.NET Core Multiple Authentication–Windows AD, Azure AD, Database
I was having a project about how to do in .NET Core multiple authentication: Windows AD, Azure AD, Database – and integrate with Roles.
It was an interesting project – and I decide to not make everything – but to construct on an existing project.
The most promising sounds IdentityServer – with the Federation Gateway. : http://docs.identityserver.io/en/latest/topics/federation_gateway.html
So I decided to give a twist , and after many readings and searching , I have found https://github.com/damienbod/AspNetCoreWindowsAuth . It was pretty amazing – however, some problems occurred.
External Integration – with local Active Directory
See in Startup.cs the following
services.Configure<IISOptions>(iis => { iis.AuthenticationDisplayName = "Windows"; iis.AutomaticAuthentication = true; });
When the user clicks the Windows authenticatio the following code is called
public class AccountController : Controller { //ommitted code [HttpGet] public async Task<IActionResult> ExternalLogin(string provider, string returnUrl) { if (AccountOptions.WindowsAuthenticationSchemeName == provider) { // windows authentication needs special handling return await ProcessWindowsLoginAsync(returnUrl); } //ommitted code } //ommitted code private async Task<IActionResult> ProcessWindowsLoginAsync(string returnUrl) { // see if windows auth has already been requested and succeeded var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName); if (result?.Principal is WindowsPrincipal wp) { //ommitted code } else { // trigger windows auth // since windows auth don't support the redirect uri, // this URL is re-triggered when we call challenge return Challenge(AccountOptions.WindowsAuthenticationSchemeName); } } }
External Integration – with Azure Active Directory
This was by far the most complicated
As a pre-requisites , we need to configure the Azure Active Directory and grab the client Id for the application.
The code in the startup.cs os
services .AddAuthentication(IISDefaults.AuthenticationScheme) .AddOpenIdConnect("aad", "Sign-in with Azure AD", options => { //options.Authority = $"https://login.microsoftonline.com/common/v2.0/"; //options.Authority = $"https://ignatandreiyahoo.onmicrosoft.com"; //options.Authority = $"https://login.windows.net/{tenantId}"; options.Authority = "https://login.microsoftonline.com/common/v2.0/"; options.ClientId = $"{clientId}"; //options.RequireHttpsMetadata = true; options.RemoteAuthenticationTimeout = new System.TimeSpan(0,1,58); options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; options.SignOutScheme = IdentityServerConstants.SignoutScheme; options.ResponseType = OpenIdConnectResponseType.IdToken; //"id_token"; options.CallbackPath = "/signin-aad"; options.SignedOutCallbackPath = "/signout-callback-aad"; options.RemoteSignOutPath = "/signout-aad"; options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false, //ValidAudience = "f59d5739-1ec9-46fc-961d-b01ef6fb3c51", NameClaimType = "name", RoleClaimType = "role" }; options.Events.OnRemoteFailure = (context) => { string s = context.ToString(); return Task.CompletedTask; }; }) ; services.AddOidcStateDataFormatterCache("aad");
And the code that retrieves the user is:
public class AccountController : Controller { [HttpGet] public async Task<IActionResult> ExternalLoginCallback() { //ommitted code // read external identity from the temporary cookie var result = await HttpContext.AuthenticateAsync(IdentityConstants.ExternalScheme); if (result?.Succeeded != true) { result = await HttpContext.AuthenticateAsync("aad"); if (result?.Succeeded != true) throw new Exception("External authentication error"); } // lookup our user and external provider info var (user, provider, providerUserId, claims) = await FindUserFromExternalProviderAsync(result); //ommitted code } //ommitted code private async Task<(ApplicationUser user, string provider, string providerUserId, IEnumerable<Claim> claims)> FindUserFromExternalProviderAsync(AuthenticateResult result) { var externalUser = result.Principal; // try to determine the unique id of the external user (issued by the provider) // the most common claim type for that are the sub claim and the NameIdentifier // depending on the external provider, some other claim type might be used var userIdClaim = externalUser.FindFirst(JwtClaimTypes.Subject) ?? externalUser.FindFirst(ClaimTypes.NameIdentifier) ?? throw new Exception("Unknown userid"); // remove the user id claim so we don't include it as an extra claim if/when we provision the user var claims = externalUser.Claims.ToList(); claims.Remove(userIdClaim); var provider = result.Properties.Items["scheme"]; var providerUserId = userIdClaim.Value; // find external user var user = await _userManager.FindByLoginAsync(provider, providerUserId); return (user, provider, providerUserId, claims); }
Configure Azure Active Directory
This implies to go to portal.azure.com.
First you create a new application in the Azure Active Directory
Please retain the applicationId in order to put to the code
options.ClientId = $"{clientId}";
Do not forget about checking the token on authentication
because of this code
options.ResponseType = OpenIdConnectResponseType.IdToken; //"id_token"; //ommitted code options.TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false, //ValidAudience = "f59d5739-1ec9-46fc-961d-b01ef6fb3c51", NameClaimType = "name", RoleClaimType = "role" };
Roles for Windows
In Computer Management, I define the user : testUser that belongs to MyGroup
In startup.cs I define the Policy for this:
services.AddAuthorization(options => { options.AddPolicy("MyGroupPolicy", policy => policy.RequireClaim("role",@"MyGroup")); });
I also define an Controller that require this policy
public class TestController : Controller { [Authorize(Policy="MyGroupPolicy")] public IActionResult Index() { return Content(" you can see this because you are authorized to see MyGroupPolicy"); } }
So now if you logon on Windows with testuser, it will require the policy to be satisfied
Now, to understand the code
Read
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-3.1#multiple-policy-evaluation
and
https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-3.1
Now some more code:
Transforming Groups to role claims
string pcName = Environment.MachineName; // add the groups as claims -- be careful if the number of groups is too large if (AccountOptions.IncludeWindowsGroups) { var wi = wp.Identity as WindowsIdentity; var groups = wi.Groups.Translate(typeof(NTAccount)); var roles = groups .Select(it=>it.Value) .Select(it=> it.StartsWith(pcName +"\\",StringComparison.InvariantCultureIgnoreCase)? it.Substring(pcName.Length+1): it) .Select(x => new Claim(JwtClaimTypes.Role, x)); id.AddClaims(roles); }
And putting back to user
[HttpGet] public async Task<IActionResult> ExternalLoginCallback() { //omitted code // lookup our user and external provider info var (user, provider, providerUserId, claims) = await FindUserFromExternalProviderAsync(result); //omitted code var principal = await _signInManager.CreateUserPrincipalAsync(user); foreach (var claim in claims) { additionalLocalClaims.AddRange(claims); } //ommitted code await HttpContext.SignInAsync(user.Id, name, provider, localSignInProps, additionalLocalClaims.ToArray());
You can see the code at https://github.com/ignatandrei/identintegra and more documentation at https://ignatandrei.github.io/IdentIntegra/
Leave a Reply