Open ghidello opened 4 years ago
Azure Active Directory B2C
```csharp
var baseUri = new Uri(WebAssemblyUriHelper.Instance.GetBaseUri());
var issuerUri = new Uri("https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/");
services.AddOidc(new OidcSettings(issuerUri, baseUri)
{
    MetadataEndpoint = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={user_flow}",
    ClientId = "{application_guid}",
    ResponseType = "id_token token", // the token endpoint does not support CORS, so the "code" response type cannot be used
    Scope = "openid https://{tenant}.onmicrosoft.com/{application}/{published_scope}",
    LoadUserInfo = false // the user_info endpoint does not support CORS (https://{tenant}.b2clogin.com/{tenant_guid}/openid/userinfo/)
});
```
Gitter
It can't be used because it supports only the code flow but the token endpoint does not support CORS. I'm documenting the configuration just for future reference.
```csharp
var issuerUri = new Uri("https://gitter.im");
var baseUri = new Uri(WebAssemblyUriHelper.Instance.GetBaseUri());
services.AddOidc(new OidcSettings(issuerUri, baseUri)
{
    ClientId = "OAUTH KEY",
    ClientSecret = "OAUTH SECRET",
    ResponseType = "code", // Implicit flow not supported
    Scope = "openid",
    Endpoints = new OpenidEndpoints
    {
        Issuer = "https://gitter.im",
        AuthorizationEndpoint = "https://gitter.im/login/oauth/authorize",
        TokenEndpoint = "https://gitter.im/login/oauth/token",
        UserinfoEndpoint = "https://gitter.im/v1/user/me"
    }
});
```
In Okta, after setting up your tenant, create an application using the "SPA" ApplicationType,
which will disable client secrets and "Use PKCE (for public clients)". Also make sure you select "Authorization Code" in the Allowed grant types.
The redirection endpoint URI must be an absolute URI as defined by [RFC3986] Section 4.3. In the application "General" tab, scroll down to the "Login" section and set up the redirect / logout URLs as follows:
Login redirect URIs:
https://{your_client}/oidc/callbacks/authentication-redirect
https://{your_client}/_content/Sotsera.Blazor.Oidc/authentication-popup.html
Logout redirect URIs:
https://{your_client}/oidc/callbacks/logout-redirect
https://{your_client}/_content/Sotsera.Blazor.Oidc/logout-popup.html
Then you will need to set up CORS. Go to the "Api" menu and select "Trusted Origins". Press the "Add Origin" button and input the URI for your client (e.g. "https://{your_client}"), then select "CORS" and save your changes.
Works out-of-the-box, except you will need to disable OIDC Session Monitoring:
```csharp
services.AddOidc(new Uri("https://xxxxx.okta.com/oauth2/default/"), (settings, siteUri) =>
{
    settings.UseDefaultCallbackUris(siteUri);
    settings.ClientId = "xxxxxxxxxx";
    settings.ResponseType = "code";
    settings.Scope = "openid, xxxx";
    settings.MonitorSession = false; // <-----
});
```
I can confirm (like Azure B2C) that code-flow with PKCE is not yet available for Azure AD (you will get a CORS / 401 error when the client tries to exchange the auth code for the access token):
with "The origin 'https://xxxxxx' did not find 'https://xxxxx' in the Access-Control-Allow-Origin response header for cross-origin resource at 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token'." in the console.
But I got Implicit Flow working as follows:
Register an app following "Register an app with the Microsoft identity platform" (Microsoft Docs), using the Web template.
Settings can be found on the Active Directory "App Registrations" page.
On the Overview page, click the "Redirect URIs" link and add the following URIs:
https://{your_app}/oidc/callbacks/authentication-redirect
https://{your_app}/_content/Sotsera.Blazor.Oidc/authentication-popup.html
Under logout URI enter the following (unfortunately, only one is allowed): https://{your_app}/oidc/callbacks/logout-redirect
Under "Implicit grant" (the only choice available) select the Access and ID tokens.
Under "Default client type" choose "Treat application as a public client."
```csharp
services.AddOidc(
    new Uri("https://login.microsoftonline.com/{tenantId}/v2.0/"),
    (settings, siteUri) =>
    {
        settings.UseDefaultCallbackUris(siteUri);
        settings.ResponseType = "id_token token";
        settings.ClientId = "{clientId}";
        settings.Scope = "openid";
        settings.MonitorSession = false;
    });
```
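The decision that runs through this thread (use `code` only when the token endpoint answers CORS preflights for the SPA origin, fall back to `id_token token` otherwise, and set `LoadUserInfo` only when the userinfo endpoint is reachable too) as an added Python example; it is not code from the issue or from Sotsera.Blazor.Oidc. The discovery documents and preflight headers are constructed, and the B2C token path and the Okta `/v1/token` and `/v1/userinfo` paths are assumptions.

```python
import json

# Constructed, trimmed discovery documents; real ones come from each provider's
# MetadataEndpoint. Segments in {...} are placeholders, not real tenant values.
DISCOVERY_B2C = json.dumps({
    "issuer": "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/",
    "token_endpoint": "https://{tenant}.b2clogin.com/{assumed_token_path}",
    "userinfo_endpoint": "https://{tenant}.b2clogin.com/{tenant_guid}/openid/userinfo/",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
})
DISCOVERY_OKTA = json.dumps({
    "issuer": "https://xxxxx.okta.com/oauth2/default",
    "token_endpoint": "https://xxxxx.okta.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://xxxxx.okta.com/oauth2/default/v1/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
})
ORIGIN = "https://{your_client}"
# Constructed OPTIONS (preflight) response headers per endpoint: B2C sends none,
# Okta sends them once the origin is listed under Api > Trusted Origins > CORS.
PREFLIGHT_B2C = {}
PREFLIGHT_OKTA = {
    "https://xxxxx.okta.com/oauth2/default/v1/token": {"Access-Control-Allow-Origin": ORIGIN},
    "https://xxxxx.okta.com/oauth2/default/v1/userinfo": {"Access-Control-Allow-Origin": ORIGIN},
}

def cors_allows(headers, origin):
    """True when a preflight response lets a browser at `origin` call the endpoint."""
    allow = headers.get("Access-Control-Allow-Origin")
    return allow is not None and allow in ("*", origin)

def choose_settings(discovery_json, origin, preflight):
    """Derive ResponseType / LoadUserInfo from what the browser can actually reach.
    `preflight` maps endpoint URL to its OPTIONS response headers ({} = no CORS headers)."""
    doc = json.loads(discovery_json)
    supported = set(doc.get("response_types_supported", []))
    token_ok = cors_allows(preflight.get(doc["token_endpoint"], {}), origin)
    userinfo = doc.get("userinfo_endpoint")
    userinfo_ok = bool(userinfo) and cors_allows(preflight.get(userinfo, {}), origin)
    if "code" in supported and token_ok:
        response_type = "code"            # code + PKCE: tokens never travel in the URL fragment
    elif "id_token token" in supported:
        response_type = "id_token token"  # implicit fallback: the SPA cannot POST to /token
    else:
        raise ValueError("no browser-usable response_type among " + ", ".join(sorted(supported)))
    return {"ResponseType": response_type, "LoadUserInfo": userinfo_ok}

if __name__ == "__main__":
    print("B2C :", choose_settings(DISCOVERY_B2C, ORIGIN, PREFLIGHT_B2C))
    print("Okta:", choose_settings(DISCOVERY_OKTA, ORIGIN, PREFLIGHT_OKTA))
```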
Document the configurations needed for some Identity providers