Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Using Azure Active Directory OAuth with Identity Model in ASP.NET Core 2.0

The problem statement

We are developing a new enterprise level application and want to utilize Azure Active Directory for signing into the application so that we do not have to create another set of user credentials. However, our permissions model for this application is more complex than what can be handled via groups inside of AAD.

The thought

The thought was that we could use Azure Active Directory OAuth 2.0 in addition to the ASP.NET Core Identity framework to force users to authenticate through Azure Active Directory and then use the identity framework to handle authorization/permissions.

The Issues

You can create projects out of the box using Azure OpenId authentication and then you can easily add Microsoft account authentication (Not AAD) to any project using Identity framework. But there was nothing built in to add OAuth for AAD to the identity model.

After trying to hack those methods to get them to work like I needed I finally went through trying to home-brew my own solution building off of the OAuthHandler and OAuthOptions classes.

I ran into a lot of issues going down this route but managed to work through most of them. Now I am to a point where I am getting a token back from the endpoint but my ClaimsIdentity doesn't appear to be valid. Then when redirecting to the ExternalLoginCallback my SigninManager is unable to get the external login information.

There almost certainly must be something simple that I am missing but I can't seem to determine what it is.

The Code

Startup.cs

services.AddAuthentication()
.AddAzureAd(options =>
{
    options.ClientId = Configuration["AzureAd:ClientId"];
    options.AuthorizationEndpoint = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/oauth2/authorize";
    options.TokenEndpoint = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/oauth2/token";
    options.UserInformationEndpoint = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/openid/userinfo";
    options.Resource = Configuration["AzureAd:ClientId"];
    options.ClientSecret = Configuration["AzureAd:ClientSecret"];
    options.CallbackPath = Configuration["AzureAd:CallbackPath"];
});

AzureADExtensions

namespace Microsoft.AspNetCore.Authentication.AzureAD
{
    public static class AzureAdExtensions
    {
        public static AuthenticationBuilder AddAzureAd(this AuthenticationBuilder builder)
            => builder.AddAzureAd(_ => { });

        public static AuthenticationBuilder AddAzureAd(this AuthenticationBuilder builder, Action<AzureAdOptions> configureOptions)
        {
            return builder.AddOAuth<AzureAdOptions, AzureAdHandler>(AzureAdDefaults.AuthenticationScheme, AzureAdDefaults.DisplayName, configureOptions);
        }

        public static ChallengeResult ChallengeAzureAD(this ControllerBase controllerBase, SignInManager<ApplicationUser> signInManager, string redirectUrl)
        {
            return controllerBase.Challenge(signInManager.ConfigureExternalAuthenticationProperties(AzureAdDefaults.AuthenticationScheme, redirectUrl), AzureAdDefaults.AuthenticationScheme);
        }
    }
}

AzureADOptions & Defaults

public class AzureAdOptions : OAuthOptions
{

    public string Instance { get; set; }

    public string Resource { get; set; }

    public string TenantId { get; set; }

    public AzureAdOptions()
    {
        CallbackPath = new PathString("/signin-azureAd");
        AuthorizationEndpoint = AzureAdDefaults.AuthorizationEndpoint;
        TokenEndpoint = AzureAdDefaults.TokenEndpoint;
        UserInformationEndpoint = AzureAdDefaults.UserInformationEndpoint;
        Scope.Add("https://graph.windows.net/user.read");
        ClaimActions.MapJsonKey("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "unique_name");
        ClaimActions.MapJsonKey("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "given_name");
        ClaimActions.MapJsonKey("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "family_name");
        ClaimActions.MapJsonKey("http://schemas.microsoft.com/ws/2008/06/identity/claims/groups", "groups");
        ClaimActions.MapJsonKey("http://schemas.microsoft.com/identity/claims/objectidentifier", "oid");
        ClaimActions.MapJsonKey("http://schemas.microsoft.com/ws/2008/06/identity/claims/role", "roles");            
    }
}


public static class AzureAdDefaults
{
    public static readonly string DisplayName = "AzureAD";
    public static readonly string AuthorizationEndpoint = "https://login.microsoftonline.com/common/oauth2/authorize";
    public static readonly string TokenEndpoint = "https://login.microsoftonline.com/common/oauth2/token";
    public static readonly string UserInformationEndpoint = "https://login.microsoftonline.com/common/openid/userinfo"; // "https://graph.windows.net/v1.0/me";
    public const string AuthenticationScheme = "AzureAD";
}

AzureADHandler

internal class AzureAdHandler : OAuthHandler<AzureAdOptions>
{
    public AzureAdHandler(IOptionsMonitor<AzureAdOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
      : base(options, logger, encoder, clock)
    {
    }

    protected override async Task<AuthenticationTicket> CreateTicketAsync(ClaimsIdentity identity, AuthenticationProperties properties, OAuthTokenResponse tokens)
    {
        HttpRequestMessage httpRequestMessage = new HttpRequestMessage(HttpMethod.Get, Options.UserInformationEndpoint);
        httpRequestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.AccessToken);
        HttpResponseMessage httpResponseMessage = await Backchannel.SendAsync(httpRequestMessage, Context.RequestAborted);
        if (!httpResponseMessage.IsSuccessStatusCode)
            throw new HttpRequestException(message: $"Failed to retrived Azure AD user information ({httpResponseMessage.StatusCode}) Please check if the authentication information is correct and the corresponding Microsoft Account API is enabled.");
        JObject user = JObject.Parse(await httpResponseMessage.Content.ReadAsStringAsync());
        OAuthCreatingTicketContext context = new OAuthCreatingTicketContext(new ClaimsPrincipal(identity), properties, Context, Scheme, Options, Backchannel, tokens, user);
        context.RunClaimActions();
        await Events.CreatingTicket(context);
        return new AuthenticationTicket(context.Principal, context.Properties, Scheme.Name);
    }

    protected override async Task<OAuthTokenResponse> ExchangeCodeAsync(string code, string redirectUri)
    {
        Dictionary<string, string> dictionary = new Dictionary<string, string>();
        dictionary.Add("grant_type", "authorization_code");
        dictionary.Add("client_id", Options.ClientId);
        dictionary.Add("redirect_uri", redirectUri);
        dictionary.Add("client_secret", Options.ClientSecret);
        dictionary.Add(nameof(code), code);
        dictionary.Add("resource", Options.Resource);

        HttpRequestMessage httpRequestMessage = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint);
        httpRequestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
        httpRequestMessage.Content = new FormUrlEncodedContent(dictionary);
        HttpResponseMessage response = await Backchannel.SendAsync(httpRequestMessage, Context.RequestAborted);
        if (response.IsSuccessStatusCode)
            return OAuthTokenResponse.Success(JObject.Parse(await response.Content.ReadAsStringAsync()));
        return OAuthTokenResponse.Failed(new Exception(string.Concat("OAuth token endpoint failure: ", await Display(response))));
    }

    protected override string BuildChallengeUrl(AuthenticationProperties properties, string redirectUri)
    {
        Dictionary<string, string> dictionary = new Dictionary<string, string>();
        dictionary.Add("client_id", Options.ClientId);
        dictionary.Add("scope", FormatScope());
        dictionary.Add("response_type", "code");
        dictionary.Add("redirect_uri", redirectUri);
        dictionary.Add("state", Options.StateDataFormat.Protect(properties));
        dictionary.Add("resource", Options.Resource);
        return QueryHelpers.AddQueryString(Options.AuthorizationEndpoint, dictionary);
    }

    private static async Task<string> Display(HttpResponseMessage response)
    {
        StringBuilder output = new StringBuilder();
        output.Append($"Status: { response.StatusCode };");
        output.Append($"Headers: { response.Headers.ToString() };");
        output.Append($"Body: { await response.Content.ReadAsStringAsync() };");
        return output.ToString();
    }
}

AccountController.cs

    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> SignIn()
    {
        var redirectUrl = Url.Action(nameof(ExternalLoginCallback), "Account");
        return this.ChallengeAzureAD(_signInManager, redirectUrl);
    }

    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null, string remoteError = null)
    {
        if (remoteError != null)
        {
            _logger.LogInformation($"Error from external provider: {remoteError}");
            return RedirectToAction(nameof(SignedOut));
        }
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) //This always ends up true!
        {
            return RedirectToAction(nameof(SignedOut));
        }
    }

There you have it!

This is the code I have, and I'm almost sure that at this point there is something simple I am missing but am unsure of what it is. I know that my CreateTicketAsync method is problematic as well since I'm not hitting the correct user information endpoint (or hitting it correctly) but that's another problem all together as from what I understand the claims I care about should come back as part of the token.

Any assistance would be greatly appreciated!

like image 707
Michael Merrell Avatar asked Nov 08 '17 19:11

Michael Merrell


People also ask

How do I use Azure AD for authentication in .NET Core?

Select ASP.NET Core Web Application>Choose Web Application (Model-View-Controller) template> Click on the "Change Authentication" button>Select "Work or School Accounts". Choose Cloud - Single Organization. Fill up the field of Domain which is the Azure Active Directory tenant name (say, softdreams.onmicrosoft.com).

Does Azure AD support oauth2?

Azure Active Directory (Azure AD) supports all OAuth 2.0 flows.


1 Answers

I ended up resolving my own problem as it ended up being several issues. I was passing the wrong value in for the resource field, hadn't set my NameIdentifer mapping correctly and then had the wrong endpoint for pulling down user information. The user information piece being the biggest as that is the token I found out that the external login piece was looking for.

Updated Code

Startup.cs

services.AddAuthentication()
.AddAzureAd(options =>
{
    options.ClientId = Configuration["AzureAd:ClientId"];
    options.AuthorizationEndpoint = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/oauth2/authorize";
    options.TokenEndpoint = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/oauth2/token";
    options.ClientSecret = Configuration["AzureAd:ClientSecret"];
    options.CallbackPath = Configuration["AzureAd:CallbackPath"];
});

AzureADOptions & Defaults

public class AzureAdOptions : OAuthOptions
{

    public string Instance { get; set; }

    public string Resource { get; set; }

    public string TenantId { get; set; }

    public AzureAdOptions()
    {
        CallbackPath = new PathString("/signin-azureAd");
        AuthorizationEndpoint = AzureAdDefaults.AuthorizationEndpoint;
        TokenEndpoint = AzureAdDefaults.TokenEndpoint;
        UserInformationEndpoint = AzureAdDefaults.UserInformationEndpoint;
        Resource = AzureAdDefaults.Resource;
        Scope.Add("user.read");

        ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
        ClaimActions.MapJsonKey(ClaimTypes.Name, "displayName");
        ClaimActions.MapJsonKey(ClaimTypes.GivenName, "givenName");
        ClaimActions.MapJsonKey(ClaimTypes.Surname, "surname");
        ClaimActions.MapJsonKey(ClaimTypes.MobilePhone, "mobilePhone");
        ClaimActions.MapCustomJson(ClaimTypes.Email, user => user.Value<string>("mail") ?? user.Value<string>("userPrincipalName"));       
    }
}

public static class AzureAdDefaults
{
    public static readonly string DisplayName = "AzureAD";
    public static readonly string AuthorizationEndpoint = "https://login.microsoftonline.com/common/oauth2/authorize";
    public static readonly string TokenEndpoint = "https://login.microsoftonline.com/common/oauth2/token";
    public static readonly string Resource =  "https://graph.microsoft.com";
    public static readonly string UserInformationEndpoint =  "https://graph.microsoft.com/v1.0/me";
    public const string AuthenticationScheme = "AzureAD";
}
like image 199
Michael Merrell Avatar answered Sep 24 '22 14:09

Michael Merrell