
@danroth27
Last active June 12, 2017 17:58
ASP.NET Core with Application Tokens

ASP.NET Core Identity with Application Tokens

Problem statement

Migrating ASP.NET Core apps that use ASP.NET Core Identity for authentication to Azure AD B2C is difficult:

  • The app is not set up to use OIDC for authentication
  • The identity model, views, and controllers are intermingled with the application code
  • The app data is tied up with the IdentityDbContext
  • No support for migrating users to Azure AD B2C

No support for securing Web APIs.

Goals

  • Enable ASP.NET Core apps to easily migrate from using ASP.NET Core Identity in app to Azure AD B2C
  • Provide a Web API security solution

Approach

We will add a layer to ASP.NET Core Identity that exposes user identities through standard endpoints that have the same behavior as Azure AD B2C. These endpoints implement standard protocols (a subset of OpenID Connect and OAuth 2.0). These endpoints can be used to authenticate users and to issue access tokens for accessing protected resources (secure web APIs). To migrate an app to use Azure AD B2C you reconfigure the app to use Azure AD B2C endpoints instead of the ASP.NET Core Identity endpoints and migrate the corresponding users and application data.

The same endpoints can be used to authorize client access to web APIs. Registered client applications can request access tokens from ASP.NET Core Identity using the Microsoft Authentication Library (MSAL). Access to the web API is authorized for requests that contain valid access tokens with sufficient scope.

Scenarios

Getting started

TODO: Add basic API setup and details here

Note: All getting started experiences should be possible from within VS, VS for Mac, and from the CLI.

Create a new web app that authenticates users using an in-app ASP.NET Core Identity token issuer

File->New Project->ASP.NET Core Web Application

Change Authentication->Individual User Accounts->Store user accounts in-app

Create a new secure web API with an in-app ASP.NET Core Identity token issuer

Create an ASP.NET Core Identity token issuer as a stand-alone application

Create a new web app that authenticates users using an existing ASP.NET Core Identity token issuer

Create a new secure Web API using an existing ASP.NET Core Identity token issuer

Create a new mobile app client with a secure web API backend

Create a new single-page app (SPA) with a secure web API backend

Create a new web app that calls a secure web API

Working with users

Flow user role claims from the identity provider to the app

Add user attributes and flow additional claims for those attributes to the app

Associate additional data (e.g., a credit card number) with the signed-in user in the app

Configuring authentication

Existing ASP.NET Core Identity features should continue to work with the token issuer.

Enable social logins for the ASP.NET Core Identity token issuer

Enable two-factor authentication for the ASP.NET Core Identity token issuer

Enable account confirmation

Managing access tokens

Client app requests offline access to get a refresh token

Configure access token, refresh token, authorization code lifetimes

Configure policy for managing granted scopes

Working with scopes

Client app requests specific scopes

Restrict web API access based on granted scopes
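As an added illustration of the Approach section and of this scenario (example code, not from the gist or the ASP.NET team): an ASP.NET Core 2.x web API that validates bearer tokens against the ASP.NET Core Identity token issuer's OIDC metadata and authorizes a controller action by a granted scope. The issuer URL, the audience, the `scp` claim name (Azure AD B2C style, space-separated) and the `read:orders` scope are assumed placeholders.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// The scope a caller's access token must have been granted.
public class ScopeRequirement : IAuthorizationRequirement
{
    public string Scope { get; }
    public ScopeRequirement(string scope) { Scope = scope; }
}

// Succeeds only when the validated token's "scp" claim (assumed name, space-separated) contains the scope.
public class ScopeHandler : AuthorizationHandler<ScopeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ScopeRequirement requirement)
    {
        var scp = context.User.FindFirst("scp")?.Value ?? string.Empty;
        if (scp.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries).Contains(requirement.Scope))
            context.Succeed(requirement);   // otherwise the policy fails: 403 for an authenticated caller
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Signing keys, issuer and audience are validated from the issuer's OIDC discovery document.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(o =>
        {
            o.Authority = "https://localhost:5001";   // ASP.NET Core Identity token issuer (placeholder)
            o.Audience = "api://orders";              // this API's registered app ID (placeholder)
        });
        services.AddAuthorization(o =>
            o.AddPolicy("ReadOrders", p => p.Requirements.Add(new ScopeRequirement("read:orders"))));
        services.AddSingleton<IAuthorizationHandler, ScopeHandler>();
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must precede MVC so HttpContext.User is populated for the policy
        app.UseMvc();
    }
}

[Route("api/orders")]
public class OrdersController : Controller
{
    [HttpGet, Authorize(Policy = "ReadOrders")]   // valid token without "read:orders" gets 403
    public IActionResult Get() => Ok(new[] { "order-1", "order-2" });
}
```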

Publishing and deployment

Publish the app to an Azure App Service from VS

Publish the app to an Azure App Service using Kudu

Application management

Register a mobile app

Register a web app

Register a protected resource (Web API)

Edit application name

Add/remove/edit the redirect URIs for a registered application

Add/remove the client secrets for a registered application

Add/remove/edit scopes for a registered protected resource (web API)

Copy relevant info for a registered application onto the clipboard (app ID, redirect URI, client secrets, scopes)

Anonymous access to application management during development

Administrator access to application management in production and ability to configure list of admin user names

Configure policy for authorizing access to application management

Migrating to Azure AD B2C

Migrate users with local username and password

Migrate users with external logins

Migrate users with two-factor authentication enabled

Migrate additional user attributes and related claims

Migrate application look and feel

Migrate application registrations

Out of scope

Establishing user consent

Seamlessly running in containers using Docker tooling
