How to combine Asp.Net Identity with Azure AD Authorization

Is it possible to integrate ASP.NET Identity with Azure AD authorization by means of OpenIdConnect? I'd like to have both authorization providers: one for local authorization (by means of standard ASP.NET Core Identity) and a second by means of Azure AD:

    // Cookie scheme for the signed-in session, OpenID Connect (Azure AD) for the challenge
    _services
        .AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.ClientId = clientId;
            options.ClientSecret = clientSecret;
            options.Authority = $"{baseAuthorityUrl}/{tenantId}/v2.0";
            options.CallbackPath = new PathString(callBackPath);
            options.Scope.Add("email");
            options.Scope.Add("profile");
            options.ResponseType = "code id_token";

            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            };
        });

This works for Azure AD authorization, but I can't change the authorization method from Azure AD to ASP.NET Identity. Any help is much appreciated.

Kipup fs asked Oct 15 '22 16:10

1 Answer

I'd suggest using the default ASP.NET Identity template to start the project:

  1. Create a new application with ASP.NET Identity (Individual User Accounts template).

  2. Seed the database with Migrations: Add-Migration Name, Update-Database.

  3. Add your OIDC provider:

    services
        .AddAuthentication(options =>
        {
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
        {
            // Hand the external login result to Identity's external cookie
            options.SignInScheme = IdentityConstants.ExternalScheme;

            options.ClientId = ClientId;
            options.ClientSecret = ClientSecret;
            options.Authority = $"{baseAuthorityUrl}/{tenantId}/v2.0";
            options.CallbackPath = new PathString("/signin-oidc");
            options.Scope.Add("email");
            options.Scope.Add("profile");
            options.ResponseType = "code id_token";

            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;

            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name"
            };
        });


Make sure to use IdentityConstants.ExternalScheme for SignInScheme, otherwise Identity won't accept the external login information correctly.

ASP.NET will create a local account that is associated with your external account, so that you can perform authorization with your local identity system.

Nan Yu answered Nov 15 '22 04:11
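What the answer's last two paragraphs describe, as an added example that is not part of the question or answer: the controller half that reads the external cookie the OIDC handler wrote and turns it into a local Identity sign-in, creating and linking the local account on first login. It assumes the AddOpenIdConnect registration above (SignInScheme = IdentityConstants.ExternalScheme), an ApplicationUser type derived from IdentityUser, and Login/Lockout actions on the same controller; all of these are assumptions, not names from the page.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

[AllowAnonymous]
public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser> _signInManager; // ApplicationUser: assumed IdentityUser subclass
    private readonly UserManager<ApplicationUser> _userManager;
    public AccountController(SignInManager<ApplicationUser> s, UserManager<ApplicationUser> u)
    { _signInManager = s; _userManager = u; }

    // Step 1: challenge Azure AD. The OIDC handler writes its result to Identity's
    // external cookie only because SignInScheme = IdentityConstants.ExternalScheme.
    [HttpPost]
    public IActionResult ExternalLogin(string returnUrl = "/")
    {
        var redirectUrl = Url.Action(nameof(ExternalLoginCallback), "Account", new { returnUrl });
        var props = _signInManager.ConfigureExternalAuthenticationProperties(
            OpenIdConnectDefaults.AuthenticationScheme, redirectUrl);
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }

    // Step 2: read the external cookie, then sign in or create the local account.
    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback(string returnUrl = "/", string? remoteError = null)
    {
        // A null result here is the symptom of a wrong SignInScheme (or an expired external cookie).
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (remoteError != null || info == null) return RedirectToAction("Login");
        // Already linked: sign in with the local identity; lockout and 2FA still apply.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: false);
        if (result.Succeeded) return LocalRedirect(returnUrl); // LocalRedirect rejects external return URLs
        if (result.IsLockedOut) return RedirectToAction("Lockout");
        // Not linked yet: create the local user and store the (provider, subject) pair.
        var email = info.Principal.FindFirstValue(ClaimTypes.Email);
        if (string.IsNullOrEmpty(email)) return RedirectToAction("Login");
        var user = new ApplicationUser { UserName = email, Email = email };
        var created = await _userManager.CreateAsync(user);
        if (!created.Succeeded) return RedirectToAction("Login");
        await _userManager.AddLoginAsync(user, info);
        await _signInManager.SignInAsync(user, isPersistent: false);
        return LocalRedirect(returnUrl);
    }
}
```

Local password logins continue to go through SignInManager.PasswordSignInAsync unchanged; both paths end in the same Identity application cookie, which is what lets one site offer both providers.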