OpenId Connect Authentication .NET Core
We are trying to authenticate internal users via Azure AD when they visit certain pages. Our servers are not on site, so we are looking for an API where we can just pass the username and password of the user and receive whether they are in our organization and which groups they are a part of. It was possible in framework. Does such a thing exist for .NET Core?
UPDATE:
Thanks for replying! It seems to be giving me the authorization code now and now I'm trying to use this to get a token to then use that access token to get the user's groups (please correct me if I'm going about this the wrong way). My problem is I keep getting a bad request error. I've gone over the parameters a bunch and can't find what I'm missing. Here is my current set up of the API URLS, am I missing something?
string postData = $"{{\"grant_type\":\"{grant_type}\",\"client_id\":\"{client_id}\",\"code\":\"{code}\",\"redirect_uri\":\"{redirect_uri}\",\"client_secret\":\"{client_secret}\"}}";
string redirectUrl = $"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?client_id={client_id}&response_type={response_type}&redirect_uri={redirect_uri}&response_mode={response_mode}&resource={client_id}";
string requestUriString = $"https://login.microsoftonline.com/{tenant_id}/oauth2/token";
UPDATE 2: I figured out what was wrong, I was passing the post data as a Json String when it needed to be x-www-form-urlencoded.
c# asp.net-core azure-active-directory openid-connect
Azure AD does not support LDAP. To do what you want, you'll need to use OpenID Connect, authenticate the user with Azure AD, and set up your app registration such that you get their group memberships as claims in the Id token. Though all of them might not fit in the token if there are too many, in which case you'll need to query the user's group memberships from Microsoft Graph API.
– juunas
Nov 22 '18 at 6:59
docs.microsoft.com/en-us/azure/active-directory/develop/…
– juunas
Nov 22 '18 at 7:02
Thanks for answering! Once a user goes to the login page and is authenticated, how do I then retrieve that form post data?
– RyBart
Nov 28 '18 at 22:46
The page will send the user back to your site with an authorization code that you can then exchange in your back-end for an access token, Id token and refresh token. The access tokens allow you to call APIs, the Id token tells you who the user is and the refresh token allows you to get new access tokens when they expire.
– juunas
Nov 29 '18 at 6:20
asked Nov 21 '18 at 21:46 by RyBart, edited Dec 14 '18 at 18:24
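The fix described in UPDATE 2, as an added example that is not part of the original post or of any answer: the authorization code is redeemed with a form-encoded POST to the v1 token endpoint shown in the question. The class and method names are hypothetical, and System.Text.Json (.NET Core 3.0 or later) is assumed; the caller supplies the client secret from configuration rather than source code.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Hypothetical helper (added example, not the asker's code).
public static class TokenExchange
{
    private static readonly HttpClient Http = new HttpClient();

    // Redeems an authorization code and returns the token response JSON
    // (access_token, id_token, refresh_token, ...).
    public static async Task<JsonElement> RedeemCodeAsync(
        string tenantId, string clientId, string clientSecret,
        string code, string redirectUri)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = clientId,
            ["code"] = code,
            // Must be identical to the redirect_uri sent on the authorize request.
            ["redirect_uri"] = redirectUri,
            ["client_secret"] = clientSecret,
        };

        var url = $"https://login.microsoftonline.com/{Uri.EscapeDataString(tenantId)}/oauth2/token";

        // FormUrlEncodedContent percent-encodes every value and sets
        // Content-Type: application/x-www-form-urlencoded, which is what the
        // token endpoint expects. A JSON body is what produced the 400.
        using var content = new FormUrlEncodedContent(form);
        using var response = await Http.PostAsync(url, content);
        var body = await response.Content.ReadAsStringAsync();
        using var json = JsonDocument.Parse(body);

        if (!response.IsSuccessStatusCode)
        {
            // OAuth 2.0 error responses carry "error" and "error_description";
            // surfacing them shows why a request was rejected.
            var root = json.RootElement;
            string error = root.TryGetProperty("error", out var e) ? e.GetString() : "unknown";
            string detail = root.TryGetProperty("error_description", out var d) ? d.GetString() : body;
            throw new HttpRequestException(
                $"Token endpoint returned {(int)response.StatusCode}: {error}: {detail}");
        }

        // Clone so the result outlives the disposed JsonDocument.
        return json.RootElement.Clone();
    }
}
```

The returned id_token still has to be validated (signature, issuer, audience, expiry) before any claim in it, including group memberships, is trusted.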
1 Answer
I'm not completely sure this will solve your problem but you might want to have a look at the following .NET Core sample (with MSAL.NET): https://github.com/Azure-Samples/active-directory-dotnetcore-console-up-v2
This is with the usual disclaimer that we really don't recommend anybody to use username/password. There are other much better possibilities. For the full picture, see https://aka.ms/msal-net-scenarios
answered Nov 22 '18 at 12:45 by Jean-Marc Prieur