From 75a57168060a8e80db5409af896625ee0f69956c Mon Sep 17 00:00:00 2001
From: Bogdan Gavril
Date: Wed, 23 Jul 2025 13:36:08 +0100
Subject: [PATCH 1/2] Update sign in sample to not use hybrid flow (implicit id token)
---
 1-WebApp-OIDC/1-1-MyOrg/README.md | 15 +++++++++------
 1-WebApp-OIDC/1-1-MyOrg/Startup.cs | 5 +++--
 1-WebApp-OIDC/1-1-MyOrg/appsettings.json | 8 +++++++-
 3 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/1-WebApp-OIDC/1-1-MyOrg/README.md b/1-WebApp-OIDC/1-1-MyOrg/README.md
index 04112db6..06dce8c0 100644
--- a/1-WebApp-OIDC/1-1-MyOrg/README.md
+++ b/1-WebApp-OIDC/1-1-MyOrg/README.md
@@ -96,10 +96,7 @@ As a first step you'll need to: - In the Redirect URIs section, select **Web** in the combo-box and enter the following redirect URIs. - `https://localhost:44321/` - `https://localhost:44321/signin-oidc` - - In the **Advanced settings** section set **Logout URL** to `https://localhost:44321/signout-oidc` - - In the **Advanced settings** | **Implicit grant** section, check **ID tokens** as this sample requires - the [ID Token](https://docs.microsoft.com/azure/active-directory/develop/id-tokens) to be enabled to - sign-in the user. + - In the **Advanced settings** section set **Logout URL** to `https://localhost:44321/signout-oidc`
Expand/collapse screenshot
@@ -109,7 +106,12 @@ As a first step you'll need to: 1. Select **Save**. -> Note that unless the Web App calls a Web API, no certificate or secret is needed. +1. In the app's registration screen, select the **Certificates & secrets** blade in the left to open the page where we can generate secrets and upload certificates. +1. In the **Client secrets** section, select **New client secret** and add a new secret + +> [!NOTE] +> Secrets are weak credentials. In production, use a federated credential if you are hosted on Azure, or a certificate otherwise. See https://aka.ms/idweb/client-credentials + ### Step 2: Download/ Clone this sample code or build the application using a template
@@ -132,7 +134,8 @@ cd "1-WebApp-OIDC\1-1-MyOrg" - replace the `ClientID` value with the *Application ID* from the application you registered in Application Registration portal on *Step 1*. - replace the `TenantId` value with the *Tenant ID* where you registered your Application on *Step 1*. - replace the `Domain` value with the *Microsoft Entra domain name*, e.g. contoso.onmicrosoft.com where you registered your Application on *Step 1*. - + - replace the `ClientSecret` value with the *client secret* you created in the previous step. + #### Option 2: Create the sample from the command line 1. Run the following command to create a sample from the command line using the `SingleOrg` template:
diff --git a/1-WebApp-OIDC/1-1-MyOrg/Startup.cs b/1-WebApp-OIDC/1-1-MyOrg/Startup.cs
index 237c0ccb..82e485e5 100644
--- a/1-WebApp-OIDC/1-1-MyOrg/Startup.cs
+++ b/1-WebApp-OIDC/1-1-MyOrg/Startup.cs
@@ -33,9 +33,10 @@ public void ConfigureServices(IServiceCollection services)
 options.HandleSameSiteCookieCompatibility();
 });
- // Sign-in users with the Microsoft identity platform
 services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
- .AddMicrosoftIdentityWebApp(options => Configuration.Bind("AzureAd", options));
+ .AddMicrosoftIdentityWebApp(options => Configuration.Bind("AzureAd", options))
+ .EnableTokenAcquisitionToCallDownstreamApi() // This is needed to exchange the authorization code for an ID Token
+ .AddInMemoryTokenCaches();
 services.AddControllersWithViews(options =>
 {
diff --git a/1-WebApp-OIDC/1-1-MyOrg/appsettings.json b/1-WebApp-OIDC/1-1-MyOrg/appsettings.json
index cb0a396a..77277cdd 100644
--- a/1-WebApp-OIDC/1-1-MyOrg/appsettings.json
+++ b/1-WebApp-OIDC/1-1-MyOrg/appsettings.json
@@ -5,7 +5,13 @@
 "TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
 "ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
 "CallbackPath": "/signin-oidc",
- "SignedOutCallbackPath": "/signout-callback-oidc"
+ "SignedOutCallbackPath": "/signout-callback-oidc",
+ "ClientCredentials": [
+ {
+ "SourceType": "ClientSecret", // Secrets are weak credentials. Use certificates or federated credentials instead. See https://aka.ms/idweb/client-credentials
+ "ClientSecret": "[Enter you secret here]"
+ }
+ ]
 },
 "Logging": {
 "LogLevel": {
From fecc7cbf3f2a8aceeba60239b5d4245a6de14046 Mon Sep 17 00:00:00 2001
From: Bogdan Gavril
Date: Wed, 23 Jul 2025 14:08:59 +0100
Subject: [PATCH 2/2] Update 1-WebApp-OIDC/1-1-MyOrg/appsettings.json
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 1-WebApp-OIDC/1-1-MyOrg/appsettings.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
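Review bot: The comment on `.EnableTokenAcquisitionToCallDownstreamApi()` says what the call is for but not what it changes or what it now depends on: it switches the sign-in from an `id_token` response to an authorization code, and redeeming that code is what requires the client credential this same commit adds under `AzureAd:ClientCredentials`, so presumably a missing or wrong secret surfaces as a failure at the sign-in callback rather than at startup. I would reword it to `// Switch sign-in to the authorization-code flow (response_type=code); the code is redeemed with the credential under AzureAd:ClientCredentials, so "ID tokens" no longer needs to be enabled under Implicit grant.` Removing the `// Sign-in users with the Microsoft identity platform` line leaves the `AddAuthentication` call with no comment at all; keeping it costs nothing. `.AddInMemoryTokenCaches()` holds the tokens obtained at code redemption in process memory, which is fine for a sample but worth a one-line comment that the cache is per process and not shared across instances or restarts. `ConfigureServices` starts and ends outside the hunk.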
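Review bot: The new `ClientSecret` placeholder lives in the tracked appsettings.json, and the README hunk in this same commit tells the reader to paste the real secret into that file, so the first commit after setup would capture a live credential. I would add a comment on the `ClientSecret` line such as `// Keep the placeholder in source control; supply the real value through dotnet user-secrets (key AzureAd:ClientCredentials:0:ClientSecret) or the AzureAd__ClientCredentials__0__ClientSecret environment variable.` Note also that the `//` comment on `SourceType` only parses because the ASP.NET Core JSON configuration provider skips comments; tools that read this file as strict JSON will reject it, which is worth a word in the README.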
diff --git a/1-WebApp-OIDC/1-1-MyOrg/appsettings.json b/1-WebApp-OIDC/1-1-MyOrg/appsettings.json
index 77277cdd..29192c87 100644
--- a/1-WebApp-OIDC/1-1-MyOrg/appsettings.json
+++ b/1-WebApp-OIDC/1-1-MyOrg/appsettings.json
@@ -9,7 +9,7 @@
 "ClientCredentials": [
 {
 "SourceType": "ClientSecret", // Secrets are weak credentials. Use certificates or federated credentials instead. See https://aka.ms/idweb/client-credentials
- "ClientSecret": "[Enter you secret here]"
+ "ClientSecret": "[Enter your secret here]"
 }
 ]
 },