This repository provides a demo identity server Moryx.Identity.IdentityServer that reference the Moryx.Identity.AccessManagement package and a demo application StartProject.Asp that relies on this server for authentication.
- The
Moryx.Identity.IdentityServerproject provides an example for an MORYX Access Management server application. It can be started to run the server locally under identity.dev.localhost - The
StartProject.Aspproject provides an example on how to integrate an IAM server connection to any Asp.Net application. Refer to theStartup.csfor the code that is also given in the snippets in the Access Management repository.
- Setup host mappings on your system. For that, add the following two lines to your hosts file under C:\Windows\System32\drivers\etc\hosts
127.0.0.1 identity.dev.localhost
127.0.0.1 app.dev.localhost
Important: The line-endings in the file need to be (LF) for the .Net
HttpClientto use them propperly
- Trust the provided self-signed certificate. For that,
- Open the
certmgrapplication - Select the Trusted Root Certification Authorities
- Select Action -> All Tasks -> Import...
- Select Next -> Browse
- Find the localhost.crt file and click Next -> Next -> Finish
- Open the
- (Optional) Adjust
appsettings.jsonin both applications according to your database configuration - Build and run
Moryx.Identity.IdentityServerandStartProject.Asp(or your own application that should interact with the IAM server)
Note: The default seeding of the
Moryx.Identity.IdentityServerconfigures the following SuperAdmin. Change it for your production environments! User:admin
Password:Admin1!
Global Role: SuperAdmin
Background Information
- The MORYX Access Management provides the authentication token via a cookie thta is configured to be Secure and HttpOnly
- Cookies (if configured accordingly) are shared between subdomains with propper ssl encryptions, not on localhost however
- The dotnet dev-certs tool does only allow self-signed certificates for localhost, not for any other (sub-)domains
In order to modify the domains identity.dev.localhost and app.dev.localhost in your local environment you have to
- Create or modify a configuration file similar to localhost.conf
- Run the following command in the Git Bash (it comes with OpenSSL preinstalled)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf - Convert the certificate to PFX format:
winpty openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt - Replace the paths to the certificate in the
appsettings.jsonfiles in both applications - Follow the Initial setup of the local development environment
Once the application is started with the seed, the api is described in Swagger and can be downloaded as an OpenApi spec.
You need the Microsoft identity packages. Make sure that these packages are installed.
<ItemGroup>
<!-- Asp.Net Core dependencies -->
<PackageReference Include="Microsoft.AspNetCore.Identity.UI" />
<PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" />
+ <PackageReference Include="Microsoft.Identity.Web" />
+ <PackageReference Include="Microsoft.Identity.Web.DownstreamApi" />
+ <PackageReference Include="Microsoft.Identity.Web.UI" />
...
</ItemGroup>Use the following code snipped in you Program.cs to get started:
...
const string entraIdConfigName = "EntraId";
const string downstreamApiConfigName = "DownstreamApi";
if (builder.Configuration.GetSection(entraIdConfigName).Exists())
{
IEnumerable<string> initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');
// If you want to use the OpenIdConnect scheme more than once, you have to specify here a custom name (e.g. "MicrosoftSingleSignOn") and use it in the controller where you want to use it for authentication
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, entraIdConfigName,
OpenIdConnectDefaults.AuthenticationScheme)
.EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
.AddDownstreamApi("DownstreamApi", builder.Configuration.GetSection(downstreamApiConfigName))
.AddInMemoryTokenCaches();
}
...
builder.Services.AddRazorPages()
.AddMicrosoftIdentityUI();
...In addition the following entries in the appsettings.json must be configured:
...
"EntraId": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "YOUR-TENNANT-ID",
"ClientId": "YOUR-CLIENT-ID",
"ClientSecret": "YOUR-CLIENT-SECRET",
"CallbackPath": "/signin-oidc"
},
"DownstreamApi": {
"BaseUrl": "https://graph.microsoft.com/v1.0/",
"AcquireTokenOptions": {
"AuthenticationOptionsName": "OpenIdConnect"
},
"RelativePath": "me",
"Scopes": [
"User.Read"
]
}
...- The access management system requests an authorization code and delegates a private dialogue with the user to the Microsoft identity platform. If the dialogue ends successfully, the web app receives an authorization code at its redirect URI.
- Afterwards, the access management system requests an access token for the API by redeeming the authorization code.
- In the specific case of the single-sign-on endpoint of the access management system, the user is checked against the database and created if they do not already exist. Otherwise, the user information is updated by the leading system (EntraID).
- Finally, the default login via cookie authentication is performed. From that point on, the access management system is responsible for the permissions and roles assigned to the user.
For more detailled information visit https://learn.microsoft.com/en-us/entra/identity-platform/scenario-web-app-call-api-app-configuration?tabs=aspnetcore