diff --git a/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/AppCreationScripts/Configure.ps1 b/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/AppCreationScripts/Configure.ps1 index 9399cb99..d5e60264 100644 --- a/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/AppCreationScripts/Configure.ps1 +++ b/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/AppCreationScripts/Configure.ps1 @@ -127,9 +127,10 @@ Function ConfigureApplications # Update config file for 'webApp' + $commonendpoint = "common" $configFile = $pwd.Path + "\..\appsettings.json" Write-Host "Updating the sample code ($configFile)" - $dictionary = @{ "ClientId" = $webAppAadApplication.AppId;"TenantId" = "common";"Domain" = $tenantName }; + $dictionary = @{ "ClientId" = $webAppAadApplication.AppId;"TenantId" = $commonendpoint;"Domain" = $tenantName }; UpdateTextFile -configFilePath $configFile -dictionary $dictionary Add-Content -Value "" -Path createdApps.html diff --git a/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/AppCreationScripts/sample.json b/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/AppCreationScripts/sample.json index 258b4ffa..39436690 100644 --- a/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/AppCreationScripts/sample.json +++ b/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/AppCreationScripts/sample.json @@ -1,6 +1,6 @@ { "Sample": { - "Title": "An ASP.NET Core 2.x Web App which lets sign-in users with work and school or Microsoft personal accounts", + "Title": "An ASP.NET Core 2.x Web App which sign-in users with either work and school or Microsoft personal accounts", "Level": 200, "Client": "ASP.NET Core 2.x Web App", "Service": "Microsoft Graph", @@ -19,7 +19,7 @@ "Audience" : "AzureADandPersonalMicrosoftAccount", "HomePage": "https://localhost:44321/", "ReplyUrls": "https://localhost:44321/, https://localhost:44321/signin-oidc", - "LogoutUrl": "https://localhost:44321/signout-oidc", + "LogoutUrl": "https://localhost:44321/signout-oidc" } ], @@ -41,7 +41,7 @@ }, { "key": "TenantId", - "value": "common" + "value": "$commonendpoint" }, { "key": "Domain", 
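Review bot: In the sample.json hunk, `"value": "$commonendpoint"` turns a literal into a PowerShell variable reference, but nothing in sample.json defines that variable; the only definition is the hand-added `$commonendpoint = "common"` in the Configure.ps1 hunk. If Configure.ps1 is ever regenerated from sample.json that assignment disappears, and PowerShell expands an undefined `$commonendpoint` to an empty string, so `TenantId` in appsettings.json would be silently written as `""` instead of the script failing. Either keep the literal `"common"` in sample.json, or add the variable to the sample metadata so the generated script emits the definition, and consider `Set-StrictMode -Version Latest` near the top of Configure.ps1 so an undefined variable is an error rather than an empty value. Removing the trailing comma after `"LogoutUrl"` is a good fix (the file was not valid JSON before). The new `"Title"` reads `which sign-in users`; it should be `which signs in users`.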
diff --git a/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/README.md b/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/README.md index 83347f03..8a421d12 100644 --- a/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/README.md +++ b/1-WebApp-OIDC/1-3-AnyOrgOrPersonal/README.md @@ -6,7 +6,7 @@ level: 100 service: ASP.NET Core Web App endpoint: AAD v2.0 --- -# Bulid an ASP.NET Core Web app signing-in users with the Microsoft identity platform +# An ASP.NET Core 2.x Web App which sign-in users with either work and school or Microsoft personal accounts > This sample is for Azure AD, not Azure AD B2C. See [active-directory-b2c-dotnetcore-webapp](https://github.com/Azure-Samples/active-directory-b2c-dotnetcore-webapp), until we incorporate the B2C variation in the tutorial. 
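Review bot: The new H1 `An ASP.NET Core 2.x Web App which sign-in users with either work and school or Microsoft personal accounts` has a subject-verb error and an unbalanced `either`; suggest `An ASP.NET Core 2.x Web App that signs in users with either work and school accounts or Microsoft personal accounts`. It also drops the phrase `Microsoft identity platform` from the old title, which is the platform the whole tutorial is about and what readers search for. Unrelated but visible in the hunk context: the front matter still says `level: 100` while sample.json in this same PR says `"Level": 200`; the two should agree.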
@@ -14,11 +14,11 @@ endpoint: AAD v2.0 ## Scenario -This sample shows how to build a .NET Core 2.2 MVC Web app that uses OpenID Connect to sign in users. Users can use personal accounts (including outlook.com, live.com, and others) as well as work and school accounts from any company or organization that has integrated with Azure Active Directory. It leverages the ASP.NET Core OpenID Connect middleware. +This sample shows how to build an ASP.NET Core 2.2 MVC Web app that uses OpenID Connect to sign in users. Users can use either their personal accounts (including outlook.com, live.com, and others) as well as their work and school accounts. Thw work and school accounts are usually from an organization that has an Azure Active Directory tenant. It leverages the ASP.NET Core OpenID Connect middleware. ![Sign in with Azure AD](ReadmeFiles/sign-in.png) -> This is the first phase of a set of tutorials. Once you understand how to sign-in users in an ASP.NET Core Web App with Open Id Connect, can can learn how to enable your [Web App to call a Web API on behalf of the signed-in user](../../2-WebApp-graph-user) +> This is the first chapter of a set of tutorials. Once you understand how to sign-in users in an ASP.NET Core Web App with Open Id Connect, can can learn how to enable your [Web App to call a Web API on behalf of the signed-in user](../../2-WebApp-graph-user) ## How to run this sample @@ -39,7 +39,7 @@ There is one project in this sample. To register it, you can: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force ``` - 3. Run the script to create your Azure AD application and configure the code of the sample application accordinly + 3. Run the following script to create and configure your Azure AD application and configure the code of the sample application as well. ```PowerShell .\AppCreationScripts\Configure.ps1 
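Review bot: In the Scenario hunk the rewritten sentence introduces a typo (`Thw work and school accounts`) and mixes `either ... as well as`; suggest `Users can sign in with either a personal account (outlook.com, live.com and others) or a work or school account from an organization that has an Azure Active Directory tenant.` The changed line below it keeps the pre-existing `can can learn` and `Open Id Connect` (the protocol name is OpenID Connect); both are worth fixing while the line is being touched. In the third hunk, `create and configure your Azure AD application and configure the code` repeats `configure`; `create and configure your Azure AD application and update the sample's configuration` reads better.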
@@ -47,35 +47,54 @@ There is one project in this sample. To register it, you can: > Other ways of running the scripts are described in [App Creation Scripts](./AppCreationScripts/AppCreationScripts.md) - 4. Once you've run the script, be sure to follow the manual steps. Indeed Azure AD PowerShell does not create an app which audience is Work or School + personal accounts, even if this registration is already possible from the Azure portal: - In the list of pages for the application registration of the application, select **Manifest** - - search for **signInAudience** and make sure it's set to **AzureADandPersonalMicrosoftAccount** - - Select **Save** - - > Tip: If you register your apps with the scripts, to get directly to the app registration portal page for a give app, you can navigate to the links provided in the [AppCreationScripts\createdApps.html](AppCreationScripts\createdApps.html). This file is generated by the scripts during the app registration and configuration. - - 4. Open the Visual Studio solution and click start. That's it! + 4. Once you've run the script, please ensure that you've followed the following manual steps. Azure AD PowerShell does not yet create an app whose audience is `Work or School + personal accounts`. This audience setting is only possible from the Azure portal as of today: + 5. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account or a personal Microsoft account. + 6. If your account is present in more than one Azure AD tenant, select `Directory + Subscription` at the top right corner in the menu on top of the page, and switch your portal session to the desired Azure AD tenant. + 7. In the left-hand navigation blades, select the **Azure Active Directory** service, and then select **App registrations (Preview)**. + 8. In the **App registrations (Preview)** blade, locate your newly created app in the list. + 9. Select the **Manifest** blade for your app. + 10. 
Search for **signInAudience** and make sure it's set to **AzureADandPersonalMicrosoftAccount** + +```JSON + "signInUrl": null, + "signInAudience": "AzureADandPersonalMicrosoftAccount", +``` + +11. Click **Save** to save the app manifest. + + > Tip: If you register your apps with the the provided Poweshell scripts, you can navigate directly to the app registration portal page of your newly created app, using links provided in the [AppCreationScripts\createdApps.html](AppCreationScripts\createdApps.html). This file is generated by the scripts during the app registration and configuration process. + +12. Open the Visual Studio solution and click start. That's it! - or, if you don't want to use automation, follow the steps below: #### Choose the Azure AD tenant where you want to create your applications +As a first step you'll need to: + 1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account or a personal Microsoft account. -1. If your account is present in more than one Azure AD tenant, select `Directory + Subscription` at the top right corner in the menu on top of the page, and switch your portal session to the desired Azure AD tenant. -1. In the left-hand navigation pane, select the **Azure Active Directory** service, and then select **App registrations (Preview)**. -1. In **App registrations (Preview)** page, select **New registration**. +1. If your account is present in more than one Azure AD tenant, select your profile at the top right corner in the menu on top of the page, and then **switch directory**. + Change your portal session to the desired Azure AD tenant. + +#### Register the webApp app (WebApp) + +1. Navigate to the Microsoft identity platform for developers [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) page. +1. Select **New registration**. 1. 
When the **Register an application page** appears, enter your application's registration information: - In the **Name** section, enter a meaningful application name that will be displayed to users of the app, for example `WebApp`. - In the **Supported account types** section, select **Accounts in any organizational directory and personal Microsoft accounts (e.g. Skype, Xbox, Outlook.com)**. - - In the Redirect URI (optional) section, select **Web** in the combo-box. - - For the *Redirect URI*, enter the base URL for the sample. By default, this sample uses `https://localhost:44321/`. - - Select **Register** to create the application. + > Note that there are more than one redirect URIs. You'll need to add them from the **Authentication** tab later after the app has been created succesfully. +1. Select **Register** to create the application. 1. On the app **Overview** page, find the **Application (client) ID** value and record it for later. You'll need it to configure the Visual Studio configuration file for this project. -1. In the list of pages for the app, select **Authentication**. - - In the **Redirect URIs**, add a redirect URL of type Web and valued `https://localhost:44321/signin-oidc` +1. In the list of pages for the app, select **Authentication**.. + - In the Redirect URIs section, select **Web** in the combo-box and enter the following redirect URIs. + - `https://localhost:44321/` + - `https://localhost:44321/signin-oidc` - In the **Advanced settings** section set **Logout URL** to `https://localhost:44321/signout-oidc` - - In the **Advanced settings** | **Implicit grant** section, check **ID tokens** as this sample requires the [Implicit grant flow](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to be enabled to sign-in the user. - - Select **Save**. 
+ - In the **Advanced settings** | **Implicit grant** section, check **ID tokens** as this sample requires + the [Implicit grant flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow) to be enabled to + sign-in the user, and call an API. +1. Select **Save**. > Note that unless the Web App calls a Web API no certificate or secret is needed. @@ -111,7 +130,7 @@ In the **appsettings.json** file: > Note: Replace *`Enter_the_Application_Id_here`* with the *Application Id* from the application Id you just registered in the Application Registration Portal. 1. Open the generated project (.csproj) in Visual Studio, and save the solution. -1. Add the `Microsoft.Identity.Web.csproj` project which is located at the root of this sample repo, to your solution (**Add Existing Project ...**). It's used to simplify signing-in and, in the next tutorial phases, to get a token +1. Add the `Microsoft.Identity.Web.csproj` project which is located at the root of this sample repo, to your solution (**Add Existing Project ...**). It's used to simplify signing-in and, in the next tutorial phases, to get a token. 1. Add a reference from your newly generated project to `Microsoft.Identity.Web` (right click on the **Dependencies** node under your new project, and choose **Add Reference ...**, and then in the projects tab find the `Microsoft.Identity.Web` project) 1. Open the **Startup.cs** file and: 
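Review bot: In the `-47,35 +54,54` hunk, the added wording `check **ID tokens** as this sample requires the Implicit grant flow to be enabled to sign-in the user, and call an API` is wrong for this chapter: the sample only signs users in, and the unchanged note two lines later says no certificate or secret is needed unless the Web App calls a Web API. Drop `, and call an API`, and preferably say why the checkbox is required (the response type the OpenID Connect middleware asks for) rather than only that it is, since readers are being asked to enable a setting that widens what the app registration may receive. Also in this hunk: steps 5 to 11 are sub-steps of step 4 (the manual follow-up after the script) but are numbered as its siblings, so the list now reads as if signing in to the portal were separate from following the manual steps; indent them under 4. Typos in added lines: `the the provided Poweshell scripts`, `succesfully`, and `select **Authentication**..` (double period). The restructured manual registration now lists both `https://localhost:44321/` and `https://localhost:44321/signin-oidc` as redirect URIs, matching `ReplyUrls` in sample.json, which is consistent; if the sample never redirects to the bare base URL, the first entry can be dropped to keep the redirect allow-list minimal.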
@@ -188,7 +207,7 @@ You can also learn from the [1. WebApp signs-in users with Microsoft Identity (O ### known issue on iOS 12 -ASP.NET core applications create session cookies that represent the identity of the caller. Some Safari users using iOS 12 had issues which are described in [ASP.NET Core #4467](https://github.com/aspnet/AspNetCore/issues/4647) and the Web kit bugs database [Bug 188165 - iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication](https://bugs.webkit.org/show_bug.cgi?id=188165). +ASP.NET core applications create session cookies that represent the identity of the caller. Some Safari users using iOS 12 had issues which are described in [ASP.NET Core #4467](https://github.com/aspnet/AspNetCore/issues/4647) and the Web kit bugs database [Bug 188165 - iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication](https://bugs.webkit.org/show_bug.cgi?id=188165). If your web site needs to be accessed from users using iOS 12, you probably want to disable the SameSite protection, but also ensure that state changes are protected with CSRF anti-forgery mecanism. See the how to fix section of [Microsoft Security Advisory: iOS12 breaks social, WSFed and OIDC logins #4647](https://github.com/aspnet/AspNetCore/issues/4647)
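Review bot: In the added sentence, the link label `[ASP.NET Core #4467](https://github.com/aspnet/AspNetCore/issues/4647)` has the issue number wrong; the URL and the later reference in the same line both say #4647. `mecanism` should be `mechanism`. More importantly, `disable the SameSite protection` should state its scope: only the cookies the OpenID Connect handler sets during sign-in need to survive the cross-site POST back from the identity provider, so SameSite should be relaxed for those cookies rather than for the application's session cookie, and the text should make clear that relaxing SameSite removes the browser-side CSRF defense, which is why the anti-forgery token on every state-changing request becomes mandatory rather than optional. Linking the "how to fix" section of #4647 is good; quoting the relevant cookie policy setting inline would save readers a trip.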