diff --git a/aspnetcore/blazor/security/blazor-web-app-with-entra.md b/aspnetcore/blazor/security/blazor-web-app-with-entra.md index 4a81ea3ba0af..20958d8f7a7c 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-entra.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-entra.md @@ -95,6 +95,25 @@ Example: The callback path (`CallbackPath`) must match the redirect URI (login callback path) configured when registering the application in the Entra or Azure portal. Paths are configured in the **Authentication** blade of the app's registration. The default value of `CallbackPath` is `/signin-oidc` for a registered redirect URI of `https://localhost/signin-oidc` (a port isn't required). +The (configuration key: "`SignedOutCallbackPath`") is the request path within the app's base path intercepted by the OpenID Connect handler where the user agent is first returned after signing out from Entra. The sample app doesn't set a value for the path because the default value of "`/signout-callback-oidc`" is used. After intercepting the request, the OpenID Connect handler finally redirects to the or , if specified. + +Configure the signed-out callback path in the app's Entra registration. In the Entra or Azure portal, set the path in the **Web** platform configuration's **Redirect URI** entries: + +> :::no-loc text="https://localhost/signout-callback-oidc"::: + +> [!NOTE] +> A port isn't required for `localhost` addresses when using Entra. + +If you don't add the signed-out callback path URI to the app's registration in Entra, Entra refuses to redirect the user back to the app and merely asks them to close their browser window. + + + +> [!NOTE] +> Entra currently only redirects back to the if the `microsoftonline.com` Authority (`https://login.microsoftonline.com/{TENANT ID}/v2.0/`) is used. This limitation doesn't exist if you can use the "common" Authority with Microsoft Identity Web. For more information, see [postLogoutRedirectUri not working when authority url contains a tenant ID (`AzureAD/microsoft-authentication-library-for-js` #5783)](https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/5783). + [!INCLUDE[](~/blazor/security/includes/secure-authentication-flows.md)] ### Establish the client secret diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md index cd03d687c79a..38ec7cb128a5 100644 --- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md +++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md @@ -27,6 +27,8 @@ The following specification is covered: * Automatic non-interactive token refresh. * Securely calls a (web) API in the server project for data. +For an alternative experience using [Microsoft Authentication Library for .NET](/entra/msal/dotnet/), [Microsoft Identity Web](/entra/msal/dotnet/microsoft-identity-web/), and [Microsoft Entra ID](https://www.microsoft.com/security/business/identity-access/microsoft-entra-id), see . + ## Sample app The sample app consists of two projects: @@ -130,14 +132,15 @@ The following : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. - - In the Entra or Azure portal's **Implicit grant and hybrid flows** app registration configuration, do **not** select either checkbox for the authorization endpoint to return **Access tokens** or **ID tokens**. The OIDC handler automatically requests the appropriate tokens using the code returned from the authorization endpoint. +* : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. The OIDC handler automatically requests the appropriate tokens using the code returned from the authorization endpoint. ```csharp oidcOptions.ResponseType = OpenIdConnectResponseType.Code; ``` + > [!NOTE] + > In the Entra or Azure portal's **Implicit grant and hybrid flows** app registration configuration, do **not** select either checkbox for the authorization endpoint to return **Access tokens** or **ID tokens**. + * and configuration of and : Many OIDC servers use "`name`" and "`role`" rather than the SOAP/WS-Fed defaults in . When is set to `false`, the handler doesn't perform claims mappings, and the claim names from the JWT are used directly by the app. The following example sets the role claim type to "`roles`," which is appropriate for [Microsoft Entra ID (ME-ID)](https://www.microsoft.com/security/business/microsoft-entra). Consult your identity provider's documentation for more information. > [!NOTE] @@ -153,33 +156,30 @@ The following : The request path within the app's base path where the user-agent is returned. - In the Entra or Azure portal, set the path in the **Web** platform configuration's **Redirect URI**: + Configure the signed-out callback path in the app's OIDC provider registration. In the following example, the `{PORT}` placeholder is the app's port: - > :::no-loc text="https://localhost/signin-oidc"::: + > :::no-loc text="https://localhost:{PORT}/signin-oidc"::: > [!NOTE] - > A port isn't required for `localhost` addresses when using Microsoft Entra ID. Most other OIDC providers require a correct port. + > A port isn't required for `localhost` addresses when using Microsoft Entra ID. Most other OIDC providers require the correct port. - * : The request path within the app's base path where the user agent is returned after sign out from the identity provider. + * (configuration key: "`SignedOutCallbackPath`"): The request path within the app's base path intercepted by the OIDC handler where the user agent is first returned after signing out from Entra. The sample app doesn't set a value for the path because the default value of "`/signout-callback-oidc`" is used. After intercepting the request, the OIDC handler finally redirects to the or , if specified. - In the Entra or Azure portal, set the path in the **Web** platform configuration's **Redirect URI**: + Configure the signed-out callback path in the app's OIDC provider registration. In the following example, the `{PORT}` placeholder is the app's port: - > :::no-loc text="https://localhost/signout-callback-oidc"::: + > :::no-loc text="https://localhost:{PORT}/signout-callback-oidc"::: > [!NOTE] - > A port isn't required for `localhost` addresses when using Microsoft Entra ID. Most other OIDC providers require a correct port. - - > [!NOTE] - > If using Microsoft Identity Web, the provider currently only redirects back to the if the `microsoftonline.com` Authority (`https://login.microsoftonline.com/{TENANT ID}/v2.0/`) is used. This limitation doesn't exist if you can use the "common" Authority with Microsoft Identity Web. For more information, see [postLogoutRedirectUri not working when authority url contains a tenant ID (`AzureAD/microsoft-authentication-library-for-js` #5783)](https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/5783). + > When using Microsoft Entra ID, set the path in the **Web** platform configuration's **Redirect URI** entries in the Entra or Azure portal. A port isn't required for `localhost` addresses when using Entra. Most other OIDC providers require the correct port. If you don't add the signed-out callback path URI to the app's registration in Entra, Entra refuses to redirect the user back to the app and merely asks them to close their browser window. * : Requests received on this path cause the handler to invoke sign-out using the sign-out scheme. - In the Entra or Azure portal, set the **Front-channel logout URL**: + In the following example, the `{PORT}` placeholder is the app's port: > :::no-loc text="https://localhost/signout-oidc"::: > [!NOTE] - > A port isn't required for `localhost` addresses when using Microsoft Entra ID. Most other OIDC providers require a correct port. + > When using Microsoft Entra ID, set the **Front-channel logout URL** in the Entra or Azure portal. A port isn't required for `localhost` addresses when using Entra. Most other OIDC providers require the correct port. ```csharp oidcOptions.CallbackPath = new PathString("{PATH}"); @@ -367,12 +367,15 @@ The following ): The `Weather.Get` scope is configured in the Azure or Entra portal under **Expose an API**. This is necessary for backend web API project (`MinimalApiJwt`) to validate the access token with bearer JWT. +* Scopes for obtaining weather data from the web API (): This is necessary for backend web API project (`MinimalApiJwt`) to validate the access token with bearer JWT. ```csharp oidcOptions.Scope.Add("{APP ID URI}/{API NAME}"); ``` + > [!NOTE] + > When using Microsoft Entra ID, the `Weather.Get` scope is configured in the Azure or Entra portal under **Expose an API**. + Example: * App ID URI (`{APP ID URI}`): `https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID}` @@ -420,14 +423,15 @@ The following : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. - - In the Entra or Azure portal's **Implicit grant and hybrid flows** app registration configuration, do **not** select either checkbox for the authorization endpoint to return **Access tokens** or **ID tokens**. The OIDC handler automatically requests the appropriate tokens using the code returned from the authorization endpoint. +* : Configures the OIDC handler to only perform authorization code flow. Implicit grants and hybrid flows are unnecessary in this mode. The OIDC handler automatically requests the appropriate tokens using the code returned from the authorization endpoint. ```csharp oidcOptions.ResponseType = OpenIdConnectResponseType.Code; ``` + > [!NOTE] + > When using Microsoft Entra ID, do **not** select either checkbox for the authorization endpoint to return **Access tokens** or **ID tokens** in **Implicit grant and hybrid flows** app registration configuration. + * and configuration of and : Many OIDC servers use "`name`" and "`role`" rather than the SOAP/WS-Fed defaults in . When is set to `false`, the handler doesn't perform claims mappings and the claim names from the JWT are used directly by the app. The following example sets the role claim type to "`roles`," which is appropriate for [Microsoft Entra ID (ME-ID)](https://www.microsoft.com/security/business/microsoft-entra). Consult your identity provider's documentation for more information. > [!NOTE] @@ -441,35 +445,30 @@ The following : The request path within the app's base path where the user-agent is returned. - - In the Entra or Azure portal, set the path in the **Web** platform configuration's **Redirect URI**: + Configure the signed-out callback path in the app's OIDC provider registration. In the following example, the `{PORT}` placeholder is the app's port: - > :::no-loc text="https://localhost/signin-oidc"::: + > :::no-loc text="https://localhost:{PORT}/signin-oidc"::: > [!NOTE] - > A port isn't required for `localhost` addresses. + > A port isn't required for `localhost` addresses when using Microsoft Entra ID. Most other OIDC providers require the correct port. - * : The request path within the app's base path where the user agent is returned after sign out from the identity provider. + * (configuration key: "`SignedOutCallbackPath`"): The request path within the app's base path where the user agent is returned after sign out from the OIDC identity provider. Typically, the app's configuration relies on the default value of "`/signout-callback-oidc`". - In the Entra or Azure portal, set the path in the **Web** platform configuration's **Redirect URI**: + Configure the signed-out callback path in the app's OIDC provider registration. In the following example, the `{PORT}` placeholder is the app's port: - > :::no-loc text="https://localhost/signout-callback-oidc"::: + > :::no-loc text="https://localhost:{PORT}/signout-callback-oidc"::: > [!NOTE] - > A port isn't required for `localhost` addresses. - - > [!NOTE] - > If using Microsoft Identity Web, the provider currently only redirects back to the if the `microsoftonline.com` Authority (`https://login.microsoftonline.com/{TENANT ID}/v2.0/`) is used. This limitation doesn't exist if you can use the "common" Authority with Microsoft Identity Web. For more information, see [postLogoutRedirectUri not working when authority url contains a tenant ID (`AzureAD/microsoft-authentication-library-for-js` #5783)](https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/5783). + > When using Microsoft Entra ID, set the path in the **Web** platform configuration's **Redirect URI** entries in the Entra or Azure portal. A port isn't required for `localhost` addresses when using Entra. Most other OIDC providers require the correct port. If you don't add the signed-out callback path URI to the app's registration in Entra, Entra refuses to redirect the user back to the app and merely asks them to close their browser window. * : Requests received on this path cause the handler to invoke sign-out using the sign-out scheme. - In the Entra or Azure portal, set the **Front-channel logout URL**: + In the following example, the `{PORT}` placeholder is the app's port: > :::no-loc text="https://localhost/signout-oidc"::: > [!NOTE] - > A port isn't required for `localhost` addresses. + > When using Microsoft Entra ID, set the **Front-channel logout URL** in the Entra or Azure portal. A port isn't required for `localhost` addresses when using Entra. Most other OIDC providers require the correct port. ```csharp oidcOptions.CallbackPath = new PathString("{PATH}"); @@ -548,14 +547,15 @@ The `MinimalApiJwt` project is a backend web API for multiple frontend projects. Configure the project in the of the call in the project's `Program` file: -* : Sets the Audience for any received OpenID Connect token. - - In the Azure or Entra portal: Match the value to just the path of the **Application ID URI** configured when adding the `Weather.Get` scope under **Expose an API**: +* : Sets the Audience for any received OIDC token. ```csharp jwtOptions.Audience = "{APP ID URI}"; ``` + > [!NOTE] + > When using Microsoft Entra ID, match the value to just the path of the **Application ID URI** configured when adding the `Weather.Get` scope under **Expose an API** in the Azure or Entra portal. + Example: App ID URI (`{APP ID URI}`): `https://{DIRECTORY NAME}.onmicrosoft.com/{CLIENT ID}`: @@ -577,7 +577,7 @@ Configure the project in the : Sets the Authority for making OpenID Connect calls. Match the value to the Authority configured for the OIDC handler in `BlazorWebAppOidc/Program.cs`: +* : Sets the Authority for making OIDC calls. Match the value to the Authority configured for the OIDC handler in `BlazorWebAppOidc/Program.cs`: ```csharp jwtOptions.Authority = "{AUTHORITY}"; diff --git a/aspnetcore/security/authentication/configure-oidc-web-authentication.md b/aspnetcore/security/authentication/configure-oidc-web-authentication.md index 52c66755d823..c4f6b90a5c85 100644 --- a/aspnetcore/security/authentication/configure-oidc-web-authentication.md +++ b/aspnetcore/security/authentication/configure-oidc-web-authentication.md @@ -23,6 +23,10 @@ This article covers the following areas: * Backend for frontend (BFF) security architecture * Advanced features, standards, extending the an OpenID Connect client +For an alternative experience using [Microsoft Authentication Library for .NET](/entra/msal/dotnet/), [Microsoft Identity Web](/entra/msal/dotnet/microsoft-identity-web/), and [Microsoft Entra ID](https://www.microsoft.com/security/business/identity-access/microsoft-entra-id), see [Quickstart: Sign in users and call the Microsoft Graph API from an ASP.NET Core web app (Azure documentation)](/entra/identity-platform/quickstart-web-app-dotnet-core-sign-in). + +For an example using Microsoft Entra External ID OIDC server, see [Sign in users for a sample ASP.NET Core web app in an external tenant](/entra/external-id/customers/sample-web-app-dotnet-sign-in) and [An ASP.NET Core web app authenticating users against Microsoft Entra External ID using Microsoft Identity Web](/samples/azure-samples/ms-identity-ciam-dotnet-tutorial/ms-identity-ciam-dotnet-tutorial-1-sign-in-aspnet-core-mvc/). + ## What is an OpenID Connect confidential interactive client [OpenID Connect](https://openid.net/developers/how-connect-works/) can be used to implement authentication in ASP.NET Core applications. The recommended way is to use an OpenID Connect confidential client using the code flow. Using the [Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://datatracker.ietf.org/doc/html/rfc7636) is recommended for this implementation. Both the application client and the user of the application are authenticated in the confidential flow. The application client uses a client secret or a client assertion to authenticate. @@ -44,15 +48,15 @@ The following section shows how to implement an OpenID Connect client in an empt ### Add OpenID Connect support -Add the [Microsoft.AspNetCore.Authentication.OpenIdConnect](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.OpenIdConnect) Nuget packages to the ASP.NET Core project. +Add the [`Microsoft.AspNetCore.Authentication.OpenIdConnect`](https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.OpenIdConnect) Nuget packages to the ASP.NET Core project. ### Setup the OpenID Connect client -Add the authentication to the web application using the builder.Services in the **Program.cs** file. The configuration is dependent on the OpenID Connect server. Each OpenID Connect server requires small differences in the setup. +Add the authentication to the web application using the builder.Services in the `Program.cs` file. The configuration is dependent on the OpenID Connect server. Each OpenID Connect server requires small differences in the setup. The OpenID Connect handler is used for challenges and signout. The cookie is used to handle the session in the web application. The default schemes for the authentication can be specified as required. -See the ASP.NET Core [authentication-handler](xref: security/authentication/index?view=aspnetcore-8.0#authentication-handler) for details. +For more information, see the [ASP.NET Core `authentication-handler` guidance](xref:security/authentication/index#authentication-handler). ```csharp builder.Services.AddAuthentication(options => @@ -81,23 +85,23 @@ builder.Services.AddAuthentication(options => }); ``` -See [Secure an ASP.NET Core Blazor Web App with OpenID Connect (OIDC)](xref:blazor/security/blazor-web-app-oidc) for details on the different OpenID Connect options. +For details on the different OpenID Connect options, see . -See [Mapping, customizing, and transforming claims in ASP.NET Core](xref:security/authentication/claims) for the different claims mapping possibilities. +For the different claims mapping possibilities, see . > [!NOTE] > The following namespaces are required: - -```csharp -using Microsoft.AspNetCore.Authentication.Cookies; -using Microsoft.AspNetCore.Authentication.OpenIdConnect; -using Microsoft.IdentityModel.Protocols.OpenIdConnect; -using Microsoft.IdentityModel.Tokens; -``` +> +> ```csharp +> using Microsoft.AspNetCore.Authentication.Cookies; +> using Microsoft.AspNetCore.Authentication.OpenIdConnect; +> using Microsoft.IdentityModel.Protocols.OpenIdConnect; +> using Microsoft.IdentityModel.Tokens; +> ``` ### Setup the configuration properties -Add the OpenID Connect client settings to the application configuration properties. The settings must match the client configuration in the OpenID Connect server. No secrets should be persisted in application settings where they might get accidently checked in. Secrets should be stored in a secure location like Azure Key Vault in production environments or in user secrets in a development environment. See [App Secrets](xref:security/app-secrets). +Add the OpenID Connect client settings to the application configuration properties. The settings must match the client configuration in the OpenID Connect server. No secrets should be persisted in application settings where they might get accidentally checked in. Secrets should be stored in a secure location like Azure Key Vault in production environments or in user secrets in a development environment. For more informaiton, see . ```json "OpenIDConnectSettings": { @@ -109,9 +113,20 @@ Add the OpenID Connect client settings to the application configuration properti }, ``` +### Signed-out callback path configuration + +The (configuration key: "`SignedOutCallbackPath`") is the request path within the app's base path intercepted by the OpenID Connect handler where the user agent is first returned after signing out from Entra. The sample app doesn't set a value for the path because the default value of "`/signout-callback-oidc`" is used. After intercepting the request, the OpenID Connect handler finally redirects to the or , if specified. + +Configure the signed-out callback path in the app's OIDC provider registration. In the following example, the `{PORT}` placeholder is the app's port: + +> :::no-loc text="https://localhost:{PORT}/signout-callback-oidc"::: + +> [!NOTE] +> When using Microsoft Entra ID, set the path in the **Web** platform configuration's **Redirect URI** entries in the Entra or Azure portal. A port isn't required for `localhost` addresses when using Entra. Most other OIDC providers require the correct port. If you don't add the signed-out callback path URI to the app's registration in Entra, Entra refuses to redirect the user back to the app and merely asks them to close their browser window. + ### Update the ASP.NET Core pipeline method in the program class. -The UseRouting must be implemented before the UseAuthorization method. +The `UseRouting` method must be implemented before the `UseAuthorization` method. ```csharp app.UseHttpsRedirection(); @@ -126,13 +141,13 @@ app.MapRazorPages(); ### Force authorization -Add the Authorize attribute to the protected razor pages, for example the Index.cshtml.cs file +Add the [`[Authorize]` attribute](xref:Microsoft.AspNetCore.Authorization.AuthorizeAttribute) to the protected Razor pages: ```csharp [Authorize] ``` -A better way would be to force the whole application to be authorized and opt out for unsecure pages +A better approach is to force authorization for the whole app and opt out for unsecure pages: ```csharp var requireAuthPolicy = new AuthorizationPolicyBuilder() @@ -143,11 +158,11 @@ builder.Services.AddAuthorizationBuilder() .SetFallbackPolicy(requireAuthPolicy); ``` -### Add a new Logout.cshtml and SignedOut.cshtml Razor page to the project +### Add a new `Logout.cshtml` and `SignedOut.cshtml` Razor pages to the project -A logout is required to sign-out both the cookie session and the OpenID Connect session. The whole application needs to redirect to the OpenID Connect server to sign-out. After a successful sign-out, the application will open the RedirectUri route. +A logout is required to sign out both the cookie session and the OpenID Connect session. The whole app needs to redirect to the OpenID Connect server to sign out. After a successful sign out, the app opens the `RedirectUri` route. -Implement a default sign-out page and change the Logout razor page code with this: +Implement a default sign-out page and change the `Logout` razor page code to the following: ```csharp [Authorize] @@ -167,7 +182,7 @@ public class LogoutModel : PageModel } ``` -The `SignedOut.cshtml` requires the AllowAnonymous attribute. +The `SignedOut.cshtml` requires the [`[AllowAnonymous]` attribute](xref:Microsoft.AspNetCore.Authorization.AllowAnonymousAttribute): ```csharp [AllowAnonymous] @@ -179,13 +194,13 @@ public class SignedOutModel : PageModel } ``` -### Implement Login Page +### Implement `Login` page -A Login Razor Page can also be implemented to call the **ChallengeAsync** directly with the required AuthProperties. This is not required if the whole web application requires authentication and the default Challenge is used. +A `Login` Razor page can also be implemented to call the `ChallengeAsync` directly with the required `AuthProperties`. This isn't required if the web app requires authentication and the default challenge is used. -The `login.cshtml` requires the AllowAnonymous attribute. +The `Login.cshtml` page requires the [`[AllowAnonymous]` attribute](xref:Microsoft.AspNetCore.Authorization.AllowAnonymousAttribute): -``` +```cshtml using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; @@ -229,7 +244,7 @@ public class LoginModel : PageModel ``` -### Add a login, logout button for the user. +### Add a login and logout button for the user ``` @if (Context.User.Identity!.IsAuthenticated) @@ -254,7 +269,7 @@ else The OpenID Connect options can be used to map claims, implement handlers or even save the tokens in the session for later usage. -The **Scope** option can be used to request different claims or a refresh token which is sent as information to the OpenID Connect server. Requesting the **offline_access** is asking the server to return a reference token which can be used to refresh the session without authenticating the user of the application again. +The `Scope` option can be used to request different claims or a refresh token which is sent as information to the OpenID Connect server. Requesting the `offline_access` is asking the server to return a reference token which can be used to refresh the session without authenticating the user of the application again. ```csharp services.AddAuthentication(options => @@ -299,33 +314,33 @@ Microsoft has multiple identity providers and OpenID Connect implementations. Mi * Microsoft Entra External ID * Azure AD B2C -If authenticating using one of the Microsoft identity providers in ASP.NET Core, it is recommended to use the [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web) Nuget packages. +If authenticating using one of the Microsoft identity providers in ASP.NET Core, it is recommended to use the [`Microsoft.Identity.Web`](https://github.com/AzureAD/microsoft-identity-web) Nuget packages. -The Microsoft.Identity.Web Nuget packages is a Microsoft specific client built on top on the ASP.NET Core OpenID Connect client with some changes to the default client. +The `Microsoft.Identity.Web` Nuget packages is a Microsoft specific client built on top on the ASP.NET Core OpenID Connect client with some changes to the default client. ## Using third party OpenID Connect provider clients -Many OpenID Connect server implementations create Nuget packages which are optimized for the same OpenID Connect implementation. These packages implement the OpenID Connect client specifics with the extras required by the specific OpenID Connect server. Microsoft.Identity.Web is one example of this. +Many OpenID Connect server implementations create Nuget packages which are optimized for the same OpenID Connect implementation. These packages implement the OpenID Connect client specifics with the extras required by the specific OpenID Connect server. `Microsoft.Identity.Web` is one example of this. -If implementing multiple OpenID Connect clients from different OpenID Connect servers in a single application, it is normally better to revert to the default ASP.NET Core implementation as the different clients overwrite some options which affect the other clients. +If implementing multiple OpenID Connect clients from different OpenID Connect servers in a single application, it's normally better to revert to the default ASP.NET Core implementation as the different clients overwrite some options which affect the other clients. [OpenIddict Web providers](https://documentation.openiddict.com/integrations/web-providers) is a client implementation which supports many different server implementations. -[IdentityModel](https://github.com/IdentityModel/IdentityModel) is a .NET standard helper library for claims-based identity, OAuth 2.0 and OpenID Connect. This can also be used to help with the client implementation. +[`IdentityModel`](https://github.com/IdentityModel/IdentityModel) is a .NET standard helper library for claims-based identity, OAuth 2.0 and OpenID Connect. This can also be used to help with the client implementation. ## Backend for frontend (BFF) security architecture -It is no longer recommended to implement OpenID Connect public clients for any web applications. +It is no longer recommended to implement OpenID Connect public clients for any web apps. -See the [draft OAuth 2.0 for Browser-Based Applications](https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/) for further details. +For more information, see the [draft OAuth 2.0 for Browser-Based Applications](https://datatracker.ietf.org/doc/draft-ietf-oauth-browser-based-apps/). -If implementing **web** applications which have no independent backend, it is recommended to use the [Backend for Frontend (BFF) pattern](/azure/architecture/patterns/backends-for-frontends) security architecture. This pattern can be implemented in different ways, but the authentication is always implemented in the backend and no sensitive data is sent to the web client for further authorization or authentication flows. +If implementing **web** applications which have no independent backend, we recommend using the [Backend for Frontend (BFF) pattern](/azure/architecture/patterns/backends-for-frontends) security architecture. This pattern can be implemented in different ways, but the authentication is always implemented in the backend, and no sensitive data is sent to the web client for further authorization or authentication flows. ## Advanced features, standards, extending the OIDC client ### Logging -Debugging OpenID Connect clients can be hard. Personally identifiable information (PII) data is not logged by default. If debugging in development mode, the ** IdentityModelEventSource.ShowPII** can be used to log sensitive personal data. This should never by deployed to productive servers. +Debugging OpenID Connect clients can be hard. Personally identifiable information (PII) data is not logged by default. If debugging in development mode, the `IdentityModelEventSource.ShowPII` can be used to log sensitive personal data. Don't deploy an app with `IdentityModelEventSource.ShowPII` to productive servers. ```csharp //using ... @@ -345,33 +360,26 @@ IdentityModelEventSource.ShowPII = true; app.Run(); ``` -See [Logging](xref:fundamentals/logging/index?view=aspnetcore-8.0#configure-logging) for further information on logging. +For more information, see [Logging](xref:fundamentals/logging/index#configure-logging). > [!NOTE] > You may want to lower the configured log level to see all the required logs. ### OIDC and OAuth Parameter Customization -The OAuth and OIDC authentication handlers [`AdditionalAuthorizationParameters`](https://source.dot.net/#Microsoft.AspNetCore.Authentication.OAuth/OAuthOptions.cs,ddb988460467cfbf) option allows customization of authorization message parameters that are usually included as part of the redirect query string. +The OAuth and OIDC authentication handlers () option allows customization of authorization message parameters that are usually included as part of the redirect query string. ## Map claims from OpenID Connect -Refer to the following document: - -[Mapping, customizing, and transforming claims in ASP.NET Core](xref:security/authentication/claims) +For more information, see . ## Blazor OpenID Connect -Refer to the following document: - -[Secure an ASP.NET Core Blazor Web App with OpenID Connect (OIDC)](xref:blazor/security/blazor-web-app-oidc) +For more information, see . ## Standards -[OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0-final.html) - -[Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636) - -[The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749) - -[OAuth 2.0 Pushed Authorization Requests (PAR) RFC 9126](https://datatracker.ietf.org/doc/html/rfc9126) +* [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0-final.html) +* [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636) +* [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749) +* [OAuth 2.0 Pushed Authorization Requests (PAR) RFC 9126](https://datatracker.ietf.org/doc/html/rfc9126)