It is not an exaggeration to say that Microsoft Identity Platform is bigger than any SaaS authentication provider, and if you are using Azure as your cloud provider, the authorization benefits it adds to your application off-the-shelf cannot be obtained from any other platform without writing code.
Usage with .NET
.NET has a library that is considered part of the platform: Microsoft.Identity.Web.
How to use it?
```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
// Sign users in with OpenID Connect against the tenant described in the "AzureAd" configuration section.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Apply a global filter so every controller action requires an authenticated user by default.
builder.Services.AddControllersWithViews(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

// Razor Pages plus the sign-in / sign-out UI shipped with Microsoft.Identity.Web.UI.
builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI();

var app = builder.Build();

// Authentication must run before authorization in the request pipeline.
app.UseAuthentication();
app.UseAuthorization();

app.MapControllerRoute(name: "default", pattern: "{controller=Home}/{action=Index}/{id?}");
app.MapRazorPages();

app.Run();
```
Explaining the code
The library Microsoft.Identity.Web provides much of the workflow behind the scenes, and it is the latest library for this purpose. More about the library later.
What the code will do for your application:
- Downloading the Microsoft Entra ID metadata, finding the signing keys, and finding the issuer name for the tenant.
- Processing the OpenID Connect sign-in workflow, obtaining the JWT token, extracting the user's claims, and putting them in ClaimsPrincipal.Current.
- Integrating with the ASP.NET Core session cookie middleware to establish a session for the user.
- Building an authorization policy where views require authentication. Every controller carrying the [Authorize] attribute will force the user to validate their authentication token.
- Adding UI that is hooked to the Microsoft authentication URL: https://login.microsoftonline.com/
Configure Microsoft Entra ID:
To configure Microsoft Entra ID to authenticate your application, you have to register your application.
Application Registration in Microsoft Entra ID is equivalent to creating an Application in Auth0.
Configure your .NET to use Microsoft Entra ID application:
To configure the application, use the following in appsettings.json:
```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "common",
    "ClientId": "11111111-1111-1111-11111111111111111",
    "CallbackPath": "/signin-oidc"
  }
}
```
Where:
- Instance: the login URL for Microsoft Entra ID (single tenant, or sign in with a work or school account).
- ClientId: the client ID of your App Registration (we will come to it later).
- TenantId: can be one of the following:
  - a real tenant ID, for a single-tenant application
  - organizations, for multi-tenant applications that use work/school accounts
  - common, for work/school accounts or Microsoft personal accounts
  - consumers, for Microsoft personal accounts
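With "common" or "organizations" as the TenantId, Microsoft.Identity.Web validates the token's signature and issuer, but a user from any Entra ID tenant can complete sign-in; deciding which tenants your application actually serves is an authorization decision the application itself has to make. The following Program.cs is an added example, not code from the original post or from Microsoft.Identity.Web; it assumes the "AzureAd" section above plus a hypothetical "AllowedTenants" array in appsettings.json (constructed for this example), and it uses the library's GetTenantId() extension on ClaimsPrincipal, which reads the tenant ID ("tid") claim from the signed-in user.

```csharp
// Added example: restrict a multi-tenant sign-in ("common" / "organizations")
// to an allow-list of tenants. Not part of the original post.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Hypothetical configuration key (constructed for this example):
//   "AllowedTenants": [ "<tenant-guid-1>", "<tenant-guid-2>" ]
// Tenant IDs are compared case-insensitively; an empty list denies everyone.
var allowedTenants = new HashSet<string>(
    builder.Configuration.GetSection("AllowedTenants").Get<string[]>() ?? Array.Empty<string>(),
    StringComparer.OrdinalIgnoreCase);

// A named policy: the user must be authenticated AND come from an allowed tenant.
// GetTenantId() is the Microsoft.Identity.Web extension that returns the "tid" claim
// (or null when the principal carries no tenant claim).
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AllowedTenantOnly", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
        {
            var tenantId = ctx.User.GetTenantId();
            return tenantId is not null && allowedTenants.Contains(tenantId);
        }));
});

// Apply the policy globally to MVC controllers (replaces the plain
// RequireAuthenticatedUser filter from the original snippet).
builder.Services.AddControllersWithViews(options =>
{
    options.Filters.Add(new AuthorizeFilter("AllowedTenantOnly"));
});

builder.Services.AddRazorPages()
    .AddMicrosoftIdentityUI();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllerRoute(name: "default", pattern: "{controller=Home}/{action=Index}/{id?}");
app.MapRazorPages();

// Minimal API endpoints are NOT covered by MVC filters, so the policy must be
// attached explicitly here; without RequireAuthorization this route would be open.
app.MapGet("/whoami", (HttpContext ctx) => Results.Ok(new
{
    Name = ctx.User.Identity?.Name,
    Tenant = ctx.User.GetTenantId()
})).RequireAuthorization("AllowedTenantOnly");

app.Run();
```

The sign-in UI from Microsoft.Identity.Web.UI (the MicrosoftIdentity/Account routes) still has to stay reachable anonymously, which the library handles itself; the point of the policy is that a valid token alone is not enough, the tenant it was issued for also has to be one you expect. Keep the allow-list in configuration rather than in code so that onboarding a new customer tenant is a deployment setting, not a rebuild.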