0
votes

How can I create/edit users in an ASP.NET Core web app that uses OAuth or OpenID Connect to authenticate?

All the documentation and examples I have found allow the users to sign up, e.g. (active-directory-dotnet-webapp-openidconnect-aspnetcore).

The requirements I have are the ability to create/edit users and assign roles in our database AND then allow those users to login to the web app using Azure AD.

1
First: Questions asking us to recommend or find a book, tool, software library, tutorial or other off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it. Second: AD isn't supported out of the box in ASP.NET Core due to security issues (i.e. there is no throttling or lockout of the login process, so an attacker could "bruteforce" passwords, and implementing a lockout could be used by a malicious user to lock people of the company out from accessing the network). - Tseng
Editing question. - Newport99

1 Answer

1
votes

If you are building an app which may include Azure AD user management, and want to create/edit users after the admin user logs in, you could first refer to the code sample below about how to call a web API in an ASP.NET Core web application using Azure AD:

https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect-aspnetcore

Then you could use the Azure AD Graph API to create Azure AD users:

  1. First, register the app in the Azure portal, set the redirect URL (https://localhost:44371/signin-oidc, for example), add a key, and configure permissions for your application. To use the Azure AD Graph API, you need to choose Windows Azure Active Directory and set the delegated permission Read and write directory data (requires admin consent).

  2. In the controller action (HttpPost), you could use the code below to create a user:

    // Relies on the sample's Startup.Authority / ClientId / ClientSecret and its
    // NaiveSessionCache, and needs these usings in the controller file:
    using System;
    using System.Net;
    using System.Net.Http;
    using System.Net.Http.Headers;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    using Newtonsoft.Json;

    // One HttpClient for the controller; creating one per request exhausts sockets.
    private static readonly HttpClient client = new HttpClient();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Create()
    {
        AuthenticationResult result = null;
        try
        {
            // Object id of the signed-in admin; also the key for the per-user token cache.
            string userObjectID = (User.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier"))?.Value;
            AuthenticationContext authContext = new AuthenticationContext(Startup.Authority, new NaiveSessionCache(userObjectID, HttpContext.Session));
            ClientCredential credential = new ClientCredential(Startup.ClientId, Startup.ClientSecret);
            // Token for the Azure AD Graph API, acquired on behalf of the signed-in user (delegated permission).
            result = await authContext.AcquireTokenSilentAsync("https://graph.windows.net", credential, new UserIdentifier(userObjectID, UserIdentifierType.UniqueId));

            // Placeholder values; a real action takes them from the posted view model
            // and never hard-codes the initial password.
            var userData = new
            {
                accountEnabled = true,
                displayName = "nan yu",
                mailNickname = "nanyu",
                passwordProfile = new
                {
                    password = "xxxxxx",
                    forceChangePasswordNextLogin = false
                },
                userPrincipalName = "[email protected]" // a UPN in one of your tenant's verified domains
            };
            // JSON-encode the new user, to POST to the Azure AD Graph API.
            HttpContent content = new StringContent(JsonConvert.SerializeObject(userData), System.Text.Encoding.UTF8, "application/json");

            //
            // Add the Azure AD user.
            //
            HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, "https://graph.windows.net/myorganization/users?api-version=1.6");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
            request.Content = content;
            HttpResponseMessage response = await client.SendAsync(request);

            //
            // On success, return to the user list.
            //
            if (response.IsSuccessStatusCode)
            {
                return RedirectToAction("Index");
            }

            //
            // If the call failed with access denied, drop the cached access token
            // and show the user an error indicating they might need to sign in again.
            //
            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                authContext.TokenCache.Clear();
                ViewBag.ErrorMessage = "AuthorizationRequired";
                return View("Error");
            }

            ViewBag.ErrorMessage = "UnexpectedError: " + response.StatusCode;
            return View("Error");
        }
        catch (Exception)
        {
            //
            // No usable token could be acquired silently: the user needs to re-authorize.
            //
            ViewBag.ErrorMessage = "AuthorizationRequired";
            return View("Error");
        }
    }

If I misunderstand your requirement, please feel free to let me know.
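The answer covers creating the Azure AD user; the other half of the question (roles kept in the application's own database, with Azure AD only doing authentication) is usually solved with an ASP.NET Core `IClaimsTransformation`. The following is an added example, not code from the question, the answer or the linked Microsoft sample. It assumes a local user table keyed by the Azure AD object id (the same `objectidentifier` claim the answer's code reads), modelled here by the hypothetical `IAppUserStore` interface with constructed in-memory data, and a tenant id supplied from configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Row in the application's own user table (constructed shape; an assumption).
public sealed class AppUser
{
    public string AzureAdObjectId { get; set; }
    public bool IsActive { get; set; }
    public IReadOnlyList<string> Roles { get; set; } = Array.Empty<string>();
}

// Hypothetical abstraction over that table (an assumption, not an ASP.NET Core API).
public interface IAppUserStore
{
    Task<AppUser> FindByObjectIdAsync(string azureAdObjectId);
}

// In-memory stand-in with constructed data so the transformation can be exercised without a database.
public sealed class InMemoryAppUserStore : IAppUserStore
{
    private readonly Dictionary<string, AppUser> _users = new Dictionary<string, AppUser>(StringComparer.Ordinal)
    {
        ["11111111-1111-1111-1111-111111111111"] = new AppUser
        {
            AzureAdObjectId = "11111111-1111-1111-1111-111111111111",
            IsActive = true,
            Roles = new[] { "Admin", "Editor" }
        }
    };

    public Task<AppUser> FindByObjectIdAsync(string azureAdObjectId) =>
        Task.FromResult(_users.TryGetValue(azureAdObjectId, out var user) ? user : null);
}

// Runs on every request after the OpenID Connect handler has validated the Azure AD token.
// Authentication stays with Azure AD; authorization data (roles) comes only from our database.
public sealed class DatabaseRoleClaimsTransformation : IClaimsTransformation
{
    // Claim types carried by Azure AD tokens (the answer's code reads the first one).
    private const string ObjectIdClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TenantIdClaimType = "http://schemas.microsoft.com/identity/claims/tenantid";
    private const string MarkerClaimType = "urn:example:roles-applied"; // constructed name

    private readonly IAppUserStore _store;
    private readonly string _expectedTenantId;

    public DatabaseRoleClaimsTransformation(IAppUserStore store, string expectedTenantId)
    {
        _store = store ?? throw new ArgumentNullException(nameof(store));
        _expectedTenantId = expectedTenantId ?? throw new ArgumentNullException(nameof(expectedTenantId));
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return principal;

        // The transformation can run more than once per request; never add the roles twice.
        if (identity.HasClaim(c => c.Type == MarkerClaimType)) return principal;

        var tenantId = identity.FindFirst(TenantIdClaimType)?.Value;
        var objectId = identity.FindFirst(ObjectIdClaimType)?.Value;

        // Wrong tenant or no object id: the user stays authenticated but gets no application
        // roles, so every [Authorize(Roles = "...")] endpoint denies access.
        if (objectId == null || !string.Equals(tenantId, _expectedTenantId, StringComparison.Ordinal))
            return principal;

        var appUser = await _store.FindByObjectIdAsync(objectId);
        if (appUser == null || !appUser.IsActive) return principal; // not provisioned, or disabled locally

        // Work on a clone; the incoming principal may be shared with other components.
        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity;
        foreach (var role in appUser.Roles)
            cloneIdentity.AddClaim(new Claim(cloneIdentity.RoleClaimType, role));
        cloneIdentity.AddClaim(new Claim(MarkerClaimType, "true"));
        return clone;
    }
}

// Registration in Startup.ConfigureServices (the configuration key is an assumption):
//   services.AddSingleton<IAppUserStore, InMemoryAppUserStore>();
//   services.AddScoped<IClaimsTransformation>(sp =>
//       new DatabaseRoleClaimsTransformation(sp.GetRequiredService<IAppUserStore>(),
//                                            Configuration["AzureAd:TenantId"]));
```

With this in place the admin UI edits rows in the local table (creating the Azure AD account via the answer's Graph call where needed), and an Azure AD sign-in from a user who has no active local row authenticates but carries no roles, which is the failure mode you want: authorization decisions never depend on whether someone merely has a tenant account.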