-
Notifications
You must be signed in to change notification settings - Fork 217
asp net
jennyf19 edited this page Nov 17, 2021
·
28 revisions
Starting with version 1.17+, you have the option of using either Microsoft.Identity.Web, which brings specific ASP.NET Core dependencies, or one or both of the following:
Microsoft.Identity.Web.TokenCache
- Token cache serializers and adapters for MSAL.NET
- ClaimsPrincipalExtension which add extensions methods to a ClaimsPrincipal. See Utility classes
Microsoft.Identity.Web.Certificate
- Helper methods to load certificates
By using the Microsoft.Identity.Web.TokenCache or Microsoft.Identity.Web.Certificate NuGet packages, you have the advantage of fewer dependencies and .NET Standard 2.0 support. See package dependencies for more info.
The principle is the same as in ASP.NET Core.
#using Microsoft.Identity.Web private static IConfidentialClientApplication app;
public static async Task<IConfidentialClientApplication> BuildConfidentialClientApplication()
{
if (app== null)
{
// Create the confidential client application
app= ConfidentialClientApplicationBuilder.Create(clientId)
// Alternatively to the certificate you can use .WithClientSecret(clientSecret)
.WithCertificate(certDescription.Certificate)
.WithTenantId(tenant)
.Build();
// Add an in-memory token cache. Other options available: see below
app.UseInMemoryTokenCaches();
}
return clientapp;
} // Add an in-memory token cache
app.AddInMemoryTokenCache();Available in Microsoft.Identity.Web 1.20, to handle eviction and size options.
// In memory token caches (App and User caches)
app.AddInMemoryTokenCache(services =>
{
// Configure the memory cache options
services.Configure<MemoryCacheOptions>(options =>
{
options.SizeLimit = 5000000; // in bytes (5 Mb)
});
}); // In memory distributed token cache
app.UseDistributedTokenCaches(services =>
{
// In net462/net472, requires to reference Microsoft.Extensions.Caching.Memory
services.AddDistributedMemoryCache();
}); // SQL Server token cache
app.UseDistributedTokenCaches(services =>
{
services.AddDistributedSqlServerCache(options =>
{
// In net462/net472, requires to reference Microsoft.Extensions.Caching.Memory
// Requires to reference Microsoft.Extensions.Caching.SqlServer
options.ConnectionString = @"Data Source=(localdb)\MSSQLLocalDB;Initial Catalog=TestCache;Integrated Security=True;Connect Timeout=30;Encrypt=False;TrustServerCertificate=False;ApplicationIntent=ReadWrite;MultiSubnetFailover=False";
options.SchemaName = "dbo";
options.TableName = "TestCache";
// You don't want the SQL token cache to be purged before the access token has expired. Usually
// access tokens expire after 1 hour (but this can be changed by token lifetime policies), whereas
// the default sliding expiration for the distributed SQL database is 20 mins.
// Use a value which is above 60 mins (or the lifetime of a token in case of longer lived tokens)
options.DefaultSlidingExpiration = TimeSpan.FromMinutes(90);
});
}); // Redis token cache
app.UseDistributedTokenCaches(services =>
{
// Requires to reference Microsoft.Extensions.Caching.StackExchangeRedis
services.AddStackExchangeRedisCache(options =>
{
options.Configuration = "localhost";
options.InstanceName = "Redis";
});
}); // Cosmos DB token cache
app.UseDistributedTokenCaches(services =>
{
// Requires to reference Microsoft.Extensions.Caching.Cosmos (preview)
services.AddCosmosCache((CosmosCacheOptions cacheOptions) =>
{
cacheOptions.ContainerName = Configuration["CosmosCacheContainer"];
cacheOptions.DatabaseName = Configuration["CosmosCacheDatabase"];
cacheOptions.ClientBuilder = new CosmosClientBuilder(Configuration["CosmosConnectionString"]);
cacheOptions.CreateIfNotExists = true;
});
});See Token cache serialization for details on the other token cache providers/serializers
- Using this cache in a .NET Framework and .NET Core (not ASP.NET) application is showed-cased in this sample ConfidentialClientTokenCache
- The following sample is an ASP.NET web app using the same technics: https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect (See WebApp/Utils/MsalAppBuilder.cs
Microsoft.Identity.Web 1.6.0 and later expose the DefaultCertificateLoader class to .NET framework.
// Certificate
string keyVaultContainer = "https://WebAppsApisTests.vault.azure.net";
string keyVaultReference = "MsIdWebScenarioTestCert";
CertificateDescription certDescription = CertificateDescription.FromKeyVault(keyVaultContainer, keyVaultReference);
ICertificateLoader certificateLoader = new DefaultCertificateLoader();
certificateLoader.LoadIfNeeded(certDescription);
// Create the confidential client application
IConfidentialClientApplication app;
app = ConfidentialClientApplicationBuilder.Create(clientId)
.WithCertificate(certDescription.Certificate)
.WithTenantId(tenant)
.Build();For details, see:
- the Using certicates article for details.
- the ConfidentialClientTokenCache which showcases loading a certificate from KeyVault.
| Sample | Platform | Description |
|---|---|---|
| active-directory-dotnet-v1-to-v2 | Desktop (Console) | Visual Studio solution illustrating the migration of Azure AD v1.0 applications (using ADAL.NET) to Azure AD v2.0 applications, also named converged applications (using MSAL.NET), in particular ConfidentialClientTokenCache |
| ms-identity-aspnet-webapp-openidconnect | ASP.NET (net472) | Example of token cache serialization in an ASP.NET MVC application (using MSAL.NET). See in particular MsalAppBuilder |
| active-directory-dotnetcore-daemon-v2 | .NET Core (Console) | Part of the daemon tutorial, this chapter shows how to have a daemon using certificates acquired from KeyVault. |
- Home
- Why use Microsoft Identity Web?
- Web apps
- Web APIs
- Using certificates
- Minimal support for .NET FW Classic
- Logging
- Azure AD B2C limitations
- Samples
- Web apps
- Web app samples
- Web app template
- Call an API from a web app
- Managing incremental consent and conditional access
- Web app troubleshooting
- Deploy to App Services Linux containers or with proxies
- SameSite cookies
- Hybrid SPA
- Web APIs
- Web API samples
- Web API template
- Call an API from a web API
- Token Decryption
- Web API troubleshooting
- web API protected by ACLs instead of app roles
- gRPC apps
- Azure Functions
- Long running processes in web APIs
- Authorization policies
- Generic API
- Customization
- Logging
- Calling graph with specific scopes/tenant
- Multiple Authentication Schemes
- Utility classes
- Setting FIC+MSI
- Mixing web app and web API
- Deploying to Azure App Services
- Azure AD B2C issuer claim support
- Performance
- specify Microsoft Graph scopes and app-permissions
- Integrate with Azure App Services authentication
- Ajax calls and incremental consent and conditional access
- Back channel proxys
- Client capabilities