ASP.Net Core external provider authentication using OpenID Connect + Cookie Auth middleware

By | May 6, 2019

OpenID Connect is an authentication protocol, built on top of OAuth 2.0, that can be used to securely sign users in to web applications.
This authentication protocol allows you to perform SSO (single sign-on). It introduces the concept of an ID token, which allows the client to verify the identity of the user and obtain basic profile information about the user. Since, it extends OAuth 2.0, it enables clients to securely retrieve access tokens.

OpenID Connect is recommended for securing browser applications. For mobile applications, OAuth authorization code flow is preferred

ASP.NET Core Identity supports adding login functionality to ASP.NET Core apps via external/social login providers like Google, Twitter, Identity Server along with typical in-house persistent stores for users accounts or cloud based Azure Active Directory

In this article, we’ll see how to add external provider based login functionality to ASP.NET Core web app by creating a simple sample app talking to generic Open ID Provider (OP) typically, an Authorization server that implements the OpenID Connect specification. To authenticate end users with OpenID Connect, we will use two middlewares in a chain: Cookie and OpenIdConnect. The former is responsible for managing encryption/decryption of the AuthenticationTicket and its storage into a cookie, whereas the latter takes care of challenging web application (client) for credentials and verification, besides parsing the requested claims. cookies makes most sense in a state less web application. When we combine the Cookie and OpenIdConnect middlewares, the user information retrieved from the ID Token becomes an AuthenticationTicket, which is encrypted and stored in a cookie.

As shown below, we created a very light weight ASP.NET Core 2.2 web app with just one controller/view to demonstrate sign-in and sign-out functionality built using Open ID provider typically used in enterprises.

This article doesn’t go into OAuth 2.0 workflows. It’s beyond the scope of this article. We’re skipping other relevant things like how to configure callbacks to your app, client registration with provider (Client ID and Client secret. This article only focuses on implementation using Open ID and Cookie Auth middle wares in .Net Core 2.0+

OpenId Connect and Cookie Auth middlware configuration in startup.cs

Home Controller

Index View

Login page for unauthenticated user

Claims page after successful authentication

You can download source code using below link
0 forks.
0 stars.
0 open issues.
Recent commits: