In this article you will learn to use OAuth2 and OpenID Connect in an ASP.NET Core application to authenticate your users. OAuth2 is the de-facto standard protocol for delegated authorization and is used by most organizations today. OpenID Connect sits on top of OAuth2 and adds an identity layer: where OAuth2 only says what a client may access, OpenID Connect tells the application who the user is, by way of a signed ID token. You can learn more about both standards on their official homepages.
In this tutorial we will use Auth0 as our authentication server, but you can use any other OpenID Connect provider of your choice. If you have extra requirements or want to host the authentication server yourself, consider Identity Server. Identity Server is built for .NET applications and is open source, so you can dive into the actual implementation.
The source code and a working prototype are available on my GitHub page; you only have to adapt the appsettings file with your own keys. I would also recommend using OData when providing an API. You can find a guide on that here.
Deciding the Authorization Grant Type
OAuth2 actually defines several different ways of granting access, the so-called grant types: Authorization Code, Implicit, Resource Owner Password Credentials and Client Credentials, plus the Refresh Token grant and extension grants.
I would strongly suggest using the Authorization Code grant type whenever possible. It is by far the most secure option: the browser only ever sees a short-lived, single-use authorization code, and that code is exchanged for tokens in a server-to-server call that carries the client secret, so the tokens themselves never pass through the browser. Pair it with PKCE, which the ASP.NET Core OpenID Connect handler supports, so that the code is bound to the client that requested it. In this tutorial we use exactly this type to get authenticated.
Should you consider using the Implicit flow, read the official OAuth2 statement on it first:
"It is generally not recommended to use the implicit flow (and some servers prohibit this flow entirely)." (source)
Adding Authorization to an ASP.NET Core Application
First we add the OpenID Connect and cookie handlers to our application. For this we add code to the ConfigureServices method in Startup.cs. The cookie handler keeps the user signed in between requests; the OpenID Connect handler is only used to sign the user in (and out) against Auth0.
The next step is to add the authentication middleware in the Configure method of Startup.cs. Order matters here: UseAuthentication must run before any middleware that needs the user (UseAuthorization and the MVC/endpoint middleware), otherwise HttpContext.User is still empty when your controllers execute.
And that's it: you have configured OpenID Connect and OAuth2 with cookie-based authentication and Auth0. But, as you guessed, we still have to use it.
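The two steps above, as an added example that is not the article's own Startup.cs. It targets the ASP.NET Core 3.x-and-later Startup layout (UseRouting / UseAuthentication / UseAuthorization / UseEndpoints) and assumes three appsettings keys, Auth0:Domain, Auth0:ClientId and Auth0:ClientSecret, and a callback path /signin-auth0 that is registered as an Allowed Callback URL in the Auth0 application; all of those names are my assumptions, not something the article prescribes.

```csharp
// Added example: cookie + OpenID Connect wiring for an ASP.NET Core 3.x+ app using Auth0.
// Assumed appsettings.json keys: Auth0:Domain, Auth0:ClientId, Auth0:ClientSecret.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.AddAuthentication(options =>
        {
            // The session lives in the cookie; the OIDC handler is only used to sign in and sign out.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        })
        .AddCookie(options =>
        {
            options.Cookie.HttpOnly = true;                          // not readable from script
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // never sent over plain HTTP
            options.LoginPath = "/Account/Login";                    // where an unauthenticated request is sent
        })
        .AddOpenIdConnect("Auth0", options =>                        // "Auth0" is the scheme name used by ChallengeAsync
        {
            options.Authority = $"https://{Configuration["Auth0:Domain"]}";
            options.ClientId = Configuration["Auth0:ClientId"];
            options.ClientSecret = Configuration["Auth0:ClientSecret"];

            // Authorization Code flow with PKCE: the code is exchanged server-to-server,
            // so access and ID tokens never travel through the browser.
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.UsePkce = true;

            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");

            // Assumed path; it must be registered as an Allowed Callback URL in Auth0.
            options.CallbackPath = new PathString("/signin-auth0");
            options.ClaimsIssuer = "Auth0";
            options.TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" };

            options.Events = new OpenIdConnectEvents
            {
                // Auth0 ends its own session via /v2/logout, so the sign-out redirect is built by hand.
                OnRedirectToIdentityProviderForSignOut = context =>
                {
                    var logoutUri = $"https://{Configuration["Auth0:Domain"]}/v2/logout?client_id={Configuration["Auth0:ClientId"]}";
                    var postLogoutUri = context.Properties.RedirectUri;
                    if (!string.IsNullOrEmpty(postLogoutUri))
                    {
                        if (postLogoutUri.StartsWith("/"))
                        {
                            // Turn a local path into an absolute URL (returnTo must be absolute).
                            var request = context.Request;
                            postLogoutUri = $"{request.Scheme}://{request.Host}{request.PathBase}{postLogoutUri}";
                        }
                        logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
                    }
                    context.Response.Redirect(logoutUri);
                    context.HandleResponse(); // tell the handler we produced the response ourselves
                    return Task.CompletedTask;
                }
            };
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();   // must come after UseRouting and before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

The returnTo value passed to Auth0's logout endpoint must itself be whitelisted as an Allowed Logout URL in the Auth0 dashboard, otherwise Auth0 refuses the redirect.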
Login and Logout
To trigger the login you simply call the ChallengeAsync extension method on the HttpContext object. Usually you do this in a dedicated Account controller (any other name is fine as well). In our sample we use an AccountController with two endpoints, Login and Logout.
ChallengeAsync takes two parameters: the name of the authentication scheme we configured before and an AuthenticationProperties object. The first parameter must match the value in .AddOpenIdConnect("Auth0", ...), and the second is used to pass a return URL to which the user is redirected after login when a specific resource was requested. This could be any protected resource or path in your application (e.g. https://yourdomain.com/user). Because the return URL usually arrives in the query string, validate it (for example with Url.IsLocalUrl) before handing it to ChallengeAsync; otherwise the login endpoint doubles as an open redirect.
The Logout endpoint should only be accessible to authenticated users, so we decorate the Logout method with an Authorize attribute. In our case we redirect to a specific URL after the user has been logged out. Keep in mind that clearing the local cookie alone does not end the session at Auth0: a later ChallengeAsync would silently sign the user back in, so the OpenID Connect scheme has to be signed out as well.
The same Authorize attribute should be used when you want to protect your API calls, but don't forget that authentication says nothing about authorization: a bare [Authorize] only checks that the caller is signed in, not what the caller is allowed to do. Permissions need a policy or role check on top of it.
Using authentication in an ASP.NET Core application is simple, and nothing should hold anyone back from using it. It is also fairly easy to add this functionality later on.
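The login, logout and protected-endpoint pieces described above, as an added example that is not the article's own AccountController. It assumes the OpenID Connect scheme is registered under the name "Auth0" and the cookie scheme under the ASP.NET Core default; the ProfileController and its route are my own illustration. Two hardenings go beyond what the article asks for: the return URL is checked with Url.IsLocalUrl, and Logout is a POST with an anti-forgery token, since a GET logout could be triggered by any third-party page.

```csharp
// Added example: login/logout endpoints plus a protected API endpoint.
// Assumes AddOpenIdConnect("Auth0", ...) and AddCookie() as configured in Startup.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // Must match the scheme name passed to AddOpenIdConnect("Auth0", ...).
    private const string OidcScheme = "Auth0";

    [HttpGet]
    public async Task Login(string returnUrl = "/")
    {
        // Open-redirect guard: only a local path may be used as the post-login target.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }

        // Redirects the browser to Auth0; after the code exchange the cookie handler signs the user in
        // and sends them to RedirectUri.
        await HttpContext.ChallengeAsync(OidcScheme, new AuthenticationProperties { RedirectUri = returnUrl });
    }

    [Authorize]                 // only signed-in users may log out
    [HttpPost]                  // POST + anti-forgery token so a foreign page cannot log the user out
    [ValidateAntiForgeryToken]
    public async Task Logout()
    {
        // 1. Clear the local session cookie.
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        // 2. End the Auth0 session too and land on "/" afterwards (handled by
        //    OnRedirectToIdentityProviderForSignOut in Startup).
        await HttpContext.SignOutAsync(OidcScheme, new AuthenticationProperties { RedirectUri = "/" });
    }
}

[ApiController]
[Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    // [Authorize] without a policy only proves the caller is authenticated; any "may this user
    // do X" rule needs [Authorize(Policy = "...")] with a policy registered via services.AddAuthorization.
    [Authorize]
    [HttpGet]
    public IActionResult Get() =>
        Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

A logout form in a Razor view only needs `<form method="post" asp-controller="Account" asp-action="Logout">`; the form tag helper emits the anti-forgery token that [ValidateAntiForgeryToken] checks.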
If you have any further questions or additions please use the comment box below.
Happy authenticating :)