This article shows how to implement an Azure Active Directory login for an ASP.NET Core application. The Microsoft identity platform (v2.0) is now Open ID Connect certified and the Microsoft Account logins can now be replaced with this. By using OpenID Connect instead of Microsoft Accounts, it is easy to force a login, or a consent screen as well as following a standard. A full signout can also be supported if required. The AddOpenIdConnect OIDC extension method should now be used instead of the AddMicrosoftAccount method. This replaces the existing post: Adding an external Microsoft login to IdentityServer4. It is still possible to use the https://apps.dev.microsoft.com if only Microsoft accounts are required.
Code https://github.com/damienbod/AspNetCoreID4External
Updating Microsoft Account Logins in ASP.NET Core with OpenID Connect and Azure Active Directory
If you open an existing Microsoft Account App configuration on https://apps.dev.microsoft.com , it will offer you the possibility to configure this on the Azure portal as an Azure Active Directory App. You can also create a new one using the Azure Active Directory/App Registrations/New Registration button.
We want to create an Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com) type, because we would like that our AAD any other AAD or live accounts can login to our software. We also want to define the return URLs which are required. Live SDK support is also required.
Then we need to create a new secret which is required to access the login from our OIDC Authorization Code Flow client in the ASP.NET Core application. The Implicit Flow is not required. We could also define the logout URL in the Authentication blade, so that when the user logs out from his/her account, the application will also do a logout.
The application ID is required to configure the OIDC client in the ASP.NET Core application.
In the startup class of the ASP.NET Core application, the AddOpenIdConnect extension method is used to implement the Open ID Connect code flow client to access the Azure AD App. The common V2.0 endpoint is used. The SignInScheme is defined as “Identity.External”. This is because ASP.NET Core Identity is used in this application, and the identity is then stored to the Identity database, with the defined login. Cookies could also be used here if you use only Azure AD and Live accounts with the V2.0 common endpoint. The RemoteAuthenticationTimeout property is set so that the user has enough time to do the login. The response type is code as per OpenID Connect specification. The Issuer will not be validated and this is configured to false. This is because any AAD or live account can be used here, and so the Issuer will always be different. If you know or want to allow only specific AAD tenants etc, then you should validate this. The email scope is requested and this is then mapped to the name property which can be accessed easily in the HttpContext object.
The Prompt property can be used to force a login, or the consent screen. Per specification, “none”, “login”, “consent”, “select_account” values can be used here. If the login is not forced, the user will automatically be logged in, if only one account is active.
The CallbackPath path is set to match the App configuration in the Azure AD app registration.
services.AddAuthentication()
.AddOpenIdConnect("Azure AD / Microsoft", "Azure AD / Microsoft", options =>
{
// https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration
options.ClientId = _clientId;
options.ClientSecret = _clientSecret;
options.SignInScheme = "Identity.External";
options.RemoteAuthenticationTimeout = TimeSpan.FromSeconds(30);
options.Authority = "https://login.microsoftonline.com/common/v2.0/";
options.ResponseType = "code";
// new in .NET Core 3.1
options.UsePkce = false; // live does not support this yet
options.Scope.Add("profile");
options.Scope.Add("email");
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
NameClaimType = "email",
};
options.CallbackPath = "/signin-microsoft";
options.Prompt = "login"; // login, consent
});
Troubleshooting Correlation Exceptions
When the Application is deployed, sometimes you will start receiving Correlation Exceptions which are caused for a number of different reasons and can be difficult to figure out why it worked in dev, but not in the deployment.
RemoteAuthenticationTimeout
Sometimes not enough time is allowed for the user to login, maybe a 2FA login is required or something which takes time to complete. Try increasing the RemoteAuthenticationTimeout value to allow more time if this is causing the Correlation exceptions.
No Cookie exception
This is caused when the Client PC is blocking cookies or has some weird IT setup with a Firewall/ Anti-Virus which blocks this. Get the IT Admin to open up the security for your applications.
Multiple instance deployments
This can happen when multiple instances are used for the deployment, and the data protection does not store the keys to a common store. This is not required for Azure App Services deployment, but maybe you deploy with Service Fabric or docker, and a common cache, store should be coded for the data protection.
Cookie Policy overwritten
If the Cookie policy is configured to strict or non essential, then the Correlation Cookie Builder would have to be coded, and set so that these cookies are same site = none and essential.
Summary
The AddMicrosoftAccount extension method can now be replaced with the AddOpenIdConnect method, and AddMicrosoftAccount should no longer be used. The Azure V2.0 Common endpoint is now certified and this would be following a specification and best practice.
Links
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-webapp
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-overview
https://openid.net/specs/openid-connect-core-1_0.html
http://docs.identityserver.io/en/release/topics/signin_external_providers.html
https://docs.microsoft.com/en-us/azure/active-directory/develop/app-registrations-training-guide
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code
Software Engineering 
[…] Updating Microsoft Account Logins in ASP.NET Core with OpenID Connect and Azure Active Directory […]
> but select_account is not supported in the AAD implementation
What do you mean? I’m using it in my apps, it works fine
Hi Thomas
Thanks for the feedback, then the docs are old:
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-openid-connect-code#send-the-sign-in-request
I’ll update, thanks
Greetings Damien
[…] Updating Microsoft Account Logins in ASP.NET Core with OpenID Connect and Azure Active Directory (Damien Bowden) […]
[…] Updating Microsoft Account Logins in ASP.NET Core with OpenID Connect and Azure Active Directory – Damien Bowden […]
Reblogged this on PeopleFromBinhDuong (NguoiDenTuBinhDuong).
Evening,
Im trying to setup this in a .Net Core 3.1 environment but i seem to have problem with the CallBack URL. I get an 404 response but expected is that the Web App should handle the callback according to the schema. Any tips what might be wrong here?
I have some issues with the callback URL. I get 404 when its called and its not handled by the web app as expected. What have i missed?
The ‘options.CallbackPath = “/signin-microsoft”; ‘ needs to match what you have configured on the APP registration
Greetings Damien