Menu
I am using Azure AD as an external IdP with IdentityServer4. To call an API that is protected with AzureAd, I need to get access token from Azure Ad. Is it possible to get the access token as part of the login process and save it to claims?
I am using IdentityServer4 Quickstart UI. I tried to capture access token in the callback method of external token, but did not find that in the HttpContext or the claims or in the ProcessLoginCallbackForOidc method.
IdentityServer4 Azure Ad Configuration:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddTestUsers(Config.GetUsers());
services.AddAuthentication()
.AddOpenIdConnect("oidc", "Azure AD", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
options.Authority = "https://login.microsoftonline.com/fredhutch.onmicrosoft.com/";
options.ClientId = "<client id>";
options.Resource = "app_id from azure ad";
options.ClientSecret = "secret from azure ad";
options.ResponseType = "code id_token";
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "sub",
RoleClaimType = "role"
};
});
Client configuration in IdentityServer4:
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RedirectUris = { "http://localhost:49341/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:49341/signout-callback-oidc" },
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"b03d4318-278d-40fc-b6b3-3cf47a0e6f4d"
},
AllowOfflineAccess=true
}
Client (ASP.Net Core MVC):
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = "idsrv4url";
options.ClientId = "mvc";
options.ClientSecret = "secret";
options.SaveTokens = true;
options.ResponseType = "code id_token";
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("b03d4318-278d-40fc-b6b3-3cf47a0e6f4d");
options.Scope.Add("offline_access");
options.GetClaimsFromUserInfoEndpoint = true;
options.SaveTokens = true;
});
735
An access token contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. When calling a resource server, an access token must be present in the HTTP request. An access token is denoted as access_token in the responses from Azure AD B2C.
About IdentityServer4IdentityServer is a free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core.
Your setup against Azure AD is an implicit flow, meaning you only get an authorization code and id token (based on your responsetype = "code id_token").
What you need to do is subscribe to the OnAuthorizationCodeReceived event and ask for access token here.
options.Events.OnAuthorizationCodeReceived= contex => {
var authCode = contex.ProtocolMessage.Code;
...
// Get token
...
};
You can find more info here https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code#use-the-authorization-code-to-request-an-access-token
187
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
