OpenID Connect Authentication with Azure AD and AD-B2C

Nishra Nasar
8 min read · Jun 20, 2023


Microsoft Active Directory and B2C authentication with .NET Core

OpenID Connect with Azure AD and Azure AD B2C

In this article, I will share my learnings on:

  1. How to configure Microsoft Azure AD with a .NET application using OpenID Connect.
  2. How to configure Microsoft Azure AD B2C with a .NET application using OpenID Connect.

Prerequisites

  1. Microsoft Azure Portal Access (Free Subscription is sufficient)
  2. .NET Core Project (examples in this article use .NET Core 7).

What is OpenID Connect?

Before diving into the configuration process, let’s understand the concept of OpenID Connect and its role in authentication and authorization.

Authentication (AuthN) verifies who the user is: the user’s identity is checked before access to the system is granted. Authorization (AuthZ) checks what an authenticated user is allowed to do: the user’s permissions are validated before access to a resource is granted.

The OpenID Connect (OIDC) protocol is an authentication protocol (AuthN protocol) that is generally in charge of the user authentication process. It works in conjunction with the OAuth 2.0 protocol, which handles the authorization process.

Configure Azure Active Directory with .NET Applications.

Create Azure AD in Azure Portal

  1. Create an Azure AD under a selected resource group.

Under the selected resource group, click on the Create button as shown below. This will redirect you to the Azure Marketplace.

P.S. Best practice is to create different resource groups based on your environments (Dev, QA, Prod).

Create resources within a resource group.

2. Search for ‘Azure Active Directory’ and click on the Create button of Microsoft Azure AD.

P.S. I have changed the Marketplace view to ‘list view’; the default is ‘Tile View.’

Create Azure Active Directory

3. Select Azure Active Directory from the Tenant Type.

Azure Active Directory Tenant

4. Provide a unique organization and domain name in the Configuration Tab.

Configuration Details

5. Click on Review and Create.

6. Once the Azure AD is created, navigate to the resource and click on App registrations.

App Registration in Azure Active Directory

7. App Registration

If there’s an existing application that needs the Azure AD integration, it can be selected from the owned application tab. In my case, there’s no application in the current directory. Therefore, I will be creating a new application.

App Registration

8. New App Registration.

  • Name: Provide a meaningful name for the application.
  • Supported Account Type: Select the account type based on the project’s business case.
  • Redirect URI: Even though it is shown as optional, it is necessary to configure a redirect URI. During the development phase we can provide the base URL as localhost. Once the application is moved to a hosted server, it needs to be changed accordingly.

redirect URI format: your-base-url/any-call-back-url

Once you have added the relevant details, click on the Register button.

New App Registration

9. App listed under the App registrations of Azure Active Directory.

App listed under App registrations.

10. Add Users to the Azure Active Directory.

Users can be added by clicking on the ‘Users’ tab of the Azure Active Directory. This provides the option to invite external users via email or to create new users under the domain name of the Azure Active Directory (these users will get a new email address).

Users of Azure Active Directory.

Once the app and the users are created, the configuration can be done in the .NET application.

Configure Azure AD with .NET Core.

  1. Create a .NET Core application with .NET 7 (or later).
  2. Install the latest version of the NuGet package Microsoft.AspNetCore.Authentication.OpenIdConnect.
  3. Configure the Program.cs file with AddOpenIdConnect as follows.
  • SignInScheme: this needs to be IdentityConstants.ExternalScheme.
  • Authority: the authority can be taken as follows: https://login.microsoftonline.com/client-Id/v2.0
  • ClientId: this is the application (client) ID of the registered app (Blog App).
Client ID
  • ResponseType: “code”. This selects the authorization flow; in this case I’m using the Authorization Code Flow.
  • SaveTokens: true
  • ClientSecret: this needs to be generated under Certificates & secrets of the registered app in Azure AD. Once it is generated, the secret’s Value is what needs to be added as the client secret.
Add New Client Secret
Add a client secret.
Value needs to be added as the Client secret.
  • CallbackPath: the callback path needs to be the same as the redirect URI added to the app.
Redirect URI

Once the configuration is done accordingly and the Login button is wired up, the application should run successfully with the Azure AD integration.

Azure AD integrated Application.

Configure Azure Active Directory B2C with .NET Applications.

Create Azure AD B2C in Azure Portal

  1. Create an Azure AD B2C under a selected resource group.

Under the selected resource group, click on the Create button as shown below. This will redirect you to the Azure Marketplace.

P.S. Best practice is to create different resource groups based on your environments (Dev, QA, Prod).

Create resources within a resource group.

2. Search for ‘Azure Active Directory B2C’ and click on the Create button of Microsoft Azure AD B2C.

P.S. I have changed the Marketplace view to ‘list view’; the default is ‘Tile View.’

Azure Active Directory B2C

3. Select the tenant

Once you click on the Create button, it will navigate to the following view. If there is an existing B2C tenant in your project, it can be linked by selecting the link option. In this case, I will be creating a new Azure AD B2C tenant.

Create / Link B2C Tenant

4. Select Azure AD B2C tenant from the Basics tab.

B2C Tenant Type

5. Provide a unique organization and domain name in the Configuration Tab.

Configurations of the tenant

7. Once the Azure AD B2C is created, navigate to the resource and click on User flows.

User flows are predefined, configured policies that you can use to set up authentication experiences for your end users. A user flow lets you determine how users interact with your application when they do things like sign-in, sign-up, edit a profile, or reset a password.

User Flows

8. Select Sign up and Sign In User flow from the Create a User Flow window.

Create User Flow

9. Provide a name, choose the identity provider, and select the user attributes and token claims as required.

Sign up and sign in user flow

10. Once the Azure AD B2C is created, navigate to the resource and click on App registrations.

11. App Registration

If there’s an existing application that needs the Azure AD integration, it can be selected from the owned application tab. In my case, there’s no application in the current directory. Therefore, I will be creating a new application.

12. New App Registration.

  • Name: Provide a meaningful name for the application.
  • Supported Account Type: Select the account type based on the project’s business case.
  • Redirect URI: Even though it is shown as optional, it is necessary to configure a redirect URI. During the development phase we can provide the base URL as localhost. Once the application is moved to a hosted server, it needs to be changed accordingly.

redirect URI format: your-base-url/signin-oidc

Once you have added the relevant details, click on the Register button.

13. Add Users to the Azure Active Directory B2C.

Users can be added by clicking on the ‘Users’ tab of the Azure Active Directory. This provides the option to invite external users via email or to create new users under the domain name of the Azure Active Directory (these users will get a new email address).

Users of Azure Active Directory B2C.

Once the app and the users are created, the configuration can be done in the .NET application.

Configure Azure AD B2C with .NET

  1. Create a .NET Core application with .NET 7 (or later).
  2. Install the latest version of the NuGet package Microsoft.AspNetCore.Authentication.OpenIdConnect.
  3. Configure the Program.cs file with AddOpenIdConnect as follows.
  • SignInScheme: this needs to be IdentityConstants.ExternalScheme.
  • Authority: this can be built from the endpoints listed on the Overview page of the created app.
Endpoints of the app

From that list, take the Azure AD B2C OpenID Connect metadata document endpoint. The authority is that URL up to and including v2.0, with the name of your user flow (policy) substituted for <policy-name>.

Authority Endpoint
  • ClientId: this is the application (client) ID of the registered app (Blog App).
  • ResponseType: “code”. This selects the authorization flow; in this case I’m using the Authorization Code Flow.
  • SaveTokens: true
  • ClientSecret: this needs to be generated under Certificates & secrets of the registered app in Azure AD B2C. Once it is generated, the secret’s Value is what needs to be added as the client secret.
Add New Client Secret
Add a client secret.
Value needs to be added as the Client secret.
  • CallbackPath: the callback path needs to be the same as the redirect URI added to the app.
  • Scope: this needs to be the same as the client ID.
Redirect URI

Once the configuration is done accordingly and the Login button is wired up, the application should run successfully with the Azure AD B2C integration.
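As an added example (not the article’s or Microsoft’s code), here is one Program.cs that covers both the Azure AD configuration earlier in the article and the B2C configuration just described. It assumes a hypothetical Oidc configuration section, assumes the authority’s path segment is the directory (tenant) ID shown on the app’s Overview blade, and uses a plain cookie scheme instead of ASP.NET Identity’s external scheme used in the article; when a B2C policy is configured it appends the policy to the authority and adds the client ID as a scope.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical "Oidc" configuration section. Supply it from appsettings.json or
// `dotnet user-secrets`; the client secret must never be committed to source control.
var oidc = builder.Configuration.GetSection("Oidc");
string clientId = oidc["ClientId"]!;
string tenant = oidc["TenantId"]!;   // directory (tenant) ID from the app's Overview blade (assumption)
string? policy = oidc["Policy"];     // B2C user flow name, e.g. B2C_1_signupsignin; null for plain Azure AD
string? b2cHost = oidc["B2cHost"];   // e.g. contoso.b2clogin.com; null for plain Azure AD

// Azure AD:     https://login.microsoftonline.com/{tenant}/v2.0
// Azure AD B2C: https://{b2cHost}/{tenant}/{policy}/v2.0  (both stop at v2.0)
string authority = policy is null
    ? $"https://login.microsoftonline.com/{tenant}/v2.0"
    : $"https://{b2cHost}/{tenant}/{policy}/v2.0";

builder.Services.AddAuthorization();
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()   // session cookie; the article pairs OIDC with IdentityConstants.ExternalScheme instead
.AddOpenIdConnect(options =>
{
    options.Authority = authority;
    options.ClientId = clientId;
    options.ClientSecret = oidc["ClientSecret"]!;
    options.ResponseType = OpenIdConnectResponseType.Code; // authorization code flow, not implicit
    options.UsePkce = true;                 // the default; stated explicitly so a downgrade is visible in review
    options.SaveTokens = true;              // keeps the id/access/refresh tokens in the auth cookie
    options.CallbackPath = "/signin-oidc";  // must match the path of the registered redirect URI
    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    if (policy is not null) options.Scope.Add(clientId); // B2C: the app's own client ID as scope
    options.TokenValidationParameters.ValidateIssuer = true; // reject tokens minted for another tenant/policy
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name ?? "unknown"}")
   .RequireAuthorization();
app.Run();
```

If the redirect URI registered in the portal does not end in the same path as CallbackPath, the provider rejects the sign-in request before any token is issued, which is the quickest check when the login button does nothing.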

Azure AD B2C

I hope this article helped you connect Microsoft Azure AD and Azure AD B2C to your project.

Follow me for the upcoming articles….
