OpenId Connect Authentication .NET Core












0















We are trying to authenticate internal users via Azure AD when they visit certain pages. Our servers are not on site, so we are looking for an API where we can just pass the username and password of the user and receive whether they are in our organization and which groups they are apart of. It was possible in framework. Does such a thing exist for .NET Core?



UPDATE:
Thanks for replying! It seems to be giving me the authorization code now and now I'm trying to use this to get a token to then use that access token to get the user's groups (please correct me if I'm going about this the wrong way). My problem is I keep getting a bad request error. I've gone over the parameters a bunch and can't find what I'm missing. Here is my current set up of the API URLS, am I missing something?



 string postData = $"{{"grant_type":"{grant_type}","client_id":"{client_id}","code":"{code}","redirect_uri":"{redirect_uri}","client_secret":"{client_secret}"}}";
string redirectUrl = $"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?client_id={client_id}&response_type={response_type}&redirect_uri={redirect_uri}&response_mode={response_mode}&resource={client_id}";
string requestUriString = $"https://login.microsoftonline.com/{tenant_id}/oauth2/token";


UPDATE 2: I figured out what was wrong, I was passing the post data as a Json String when it needed to be x-www-form-urlencoded.










share|improve this question




















  • 1





    Azure AD does not support LDAP. To do what you want, you'll need to use OpenID Connect, authenticate the user with Azure AD, and setup your app registration such that you get their group memberships as claims in the Id token. Though all of them might not fit in the token if there are too many, in which case you'll need to query the user's group memberships from Microsoft Graph API.

    – juunas
    Nov 22 '18 at 6:59











  • docs.microsoft.com/en-us/azure/active-directory/develop/…

    – juunas
    Nov 22 '18 at 7:02











  • Thanks for answering! Once a user goes to the login page and is authenticated, how do I then retrieve that form post data?

    – RyBart
    Nov 28 '18 at 22:46













  • The page will send the user back to your site with an authorization code that you can then exchange in your back-end for an access token, Id token and refresh token. The access tokens allow you to call APIs, the Id token tells you who the user is and th me refresh token allows you to get new access tokens when they expire.

    – juunas
    Nov 29 '18 at 6:20
















0















We are trying to authenticate internal users via Azure AD when they visit certain pages. Our servers are not on site, so we are looking for an API where we can just pass the username and password of the user and receive whether they are in our organization and which groups they are apart of. It was possible in framework. Does such a thing exist for .NET Core?



UPDATE:
Thanks for replying! It seems to be giving me the authorization code now and now I'm trying to use this to get a token to then use that access token to get the user's groups (please correct me if I'm going about this the wrong way). My problem is I keep getting a bad request error. I've gone over the parameters a bunch and can't find what I'm missing. Here is my current set up of the API URLS, am I missing something?



 string postData = $"{{"grant_type":"{grant_type}","client_id":"{client_id}","code":"{code}","redirect_uri":"{redirect_uri}","client_secret":"{client_secret}"}}";
string redirectUrl = $"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?client_id={client_id}&response_type={response_type}&redirect_uri={redirect_uri}&response_mode={response_mode}&resource={client_id}";
string requestUriString = $"https://login.microsoftonline.com/{tenant_id}/oauth2/token";


UPDATE 2: I figured out what was wrong, I was passing the post data as a Json String when it needed to be x-www-form-urlencoded.










share|improve this question




















  • 1





    Azure AD does not support LDAP. To do what you want, you'll need to use OpenID Connect, authenticate the user with Azure AD, and setup your app registration such that you get their group memberships as claims in the Id token. Though all of them might not fit in the token if there are too many, in which case you'll need to query the user's group memberships from Microsoft Graph API.

    – juunas
    Nov 22 '18 at 6:59











  • docs.microsoft.com/en-us/azure/active-directory/develop/…

    – juunas
    Nov 22 '18 at 7:02











  • Thanks for answering! Once a user goes to the login page and is authenticated, how do I then retrieve that form post data?

    – RyBart
    Nov 28 '18 at 22:46













  • The page will send the user back to your site with an authorization code that you can then exchange in your back-end for an access token, Id token and refresh token. The access tokens allow you to call APIs, the Id token tells you who the user is and th me refresh token allows you to get new access tokens when they expire.

    – juunas
    Nov 29 '18 at 6:20














0












0








0








We are trying to authenticate internal users via Azure AD when they visit certain pages. Our servers are not on site, so we are looking for an API where we can just pass the username and password of the user and receive whether they are in our organization and which groups they are apart of. It was possible in framework. Does such a thing exist for .NET Core?



UPDATE:
Thanks for replying! It seems to be giving me the authorization code now and now I'm trying to use this to get a token to then use that access token to get the user's groups (please correct me if I'm going about this the wrong way). My problem is I keep getting a bad request error. I've gone over the parameters a bunch and can't find what I'm missing. Here is my current set up of the API URLS, am I missing something?



 string postData = $"{{"grant_type":"{grant_type}","client_id":"{client_id}","code":"{code}","redirect_uri":"{redirect_uri}","client_secret":"{client_secret}"}}";
string redirectUrl = $"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?client_id={client_id}&response_type={response_type}&redirect_uri={redirect_uri}&response_mode={response_mode}&resource={client_id}";
string requestUriString = $"https://login.microsoftonline.com/{tenant_id}/oauth2/token";


UPDATE 2: I figured out what was wrong, I was passing the post data as a Json String when it needed to be x-www-form-urlencoded.










share|improve this question
















We are trying to authenticate internal users via Azure AD when they visit certain pages. Our servers are not on site, so we are looking for an API where we can just pass the username and password of the user and receive whether they are in our organization and which groups they are apart of. It was possible in framework. Does such a thing exist for .NET Core?



UPDATE:
Thanks for replying! It seems to be giving me the authorization code now and now I'm trying to use this to get a token to then use that access token to get the user's groups (please correct me if I'm going about this the wrong way). My problem is I keep getting a bad request error. I've gone over the parameters a bunch and can't find what I'm missing. Here is my current set up of the API URLS, am I missing something?



 string postData = $"{{"grant_type":"{grant_type}","client_id":"{client_id}","code":"{code}","redirect_uri":"{redirect_uri}","client_secret":"{client_secret}"}}";
string redirectUrl = $"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?client_id={client_id}&response_type={response_type}&redirect_uri={redirect_uri}&response_mode={response_mode}&resource={client_id}";
string requestUriString = $"https://login.microsoftonline.com/{tenant_id}/oauth2/token";


UPDATE 2: I figured out what was wrong, I was passing the post data as a Json String when it needed to be x-www-form-urlencoded.







c# asp.net-core azure-active-directory openid-connect






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 14 '18 at 18:24







RyBart

















asked Nov 21 '18 at 21:46









RyBartRyBart

52




52








  • 1





    Azure AD does not support LDAP. To do what you want, you'll need to use OpenID Connect, authenticate the user with Azure AD, and setup your app registration such that you get their group memberships as claims in the Id token. Though all of them might not fit in the token if there are too many, in which case you'll need to query the user's group memberships from Microsoft Graph API.

    – juunas
    Nov 22 '18 at 6:59











  • docs.microsoft.com/en-us/azure/active-directory/develop/…

    – juunas
    Nov 22 '18 at 7:02











  • Thanks for answering! Once a user goes to the login page and is authenticated, how do I then retrieve that form post data?

    – RyBart
    Nov 28 '18 at 22:46













  • The page will send the user back to your site with an authorization code that you can then exchange in your back-end for an access token, Id token and refresh token. The access tokens allow you to call APIs, the Id token tells you who the user is and th me refresh token allows you to get new access tokens when they expire.

    – juunas
    Nov 29 '18 at 6:20














  • 1





    Azure AD does not support LDAP. To do what you want, you'll need to use OpenID Connect, authenticate the user with Azure AD, and setup your app registration such that you get their group memberships as claims in the Id token. Though all of them might not fit in the token if there are too many, in which case you'll need to query the user's group memberships from Microsoft Graph API.

    – juunas
    Nov 22 '18 at 6:59











  • docs.microsoft.com/en-us/azure/active-directory/develop/…

    – juunas
    Nov 22 '18 at 7:02











  • Thanks for answering! Once a user goes to the login page and is authenticated, how do I then retrieve that form post data?

    – RyBart
    Nov 28 '18 at 22:46













  • The page will send the user back to your site with an authorization code that you can then exchange in your back-end for an access token, Id token and refresh token. The access tokens allow you to call APIs, the Id token tells you who the user is and th me refresh token allows you to get new access tokens when they expire.

    – juunas
    Nov 29 '18 at 6:20








1




1





Azure AD does not support LDAP. To do what you want, you'll need to use OpenID Connect, authenticate the user with Azure AD, and setup your app registration such that you get their group memberships as claims in the Id token. Though all of them might not fit in the token if there are too many, in which case you'll need to query the user's group memberships from Microsoft Graph API.

– juunas
Nov 22 '18 at 6:59





Azure AD does not support LDAP. To do what you want, you'll need to use OpenID Connect, authenticate the user with Azure AD, and setup your app registration such that you get their group memberships as claims in the Id token. Though all of them might not fit in the token if there are too many, in which case you'll need to query the user's group memberships from Microsoft Graph API.

– juunas
Nov 22 '18 at 6:59













docs.microsoft.com/en-us/azure/active-directory/develop/…

– juunas
Nov 22 '18 at 7:02





docs.microsoft.com/en-us/azure/active-directory/develop/…

– juunas
Nov 22 '18 at 7:02













Thanks for answering! Once a user goes to the login page and is authenticated, how do I then retrieve that form post data?

– RyBart
Nov 28 '18 at 22:46







Thanks for answering! Once a user goes to the login page and is authenticated, how do I then retrieve that form post data?

– RyBart
Nov 28 '18 at 22:46















The page will send the user back to your site with an authorization code that you can then exchange in your back-end for an access token, Id token and refresh token. The access tokens allow you to call APIs, the Id token tells you who the user is and th me refresh token allows you to get new access tokens when they expire.

– juunas
Nov 29 '18 at 6:20





The page will send the user back to your site with an authorization code that you can then exchange in your back-end for an access token, Id token and refresh token. The access tokens allow you to call APIs, the Id token tells you who the user is and th me refresh token allows you to get new access tokens when they expire.

– juunas
Nov 29 '18 at 6:20












1 Answer
1






active

oldest

votes


















0














I'm not completely sure this will solve your problem but you might want to have a look at the following .NET Core sample (with MSAL.NET): https://github.com/Azure-Samples/active-directory-dotnetcore-console-up-v2



This is with the usual disclaimer that we really don't recommend anybody to use username/password. There are other much better possibilities. For the full picture, see https://aka.ms/msal-net-scenarios






share|improve this answer























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53420920%2fopenid-connect-authentication-net-core%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I'm not completely sure this will solve your problem but you might want to have a look at the following .NET Core sample (with MSAL.NET): https://github.com/Azure-Samples/active-directory-dotnetcore-console-up-v2



    This is with the usual disclaimer that we really don't recommend anybody to use username/password. There are other much better possibilities. For the full picture, see https://aka.ms/msal-net-scenarios






    share|improve this answer




























      0














      I'm not completely sure this will solve your problem but you might want to have a look at the following .NET Core sample (with MSAL.NET): https://github.com/Azure-Samples/active-directory-dotnetcore-console-up-v2



      This is with the usual disclaimer that we really don't recommend anybody to use username/password. There are other much better possibilities. For the full picture, see https://aka.ms/msal-net-scenarios






      share|improve this answer


























        0












        0








        0







        I'm not completely sure this will solve your problem but you might want to have a look at the following .NET Core sample (with MSAL.NET): https://github.com/Azure-Samples/active-directory-dotnetcore-console-up-v2



        This is with the usual disclaimer that we really don't recommend anybody to use username/password. There are other much better possibilities. For the full picture, see https://aka.ms/msal-net-scenarios






        share|improve this answer













        I'm not completely sure this will solve your problem but you might want to have a look at the following .NET Core sample (with MSAL.NET): https://github.com/Azure-Samples/active-directory-dotnetcore-console-up-v2



        This is with the usual disclaimer that we really don't recommend anybody to use username/password. There are other much better possibilities. For the full picture, see https://aka.ms/msal-net-scenarios







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 22 '18 at 12:45









        Jean-Marc PrieurJean-Marc Prieur

        73036




        73036






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53420920%2fopenid-connect-authentication-net-core%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Wiesbaden

            Marschland

            Dieringhausen