![\"aaddotnet-website-1\"](\"https:\/\/blog.redbaronofazure.com\/wp-content\/uploads\/2016\/06\/aaddotnet-website-1.png\")
<\/a>When the user press the “Azure AD Login” menu item, it goes to the Login page with action=login.<\/p>\nAzure AD authentication via OAuth and OpenID<\/strong><\/p>\n There are numerous flow charts out on the internet explaining the interaction between the browser, your web application and the Identity Provider (IDP) and to be honest, it can look a bit complex. Azure AD supports OAuth and OpenID and in Microsofts\u00a0documentation of OpenID and important detail about OpenID is explained<\/p>\n “OpenID Connect 1.0 in Azure Active Directory (Azure AD) enables you to use the OAuth 2.0 protocol for single sign-on. OAuth 2.0 is an authorization protocol, but OpenID Connect extends OAuth 2.0 for use as an authentication protocol. A primary feature of the OpenID Connect protocol is that it returns an id_token<\/em>, which is used to authenticate the user.” (see refs)<\/p>\n So, by redirecting from my web application to Azure AD, asking for an OAuth authorization AND asking for a response_type=id_token, we can do a authorization\/authentication in one call.<\/p>\n Login\u00a0Sequence<\/strong><\/p>\n By using Fiddler, we can get a clear understanding of what is happening here. Clicking on the menu item in the browser calls the Login.aspx page (frame 31) which responds with a redirection url\u00a0to\u00a0Azure AD. The browser redirects to Azure AD in frame 33 asking for an authentication. In the query parameter, we pass identification of the web application (redirect_uri, clientID and clientSecret) which\u00a0are items we have registered in Azure AD.<\/p>\n The important part is responseType=id_token, which tells Azure AD to return a JWT Token on a successfull authentication. Azure AD responds with yet a redirection request to the browser and this time to the destination we supplied in the callbackURL parameter. You can see the browser making this call in frame 35.<\/p>\n Code that handles clicking on the login link and that returns the redirection url to Azure AD<\/p>\n We’re authenticated, now what?<\/strong><\/p>\n The callback to Login.aspx then has to decode the JWT token and covert them to claims and setting up a claims identity. But that is not all. In order keep this on a session level we need to create a cookie on the callback processing and for each subsequent request, we need to read this cookie and recreate\/reapply the claims identity. Simple, right?<\/p>\n Step 1 – Handling the Callback<\/strong><\/p>\n First, we shouldn’t do anything if we are already authenticated or ir the callback is missing the id_token in it’s post body. Second, decode the JWT token into JSON and create a ClaimsPrincipal. Third, create the FormsAuthenticationTicket where we store the JWT token in the UserData section so that we always have it available. Fourth, create the cookie using the well known name ASPXAUTH (FormsCookieName) and redirect ourselves to wherever we should go after authentication is complete<\/p>\n Creating the ClaimsPrincipal is straight forward. Setting the HttpContext.Current.User makes the boolean flag Request.IsAuthentication flip from false to true, which is important since that is how we check in code if we are dealing with an anonymous or authenticated user. Setting Thread.CurrentPrincipal makes the claims available since the static method ClaimsPrincipal.Current actually uses this value.<\/p>\n <\/p>\n Step 2 – Reapplying the cookie on each subsequent Request<\/strong><\/p>\n If we do nothing on the following request, the flag Request.IsAuthenticated will be false, so we need to recreate the ClaimsPrincipal and reapply on each subsequent request. This is the only way it can work if your web applicaiton is hosted on multiple servers.<\/p>\n In Global.asax there is a method that is there just for this and it’s called AuthenticateRequest<\/p>\n <\/p>\n The end result is a web page that behaves just like you expect and that can show the claim values we created.<\/p>\n Logoff<\/strong><\/p>\n Logging off is basically the same process but simpler. It’s a redirect to Azure AD again asking it to logoff and at the same time making sure the cookie we have is set to expired.<\/p>\n Summary<\/strong><\/p>\n This excersie is about showing you that you can roll your own implementation of integrating Azure AD authentication in your web application. In doing so I hope I gave you an understanding of how easy it is and how it really works behind the covers. However, with Identity you should NEVER roll your own solutions and should ALWAYS use componants that are tested and maintained by bigger players.<\/p>\n References<\/strong><\/p>\n OpenID 1.0 Connect OpenID 1.0 Specifications Authorize webapps with OAuth and Azure AD Azure AD Developer’s Guide<\/a><\/p>\n<\/a><\/p>\n string nonce = System.Guid.NewGuid().ToString();\r\n string authUrl = \"https:\/\/login.microsoftonline.com\/common\/oauth2\/authorize\";\r\n string clientID = ConfigurationManager.AppSettings[\"aad.clientid\"];\r\n if (string.IsNullOrEmpty(clientID))\r\n throw new ArgumentNullException(\"clientID\", \"ClientID must be specified in Web.Config as aad.clientid under AppSettings\");\r\n string clientSecret = ConfigurationManager.AppSettings[\"aad.clientsecret\"];\r\n if (string.IsNullOrEmpty(clientSecret))\r\n throw new ArgumentNullException(\"clientSecret\", \"clientSecret must be specified in Web.Config as aad.clientsecret under AppSettings\");\r\n string appIdUri = ConfigurationManager.AppSettings[\"aad.appiduri\"];\r\n if (string.IsNullOrEmpty(appIdUri))\r\n throw new ArgumentNullException(\"appIdUri\", \"clientSecret must be specified in Web.Config as aad.appiduri under AppSettings\");\r\n redirectUri = GetRedirectUrl(Request, redirectUri);\r\n if (string.IsNullOrEmpty(redirectUri))\r\n throw new ArgumentNullException(\"redirectUri\", \"redirectUri must be specified in Web.Config as aad.appiduri under AppSettings\");\r\n \/\/ build url for AAD auth and redirect to ourself \r\n StringBuilder sb = new StringBuilder();\r\n sb.AppendFormat(\"{0}?\", authUrl);\r\n sb.AppendFormat(\"redirect_uri={0}\", Uri.EscapeDataString(redirectUri));\r\n sb.AppendFormat(\"&nonce={0}\", nonce);\r\n sb.AppendFormat(\"&authorizationURL={0}\", Uri.EscapeDataString(authUrl));\r\n sb.AppendFormat(\"&callbackURL={0}\", Uri.EscapeDataString(redirectUri));\r\n sb.AppendFormat(\"&clientID={0}\", clientID);\r\n sb.AppendFormat(\"&clientSecret={0}\", Uri.EscapeDataString(clientSecret));\r\n sb.AppendFormat(\"&identifierField=openid_identifier\");\r\n sb.AppendFormat(\"&oidcIssuer={0}\", Uri.EscapeDataString(\"https:\/\/sts.windows.net\/{tenantid}\/\"));\r\n sb.AppendFormat(\"&responseType=id_token\");\r\n sb.AppendFormat(\"&revocationURL={0}\", Uri.EscapeDataString(\"https:\/\/login.microsoftonline.com\/common\/oauth2\/logout\"));\r\n sb.AppendFormat(\"&scopeSeparator=%20\");\r\n sb.AppendFormat(\"&tokenInfoURL=\");\r\n sb.AppendFormat(\"&tokenURL={0}\", Uri.EscapeDataString(\"https:\/\/login.microsoftonline.com\/common\/oauth2\/token\"));\r\n sb.AppendFormat(\"&userInfoURL={0}\", Uri.EscapeDataString(\"https:\/\/login.microsoftonline.com\/common\/openid\/userinfo\"));\r\n sb.AppendFormat(\"&response_mode=form_post\");\r\n sb.AppendFormat(\"&response_type=id_token\");\r\n sb.AppendFormat(\"&scope=openid\");\r\n sb.AppendFormat(\"&client_id={0}\", clientID);\r\n sb.AppendFormat(\"&state={0}\", nonce);\r\n \/\/ redirect to auth via AAD (and then redirect back to ourself)\r\n Response.Redirect(sb.ToString(), true);\r\n<\/pre>\n \/\/ we shouln't already be Auth'd and we need the \"id_token\" part in the body\r\n if (Request.IsAuthenticated) return;\r\n if (!Request.Form.AllKeys.Contains(\"id_token\")) return;\r\n \r\n \/\/ decode shit\r\n string value = Request.Form.Get(\"id_token\");\r\n JObject id_token = JwtDecode(value);\r\n \/\/ UserPrincipalNme, ie a fancy word for the original e-mail address you have in ActiveDirectory\r\n string upn = id_token.GetValue(\"upn\").ToString();\r\n DateTime expireTime = GetExpireTime(id_token);\r\n SetUserPrincipal(id_token);\r\n\r\n \/\/ create the cookie and store the JWT token in the UserData attrribute so we can pick it up \r\n FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, upn, DateTime.UtcNow, expireTime, false, id_token.ToString(), FormsAuthentication.FormsCookiePath);\r\n string encryptedCookie = FormsAuthentication.Encrypt(ticket);\r\n HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedCookie);\r\n cookie.Expires = expireTime;\r\n Response.Cookies.Add(cookie);\r\n\r\n \/\/ redirect to ourself\r\n redirectUri = GetRedirectUrl(Request, redirectUri);\r\n Response.Redirect(redirectUri, true);\r\n<\/pre>\n
private static void SetUserPrincipal( JObject id_token )\r\n{\r\n string upn = id_token.GetValue(\"upn\").ToString();\r\n List<Claim> claims = new List<Claim>\r\n {\r\n new Claim(ClaimTypes.Email, upn )\r\n , new Claim(ClaimTypes.Upn, upn )\r\n , new Claim( \"http:\/\/schemas.microsoft.com\/identity\/claims\/objectidentifier\", id_token.GetValue(\"oid\").ToString() )\r\n , new Claim(ClaimTypes.Surname, id_token.GetValue(\"family_name\").ToString() )\r\n , new Claim(ClaimTypes.GivenName, id_token.GetValue(\"given_name\").ToString() )\r\n , new Claim(ClaimTypes.Name, id_token.GetValue(\"unique_name\").ToString() )\r\n , new Claim(\"name\", id_token.GetValue(\"name\").ToString() )\r\n , new Claim(\"iss\", id_token.GetValue(\"iss\").ToString() )\r\n , new Claim(\"nbf\", id_token.GetValue(\"nbf\").ToString() )\r\n , new Claim(\"exp\", id_token.GetValue(\"exp\").ToString() )\r\n , new Claim(\"aud\", id_token.GetValue(\"aud\").ToString() )\r\n , new Claim(ClaimTypes.NameIdentifier, id_token.GetValue(\"sub\").ToString() )\r\n , new Claim(\"ipaddr\", id_token.GetValue(\"ipaddr\").ToString() )\r\n , new Claim(\"http:\/\/schemas.microsoft.com\/identity\/claims\/tenantid\", id_token.GetValue(\"tid\").ToString() )\r\n , new Claim(\"ver\", id_token.GetValue(\"ver\").ToString() )\r\n };\r\n ClaimsIdentity claimsIdentity = new ClaimsIdentity(claims, \"Cookies\");\r\n ClaimsPrincipal principal = new ClaimsPrincipal(claimsIdentity);\r\n HttpContext.Current.User = principal;\r\n Thread.CurrentPrincipal = principal; \/\/ updates ClaimsPrincipal.Current\r\n}\r\n<\/pre>\n<\/a><\/p>\npublic class Global : System.Web.HttpApplication\r\n{\r\n protected void Application_AuthenticateRequest(object sender, EventArgs e)\r\n {\r\n Tiny.AzureAD.OAuthHandler.GlobalApplication_AuthenticateRequest(Request, Response);\r\n }\r\n}\r\n<\/pre>\npublic static void GlobalApplication_AuthenticateRequest(HttpRequest Request, HttpResponse Response)\r\n{\r\n \/\/ if not already auth'd and we have the aspnet auth cookie, hook up the principal if cookie hasn't expired\r\n if (!Request.IsAuthenticated && Request.Cookies.AllKeys.Contains(FormsAuthentication.FormsCookieName))\r\n {\r\n HttpCookie cookie = Request.Cookies.Get(FormsAuthentication.FormsCookieName);\r\n if (cookie != null)\r\n {\r\n FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);\r\n var id_token = JObject.Parse(ticket.UserData);\r\n DateTime expireTime = GetExpireTime(id_token);\r\n if (DateTime.UtcNow < expireTime)\r\n {\r\n SetUserPrincipal(id_token);\r\n }\r\n }\r\n }\r\n}\r\n<\/pre>\n<\/a><\/p>\n
\nhttps:\/\/msdn.microsoft.com\/en-us\/library\/azure\/dn645541.aspx<\/a><\/p>\n
\nhttp:\/\/openid.net\/developers\/specs\/<\/a><\/p>\n
\nhttps:\/\/azure.microsoft.com\/en-us\/documentation\/articles\/active-directory-protocols-oauth-code\/<\/a><\/p>\n
\nhttps:\/\/azure.microsoft.com\/en-us\/documentation\/articles\/active-directory-developers-guide\/<\/a><\/p>\n