A .NET MVC web application that uses OpenID Connect to sign-in users from a single Azure Active Directory tenant.
There's a newer version of this sample taking advantage of the Microsoft identity platform (formerly Azure AD v2.0) Check it out: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC
If you really need to access this Azure AD v1.0, you can navigate to the master branch, but please know that it's no longer supported.
I use Azure AD, OpenID Connect and Microsoft.Owin for authorization users in my two ASP.NET MVC 4.X applications. Is it possible to use a common cookie for both sites and open the login popup once but not for each site?
This sample works after you change the ida:AADInstance value to login.windows.net{0} in the root level web.config.
Hi there.
I'm kinda new to OpenIdConnect and also Azure AD, so please bear with me.
We have Azure AD and also a bunch of home-made c# MVC applications we want to integrate with Azure SSO to enhance the user experience. I understand the way to do it is through OpenIdConnect and I'm using your example as a base, however, I'm running into an error message.
This is how to reproduce it on our side:
Error?message=IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 2, Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0x7BE1550560AAAB651F0ED45F1C12A34C0C26115D), Clause[1] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause )', token: '{"typ":"JWT","alg":"RS256","x5t":"e-FVBWCqq2UfDtRfHBKjTAwmEV0","kid":"e-FVBWCqq2UfDtRfHBKjTAwmEV0"}.{"aud":"f777c42c-8e8e-4a2b-80be-969a5a05212b","iss":"https://sts.windows.net/640004ec-92f8-450a-a353-ffb1dda545e2/","iat":1511296909,"nbf":1511296909,"exp":1511300809,"aio":"Y2NgYKg9eGtTsa5Hyw7lwo4PBdw/Mw0sHwjYHzj36cQcRa8gteUA","amr":["pwd"],"c_hash":"8n94-pMtmEKsz3yv8S0FlA","family_name":"theLastName","given_name":"myName","ipaddr":"192.999.999.9","name":"Myname MyLastName","nonce":"636468939940873533.YTExZjkxZjItZDU0Mi00YzhlLTkyYTctMWM0MTQ4YjAyMmE3MTI1MzBmZmEtYjAwOS00ZGZlLTg0OGMtODM1NzRjMjk5MmU3","oid":"604b0c27-1ce8-443a-a4d8-754da53f18c6","onprem_sid":"S-1-5-21-4284508976-2689446834-1949955700-10982","sub":"25loIqRTBMOHezwcXONK5BuqPuSsECH5W_hSpHEgTCI","tid":"640004ec-92f8-450a-a353-ffb1dda545e2","unique_name":"myUsername@mydomain","upn":"myUsername@mydomain","uti":"AeJDeEWY20O-vzUoEGYCAA","ver":"1.0"}'.
This is all I'm modifying from your example:
<add key="ida:ClientId" value="f777c42c-8888-8888-8888-888888888888" /> <add key="ida:Tenant" value="mytenantname.onmicrosoft.com" /> <add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" /> <add key="ida:PostLogoutRedirectUri" value="https://mycsharpmvcsite/rptest/" /> <add key="ida:RedirectUri" value="https://mycsharpmvcsite/rptest/Home/About" />
I obviously didn't include real names/ids in the text above, but am I missing something here?
Why is it that I can't use Windows Identity Foundation (WIF) to connect to Azure AD?
Your help is greatly appreciated!
This sample is outdated.
I published the sample to azurewebsites.net. Verified that the sign-on url and reply url point to azurewebsites. However, sign out redirects the user to https://localhost:44320/
Looking at the trace, https://login.windows.net/4230aed9-7637-438c-8bca-8ceaa93806f6/oauth2/logoutredirect?lc=1033 redirects to https://localhost:44320/
There are several approaches to this, including:
We have yet to decide on the most widely usable approach, so for now the sample logs the user out without saying anything
I am following step 4 in How to recreate this sample but couldn't find nugets Microsoft.Owin.Security.OpenIdConnect and Microsoft.IdentityModel.Protocol.Extensions
Have created the Azure stuff as outlined. Client ID and Tenant is correct in Web.config.
When I rebuild and run a clean clone, with the correct changes to Web.config I get:
[TaskCanceledException: A task was canceled.]
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +3897114
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26
Microsoft.IdentityModel.Protocols.d__3.MoveNext() +595
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +89
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +28
Microsoft.Owin.Security.OpenIdConnect.d__c.MoveNext() +1048
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +89
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26
Microsoft.Owin.Security.Infrastructure.d__8.MoveNext() +447
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +89
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26
Microsoft.Owin.Security.Infrastructure.d__5.MoveNext() +266
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +89
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +1174
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +89
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +287
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +3897072
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26
Microsoft.Owin.Security.Infrastructure.d__0.MoveNext() +937
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +89
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__5.MoveNext() +287
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +3897072
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +26
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d__2.MoveNext() +272
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +26
Microsoft.Owin.Host.SystemWeb.Infrastructure.ErrorState.Rethrow() +33
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +150
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +42
System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +415
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
Any ideas?
These need to be rinsed out. :-)
<add key="ida:ClientId" value="b075ddef-0efa-453b-997b-de1337c29185" />
<add key="ida:AADInstance" value="https://login.windows.net/{0}" />
<add key="ida:Tenant" value="developertenant.onmicrosoft.com" />
<add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />
We should update the readme to talk about using an Azure AD you might already have, e.g. associated with your Office 365 subscription. Plus the link below needs updating.
How To Run This Sample
Getting started is simple! To run this sample you will need:
Visual Studio 2013
An Internet connection
An Azure subscription (a free trial is sufficient)
Every Azure subscription has an associated Azure Active Directory tenant. If you don't already have an Azure subscription, you can get a free subscription by signing up at http://wwww.windowsazure.com. All of the Azure AD features used by this sample are available free of charge.
Error.We're having trouble signing you in.
IDX21323: RequireNonce is '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'. OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocol.ValidatedIdToken.Payload.Nonce was not null. The nonce cannot be validated. If you don't need to check the nonce, set OpenIdConnectProtocolValidator.RequireNonce to 'false'. Note if a 'nonce' is found it will be evaluated
When I login, the browser stops at https://login.microsoftonline.com/login.srf showing just a #
So when I try again, it doesn't asks for credentials, just posts back and works
I'm trying to get an integration test going for an API with authentication. Because some API functions call other API's on behalf of the user and this allows us to test everything before publishing.
The problem is I keep getting a 302 redirect even though I pass the token in the header. I'm not familiar with OpenID so perhaps I'm filling in the wrong header(s)? I've pretty much copy pasted the Startup from the sample. Can you please point me in the right direction?
FYI everything works without the AuthorizeAttribute on my controller.
public class Startup
{
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseAuthentication();
}
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddOpenIdConnect(options =>
{
options.Authority = "hidden";
options.ClientId = "hidden";
options.CallbackPath = "/signin-oidc";
options.RequireHttpsMetadata = false;
options.UseTokenLifetime = true;
})
.AddCookie();
}
}
[TestClass]
public class Tests
{
[TestMethod]
public void Test()
{
// Get access token for API.
var httpClient = new HttpClient();
var formContent = new FormUrlEncodedContent(new[]
{
new KeyValuePair<string, string>("resource", "hidden"),
new KeyValuePair<string, string>("client_secret", "hidden"),
new KeyValuePair<string, string>("username", "hidden"),
new KeyValuePair<string, string>("password", "hidden"),
new KeyValuePair<string, string>("client_id", "hidden"),
new KeyValuePair<string, string>("grant_type", "password")
})
var result = httpClient.PostAsync(new Uri("https://login.microsoftonline.com/hidden.onmicrosoft.com/oauth2/token", formContent).Result;
var content = result.Content.ReadAsStringAsync().Result;
var accessToken = JObject.Parse(content)["access_token"].ToString();
// Create client calling the API.
var builder = new WebHostBuilder()
.UseStartup<Startup>();
var testServer = new TestServer(builder);
var client = testServer.CreateClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accToken);
var response = client.GetAsync("/hidden").Result; // Receiving a 302 redirect
var content = response.Content.ReadAsStringAsync().Result;
Console.WriteLine(content);
Assert.IsTrue(response.IsSuccessStatusCode);
}
}For user to login in , I want to show the login page in a window pop up instead of redirecting on the same page. I am hosted my website as web part in the sharepoint which does not allow page redirection.
Is it possible to launch login page in a pop up window instead of the full browser page.
When you add users in Azure AD you can fill the Work Info, but this information doesn't come along with the other claims.
I wrote it wrong place. Sorry. Carrying true way. Sorry. You can delete this post. I can not.
Can you let us know how to configure openid connect authentication to do load test
Hi,
First of all, thanks very much for the code sample.
I am studying the WebApp-OpenIDConnect-DotNet Sample, but I found out when clicking the Create a new Microsoft account, it always redirect to the redirect_uri that I set in the web.config.
Is there any way this can redirect to Microsoft User Creation page?
And btw, how can I capture the authentication token that Azure AD creates? Are there any tools that I can see the request/response detail? I have tried Fiddler but with no success.
After successfully signing in a user to the app (using this Azure AD sample), User can navigate to dashboard of "portal.azure.com"
Is there way to keep the user out of portal.azure.com?
Hi,
I tried my Hotmail/live account, not able to authenticate but organizational account works fine. Is there anything I need to do for Hotmail or live account?
Thanks.
Hi Guys,
I downloaded the sample "active-directory-dotnet-webapp-openidconnect", and completed all the configurations mentioned at https://azure.microsoft.com/en-us/documentation/articles/active-directory-devquickstarts-webapp-dotnet/, then run it in IIS 8.5, all are pretty good, no problem. Then I keep the accessed page in Chrome for one night, and try doing a refresh the next morning, however, after input the required username and password, it runs into the following exception:
Server Error in '/' Application.
IDX10223: Lifetime validation failed. The token is expired.
ValidTo: '05/19/2016 10:45:59'
Current time: '05/19/2016 21:46:31'.
Anybody experienced the same problem? How can I refresh the Token? I tried doing Signout directly and changed the public address, but all doesn't work. Please help.
Thanks,
Johnny
It would be great if the sample have the User Registration integrated.
Anyone wind up with a billr a couple of months trial version? for $1500 ? I made the mistake of signing up for a trial version and got socked with the bill from Spectrum Consultants (India). Is this a scam?
Please add at the end:
Make sure you select the display setting "All apps" (not "My apps") to be able to see the application you've just created.
I implement the entire code, but sign out is not working. After sign out i can access the Authorized resources.
Only 1st time sign in only required by this code , that is completely wrong.
I have recreated the application and it works fine when run under IIS Express. But when it is hosted in Local IIS it throws the following exception -
Please help
As of today it needs to be a preinstalled version, otherwise it's gonna have missing classes like TokenCache, TokenCacheItem, TokenCacheNotificationArgs.
Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Pre
Awesome tutorials BTW 👍
I published the sample to IIS such that the site is not deployed at the root level. e.g. https://server/sites/sample and user is redirected to the root url (https://server) instead of the site url (https://server/sites/sample)
I could be wrong but it looks like the issue occurs because of Redirect url is specified as the root url "/"
public void SignIn()
{
// Send an OpenID Connect sign-in request.
if (!Request.IsAuthenticated)
{
HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType);
}
}
This is suppose to be an example for using Microsoft.IdentityModel.Protocols.OpenIdConnect, but instead it's using OWIN. Either specify why you choose to use Owin's way or use it. Same thing with the WsFederation example. There aren't any examples of Microsoft.IdentityModel.Protocols.OpenIdConnect (or it's WsFederation equivalent) anywhere so there must be some reason you guys aren't using it. =/
Hey everyone, sorry I'm looking for this exact content and examples but that shows how to use OAuth 2.0.
Anyone able to help me out with links or something???
I added Authorize attribute to Home Controller and made no other changes.
I then deployed it to azurewebsites
I am was able to login fine for few minutes
After that if I try to login to the site InPrivate, I see an infinite loop where the app redirects to login.windows.net, receives an auth code and again redirects to login.windows.net
I am not an admin on the tenant where I created an app. I am a user in the tenant.
My tenant is a federated tenant
I configured the application following the tutorial and added a new user to the directory. If I go to the Application in the Azure portal and go to the Users section, I see the user I added to the directory and the Assigned status is set to No, but I am still able to sign in with this user and access the application. What is the purpose of the Assigned flag if it does not prevent them from accessing the app?
In this example application, what is the expected behavior when you have a view that shows the user a form and that user's auth token expires before they submit the form?
I know that the owin middleware handles refreshing the auth token in the background, but will the form still post after the auth token is refreshed or will it result in an HTTP GET on the view that has the form (thus loosing the form values and having to start over?)
Steps
I noticed in the steps you mention that "This sample will not work with a Microsoft account"
Do you know of any way to make the initial login page work for custom domain microsoft accounts such as - [email protected]? One of the option in the azure domain add user is to add an existing microsoft account.. so why dont they provide an easy way to login with such accounts??
Or maybe make it so that instead of the azure AD login page it redirects to the microsoft live login page?
In this particular sample "Web Browser to Web Application" flow, do I need to worry about - Refresh tokens, storage or persistence of tokens? If yes, can you point me to right direction.
Thanks for your advise!
Sam
Hi,
I cloned the repository and am running on Visual Studio 2017 on Mac. I did nuget restore. I changed the Tenant and ClientID to match the test tenant. I am getting the following error when running. Could I get any assistance or breadcrumbs to trace further?
System.TypeLoadException
Invalid type SMSaml2HandlerPrivate for instance field Microsoft.IdentityModel.Tokens.Saml2SecurityTokenHandler:_smSaml2HandlerPrivateNeverSetAnyProperties
Description: HTTP 500.Error processing request.
Details: Non-web exception. Exception origin (name of application or object): Microsoft.Owin.Security.OpenIdConnect.
Exception stack trace:
at Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationMiddleware..ctor (Microsoft.Owin.OwinMiddleware next, Owin.IAppBuilder app, Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions options) [0x000a9] in <9676ab1309794b2396c9d7c8ad23a538>:0
at (wrapper dynamic-method) System.Object.lambda_method(System.Runtime.CompilerServices.Closure,Microsoft.Owin.OwinMiddleware,Owin.IAppBuilder,Microsoft.Owin.Security.OpenIdConnect.OpenIdConnectAuthenticationOptions)
at (wrapper managed-to-native) System.Reflection.MonoMethod.InternalInvoke(System.Reflection.MonoMethod,object,object[],System.Exception&)
at System.Reflection.MonoMethod.Invoke (System.Object obj, System.Reflection.BindingFlags invokeAttr, System.Reflection.Binder binder, System.Object[] parameters, System.Globalization.CultureInfo culture) [0x00032] in /Users/builder/jenkins/workspace/build-package-osx-mono/2017-12/external/bockbuild/builds/mono-x64/mcs/class/corlib/System.Reflection/MonoMethod.cs:305
The Login option works fine when i launch my application. But when i clear the cookie and reload the page, the user signs out and returns to my site login page. When i try to login in, i am redirected to the office365 login page, where i login using my credentials. After successful login, the page redirects to my site home page, where i can see isauthenticated is set to false. i cant able to login after clearing the cookie. This issue reproduces only when i clear the cookie and try to login. Initial at the startup, my login works fine.
Update NuGets
I have the error AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application,
I followed the steps for setting up the wepAPI app registration setting https://localhost:44320/ as one of the reply urls and also as the home page URL
I took the appID and created a key, taking the key value and I have changed no code just updated the appsettings.json values ClientId=appId from service principle, ClientSecret=key value and RedirectUri. RedirectUri is set to https://localhost:44320/ (all as instructed). I checked the application settings in visual studio under debug, enable SSL is ticked with the same https://localhost:44320/ and the enabled anonymous authentication is also ticked. All of these steps from the readme
When i run the project in debug on IIS express, when i click the singup or signing button i get the expected browser page on https://login.microsoftonline.com/common/login, i enter my credentials and then i get Sorry, but we’re having trouble with signing you in.
AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application:
where is my correct expected alphanumeric client ID code
Any help?
Is it possible to extract the details such as email address and other information stored in Azure AD for the logged in user?
Hi,
I cloned the code, added in my variables to web.config and ran the app. When I click on Sign In it redirects me to Azure AD, I entered the credentials, it redirected me back and I got a 401 unauthorised error and I have no cookie.
Any idea what I could have done wrong?
Also, if I put [Authorize] on the controller it doesn't redirect me to Azure AD at all, it just gives me a 401.
While I have you, would it be correct to say that this is a direct replacement for WS-FAM and SAM?
Thanks
The testing has to be publish to Azure to work right? I try to just run in local, click login, then go to here https://localhost:44320/Account/SignIn with 400 Bad Request. Then I feel some confusion, do I missing something or some where is wrong.
I have followed the instruction to set up the logout url for single sign out but it is not working. I have 2 apps with logout url setup. I login to the apps in the same browser tab and logout of one app but still the other app is logged in. If call the EndSession end point manually for the 2nd app then it logged out. Seems like AZURE AD is not calling the logout url automatically. Not sure if I am missing some other settings related to single sign out.
In development time I want my application posting back to localhost on login, but it just consider the first reply-url configured at my AD App.
Is it expected? There is any workaround?
Hi, the latest version (at least commit 44ccb26) references Owin package versions 3.0.0-rc3-30804-135-rel but that cannot be found from https://www.nuget.org/packages/Microsoft.Owin/. Changing the versions to 3.0.0-rc2 seems to at least allow package restore and build of the solution.
After I forked the repro and built it, I got these compiler warnings. But ADAL is not needed in this project.
1>C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets(1697,5): warning MSB3245: Could not resolve this reference. Could not locate the assembly "Microsoft.IdentityModel.Clients.ActiveDirectory". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors.
1>C:\Program Files (x86)\MSBuild\12.0\bin\Microsoft.Common.CurrentVersion.targets(1697,5): warning MSB3245: Could not resolve this reference. Could not locate the assembly "Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.