

        options.Events = new OpenIdConnectEvents()
        {
            OnTokenValidated = (context) =>
            {
                // B2C returns the address in an "emails" claim; when there are several,
                // FindFirstValue picks the first one.
                var email = context.Principal.FindFirstValue("emails");
                ClaimsIdentity claimsId = context.Principal.Identity as ClaimsIdentity;
                // SignInManager looks for ClaimTypes.NameIdentifier, which B2C does not supply.
                claimsId?.AddClaim(new Claim(ClaimTypes.NameIdentifier, $@"{email}"));
                return Task.FromResult(0);
            }
        };
    });
}
```
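The claim-mapping step from the handler above, factored into a stand-alone function as an added example (it is not code from the original post or from AspNetZero). It assumes the B2C policy emits an "emails" claim as in the post, falls back to the standard email claim, and reports failure when no identifier is found so the caller can reject the sign-in instead of continuing with an identity that SignInManager cannot use.

```csharp
using System;
using System.Security.Claims;

// Added example, not part of the original post or of AspNetZero.
public static class B2CClaimMapper
{
    // Returns false when no usable identifier exists on the identity.
    public static bool EnsureNameIdentifier(ClaimsPrincipal principal)
    {
        var identity = principal?.Identity as ClaimsIdentity;
        if (identity == null)
            return false;

        // Never overwrite an identifier the provider already supplied.
        if (identity.HasClaim(c => c.Type == ClaimTypes.NameIdentifier))
            return true;

        // "emails" is a collection claim in B2C; FindFirst takes the first value,
        // matching the post. Fall back to the standard email claim types.
        var email = identity.FindFirst("emails")?.Value
                    ?? identity.FindFirst(ClaimTypes.Email)?.Value
                    ?? identity.FindFirst("email")?.Value;

        if (string.IsNullOrWhiteSpace(email))
            return false;

        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, email));
        return true;
    }

    // Constructed sample: a principal shaped like a validated B2C id_token.
    public static void Main()
    {
        var b2cIdentity = new ClaimsIdentity(new[]
        {
            new Claim("emails", "alice@example.com"), // constructed value
            new Claim("name", "Alice")
        }, "OpenIdConnect");
        var principal = new ClaimsPrincipal(b2cIdentity);

        bool ok = EnsureNameIdentifier(principal);
        Console.WriteLine($"mapped: {ok}, NameIdentifier = " +
                          principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);

        // An identity without any email claim is reported as unmapped.
        var noEmail = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim("name", "Bob") }, "OpenIdConnect"));
        Console.WriteLine($"mapped: {EnsureNameIdentifier(noEmail)}");
    }
}
```

Inside `OnTokenValidated` the call would be `if (!B2CClaimMapper.EnsureNameIdentifier(context.Principal)) context.Fail("no identifier claim");`, so a token without an email never reaches the AspNetZero login.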
@bbakermmc All the frameworks you mention are good, so it comes down to some smaller differences. We used and looked at them as well as others and chose the trade-off-set provided by Syncfusion to be the best for our use cases. Some specific controls and graphic features were more important to us than others, e.g. theme management. We also had soft factors to consider like user support, breadth of platform, future support for Blazor.net.
On the practical side, we first replaced the entire AspNetZero navigation and master layout UX with it and had no major problems doing that. Works fine. The rest is just "standard" use of the Syncfusion components.
Thanks, the .NET Core 3 support is important for diverse reasons, of course. Better docker-support being one of the "killer" reasons. We use AspNetZero with .NET-Core MVC JQuery (+ Syncfusion front) and also deploy into Docker. Can't wait for this:
https://devblogs.microsoft.com/dotnet/using-net-and-docker-together-dockercon-2019-update/
Getting back to this. The reply above and the default configuration in aspnetzero look like they are for Azure AD. I'm wanting to use Azure AD B2C, which is somewhat different from AAD. Any tips/pointers appreciated.
https://azure.microsoft.com/en-us/resources/samples/active-directory-b2c-dotnetcore-webapp/
https://docs.microsoft.com/en-us/azure/active-directory-b2c/b2clogin
I just want to use OpenIdConnect to Authenticate for starters.
Thanks, ok. Will take a look again with only this single change and see why it wasn't working.
Thanks. Yes, I'll put a breakpoint and debug this when I can ... this is a POC I wanted to get working, but not top prio with aspnetzero here at the moment so can't say. Thanks again.
Thanks Alper,
Yes. I have not modified that file, and the admin GUI on the mobile works fine, where I can also define a tenant and a user. But as soon as I try to login as that user, I get the error above. There is some funky manipulation of ports going on somewhere in the original source code (no mods by us), and it doesn't work :-)
Dear alper, OK, this may be another problem, but do you have any idea where these port numbers are coming from (see screenshot)? I have not changed anything in the mobile app, and the user-login connections are now failing due to ports that do not exist. A search through all files did not lead to any clues. THANKS
Thanks alper. It was not a communication error. It works fine if I use .Web.Mvc as the target instead of Web.Host. I have been using host the whole time, since that is what it says to use in the documentation. All of this above, and always using Web.Host. The APIs it was failing on are not available on Web.Host, so the connection was made, and then the API was not found, which responded with internalServerError...
Thanks again for your help. Moving on.