4
votes

My webapp is developed with .NET Core and deployed in Azure. I have enabled Azure App Service Authentication and configured it to use Azure Active Directory. When I access the webapp I do get redirected to the correct login page. After I log in I can browse to the endpoint .auth/me and see that claims exist for my user. I can also verify that the request headers below exist with values:

  • X-MS-TOKEN-AAD-ID-TOKEN
  • X-MS-TOKEN-AAD-ACCESS-TOKEN
  • X-MS-TOKEN-AAD-EXPIRES-ON
  • X-MS-TOKEN-AAD-REFRESH-TOKEN

But I'm not able to retrieve these claims in my controller. User.Identity.IsAuthenticated is always false and User.Identity.Claims is empty.

How can I make the user authenticated and retrieve the claims?

In theory I could maybe check if the request header (X-MS-TOKEN-AAD-ID-TOKEN) exists and then retrieve the claims that exist on the endpoint .auth/me, but that doesn't really seem like the correct way to go?

Edit: Am I stumbling on the same issue that is discussed here maybe? (Trouble getting ClaimsPrincipal populated when using EasyAuth to authenticate against AAD on Azure App Service in a Asp.Net Core web app)

1
Yup, you're doing it right, read the header, unpack the id_token and extract the claims. See this as well - stackoverflow.com/a/46765687/4148708. If you don't like this approach, drop EasyAuth and integrate with Azure AD directly (and use ADAL .NET). – evilSnobu

1 Answer

3
votes

As Working with user identities in your application states:

App Service passes some user information to your application by using special headers. External requests prohibit these headers and will only be present if set by App Service Authentication / Authorization. Some example headers include:

  • X-MS-CLIENT-PRINCIPAL-NAME
  • X-MS-CLIENT-PRINCIPAL-ID
  • X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN
  • X-MS-TOKEN-FACEBOOK-EXPIRES-ON

Code that is written in any language or framework can get the information that it needs from these headers. For ASP.NET 4.6 apps, the ClaimsPrincipal is automatically set with the appropriate values.

Your application can also obtain additional user details through an HTTP GET on the /.auth/me endpoint of your application. A valid token that's included with the request will return a JSON payload with details about the provider that's being used, the underlying provider token, and some other user information.

As Chris Gillum suggested, you could invoke the /.auth/me endpoint and retrieve the user claims. You could write your custom middleware to check the X-MS-CLIENT-PRINCIPAL-ID header, invoke the /.auth/me endpoint and set the user claims manually. For a detailed code sample, you could refer to this similar issue.

Moreover, you could modify your application and explicitly add authentication middleware instead of using App Service Authentication / Authorization (EasyAuth), as evilSnobu commented. For this approach, you could use the ASP.NET Core OpenID Connect middleware; for details, you could follow the tutorials below:

Integrating Azure AD (v2.0 endpoint) into an ASP.NET Core web app

Integrating Azure AD into an ASP.NET Core web app
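The custom middleware the answer describes, written out as an added example (this is not code from the question, the answer, or the Azure documentation). It checks the X-MS-CLIENT-PRINCIPAL-ID header, calls /.auth/me on the same site with the caller's session cookie forwarded, and builds a ClaimsPrincipal from the `user_claims` array (`typ`/`val` pairs) in the response so that `User.Identity.IsAuthenticated` becomes true in controllers. The class name, the authentication type string and the gate on the `WEBSITE_AUTH_ENABLED` environment variable are assumptions made here; the gate exists because App Service strips X-MS-* headers from external requests, but a local run has no such guarantee and must not trust them. It assumes .NET Core 3.0 or later for System.Text.Json.

```csharp
// Added example: EasyAuth -> ClaimsPrincipal middleware for ASP.NET Core.
// Class name, authentication type and the WEBSITE_AUTH_ENABLED gate are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public class EasyAuthClaimsMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IHttpClientFactory _httpClientFactory;

    public EasyAuthClaimsMiddleware(RequestDelegate next, IHttpClientFactory httpClientFactory)
    {
        _next = next;
        _httpClientFactory = httpClientFactory;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Only trust the X-MS-* headers when App Service Authentication set them.
        // The platform removes these headers from external requests, so inside
        // App Service their presence means the user was authenticated; outside it
        // (e.g. running locally) anyone could supply them, hence the gate.
        bool behindEasyAuth = string.Equals(
            Environment.GetEnvironmentVariable("WEBSITE_AUTH_ENABLED"),
            "True", StringComparison.OrdinalIgnoreCase);

        if (behindEasyAuth
            && context.Request.Headers.TryGetValue("X-MS-CLIENT-PRINCIPAL-ID", out var principalId)
            && !string.IsNullOrEmpty(principalId))
        {
            var principal = await LoadPrincipalAsync(context);
            if (principal != null)
                context.User = principal;
        }

        await _next(context);
    }

    private async Task<ClaimsPrincipal> LoadPrincipalAsync(HttpContext context)
    {
        var request = context.Request;
        var meUri = $"{request.Scheme}://{request.Host}/.auth/me";

        var client = _httpClientFactory.CreateClient();
        using var message = new HttpRequestMessage(HttpMethod.Get, meUri);
        // Forward the caller's EasyAuth session cookie so /.auth/me answers for this user.
        if (request.Headers.TryGetValue("Cookie", out var cookie))
            message.Headers.TryAddWithoutValidation("Cookie", cookie.ToString());

        using var response = await client.SendAsync(message);
        if (!response.IsSuccessStatusCode)
            return null;

        using var stream = await response.Content.ReadAsStreamAsync();
        using var doc = await JsonDocument.ParseAsync(stream);

        // /.auth/me returns a JSON array with one entry per provider; take the first.
        var entry = doc.RootElement.EnumerateArray().FirstOrDefault();
        if (entry.ValueKind != JsonValueKind.Object
            || !entry.TryGetProperty("user_claims", out var userClaims))
            return null;

        var claims = new List<Claim>();
        foreach (var item in userClaims.EnumerateArray())
        {
            if (item.TryGetProperty("typ", out var typ) && item.TryGetProperty("val", out var val))
                claims.Add(new Claim(typ.GetString(), val.GetString()));
        }

        // Passing an authenticationType makes Identity.IsAuthenticated return true.
        var identity = new ClaimsIdentity(claims, "AppServiceAuthentication");
        return new ClaimsPrincipal(identity);
    }
}

public static class EasyAuthClaimsMiddlewareExtensions
{
    // Register with: services.AddHttpClient(); then app.UseEasyAuthClaims();
    // before app.UseAuthorization() / app.UseMvc() so controllers see the principal.
    public static IApplicationBuilder UseEasyAuthClaims(this IApplicationBuilder app)
        => app.UseMiddleware<EasyAuthClaimsMiddleware>();
}
```

Note that this makes one extra round trip to /.auth/me for every authenticated request; if that matters, cache the principal per session (the comment's alternative of decoding the X-MS-TOKEN-AAD-ID-TOKEN header avoids the round trip entirely, and is safe for the same reason: the platform already validated the token and external callers cannot supply that header).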