1 Authentication and Authorization
Authentication is the process of proving you are who you say you are; the commonly used protocol for it is OpenID Connect. Authorization is the act of granting an authenticated party permission to do something, and is implemented by the OAuth 2.0 protocol.
Before exploring these two protocol flows, let’s have a quick look at the parties involved.
- The Authorization Server is the identity provider (here, Azure AD). It is responsible for verifying the user’s identity, granting and revoking access to resources, and issuing tokens.
- The Resource Owner is typically the end user.
- The OAuth Client is your app, identified by its application ID.
- The Resource Server is where the resource or data resides.
Several types of security tokens appear in the authentication flows: access tokens, refresh tokens and ID tokens. What is the difference between them?
- An access token is a security token issued by an authorization server as part of an OAuth 2.0 flow. It contains information about the user and the app for which the token is intended, and which resource can be accessed.
- A refresh token is used to obtain a new access token when the current one has expired; the client application exchanges it with the authorization server for a new access token.
- ID tokens are sent to the client application as part of an OpenID Connect flow.
Azure AD uses JWT (JSON Web Token) as the token format. A JWT contains three main parts: a header, a payload (the claims) and a signature.
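The following is an added example, not code from the original post. It builds a constructed, unsigned sample token with the claims Azure AD typically places in an ID token (all values are placeholders), splits it into its three parts and reads the claims an application must check: aud (the Application Id), tid (the tenant) and exp. Decoding a JWT is not validating it; the signature must be verified against the issuer's published key identified by the kid header before any claim is trusted, which is what the ASP.NET Core OpenID Connect middleware does for you.

```csharp
// Added example (not from the original post): the three parts of a JWT as Azure AD issues it.
// The token below is constructed; the signature segment is a dummy because no key is involved.
using System;
using System.Text;
using System.Text.Json;

public static class JwtStructureDemo
{
    // Base64url (RFC 4648 §5): '-' and '_' alphabet, no '=' padding.
    static string Base64UrlEncode(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] Base64UrlDecode(string input)
    {
        string s = input.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
        }
        return Convert.FromBase64String(s);
    }

    // Constructed sample token: placeholder claim values, dummy signature.
    public static string BuildSampleToken()
    {
        string header = "{\"typ\":\"JWT\",\"alg\":\"RS256\",\"kid\":\"<key-id-placeholder>\"}";
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string payload = JsonSerializer.Serialize(new
        {
            aud = "00000000-0000-0000-0000-000000000000",   // the app's Application (client) Id
            iss = "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0",
            tid = "<tenant-id-placeholder>",                 // the Directory (tenant) Id
            iat = now,
            nbf = now,
            exp = now + 3600,
            name = "Sample User",
            preferred_username = "user@contoso.onmicrosoft.com",
            ver = "2.0"
        });
        string signature = Base64UrlEncode(Encoding.UTF8.GetBytes("not-a-real-signature"));
        return Base64UrlEncode(Encoding.UTF8.GetBytes(header)) + "." +
               Base64UrlEncode(Encoding.UTF8.GetBytes(payload)) + "." + signature;
    }

    // Splits the compact token and shows the checks that follow signature verification.
    public static void Inspect(string token, string expectedAudience, string expectedTenant)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 3)
            throw new FormatException("A JWS compact token has exactly three dot-separated parts.");

        using JsonDocument header = JsonDocument.Parse(Base64UrlDecode(parts[0]));
        using JsonDocument payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        JsonElement h = header.RootElement, p = payload.RootElement;

        Console.WriteLine($"header   : alg={h.GetProperty("alg")} kid={h.GetProperty("kid")}");
        Console.WriteLine($"payload  : aud={p.GetProperty("aud")} tid={p.GetProperty("tid")} iss={p.GetProperty("iss")}");
        Console.WriteLine($"signature: {parts[2].Length} base64url chars, verified against the 'kid' key by the middleware");

        // Claims the middleware checks after the signature is verified, made visible here.
        bool audienceOk = p.GetProperty("aud").GetString() == expectedAudience;
        bool tenantOk   = p.GetProperty("tid").GetString() == expectedTenant;
        bool notExpired = p.GetProperty("exp").GetInt64() > DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        Console.WriteLine($"aud ok={audienceOk}, tid ok={tenantOk}, not expired={notExpired}");
    }

    public static void Main()
    {
        string token = BuildSampleToken();
        Inspect(token, "00000000-0000-0000-0000-000000000000", "<tenant-id-placeholder>");
    }
}
```

The audience check is what ties a token to one registered application: a token issued for another Client Id decodes just as well, so reading the payload without checking aud, tid, exp and the signature tells you nothing about whether the token was meant for your app.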
2 Azure AD
Azure Active Directory is one component of the Microsoft identity platform.
Let’s have a quick review of the Azure AD portal.
Select the Azure Active Directory service in the Azure portal with your own account.
1. Directory: your tenant Id; all your registered applications live under this tenant.
2. Domain: your tenant domain, with the format <tenant-name>.onmicrosoft.com.
3. App registrations & New registration: register your application in Azure AD.
- Enter a name for your application; it doesn’t need to be globally unique.
- Choose the supported account types:
  - Accounts in this organizational directory only: the application can be used only by users in your tenant.
  - Accounts in any organizational directory: users in any Azure AD tenant can use your application.
  - Accounts in any organizational directory and personal Microsoft accounts: the widest set of customers; a multi-tenant application that also supports users with personal Microsoft accounts.
  - Personal Microsoft accounts: only users with a personal Microsoft account can use this application.
- Redirect URI: the location where the authorization server sends the user once the app has been successfully authorized and granted an authorization code or access token.
3 Sign In
Sign-in is the most common scenario in Azure AD. Any user who opens your web application is required to log in. Sign-in tells the application who you are and is based on the OpenID Connect protocol.
The protocol diagram is as follows.
- Azure portal -> Azure Active Directory ->App registrations -> New registration
- Name: SignInApplication
- Supported account types: Accounts in any organizational directory
- Redirect URI: Web (https://localhost:44321/signin-oidc, https://localhost:44321/)
After finishing, the application overview should look like this.
Take note of the Application Id (aka Client Id) and Directory Id (aka Tenant Id); they will be reused in the web application.
In the Authentication panel on the left, enter the Logout URL https://localhost:44321/signout-oidc and check ID tokens under Implicit grant.
- Create an ASP.NET Core web application using the Visual Studio template (Empty MVC).
- Install packages.
- Add an AzureAd section in appsettings.json.
You can restrict the audience for your application by changing TenantId in this settings file.
Option 1: Only work and school accounts.
"TenantId" : "organizations"
Option 2: Only Microsoft personal accounts
"TenantId" : "consumers"
Option 3: Only a single organization
"TenantId": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com or the Tenant Id]"
- Add a _LoginPartial.cshtml file in the Views/Shared folder.
- Modify the _Layout.cshtml file in the Views/Shared folder.
- Make sure the applicationUrl in Properties/launchSettings.json is https://localhost:44321/, the same as the Redirect URI configured in Azure AD.
- Configure Startup.cs.
Hit Run in your devbox. When the browser opens https://localhost:44321/, it redirects to the Microsoft login page immediately.
Enter a valid Microsoft account; you are asked to grant consent for SignInApplication.
Click Yes and the browser is redirected back to the web home page, which displays the account name.
There is no secret in the AzureAd section of this configuration. TenantId can take several values:
- Directory Id (a GUID) or tenant name (smartianist.onmicrosoft.com): if the application supports Accounts in this organizational directory only.
- organizations: if the application supports Accounts in any organizational directory.
- common: if the application supports all Microsoft account users.
- Lines 5 to 6 tell which configuration section is used for Azure AD.
- Lines 7 to 13 show that every controller requires authentication before it is invoked.
- Line 23 indicates that the Authentication middleware is used.
For the SignIn and SignOut actions, it uses the areas provided by the Microsoft.Identity library.
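The following Startup.cs is an added example covering the configuration steps above (appsettings.json section, controllers requiring authentication, Authentication middleware, SignIn/SignOut areas); it is not the code from the original post, whose line numbers therefore do not apply to it. It assumes the Microsoft.Identity.Web and Microsoft.Identity.Web.UI packages (the "Microsoft.Identity library" the post refers to) and ASP.NET Core 3.1-style hosting; the AzureAd section shown in the comment uses constructed placeholder values.

```csharp
// Added example, not the original post's Startup.cs.
// Assumes the Microsoft.Identity.Web / Microsoft.Identity.Web.UI packages and an "AzureAd"
// section in appsettings.json shaped like this (constructed values):
//   "AzureAd": {
//     "Instance": "https://login.microsoftonline.com/",
//     "Domain": "contoso.onmicrosoft.com",
//     "TenantId": "organizations",        // or "consumers", "common", or a tenant Id / domain
//     "ClientId": "<application-(client)-id-placeholder>",
//     "CallbackPath": "/signin-oidc",     // must match the Redirect URI registered in Azure AD
//     "SignedOutCallbackPath": "/signout-oidc"
//   }
// No client secret is needed: the sign-in flow only requests an ID token.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

namespace SignInApplication
{
    public class Startup
    {
        public Startup(IConfiguration configuration) => Configuration = configuration;

        public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            // OpenID Connect sign-in; TenantId, ClientId and callback paths are read from the AzureAd section.
            services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

            // Global authorize filter: every controller action requires an authenticated user
            // unless it explicitly opts out with [AllowAnonymous].
            services.AddControllersWithViews(options =>
            {
                var policy = new AuthorizationPolicyBuilder()
                    .RequireAuthenticatedUser()
                    .Build();
                options.Filters.Add(new AuthorizeFilter(policy));
            });

            // Adds the MicrosoftIdentity area that provides the Account/SignIn and
            // Account/SignOut actions linked from _LoginPartial.cshtml.
            services.AddRazorPages()
                    .AddMicrosoftIdentityUI();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();
            app.UseRouting();

            // Order matters: authentication populates HttpContext.User, authorization then enforces the policy.
            app.UseAuthentication();
            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllerRoute(
                    name: "default",
                    pattern: "{controller=Home}/{action=Index}/{id?}");
                endpoints.MapRazorPages();
            });
        }
    }
}
```

The global AuthorizeFilter is the safer default for a sign-in application: a new controller is protected unless someone deliberately adds [AllowAnonymous], rather than exposed unless someone remembers to add [Authorize]. With TenantId set to "organizations" or "common" the middleware accepts tokens from many tenants, so an application that should serve only its own directory should set the tenant Id or domain instead, as the Option 3 setting above does.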