Open geno-github opened 3 years ago
@geno-github see this GitHub comment
Update: For 6.0 we should obsolete AddMicrosoftAccount and AddGoogle and rewrite the docs to use AddOpenIdConnect.
Sor for now, keep using AddMicrosoftAccount
until we add AddMicrosoftAccountOidc
Reviving this. While we don't intend to deprecate AddMicrosoftAccount or add AddMicrosoftAccountOidc in 6.0, we still want to transition the docs to show using AddOpenIdConnect (or Identity.Web) instead. @blowdart
The same goes for AddGoogle.
@jennyf19 for guidance on moving to Identity.Web.
@jennyf19 if you can outline the steps we'll get this published.
yes @Rick-Anderson will do. thanks.
@Rick-Anderson @Tratcher Here is an md file above with suggestions. Just a note, that most customers use the 3rd or 4th option in the screen shot below from the portal. The difference in code (which i mention in a comment in the md file) is in appsettings.json, either using /common
(or 3rd option) or /consumers
(4th option). if using /consumers
, the UI that is rendered from AAD is ONLY for MSA.
Login w//common
UI:
This is the error, if I try to use an MSA only app with a non-MSA account because I don't have /consumers
in the appsetting.json
Login w//consumers
UI:
Thanks @jennyf19.
There are a few details to work out:
services.AddAuthentication()
.AddMicrosoftIdentityWebApp(microsoftOptions =>
{
microsoftOptions.Instance = "https://login.microsoftonline.com";
microsoftOptions.TenantId = "consumers";
microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ClientId"];
}, cookieScheme = null);
Is this using the id_token flow so the client secret isn't required anymore?
@Tratcher will need to talk to @henrik-me and @jmprieur about prioritization w/our other items.
It looks like that will require setting the cookieScheme to null? yes
How to set the display name so this still shows up as Microsoft Account on Identity's external providers page? we need to do this -> issue here.
Is this using the id_token flow so the client secret isn't required anymore? The client secret is only needed if calling a web API or calling Graph, so if just signing-in users, it's not needed. Auth code flow, with
response_type=id_token
.
For the migration story, I would need time to look at the current one and ours to compare, and that will need to be prioritized, as mentioned above.
@blowdart for the prioritization discussion. Since this is doc focused it's not on a strict release deadline, but we'd like to get it done in the .NET 6 time frame (Nov).
AddMicrosoftAccountIsDeprecated.md
@Tratcher @blowdart @Rick-Anderson I believe all the questions are answered above. LMK if there is more to do. thanks.
I created an aspnetcore 3.1 project template with
--auth SingleOrg
. I followed this doc, plus this GitHub issue to get things to work.
Ok, I think this is the disconnect, most people using AddMicrosoftAccount aren't using the SingleOrg
auth template, they're using the Individual
one where MicrosoftAccount isn't the primary authentication provider, it's secondary to the local user database. Users link their MicrosoftAccount to a local user account. If the nameidentifier changes when migrating that's a problem because the accounts won't be linked anymore. It looks like they'll need some more sample code to map the new objectidentifier back to the old nameidentifier to maintain the link.
How to set the display name so this still shows up as Microsoft Account on Identity's external providers page?
- Not sure what this means exactly. But the value for
User.Identity.Name
is different:
I meant the display name field of the authentication scheme, not the user. See
https://docs.microsoft.com/en-us/dotnet/api/microsoft.extensions.dependencyinjection.microsoftaccountextensions.addmicrosoftaccount?view=aspnetcore-5.0#Microsoft_Extensions_DependencyInjection_MicrosoftAccountExtensions_AddMicrosoftAccount_Microsoft_AspNetCore_Authentication_AuthenticationBuilder_System_String_System_String_System_Action_Microsoft_AspNetCore_Authentication_MicrosoftAccount_MicrosoftAccountOptions__
that has the overload that accepts a displayName
. Identity special cases schemes with a display name set so they show up as external login providers on the sign-in page.
I hope the doc will show how to use AddOpenIdConnect
instead of Identity.Web
. Identity.Web
requires EnableTokenAcquisitionToCallDownstreamApi
to use the authorization code flow (which then requires token storage), adds offline_access
to scope
unnecessarily and breaks the AuthenticationBuilder
chain. AddOpenIdConnect
should be used for simple authentication, and the following code should work very similar to AddMicrosoftAccount
:
.AddOpenIdConnect("Microsoft", "Microsoft", options => {
options.Authority = "https://login.microsoftonline.com/common/v2.0/";
options.ClientId = Configuration["Authentication:Microsoft:ClientId"];
options.ClientSecret = Configuration["Authentication:Microsoft:ClientSecret"];
options.ResponseType = OpenIdConnectResponseType.Code;
options.CallbackPath = "/signin-microsoft";
options.TokenValidationParameters.IssuerValidator = AadIssuerValidator.GetAadIssuerValidator("https://login.microsoftonline.com/").Validate;
})
Email sent to @jennyf19
@Tratcher any update on this topic? should we use AddMicrosoftIdentityWebApp instead of AddMicrosoftAccount
also filed an discussion here https://github.com/dotnet/aspnetcore/discussions/49484
Please replace this method with supported method like AddOpenIdConnect. Thanks.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.