Adding authentication to an ASP.NET Core app using Asgardeo
ASP.NET Core is a cross-platform, open-source web framework that allows you to develop MVC applications and Web APIs with ease. This article will explore how we can easily add authentication to an ASP.NET Core 7.0 MVC application using Asgardeo.
I will be using C# to write this application and will be using the Web Application (MVC) boilerplate code provided by the Visual Studio IDE. So, first, go ahead and create a Web Application in Visual Studio.
Next, run the application and make note of the application’s URL origin because we will be using it to generate the callback URLs. Now that we have a simple application running, let’s create an OpenID Connect application in Asgardeo.
Create an OpenID Connect Asgardeo application
To that end, go to the Console app of Asgardeo and sign in to your tenant. Then, click on “Applications” on the side panel and click on “New Application” to create a new application. Since we are going to create a server-side application, select “Traditional Web Application”. Then, provide a name for your application and select OpenID Connect as the protocol. Now, remember the URL of the application we noted down? Now, append “signin-oidc” to the origin of this URL and add that as an authorized redirect URL. This will be the URL to which Asgardeo will redirect the user after signing in. Next, add the URL origin of the application as an authorized URL as well. We will redirect the user to the origin following a sign-out. Click on the “Allow” button to add the origin to the CORS whitelist.
Finally, click on “Register” to create the application. Once done, proceed to the “Protocol” tab and check “Refresh Token” and “Code” under “Allowed grant types”. Click on “Update” to save the changes.
Next, click on the “User Attributes” tab, expand “Profile” and tick “Username”, “First Name”, “Last Name”, and “URL”. Once again, click on “Update” to save the changes. Then, go back to the “Protocol” tab again and copy the “Client ID” and “Client secret”.
Add OIDC config to the ASP.NET application
Now, go back to Visual Studio and open the “appsettings.json” file. Here, create a new attribute at the root of the JSON object called “Asgardeo” and add the following attributes under it:
- Tenant
- ClientID
- ClientSecret
Add the name of your tenant, client ID, and client secret you just copied against the respective keys. The file should now look like this:
Add authentication using the ASP.NET OpenIdConnect library
Next, go to the “program.cs” file and add the following code.
This code fetches the configuration from the “appsettings.json” file and sets it to a variable called “Configuration”. Once you add this code, add the following code above the line where the “Build” method of the “builder” object is called.
Here, we use the native OpenID Connect library of ASP.NET core to add authentication to our app. We first mention that we will be using cookies to authenticate the session between the user’s browser and the server. Then, we mention that we will use OIDC as the challenge scheme. Finally, add cookie authentication and the OIDC configuration. If you want to request more scopes, you can do that by using the “Add” method of the “Scope” collection. Finally, add the following code before the “MapControllerRoute” method.
Your “program.cs” file should look like this now:
Implement login and logout
We have now added authentication to our app. Let’s now implement the login and logout logic. To do that, let’s create a controller in the “Controllers” folder called “IdentityController”. Add the following code inside the controller file.
In this controller class, we first pass a parameter called configuration into the constructor. This will make the framework inject the configuration defined in the “appsettings.json” file as a dependency. Then, we create two actions called “Login” and “Logout”. The “Login” action calls the “Challenge” method to initiate login. The “Logout” method clears the authentication cookie and information before redirecting the user to the logout endpoint of Asgardeo.
We have now written the logic to log in and log out. Let’s now add login and logout links to our app to execute this logic. I am going to add these links below the unordered list in the nav bar of the “_Layout.cshtml” page under the “Shared” directory in the “Views” directory.
This code shows the login link if the user is not logged in and the user’s name and the logout link if the user is logged in. Here, I have created a util method to get the user’s name from the id token claims. The method is as follows:
Once you implement this, you should be able to log in to and log out of Asgardeo from your web application.
Display sensitive information to authorized users
Before we wrap up, let’s create a page that can be accessed only by authenticated users. This page should show the claims, the access token, the refresh token, and the id token. We will also send an API request to the “userinfo” endpoint of Asgardeo, obtain the profile picture URL of the user, and show the profile picture on this page.
To that end, add the following action method to the “HomeController”.
Here, the “Authorize” decorator tells the framework that this action should only be accessible to authenticated users. If unauthenticated users access this action, they will be redirected to the sign-in flow. In this method, we get the tokens from “HttpContext” and the profile picture URL from the “userinfo” endpoint, and set them to the “Secure” model. An instance of this model class is injected as an argument into the “View” method. The “Secure” model class is defined as follows:
Now, let’s create the “Secure” page under the “Home” directory in the “Views” directory.
This page obtains the data injected from the action method through the “Model” object and displays them. Now, let’s add a link to this page in the “_Layout.cshtml” page under the “Home” and “Privacy” links.
That’s it. We are done and, now, your app should look like this:
In this article, we looked at how we can use Asgardeo to add authentication to an ASP.NET Core MVC application. We configured our application, added login and logout, and created a page to show the user’s tokens, claims, and profile picture. As we have seen, integrating Asgardeo with a .NET application is straightforward and easy! You can find the codebase of the application we developed here.
Leave a Reply