This is a sample ASP.NET MVC application that illustrates integration with the OpenID Connect Authorization Code flow.
The AspNetCoreSample project has a version for ASP.NET Core.
An OpenID Connect Client needs to be configured with information about the OpenID Connect Provider and client credentials. This sample app puts these configuration items into the web.config file as AppSettings keys:

- `issuer` - name of OpenID Connect Provider
- `client_id` and `client_secret` - client credentials registered with OpenID Connect Provider
- `redirect_uri` - this value must match deployment and is registered with OpenID Connect Provider
This is a simplified ASP.NET MVC web app. Only the minimum required files are included. Most important being
The purpose of this class is to set up the authentication-related middleware.
This enables generic ASP.NET MVC cookie-based session tracking.

```csharp
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
```
The next code sets up the OpenID Connect middleware. I'm reading settings from web.config and assigning values to OpenIdConnectAuthenticationOptions properties.

- `ResponseType = "code"` lets me use Authorization Code Flow
- `ResponseMode = null` defaults to query, which tells the provider to use the HTTP GET method when redirecting back
- `Scope = "openid"` enables OpenID Connect. Add more scope values if you need access to more services
- `RedeemCode = true` makes sure the OpenID Connect middleware performs Authorization Code Flow
```csharp
var redirectUri = new Uri(ConfigurationManager.AppSettings.Get("redirect_uri"));
var openIdConnectOptions = new OpenIdConnectAuthenticationOptions
{
    Authority = ConfigurationManager.AppSettings.Get("issuer"),
    ClientId = ConfigurationManager.AppSettings.Get("client_id"),
    ClientSecret = ConfigurationManager.AppSettings.Get("client_secret"),
    ResponseType = "code", // authorization code flow
    ResponseMode = null, // leave undefined, defaults to query
    Scope = "openid", // enables openid connect
    RedirectUri = redirectUri.OriginalString,
    RedeemCode = true, // authorization code flow
};
```
The following is a workaround for aspnet/AspNetKatana#386. Please remove it if your app is always deployed to an encrypted https host, as this issue only occurs when running on a plain http host.
The Visual Studio project of this sample app is set up to run on http://localhost:52834/, which is fine for a development experience but needs this workaround.
```csharp
// the following is a workaround for https://github.com/aspnet/AspNetKatana/issues/386
// make sure to only enable when running on localhost without https
if (!"https".Equals(redirectUri.Scheme) && redirectUri.IsLoopback)
{
    openIdConnectOptions.ProtocolValidator = new OpenIdConnectProtocolValidator
    {
        RequireStateValidation = false,
        RequireNonce = false,
    };
}
```
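To make concrete what the options above configure and what the localhost workaround switches off, here is an added example in Python (not code from this sample project or from the OWIN/Katana middleware). It models the Authorization Code Flow round trip as the middleware handles it: response_type=code, response_mode=query so the provider redirects back with HTTP GET, scope=openid, and the code redeemed for an id_token. The two checks it keeps or relaxes stand in for RequireStateValidation (the callback belongs to a login this app started) and RequireNonce (the id_token belongs to that same login); that correspondence, the issuer and client id, and the fake provider are assumptions made for the example. The redirect URI is the one the project runs on.

```python
"""Model of the state and nonce checks behind the OpenID Connect middleware settings.

Added example, not code from the sample project or from Katana. The fake
provider, issuer and client id are constructed; require_state and
require_nonce are assumed to mirror RequireStateValidation and RequireNonce
on OpenIdConnectProtocolValidator (the real middleware keeps both values in
cookies rather than in a dictionary).
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://provider.example.invalid"   # constructed, stands in for the 'issuer' AppSetting
CLIENT_ID = "sample-client"                   # constructed, stands in for 'client_id'
REDIRECT_URI = "http://localhost:52834/"      # the URL the sample's Visual Studio project runs on


class RelyingParty:
    """The application side of the flow (what the OpenID Connect middleware does)."""

    def __init__(self, require_state=True, require_nonce=True):
        self.require_state = require_state
        self.require_nonce = require_nonce
        self.pending = {}  # state -> nonce, one entry per login this app started

    def start_login(self):
        """Build the authorization request URL the browser is redirected to."""
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self.pending[state] = nonce
        params = {
            "response_type": "code",   # ResponseType = "code"
            "response_mode": "query",  # ResponseMode = null, defaults to query (GET callback)
            "scope": "openid",         # Scope = "openid"
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "state": state,
            "nonce": nonce,
        }
        return f"{ISSUER}/authorize?{urlencode(params)}"

    def handle_callback(self, callback_url, id_token_claims):
        """Process GET <redirect_uri>?code=...&state=... plus the claims of the
        id_token obtained by redeeming the code (RedeemCode = true).
        Signature, issuer and audience validation are out of scope for this model."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        expected_nonce = self.pending.pop(state, None)  # single use, consumed even on failure
        if self.require_state and expected_nonce is None:
            raise ValueError("state mismatch: callback was not started by this app")
        if self.require_nonce and (expected_nonce is None
                                   or id_token_claims.get("nonce") != expected_nonce):
            raise ValueError("nonce mismatch: id_token was not issued for this login")
        return query["code"][0]


def fake_provider(auth_url):
    """Stands in for the OpenID Connect Provider (constructed; no real signing).
    Parses the authorization request, redirects back by GET with code and state,
    and issues an id_token whose nonce claim echoes the request's nonce."""
    req = parse_qs(urlparse(auth_url).query)
    if req["response_type"] != ["code"] or "openid" not in req["scope"][0].split():
        raise ValueError("this model only supports the openid authorization code flow")
    code = secrets.token_urlsafe(16)
    callback = REDIRECT_URI + "?" + urlencode({"code": code, "state": req["state"][0]})
    claims = {"iss": ISSUER, "aud": req["client_id"][0], "sub": "user-123", "nonce": req["nonce"][0]}
    return callback, claims


def run_demo():
    """Compare the strict configuration with the localhost workaround on two inputs:
    a genuine round trip through the provider and an unsolicited callback."""
    results = {}
    configs = (("strict", RelyingParty()),
               ("workaround", RelyingParty(require_state=False, require_nonce=False)))
    for name, rp in configs:
        callback, claims = fake_provider(rp.start_login())
        issued_code = parse_qs(urlparse(callback).query)["code"][0]
        results[name + "_genuine"] = rp.handle_callback(callback, claims) == issued_code
        # A callback this app never started, carrying an id_token for some other nonce.
        stray = REDIRECT_URI + "?" + urlencode({"code": "stray-code", "state": "not-issued-here"})
        try:
            rp.handle_callback(stray, {"nonce": "not-ours"})
            results[name + "_unsolicited"] = "accepted"
        except ValueError as err:
            results[name + "_unsolicited"] = str(err).split(":")[0]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is that with both checks relaxed, the relying party treats any callback arriving at the redirect URI as the result of a login it started, which is why the workaround is gated on a loopback, non-https redirect URI and should not ship to a deployed host.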
This final piece injects the OpenID Connect middleware into the pipeline of the ASP.NET MVC app.

```csharp
app.UseOpenIdConnectAuthentication(openIdConnectOptions);
```
`HomeController` has a single operation that sets the model to the current user. The `[Authorize]` attribute tells the ASP.NET middleware that access to this controller requires authentication.
```csharp
[Authorize]
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View(User as ClaimsPrincipal);
    }
}
```
The following generates a simple HTML list showing all claims received from the OpenID Connect provider.

```cshtml
@model System.Security.Claims.ClaimsPrincipal
<!DOCTYPE html>
<html>
<body>
    <h1>Welcome</h1>
    <dl>
        @foreach (var claim in Model.Claims)
        {
            <dt><b>@claim.Type</b></dt>
            <dd><i>@claim.Value</i></dd>
        }
    </dl>
</body>
</html>
```
Load the project into Visual Studio 2019 and run. The web.config file comes configured to access Ubisecure SSO at https://login.example.ubidemo.com/uas.
This app is also deployed live on https://ubi-aspnet-mvc-sample.azurewebsites.net.
Login with your Email, Google, Facebook or Microsoft account.