I have a .NET Core web app with .NET Core Identity sign-in set up and working; it creates and signs in users stored in our database. My next step was adding Azure Active Directory as an external way of logging in, and that works fine too, for the most part: I am able to log in.
My issue is that when I added the AAD authentication, the Identity way of authenticating no longer works to sign me in.
Ideally, the web app would use AAD to authenticate the user, but if that fails the user would still have the option to sign in locally to be authenticated. Essentially AAD would be the default sign-in and Identity would be the backup.
I've followed the following post's suggestion, since it is very similar if not the same to what I would like my web app to do, by adding AddCookie() to the Startup.cs file, but when I do that AAD fails to authenticate me with the message:
"We couldn't sign you in. Please try again."
Hybrid authentication in .net core with Open Id Connect and local database
The following is what my Startup.cs file looks like. I've removed the AddCookie() call from the post above so I could get AAD to sign me in again.
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<CookiePolicyOptions>(options =>
        {
            // This lambda determines whether user consent for non-essential cookies is needed for a given request.
            options.CheckConsentNeeded = context => true;
            options.MinimumSameSitePolicy = SameSiteMode.None;
        });

        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(
                Configuration.GetConnectionString("DefaultConnection")));

        services.AddDefaultIdentity<IdentityUser>()
            .AddDefaultUI(UIFramework.Bootstrap4)
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            options.Authority = options.Authority + "/v2.0/"; // Microsoft identity platform
            options.TokenValidationParameters.ValidateIssuer = false; // accept several tenants (here simplified)
        });

        services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        })
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }
I suspect it may have something to do with the following call:
    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));
Maybe I need to add extra authentication options? I've tried the following, but AAD does not authenticate me and I get the same message from AAD:
"We couldn't sign you in. Please try again."
    services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = AzureADDefaults.AuthenticationScheme;
    })
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));
I am fairly new to authentication and any help is appreciated, thank you.
Select ASP.NET Core Web Application > Choose Web Application (Model-View-Controller) template > Click on the "Change Authentication" button > Select "Work or School Accounts". Choose Cloud - Single Organization. Fill in the Domain field, which is the Azure Active Directory tenant name (say, softdreams.onmicrosoft.com).
Enable Azure Active Directory in your App Service app. Sign in to the Azure portal and navigate to your app. Select Authentication in the menu on the left. Click Add identity provider.
The authentication middleware is added in Startup.Configure by calling UseAuthentication. Calling UseAuthentication registers the middleware that uses the previously registered authentication schemes. Call UseAuthentication before any middleware that depends on users being authenticated.
I think you just need to register both authentication schemes.
Swap in this code:
    services.AddMvc(options =>
    {
        // Name both schemes explicitly so the default policy authenticates against each of them.
        var policy = new AuthorizationPolicyBuilder(
                AzureADDefaults.AuthenticationScheme,
                AzureADDefaults.OpenIdScheme)
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });
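The answers above give pieces (register the middleware with UseAuthentication, name the schemes the policy should accept). The following Startup is an added example, not code from the question or from any of the answers, showing one complete way to run ASP.NET Core Identity's local cookie sign-in and an Azure AD OpenID Connect scheme side by side. Instead of AddAzureAD it calls AddOpenIdConnect directly and points the AAD handler's SignInScheme at Identity's external cookie, so an AAD login is finished by the scaffolded Identity UI's external-login callback and ends in the same Identity.Application cookie that a password login produces. Assumptions: ASP.NET Core 2.2 packages, the scaffolded Identity UI, an ApplicationDbContext class in the project, and an "AzureAd" configuration section with TenantId, ClientId and ClientSecret (the secret belongs in user secrets or a vault, not in appsettings.json). Unlike the snippet in the question, issuer validation is left on.

```csharp
// Added example; not the original poster's Startup.cs.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // ApplicationDbContext is assumed to be the project's own EF Core context.
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

        // AddDefaultIdentity registers the Identity.Application cookie scheme and makes it the
        // default authenticate/sign-in scheme, so local username + password sign-in keeps working.
        services.AddDefaultIdentity<IdentityUser>()
            .AddDefaultUI(UIFramework.Bootstrap4)
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        // Azure AD is a second, named scheme. Giving it a display name makes the Identity login
        // page list it as an external provider button next to the local form.
        services.AddAuthentication()
            .AddOpenIdConnect("AzureAD", "Azure AD", options =>
            {
                var tenantId = Configuration["AzureAd:TenantId"]; // assumed config key
                options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                options.ClientId = Configuration["AzureAd:ClientId"];         // assumed config key
                options.ClientSecret = Configuration["AzureAd:ClientSecret"]; // assumed config key
                options.CallbackPath = "/signin-oidc";

                // Authorization-code flow: the handler redeems the code server-side with the
                // client secret, so no token travels through the browser URL fragment.
                options.ResponseType = OpenIdConnectResponseType.Code;

                // Sign the AAD principal into Identity's *external* cookie. The Identity UI's
                // ExternalLoginCallback then links or creates the local user and issues the
                // normal Identity.Application cookie, so one cookie represents a signed-in user
                // no matter which way they signed in.
                options.SignInScheme = IdentityConstants.ExternalScheme;

                // Issuer validation stays on (the default); for a single tenant the discovery
                // document's issuer is https://login.microsoftonline.com/{tenantId}/v2.0.
                options.TokenValidationParameters.NameClaimType = "name";
            });

        // The global policy authenticates against the Identity application cookie only; there is
        // no need to list the AAD scheme here because AAD logins end up in that same cookie.
        // Unauthenticated requests are challenged on the default scheme, i.e. redirected to the
        // Identity login page, which offers both the local form and the "Azure AD" button.
        services.AddMvc(options =>
        {
            var policy = new AuthorizationPolicyBuilder(IdentityConstants.ApplicationScheme)
                .RequireAuthenticatedUser()
                .Build();
            options.Filters.Add(new AuthorizeFilter(policy));
        })
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();
        // UseAuthentication must run before MVC (or anything else that reads HttpContext.User).
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}
```

To make Azure AD the first thing an anonymous user sees rather than the Identity login page, the challenge scheme can be switched after Identity is registered with services.AddAuthentication(o => o.DefaultChallengeScheme = "AzureAD"); the Identity login and external-login pages are marked [AllowAnonymous], so the local form remains reachable by direct link as the fallback.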