I am converting a website to .NET Core, and switching nuget for authorization to Microsoft.AspNetCore.Authentication.OpenIdConnect
.
We use Azure b2c to handle login for website users.
We also use the CMS Optimizely, so I have left default authentication be and added my as a secondary one to not mess up Optimizely’s admin login, but that is (probably) not relevant to this question.
I have configured my auth scheme in startup.cs
, and decorated my controllers with [Authorize]
.
This works, user are sent to azure to log in when needed, and I can access HttpContext.User.Claims
and HttpContext.User.Identity.IsAuthenticated
in the code.
Logout also works.
But I also have to implement a create account button, and change password button.
These should send the users to slightly different authority urls.
When logging in the library handles creating the authority url, with state and nonce properties and more, and if possible I would want to avoid doing that myself (I trust the library more than myself).
So how can I send the user to a authority in code (without using the [authorize]
attribute)?
Startup.cs
(relevant parts):
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
services
.AddAuthentication()
.AddCookie("oidc-cookie", options =>
{
options.LogoutPath = "/";
options.AccessDeniedPath = "/AccessDenied";
})
.AddOpenIdConnect("oidc-scheme", options =>
{
options.SignInScheme = "oidc-cookie";
options.SignOutScheme = "oidc-cookie";
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
options.CallbackPath = "/signin-oidc";
options.SignedOutCallbackPath = "/signout-oidc";
options.AccessDeniedPath = "/AccessDenied";
options.ClientSecret = SiteSettings.AppSettings.OAuthClientSecret;
options.UsePkce = true;
options.Authority = "https://company.b2clogin.com/company.onmicrosoft.com/B2C_1A_signin/v2.0/";
options.ClientId = SiteSettings.AppSettings.OAuthClientID;
options.Scope.Clear();
options.Scope.Add(OpenIdConnectScope.OpenId);
options.Scope.Add(OpenIdConnectScope.OfflineAccess);
options.Scope.Add(options.ClientId);
options.MapInboundClaims = false;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = ClaimTypes.Role
};
options.Events.OnRedirectToIdentityProvider = ctx =>
{
// Code to att ui_locales url parameter to identity provider call
};
});
.AddSingleton<IAuthorizationHandler, AllowEveryoneHandler>();
.AddSingleton<IAuthorizationHandler, AzureIdHandler>();
.AddAuthorization(options =>
{
options.AddPolicy("AllowEveryonePolicy", policy =>
{
policy.Requirements.Add(new AllowEveryoneRequirement());
});
options.AddPolicy("RequireAzureIdPolicy", policy =>
{
policy.Requirements.Add(new AzureIdRequirement());
});
});
Controller code:
[Authorize(AuthenticationSchemes = "oidc-scheme", Policy = "AllowEveryonePolicy")]
public class StartPageController : BasePageController<Models.StartPage>
{
// Controller code
}
Notes to code: /AccessDenied
is defined by me. /signin-oidc
and /signout-oidc
are defined by the library.
Urls for signing in, creating account and changing passwords is:
https://company.b2clogin.com/company.onmicrosoft.com/B2C_1A_signin/v2.0/authorize?client_id=...&nonce=...&state=...&...
https://company.b2clogin.com/company.onmicrosoft.com/B2C_1A_signup_signin/v2.0/authorize?client_id=...&nonce=...&state=...&...
https://company.b2clogin.com/company.onmicrosoft.com/B2C_1A_passwordchange/v2.0/authorize?client_id=...&nonce=...&state=...&...
1