Adding Authentication and Authorization to an ASP.NET Core Web App – the Minimalist Approach

I like to do stuff with as little code as possible. Faced with the issue of forcing authentication (using a Microsoft account) I first looked at some tutorials/guidelines, but they involved an identity database accessed using Entity Framework, which I was not interested in. I just wanted to force authentication; I didn’t want users to register. So here is the minimal approach I ended up with. The web app uses Razor Pages and .NET 6, by the way.

  • Add Microsoft’s identity package: install-package Microsoft.Identity.Web (or dotnet add package Microsoft.Identity.Web from the command line)
  • In Program.cs, add the services to the container and configure the HTTP request pipeline. The three usings are needed for OpenIdConnectDefaults, AuthorizationPolicyBuilder and the AddMicrosoftIdentityWebApp extension method:
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;
...
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization(options =>
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireUserName("user.email@outlook.com").Build());
...
// after app.UseRouting() and before app.MapRazorPages()
app.UseAuthentication();
app.UseAuthorization();

In the lambda passed to AddAuthorization I set a fallback policy, which is the policy applied to every endpoint that carries neither an [Authorize] nor an [AllowAnonymous] attribute. This particular policy only allows a single, hard-coded user. RequireUserName compares against User.Identity.Name, which Microsoft.Identity.Web populates from the preferred_username claim, i.e. the account’s sign-in name (the email address for a personal Microsoft account). A visitor who is not signed in is redirected to the Microsoft sign-in page; a visitor who signs in with any other account fails authorization and is refused rather than challenged again. One caveat: preferred_username is a mutable claim that Microsoft documents as not to be used for authorization decisions, so for anything beyond a personal single-user app it is safer to key the policy on the account’s object ID (the oid claim) instead.

  • In appsettings.json, add an AzureAd section:
"AzureAd": {
    "ClientId": "...",
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "consumers",
    "CallbackPath": "/signin-oidc"
  }

To get a client ID, create a registration under Azure Active Directory > App registrations (the portal now lists this under Microsoft Entra ID). Because TenantId is "consumers", the registration’s supported account types must include personal Microsoft accounts. Under Authentication, add a Web platform and, under Redirect URIs, add the signin-oidc callback and the root for all environments, e.g. https://localhost:7235/signin-oidc and https://localhost:7235/. Sign-in without token acquisition uses the id_token response type, so also tick ID tokens under Implicit grant and hybrid flows; no client secret is needed for sign-in only.
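The complete Program.cs for the three steps above, as an added example that is not the post’s own code. It keeps the same sign-in wiring but swaps the hard-coded RequireUserName for an allow-list of object IDs read from an assumed "AllowedUsers" array in appsettings.json (the section name and the sample GUID are hypothetical), adds an explicitly anonymous endpoint to show the fallback policy being opted out of, and adds a sign-out endpoint:

```csharp
// Program.cs for a .NET 6 Razor Pages app. Added example, not code from the post.
// Assumes appsettings.json contains the "AzureAd" section from the post plus a
// hypothetical "AllowedUsers" array of Azure AD object IDs ("oid" claim values):
//
//   "AllowedUsers": [ "11111111-2222-3333-4444-555555555555" ]
//
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Sign-in only: no token acquisition and no identity database.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));

// Allow-list of object IDs (assumed config section). Empty list means nobody gets in.
var allowedObjectIds = builder.Configuration.GetSection("AllowedUsers").Get<string[]>()
                       ?? Array.Empty<string>();

builder.Services.AddAuthorization(options =>
{
    // Fallback policy: applied to every endpoint without [Authorize]/[AllowAnonymous].
    // Keyed on the immutable "oid" claim instead of the mutable preferred_username.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
        {
            // GetObjectId() is a Microsoft.Identity.Web helper that reads the oid claim
            // regardless of whether inbound claim mapping renamed it.
            string? oid = ctx.User.GetObjectId();
            return oid is not null
                && allowedObjectIds.Contains(oid, StringComparer.OrdinalIgnoreCase);
        })
        .Build();
});

builder.Services.AddRazorPages();

var app = builder.Build();

app.UseHttpsRedirection();
app.UseStaticFiles();   // runs before authorization, so wwwroot content stays public
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();

// Every Razor Page is covered by the fallback policy unless it opts out with [AllowAnonymous].
app.MapRazorPages();

// Explicit opt-out of the fallback policy: an unauthenticated health probe.
app.MapGet("/healthz", () => Results.Ok("ok")).AllowAnonymous();

// Sign-out clears the local cookie and then ends the Microsoft session, returning to "/".
app.MapGet("/signout", () => Results.SignOut(
        new AuthenticationProperties { RedirectUri = "/" },
        new[]
        {
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme
        }))
    .AllowAnonymous();

app.Run();
```

The object ID of an account is visible in the id_token (oid claim) or, for a work or school account, on the user’s page in the portal; a visitor whose oid is not in the list is refused even though their sign-in with Microsoft succeeded, which is exactly the split the post is after: authentication delegated to Microsoft, authorization decided locally without a user store.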