sotsera / sotsera.blazor.oidc

OpenID Connect client for Blazor client-side projects
https://blazor-oidc.sotsera.com/
Apache License 2.0

Recipes for "special" identity servers #2

Open ghidello opened 4 years ago

ghidello commented 4 years ago

Document the configurations needed for some Identity providers

ghidello commented 4 years ago

Azure Active Directory B2C

var baseUri = new Uri(WebAssemblyUriHelper.Instance.GetBaseUri());
var issuerUri = new Uri("https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/");

services.AddOidc(new OidcSettings(issuerUri, baseUri)
{
    MetadataEndpoint = "https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?p={user_flow}",
    ClientId = "{application_guid}",
    ResponseType = "id_token token", // the token endpoint does not support CORS so the "code" response type cannot be used
    Scope = "openid https://{tenant}.onmicrosoft.com/{application}/{published_scope}",
    LoadUserInfo = false // user_info endpoint does not support CORS (https://{tenant}.b2clogin.com/{tenant_guid}/openid/userinfo/)
});

ghidello commented 4 years ago

Gitter

It can't be used because it supports only the code flow but the token endpoint does not support CORS. I'm documenting the configuration just for future reference.

var issuerUri = new Uri("https://gitter.im");
var baseUri = new Uri(WebAssemblyUriHelper.Instance.GetBaseUri());

services.AddOidc(new OidcSettings(issuerUri, baseUri)
{
    ClientId = "OAUTH KEY",
    ClientSecret = "OAUTH SECRET",
    ResponseType = "code", // Implicit flow not supported
    Scope = "openid",
    Endpoints = new OpenidEndpoints
    {
        Issuer = "https://gitter.im",
        AuthorizationEndpoint = "https://gitter.im/login/oauth/authorize",
        TokenEndpoint = "https://gitter.im/login/oauth/token",
        UserinfoEndpoint = "https://gitter.im/v1/user/me"
    }
});

brettwinters commented 4 years ago

Okta

Configure Okta

In Okta, after setting up your tenant, create an application using the "SPA" application type, which disables client secrets and selects "Use PKCE (for public clients)". Also make sure you select "Authorization Code" in the allowed grant types.

The redirection endpoint URI must be an absolute URI as defined by [RFC3986] Section 4.3. In the application's "General" tab, scroll down to the "Login" section and set up the redirect / logout URLs as follows:

Login redirect URIs:
https://{your_client}/oidc/callbacks/authentication-redirect
https://{your_client}/_content/Sotsera.Blazor.Oidc/authentication-popup.html

Logout redirect URIs:
https://{your_client}/oidc/callbacks/logout-redirect
https://{your_client}/_content/Sotsera.Blazor.Oidc/logout-popup.html

Then you will need to set up CORS. Go to the "API" menu and select "Trusted Origins". Press the "Add Origin" button, input the URI for your client (e.g. "https://{your_client}"), then select "CORS" and save your changes.

Configure Sotsera.Blazor.OIDC

Works out of the box, except that you will need to disable OIDC session monitoring:

services.AddOidc(new Uri("https://xxxxx.okta.com/oauth2/default/"), (settings, siteUri) =>
{
    settings.UseDefaultCallbackUris(siteUri);

    settings.ClientId = "xxxxxxxxxx";
    settings.ResponseType = "code";
    settings.Scope = "openid, xxxx";
    settings.MonitorSession = false; // <----- disable OIDC session monitoring
});
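Okta's "Use PKCE (for public clients)" setting means the authorization request carries a code_challenge and the later code exchange carries the matching code_verifier (RFC 7636). The following is an added example, not code from Sotsera.Blazor.Oidc or from this thread, showing both halves in Python: the client-side pair generation and the server-side check that makes an authorization code useless to anyone who does not hold the verifier. The authorization endpoint, client id and redirect URI in the usage call are placeholders in the same style as the thread's `xxxxx` values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Added example (not Sotsera.Blazor.Oidc code): PKCE as defined in RFC 7636,
# which is what Okta's "Use PKCE (for public clients)" option requires from
# a browser-based client that cannot keep a client secret.

# Characters allowed in a code_verifier (RFC 7636 section 4.1: unreserved chars).
VERIFIER_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                     "0123456789-._~")


def b64url(data: bytes) -> str:
    """Base64url without padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(length: int = 64) -> str:
    """High-entropy verifier of 43..128 unreserved characters; it never leaves the client
    until the code exchange."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(authorization_endpoint: str, client_id: str,
                            redirect_uri: str, scope: str, state: str,
                            verifier: str) -> str:
    """Authorization request for response_type=code; only the challenge is sent."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def server_accepts_exchange(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does at code exchange: recompute S256 over the
    presented code_verifier and compare it in constant time with the challenge
    stored alongside the authorization code. A leaked code on its own fails here."""
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Placeholder Okta-style endpoint and client values, not real ones.
    verifier = new_code_verifier()
    url = build_authorization_url(
        "https://xxxxx.okta.com/oauth2/default/v1/authorize", "xxxxxxxxxx",
        "https://{your_client}/oidc/callbacks/authentication-redirect",
        "openid", secrets.token_urlsafe(16), verifier)
    print(url)
    print(server_accepts_exchange(code_challenge_s256(verifier), verifier))
```

The `server_accepts_exchange` check is why the thread's Azure recipes have to fall back to the implicit flow: the code flow only gives its protection when the browser can actually reach the token endpoint, which requires CORS on that endpoint.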

brettwinters commented 4 years ago

Azure AD (Implicit Flow Only)

I can confirm (like Azure B2C) that code flow with PKCE is not yet available for Azure AD (you will get a CORS / 401 error when the client tries to exchange the auth code for the access token):

[screenshot of the browser console]

with "The origin 'https://xxxxxx' did not find 'https://xxxxx' in the Access-Control-Allow-Origin response header for cross-origin resource at 'https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token'." in the console.

But I got Implicit Flow working as follows:

Setup Azure

Follow "Register an app with the Microsoft identity platform" (Microsoft Docs) using the Web template.

Settings can be found on the Active Directory "App Registrations" page.

On the Overview page, click the "Redirect URIs" link and add the following URIs:
https://{your_app}/oidc/callbacks/authentication-redirect
https://{your_app}/_content/Sotsera.Blazor.Oidc/authentication-popup.html

Under logout URI enter the following (unfortunately, only one is allowed): https://{your_app}/oidc/callbacks/logout-redirect

Under "Implicit grant" (the only choice available) select Access tokens and ID tokens.

Under "Default client" type choose "Treat application as a public client."

Setup Sotsera.Blazor.Oidc

services.AddOidc(
    new Uri("https://login.microsoftonline.com/{tenantId}/v2.0/"),
    (settings, siteUri) =>
    {
        settings.UseDefaultCallbackUris(siteUri);
        settings.ResponseType = "id_token token"; // implicit flow: tokens are returned in the URL fragment
        settings.ClientId = "{clientId}";
        settings.Scope = "openid";
        settings.MonitorSession = false;
    });
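The B2C recipe earlier in the thread and this one both use ResponseType "id_token token", so the tokens come back in the redirect URL fragment instead of from a token endpoint the client called itself. What the client must then verify on its own is shown below as an added Python example (not code from Sotsera.Blazor.Oidc or from this thread): the state against CSRF, the id_token signature, iss/aud/exp, the nonce against replay, and at_hash so that the access token in the fragment is the one the provider bound to this id_token. The issuer, client id, callback URL and signing key are constructed placeholders, and the id_token is HS256-signed with a demo key purely so the example runs offline; Azure AD and B2C sign with RS256 and the verification key comes from the jwks_uri in the metadata document.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not code from Sotsera.Blazor.Oidc. With ResponseType
# "id_token token" the tokens arrive in the redirect URL fragment, so the
# client has to bind them to its own request: state (CSRF), nonce (replay)
# and at_hash (the access token really belongs to this id_token).
# The id_token here is a constructed HS256 token signed with a demo key;
# real providers sign with RS256 and the key comes from the JWKS endpoint.

DEMO_KEY = b"constructed-demo-signing-key"                 # constructed, not real
DEMO_ISSUER = "https://idp.example.test/v2.0/"             # placeholder issuer
DEMO_CLIENT_ID = "00000000-0000-0000-0000-000000000000"    # placeholder client id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash(access_token: str) -> str:
    """OIDC Core 3.2.2.9: base64url of the left-most 128 bits of SHA-256(access_token)."""
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest()[:16])


def sign_hs256(claims: dict, key: bytes) -> str:
    """Demo signer standing in for the provider (real IdPs use RS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def make_demo_callback(nonce: str, state: str, access_token: str, issued_at: int) -> str:
    """Construct the redirect the provider would send back (sample input, not captured)."""
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "sub": "user-123",
              "iat": issued_at, "exp": issued_at + 3600,
              "nonce": nonce, "at_hash": at_hash(access_token)}
    fragment = urlencode({"id_token": sign_hs256(claims, DEMO_KEY),
                          "access_token": access_token, "token_type": "Bearer",
                          "state": state})
    return "https://app.example.test/oidc/callbacks/authentication-redirect#" + fragment


def parse_fragment(callback_url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(callback_url).fragment).items()}


def validate_implicit_response(callback_url, expected_state, expected_nonce,
                               issuer, client_id, key, now=None) -> dict:
    """Return the id_token claims, or raise ValueError naming the failed check."""
    params = parse_fragment(callback_url)
    if "error" in params:
        raise ValueError(f"provider returned error: {params['error']}")
    if not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch")
    try:
        header_b64, payload_b64, sig_b64 = params["id_token"].split(".")
    except (KeyError, ValueError):
        raise ValueError("missing or malformed id_token")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not pick its own algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")
    if not hmac.compare_digest(str(claims.get("at_hash", "")),
                               at_hash(params.get("access_token", ""))):
        raise ValueError("at_hash mismatch")
    return claims


def validation_error(*args, **kwargs):
    """Convenience wrapper: the failing check's message, or None when the response is valid."""
    try:
        validate_implicit_response(*args, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```

The nonce and at_hash checks are the ones specific to this response type: without them an id_token and access token captured from one redirect could be replayed into another session, or an access token issued to a different client could be paired with a valid id_token. The `state` and `nonce` values compared here are the ones the client generated and stored before redirecting to the provider.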