Implemeting Authentication using OpenId Connect implementation for Azure AD?

1
votes

I am trying to implement Authentication in our website using the Azure AD, following the below reference. Our website uses the below stack ASP.NET, MVC5 hosted on IIS. basically use OpenId Connect protocol for website authentication and use oAuth2.0 protocol for delegated access to use the token for Authorization.

https://github.com/AzureADSamples/WebApp-WebAPI-OpenIDConnect-DotNet

Getting token from the Azure AD logic is there in the Startup.Auth.cs class, which is invoked from the OwinStartup class.

When I implement this in our site, Startup.Auth.cs ConfigureAuth is executed only once during the APP start and as per the above reference.

Decorating the controller classes with the [Authorize] or adding the SignIn() with check if the request is authenticated or not and call the Authenticate code again. 

public void SignIn() 
     { 
         // Send an OpenID Connect sign-in request. 
         if (!Request.IsAuthenticated) 
         { 
             HttpContext.GetOwinContext().Authentication.Challenge(new AuthenticationProperties { RedirectUri = "/" }, OpenIdConnectAuthenticationDefaults.AuthenticationType); 
         } 
     }

The issue is that The SignIn() method is not getting in our application and also curious on what the [Authorize] attributes does?

I highly appreciate any insight on these. Thanks much in advance.

2
owinopenid-connectazure-acs

2 Answers

1
votes

ACS does not support OpenId Connect and is no longer being developed - hence the first part of the answer would be - what you are trying to do is not supported. That said, are you certain you are referring to ACS? That sample refers to Azure AD, which is a different offering. For the rest of the answer I will assume that you do refer to Azure AD. From your description I am not understand what is the problem you are experiencing. ConfigureAuth only needs to be executed once to do its job, which is adding to the request processing pipeline the modules (middleware) responsible for handling authentication. I am not sure to what code you are referring to with "Authenticate". There should be no such call here - when you request a route decorated with [authorize], ASP.NET will enforce that the caller is authenticated; if it isn't, as it is the case for the first request, this causes the opened connect middleware to generate a sign in request. The Signin() method does pretty much the same the same, but without having to attempt access to a resource marked with [authorize].

0
votes

Don't use [Authorize] attribute with the controllers if you have explicit SignIn() action.

You might be messing up with authentication cookie and Session variable. Check this link

for details.