Tags: asp.net-core, azure-active-directory, identityserver4, openid-connect

Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?


I'm trying to get Microsoft configured as an external login provider in Identityserver4. I succeeded by following identity server's documentation with using AddMicrosoftAccount:

services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
 {
  microsoftOptions.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
  microsoftOptions.ClientId = configuration["MicrosoftLoginProvider:ClientId"];
  microsoftOptions.ClientSecret = configuration["MicrosoftLoginProvider:ClientSecret"];
 });

However, I didn't have luck with getting single sign-out to work. The documentation is in line with Microsoft's documentation at https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins?view=aspnetcore-5.0.

However, if you follow the instructions to create an app in Microsoft Developer Portal (portal.azure.com), the sample code on that portal suggests a different way. The sample application that the portal generated for me (WebApp-OpenIDConnect-DotNet) is using AddMicrosoftIdentityWebApp:

 services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));

Since this application is working out-of-the-box including single sign-out, I am wondering if this is the way I have to continue.

To my surprise, however, I can't find any doc/blogs about how to integrate this approach in IdentityServer4. I almost got it to work myself, but there are a few weird issues.

Can someone clarify if using AddMicrosoftIdentityWebApp is the way to go to add Microsoft as an external identity provider to Identityserver4? Has someone succeeded in getting AddMicrosoftIdentityWebApp to work with IdentityServer4?

Thanks for your help!


Solution

  • I figured out how to get it to work.

    Actually, there were only two things I had to do.

    First, I had to remove OpenIdConnectDefaults.AuthenticationScheme in the call to AddAuthentication in the example code that Microsoft generated. So the code becomes:

      services.AddAuthentication()
         .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"));
    

    Then, in the code that reads the external identity from a temporary cookie, I had to use CookieAuthenticationDefaults.AuthenticationScheme. So, that code now reads as follows:

    var authenticationResult = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    

    That was all.
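The callback side of the approach in the answer, as an added example that is not from the question, the answer or the IdentityServer4 project: a hypothetical ExternalController.Callback (named after the IdentityServer4 quickstart) reads the external identity from the Cookies scheme exactly as the answer describes, refuses to issue an IdentityServer session unless that result succeeded and carries a subject claim, removes the temporary cookie afterwards, and only follows a return URL that IdentityServer or MVC recognises. It assumes the Startup change from the answer, that the challenge to OpenIdConnectDefaults.AuthenticationScheme stored the original return URL under the "returnUrl" property item, and "AzureAd" as the idp value.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Hypothetical callback controller; the name follows the IdentityServer4 quickstart, not the page.
public class ExternalController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    public ExternalController(IIdentityServerInteractionService interaction) => _interaction = interaction;

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        // Microsoft.Identity.Web stores the external identity in the default "Cookies" scheme,
        // not in IdentityServer's own external cookie, so that is the scheme to read (per the answer).
        var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        if (result?.Succeeded != true || result.Principal == null)
        {
            return Unauthorized(); // no valid external sign-in: do not issue a session
        }

        var external = result.Principal;
        var subject = external.FindFirst(JwtClaimTypes.Subject) ?? external.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null) return Unauthorized(); // refuse identities without a stable subject id

        // Issue the IdentityServer session cookie; "AzureAd" is the idp value assumed here.
        var user = new IdentityServerUser(subject.Value)
        {
            DisplayName = external.FindFirst(JwtClaimTypes.Name)?.Value ?? external.Identity?.Name,
            IdentityProvider = "AzureAd",
        };
        await HttpContext.SignInAsync(user);

        // Remove the temporary external cookie so it cannot be reused after the hand-off.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

        // Only follow a return URL IdentityServer or MVC recognises (avoids an open redirect).
        var returnUrl = "~/";
        if (result.Properties != null
            && result.Properties.Items.TryGetValue("returnUrl", out var stored)
            && stored != null
            && (_interaction.IsValidReturnUrl(stored) || Url.IsLocalUrl(stored)))
        {
            returnUrl = stored;
        }
        return Redirect(returnUrl);
    }
}
```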