ASP.NET Core authentication using Microsoft Entra External ID for customers (CIAM)

This article looks at implementing an ASP.NET Core application which authenticates using Microsoft Entra External ID for customers (CIAM). The ASP.NET Core authentication is implemented using the Microsoft.Identity.Web NuGet package. The client uses the OpenID Connect authorization code flow with PKCE as a confidential client.

Code: https://github.com/damienbod/EntraExternalIdCiam

Microsoft Entra External ID for customers (CIAM) is a new Microsoft product for customer (B2C) identity solutions. It differs in many ways from the existing Azure AD B2C solution and adopts many of the features of Azure AD. At the time of writing, the product is in public preview.

App registration setup

As with any Azure AD, Azure AD B2C or Azure AD CIAM application, an Azure App registration is created and used to define the authentication client. The ASP.NET Core application is a confidential client and must use a client secret or a certificate to authenticate the application itself, in addition to authenticating the user.

The client uses the OpenID Connect (OIDC) authorization code flow with PKCE as a confidential client. The implicit grant (ID tokens or access tokens returned directly from the authorization endpoint) does not need to be enabled in the app registration.

User flow setup

In Microsoft Entra External ID for customers (CIAM), the application must be connected to a user flow. Under External Identities, a new user flow is created and the application (the Azure App registration) is added to it. The user flow defines the specific customer authentication requirements.

ASP.NET Core application

The ASP.NET Core application is implemented using the Microsoft.Identity.Web NuGet package. The recommended flow for trusted applications is the OpenID Connect authorization code flow with PKCE as a confidential client. This is set up using the AddMicrosoftIdentityWebApp method together with the EnableTokenAcquisitionToCallDownstreamApi method, which registers the ITokenAcquisition service used to request access tokens for downstream APIs. The CIAM client configuration is read from the EntraExternalID section of the JSON configuration.

// Server-side token cache; swap for Redis/SQL Server when running more than one instance
services.AddDistributedMemoryCache();

// OpenID Connect code flow with PKCE as a confidential client (client secret or certificate)
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
	.AddMicrosoftIdentityWebApp(
		builder.Configuration
			.GetSection("EntraExternalID"))
	// registers ITokenAcquisition for access tokens to downstream APIs
	.EnableTokenAcquisitionToCallDownstreamApi()
	// tokens are stored in the IDistributedCache registered above, not in the auth cookie
	.AddDistributedTokenCaches();
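The fragment above is the core of the setup. As an added example (not code from the post or its repository), here is a complete Program.cs that wires it into a Razor Pages application, forces the code flow with PKCE explicitly, keeps tokens out of the authentication cookie, and denies access by default. The configuration section name, the downstream scope "api://downstream/.default" and the /Error page are assumptions for illustration.

```csharp
// Added example, not the original project's code. Assumes the "EntraExternalID"
// configuration section shown on this page and a hypothetical downstream API scope.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
var services = builder.Services;

// Server-side token cache; use Redis or SQL Server for multi-instance deployments.
services.AddDistributedMemoryCache();

// Confidential client: the ClientSecret (user secrets / Key Vault) or a certificate is
// presented at the token endpoint together with the PKCE code_verifier.
services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("EntraExternalID"))
    .EnableTokenAcquisitionToCallDownstreamApi(new[] { "api://downstream/.default" }) // assumed scope
    .AddDistributedTokenCaches();

// Pin the security-relevant OIDC settings rather than relying on library defaults:
// code flow only (no implicit grant), PKCE on, and no tokens persisted in the cookie.
services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.ResponseMode = OpenIdConnectResponseMode.FormPost;
    options.UsePkce = true;
    options.SaveTokens = false; // tokens live in the distributed token cache instead
});

// Deny by default: every endpoint requires an authenticated user unless it is
// marked [AllowAnonymous] (the /Error page needs that attribute).
services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

// Adds the MicrosoftIdentity/Account/SignIn and SignOut endpoints.
services.AddRazorPages()
    .AddMicrosoftIdentityUI();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();
app.MapControllers(); // the Microsoft.Identity.Web.UI account controller is attribute routed

app.Run();
```

The Configure&lt;OpenIdConnectOptions&gt; call runs after Microsoft.Identity.Web's own configuration because it is registered later, so it acts as a guard: if a future package version or a copied snippet changed the response type, the application would still only accept the code flow.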

In appsettings.json, user secrets or the production configuration, the client specific settings are defined. The settings must match the Azure App registration, and the keys must match the option names exactly, since binding is by name and a mistyped key is silently ignored (the option keeps its default). The client secret belongs in user secrets or a secret store, never in appsettings.json. The SignUpSignInPolicyId used with Azure AD B2C is no longer required.

// -- using ciamlogin.com --
"EntraExternalID": {
	"Authority": "https://damienbodciam.ciamlogin.com",
	"ClientId": "0990af2f-c338-484d-b23d-dfef6c65f522",
	"CallbackPath": "/signin-oidc",
	"SignedOutCallbackPath": "/signout-callback-oidc"
	// "ClientSecret": "--in-user-secrets--"
},
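Once EnableTokenAcquisitionToCallDownstreamApi has been called, the application can request access tokens for the signed-in user. The following Razor Page is an added example (not from the post or its repository) showing that pattern: the access token comes from the server-side token cache and never reaches the browser. The page name, the API URL and the scope are assumptions, and it requires services.AddHttpClient() to be registered.

```csharp
// Added example, not the original project's code. "Profile", the API URL and the
// "api://downstream/.default" scope are hypothetical.
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Identity.Web;

// If the cached token cannot be refreshed silently (consent or MFA required), the
// MsalUiRequiredException is converted into a fresh OIDC challenge by this attribute.
[AuthorizeForScopes(Scopes = new[] { "api://downstream/.default" })]
public class ProfileModel : PageModel
{
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IHttpClientFactory _httpClientFactory;

    public ProfileModel(ITokenAcquisition tokenAcquisition, IHttpClientFactory httpClientFactory)
    {
        _tokenAcquisition = tokenAcquisition;
        _httpClientFactory = httpClientFactory;
    }

    public string? ApiResponse { get; private set; }

    public async Task OnGetAsync()
    {
        // Served from the distributed token cache when a valid token exists; otherwise
        // redeemed with the refresh token plus the client credential (confidential client).
        var accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(
            new[] { "api://downstream/.default" });

        var client = _httpClientFactory.CreateClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", accessToken);

        using var response = await client.GetAsync("https://localhost:5001/api/profile");
        response.EnsureSuccessStatusCode();
        ApiResponse = await response.Content.ReadAsStringAsync();
    }
}
```

Because SaveTokens is not used, the authentication cookie carries only the session; a stolen cookie does not hand an attacker a bearer token, and the refresh token stays in the server-side cache.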

Notes

I always try to implement user flows for B2C solutions and avoid custom setups, as custom setups are hard to maintain, expensive to keep up to date and hard to migrate when the product reaches end of life.

Setting up a CIAM client in ASP.NET Core works without problems. CIAM offers many more features but is still missing some essential ones. This product is starting to look really good and will be a great improvement on Azure AD B2C when it is feature complete.

Strong authentication is missing from Microsoft Entra External ID for customers (CIAM) and this makes it hard to test using my Azure AD users. Hopefully FIDO2 and passkeys will get supported soon. See the following link for the supported authentication methods:

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/customers/concept-supported-features-customers

I also require a standard OpenID Connect identity provider (code flow confidential client with PKCE support) in most of my customer solution rollouts. This is not supported at present.

CIAM also opens up the possibility of a single solution supporting both B2B and B2C use cases. Support for Azure security groups and Azure roles in Microsoft Entra External ID for customers (CIAM) is one of the features that makes this possible.

Links

https://learn.microsoft.com/en-us/azure/active-directory/external-identities/

https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-external-id

https://developer.microsoft.com/en-us/identity/customers

https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/microsoft-entra-external-id-public-preview-developer-centric/ba-p/3823766

https://github.com/AzureAD/microsoft-identity-web

4 comments

  1. […] ASP.NET Core authentication using Microsoft Entra External ID for customers (CIAM) (Damien Bowden) […]

  2. […] ASP.NET Core authentication using Microsoft Entra External ID for customers (CIAM) – Damien Bowden […]

  3. Thanks for the enlightening article! Microsoft Entra integration in ASP.NET Core authentication enhances customer security. Appreciate it!

  4. […] ASP.NET Core authentication using Microsoft Entra External ID for customers (CIAM) […]
