I have a need to implement Open ID Connect in an ASP.NET Core 5 web app for authentication at an organization. I cannot test against the identity provider as this org has their own internal one.
I thought Open ID Connect (oidc) was a standard - yet when I look at docs and sample code for the various providers around, they all either have something provided with ASP.NET or I have to install their package.
For example, to use Google, the ASP.NET Core docs say to use services.AddAuthentication().AddGoogle()
. For Facebook, it says to use .AddFacebook()
.
For Auth0, it wants me to install the package Auth0.AspNetCore.Authentication
.
Is it not possible to just add OIDC authentication to my app and have it work with any OIDC provider and just change a configuration file to specify the authority URL, Client ID, Client Secret?
I'm confused about why I need these provider-specific calls and packages.
CodePudding user response:
OpenID Connect is an open standard that organisations use to authenticate users. IdPs use this so that users can sign in to the IdP
And about the OIDC protocol, it allows you to authenticate users, and is designed for users to sign in many websites with only one account, usually it's a social/work account. This is only a protocol and you have to use an implement such as Google/Azure authentication to allow your users to sign in with their specific account.
By the way, since the implements are from different companies, so the configuration in our codes are different and they required different nuget packages like Microsoft.Identity.Web
. For example, when using Azure, we need to set such as client id, client secret, tenant id, domain, redirect url...
in appsettings.json.
CodePudding user response:
Architecturally, tieing an app to a single form of authentication is entirely wrong, as you suggest. These packages have limited use, perhaps for very simple use cases.
The original OAuth 2.0 spec from RFC6749, from 2012, describes how the OAuth framework is designed, to externalize difficult security from your apps:
- The client only implements a code flow
- It redirects to an authorization server (AS)
- The AS can authenticate users in a myriad of potential ways, including many identity providers
- After authentication (and possibly consent) the AS issues tokens to your apps
- Tokens enable authorization in your APIs in a myriad of potential ways
Once you've implemented a code flow in your app, your set of users can potentially login in many ways, with zero code changes in the app:
- Password sign in (a default option)
- Multi-factor authentication (in a dynamic way potentially)
- Cloud platform identity providers (for engineering staff)
- CRM identity provider (for client focused staff)
- SAML identity providet (for users from business partners)
- Webauthn, Passkeys and Digital wallets (for some of your customers)
Unless you have a very good reason, stick to OpenID Connect standards based code flows in clients. You can do all of the above using the Microsoft libraries. Auth0 have good libraries also - just make sure you use the standards based ones.