ASP.NET Core OpenID Connect: Configure OIDC web authentication

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Error.cshtml

@@ -0,0 +1,26 @@
+@page
+@model ErrorModel
+@{
+    ViewData["Title"] = "Error";
+}
+
+<h1 class="text-danger">Error.</h1>
+<h2 class="text-danger">An error occurred while processing your request.</h2>
+
+@if (Model.ShowRequestId)
+{
+    <p>
+        <strong>Request ID:</strong> <code>@Model.RequestId</code>
+    </p>
+}
+
+<h3>Development Mode</h3>
+<p>
+    Swapping to the <strong>Development</strong> environment displays detailed information about the error that occurred.
+</p>
+<p>
+    <strong>The Development environment shouldn't be enabled for deployed applications.</strong>
+    It can result in displaying sensitive information from exceptions to end users.
+    For local debugging, enable the <strong>Development</strong> environment by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>
+    and restarting the app.
+</p>

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Error.cshtml.cs

@@ -0,0 +1,18 @@
+using System.Diagnostics;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace RazorPageOidc.Pages;
+
+[ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
+public class ErrorModel : PageModel
+{
+    public string? RequestId { get; set; }
+
+    public bool ShowRequestId => !string.IsNullOrEmpty(RequestId);
+
+    public void OnGet()
+    {
+        RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier;
+    }
+}

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Index.cshtml

@@ -0,0 +1,10 @@
+@page
+@model IndexModel
+@{
+    ViewData["Title"] = "Home page";
+}
+
+<div class="text-center">
+    <h1 class="display-4">Welcome</h1>
+    <p>Learn about <a href="https://docs.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
+</div>

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Index.cshtml.cs

@@ -0,0 +1,12 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace RazorPageOidc.Pages;
+
+[Authorize]
+public class IndexModel : PageModel
+{
+    public void OnGet()
+    {
+    }
+}

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Login.cshtml

@@ -0,0 +1,4 @@
+@page
+@model RazorPageOidc.Pages.LoginModel
+@{
+}

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Login.cshtml.cs

@@ -0,0 +1,40 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace RazorPageOidc.Pages;
+
+[AllowAnonymous]
+public class LoginModel : PageModel
+{
+    [BindProperty(SupportsGet = true)]
+    public string? ReturnUrl { get; set; }
+
+    public async Task OnGetAsync()
+    {
+        var properties = GetAuthProperties(ReturnUrl);
+        await HttpContext.ChallengeAsync(properties);
+    }
+
+    private static AuthenticationProperties GetAuthProperties(string? returnUrl)
+    {
+        const string pathBase = "/";
+
+        // Prevent open redirects.
+        if (string.IsNullOrEmpty(returnUrl))
+        {
+            returnUrl = pathBase;
+        }
+        else if (!Uri.IsWellFormedUriString(returnUrl, UriKind.Relative))
+        {
+            returnUrl = new Uri(returnUrl, UriKind.Absolute).PathAndQuery;
+        }
+        else if (returnUrl[0] != '/')
+        {
+            returnUrl = $"{pathBase}{returnUrl}";
+        }
+
+        return new AuthenticationProperties { RedirectUri = returnUrl };
+    }
+}

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Logout.cshtml

@@ -0,0 +1,8 @@
+@page
+@model RazorPageOidc.Pages.LogoutModel
+@{
+    ViewData["Title"] = "Logout";
+}
+
+<h1>Logout</h1>
+

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Logout.cshtml.cs

@@ -0,0 +1,24 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace RazorPageOidc.Pages;
+
+[Authorize]
+public class LogoutModel : PageModel
+{
+    public IActionResult OnGetAsync()
+    {
+        return SignOut(new AuthenticationProperties
+        {
+            RedirectUri = "/SignedOut"
+        },
+        // Clear auth cookie
+        CookieAuthenticationDefaults.AuthenticationScheme,
+        // Redirect to OIDC provider signout endpoint
+        OpenIdConnectDefaults.AuthenticationScheme);
+    }
+}

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Shared/_Layout.cshtml

@@ -0,0 +1,64 @@
+@using Microsoft.AspNetCore.Authorization
+@inject IAuthorizationService AuthorizationService
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>@ViewData["Title"] - RazorPageOidcClient</title>
+    <link rel="stylesheet" href="~/lib/bootstrap/dist/css/bootstrap.min.css" />
+    <link rel="stylesheet" href="~/css/site.css" />
+</head>
+<body>
+    <header>
+        <nav class="navbar navbar-expand-sm navbar-toggleable-sm navbar-light bg-white border-bottom box-shadow mb-3">
+            <div class="container">
+                <a class="navbar-brand" asp-area="" asp-page="/Index">RazorPageOidcClient</a>
+                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target=".navbar-collapse" aria-controls="navbarSupportedContent"
+                        aria-expanded="false" aria-label="Toggle navigation">
+                    <span class="navbar-toggler-icon"></span>
+                </button>
+                <div class="navbar-collapse collapse d-sm-inline-flex flex-sm-row-reverse">
+                    <ul class="navbar-nav flex-grow-1">
+                        <li class="nav-item">
+                            <a class="nav-link text-dark" asp-area="" asp-page="/Index">Home</a>
+                        </li>
+                        @if (Context.User.Identity!.IsAuthenticated)
+                        {
+                            <li class="nav-item">
+                                <a class="nav-link text-dark" asp-area="" asp-page="/Logout">Logout</a>
+                            </li>
+
+                            <span class="nav-link text-dark">Hi @Context.User.Identity.Name</span>
+                        }
+                        else
+                        {
+                            <li class="nav-item">
+                                <a class="nav-link text-dark" asp-area="" asp-page="/Index">Login</a>
+                            </li>
+                        }
+
+                    </ul>
+                </div>
+            </div>
+        </nav>
+    </header>
+    <div class="container">
+        <main role="main" class="pb-3">
+            @RenderBody()
+        </main>
+    </div>
+
+    <footer class="border-top footer text-muted">
+        <div class="container">
+            &copy; 2024 - RazorPageOidcClient
+        </div>
+    </footer>
+
+    <script src="~/lib/jquery/dist/jquery.min.js"></script>
+    <script src="~/lib/bootstrap/dist/js/bootstrap.bundle.min.js"></script>
+    <script src="~/js/site.js" asp-append-version="true"></script>
+
+    @RenderSection("Scripts", required: false)
+</body>
+</html>

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/Shared/_ValidationScriptsPartial.cshtml

@@ -0,0 +1,2 @@
+<script src="~/lib/jquery-validation/dist/jquery.validate.min.js"></script>
+<script src="~/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js"></script>

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/SignedOut.cshtml

@@ -0,0 +1,8 @@
+@page
+@model RazorPageOidc.Pages.SignedOutModel
+@{
+    ViewData["Title"] = "SignedOut";
+}
+
+<h1>Signed out</h1>
+

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/SignedOut.cshtml.cs

@@ -0,0 +1,12 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace RazorPageOidc.Pages;
+
+[AllowAnonymous]
+public class SignedOutModel : PageModel
+{
+    public void OnGet()
+    {
+    }
+}

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/_ViewImports.cshtml

@@ -0,0 +1,3 @@
+@using RazorPageOidc
+@namespace RazorPageOidc.Pages
+@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Pages/_ViewStart.cshtml

@@ -0,0 +1,3 @@
+@{
+    Layout = "_Layout";
+}

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/Program.cs

@@ -0,0 +1,119 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Services.AddAuthentication(options =>
+{
+    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
+})
+.AddCookie()
+.AddOpenIdConnect(options =>
+{
+    // ........................................................................
+    // The OIDC handler must use a sign-in scheme capable of persisting 
+    // user credentials across requests.
+
+    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+    // ........................................................................
+
+    // ........................................................................
+    // The "openid" and "profile" scopes are required for the OIDC handler 
+    // and included by default. 
+
+    //options.Scope.Add("some-scope");
+    // ........................................................................
+
+    // ........................................................................
+    // The following paths must match the redirect and post logout redirect 
+    // paths configured when registering the application with the OIDC provider. 
+    // Both the signin and signout paths must be registered as Redirect URIs.
+    // The default values are "/signin-oidc" and "/signout-callback-oidc".
+
+    //options.CallbackPath = new PathString("/signin-oidc");
+    //options.SignedOutCallbackPath = new PathString("/signout-callback-oidc");
+    // ........................................................................
+
+    // ........................................................................
+    // The RemoteSignOutPath is the "Front-channel logout URL" for remote single 
+    // sign-out. The default value is "/signout-oidc".
+
+    //options.RemoteSignOutPath = new PathString("/signout-oidc");
+    // ........................................................................
+
+    var oidcConfig = builder.Configuration.GetSection("OpenIDConnectSettings");
+    // ........................................................................
+    // Authority is the OIDC provider's base URL. Set the application settings
+
+    options.Authority = oidcConfig["Authority"];
+    // ........................................................................
+
+    // ........................................................................
+    // Set the Client ID for the app. Set the application settings to
+    // the Client ID.
+
+    options.ClientId = oidcConfig["ClientId"];
+    // ........................................................................
+
+
+    options.ClientSecret = oidcConfig["ClientSecret"];
+
+    // ........................................................................
+    // Setting ResponseType to "code" configures the OIDC handler to use 
+    // authorization code flow. The OIDC handler automatically requests the
+    // appropriate tokens using the code returned from the
+    // authorization endpoint.
+
+    options.ResponseType = OpenIdConnectResponseType.Code;
+    // ........................................................................
+
+    // ........................................................................
+    // Set MapInboundClaims to "false" to obtain the original claim types from 
+    // the token. Many OIDC servers use "name" and "role"/"roles" rather than 
+    // the SOAP/WS-Fed defaults in ClaimTypes. Adjust these values if your 
+    // identity provider uses different claim types.
+
+    options.MapInboundClaims = false;
+    options.TokenValidationParameters.NameClaimType = "name";
+    options.TokenValidationParameters.RoleClaimType = "role";
+    // ........................................................................
+
+    options.SaveTokens = true;
+    options.GetClaimsFromUserInfoEndpoint = true;
+});
+
+var requireAuthPolicy = new AuthorizationPolicyBuilder()
+    .RequireAuthenticatedUser()
+    .Build();
+
+builder.Services.AddAuthorizationBuilder()
+    .SetFallbackPolicy(requireAuthPolicy);
+
+builder.Services.AddRazorPages();
+
+var app = builder.Build();
+
+//IdentityModelEventSource.ShowPII = true;
+JsonWebTokenHandler.DefaultInboundClaimTypeMap.Clear();
+
+if (app.Environment.IsDevelopment())
+{
+    app.UseDeveloperExceptionPage();
+}
+else
+{
+    app.UseExceptionHandler("/Error");
+}
+
+app.UseHttpsRedirection();
+app.UseStaticFiles();
+
+app.UseRouting();
+// Authorization is applied for middleware after the UseAuthorization method
+app.UseAuthorization();
+app.MapRazorPages();
+
+app.Run();

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/RazorPageOidc.csproj

@@ -0,0 +1,13 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.10" />
+  </ItemGroup>
+
+</Project>

aspnetcore/security/authentication/configure-oidc-web-authentication/sample/oidc-net8/RazorPageOidc/appsettings.Development.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Debug",
+      "System": "Information",
+      "Microsoft": "Information"
+    }
+  }
+}