
I am still trying to understand OAuth 2.0 flows with ASP.Net Core 2.0. The default code (see below) which was provided by Microsoft works well with Azure AD authentication using OAuth 2.0 and OpenId Connect.

I am actually testing the Authorization Code flow.

I am trying to change the code below so that it doesn't use OpenID Connect but instead uses plain OAuth. (You may ask why: the vendor I am working with does not support OpenID Connect yet.)

So I need to use plain OAuth to enable the Authorization Code flow using Azure AD.

    // Using directives the snippet relies on (the snippet itself lives in Startup.ConfigureServices):
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Http.Extensions;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;
    // ITokenCacheFactory is the application-provided token cache abstraction from the Microsoft sample.

    services.AddAuthentication(auth =>
        {
            // Sign-in state lives in a cookie; unauthenticated requests are challenged via OpenID Connect.
            auth.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            auth.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(opts =>
        {
            // ClientId, ClientSecret, Authority etc. come from the "Authentication" configuration section.
            Configuration.GetSection("Authentication").Bind(opts);

            opts.Events = new OpenIdConnectEvents
            {
                OnAuthorizationCodeReceived = async ctx =>
                {
                    HttpRequest request = ctx.HttpContext.Request;
                    // The redirect URI used in the authorization request must be repeated when redeeming the code.
                    string currentUri = UriHelper.BuildAbsolute(request.Scheme, request.Host, request.PathBase, request.Path);
                    // Credentials for the app itself
                    var credential = new ClientCredential(ctx.Options.ClientId, ctx.Options.ClientSecret);

                    // Construct a per-user token cache
                    ITokenCacheFactory cacheFactory = ctx.HttpContext.RequestServices.GetRequiredService<ITokenCacheFactory>();
                    TokenCache cache = cacheFactory.CreateForUser(ctx.Principal);

                    var authContext = new AuthenticationContext(ctx.Options.Authority, cache);

                    // Redeem the authorization code for an access token to the target resource (Azure AD v1 "resource" identifier)
                    string resource = "https://bupaau.onmicrosoft.com/4fa4b4a7-d34f-49af-8781-c8b39f0cf770";
                    AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
                        ctx.ProtocolMessage.Code, new Uri(currentUri), credential, resource);

                    // Tell the OIDC middleware we already redeemed the code, so it must not redeem it again
                    ctx.HandleCodeRedemption(result.AccessToken, result.IdToken);
                }
            };
        });

How do I turn OpenID Connect off and enable plain OAuth authentication for the Authorization Code flow?

-Alan-


1 Answer


You specify this by using scope parameter values. For OpenID Connect, the scope value is set to openid. This is what the specification says about the authorisation request.

But there are some Azure AD specifics you need to take care of. This is highlighted in the Azure AD documentation. For OpenID Connect,

When your web application needs to authenticate the user, it must direct the user to the /authorize endpoint. This request is similar to the first leg of the OAuth 2.0 Authorization Code Flow, with a few important distinctions:

  • The request must include the scope openid in the scope parameter.
  • The response_type parameter must include id_token.
  • The request must include the nonce parameter.

Also, here is the link for the OAuth 2.0 documentation. You may not simply remove the OpenID Connect-specific parameters to get an OAuth 2.0 response, as there could be implementation-specific requirements.
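As an added illustration of the three distinctions quoted above (not code from the question, the answer, or Microsoft's sample), the following Python builds an Azure AD /authorize request for the OpenID Connect form that ASP.NET Core's handler sends and for a plain OAuth 2.0 authorization code request, then classifies an arbitrary request URL by checking exactly those three markers. It also reports whether the request carries the state parameter, which binds the callback to the user's session and is needed in both flows. The tenant, client id, redirect URI and resource identifier are labelled placeholders; the v1 authorize endpoint path and the parameter names are the documented Azure AD ones.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: replace with the real tenant and app registration values.
TENANT = "TENANT_ID_PLACEHOLDER"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://localhost:5001/signin-oidc"
# Azure AD (v1) authorize endpoint; the resource below mimics the App ID URI style used in the question.
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize"
RESOURCE = "https://TENANT_PLACEHOLDER.onmicrosoft.com/APP_ID_URI_PLACEHOLDER"


def build_oidc_request(state: str, nonce: str) -> str:
    """OpenID Connect authorization request as the ASP.NET Core handler issues it
    (hybrid flow): scope carries 'openid', response_type includes 'id_token',
    and a nonce is mandatory so the id_token can be tied to this request."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code id_token",
        "response_mode": "form_post",
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def build_oauth2_code_request(state: str) -> str:
    """Plain OAuth 2.0 authorization code request: no openid scope, no id_token,
    no nonce. Azure AD v1 names the target API through the 'resource' parameter."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "resource": RESOURCE,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def classify_authorization_request(url: str) -> dict:
    """Apply the three distinctions from the Azure AD documentation and report
    which flow a request actually asks for, plus whether 'state' is present."""
    q = parse_qs(urlparse(url).query)
    scopes = q.get("scope", [""])[0].split()
    response_types = q.get("response_type", [""])[0].split()
    has_openid_scope = "openid" in scopes
    wants_id_token = "id_token" in response_types
    has_nonce = bool(q.get("nonce", [""])[0])
    is_oidc = has_openid_scope and wants_id_token and has_nonce
    # A request with only some OIDC markers (e.g. id_token requested without a nonce)
    # is neither a valid OIDC request nor plain OAuth 2.0; surface that explicitly.
    partial = (has_openid_scope or wants_id_token or has_nonce) and not is_oidc
    return {
        "flow": "oidc" if is_oidc else ("malformed" if partial else "oauth2"),
        "has_state": bool(q.get("state", [""])[0]),
        "requests_code": "code" in response_types,
    }


if __name__ == "__main__":
    # state and nonce must be unpredictable per request; secrets supplies that.
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    for url in (build_oidc_request(state, nonce), build_oauth2_code_request(state)):
        print(classify_authorization_request(url), url)
```

Running the module prints both request URLs with their classification; the "malformed" result is what you get if you strip only the nonce (or only the openid scope) from an OIDC request, which is the situation the answer warns about when it says the OIDC parameters cannot simply be removed piecemeal.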