ASP.NET Framework OIDC
Step 1: Create ASP.NET Application
- Create new asp.net framework mvc application. eg AspnetFrameworkAzureOIDCSample
- Run the application
- Copy the url. eg https://localhost:44318
Step 2: Register your Application in Azure Portal
- Go to azure https://portal.azure.com/
- Search Microsoft Entra ID
- In Sidebar under Manage > App registrations > New registration.
- Set a name: AspnetFrameworkAzureOIDCSample
- choose your Supported account types: Single Tenant
- In the Redirect URI dropdown, select Web and enter your local development URL (e.g.,
https://localhost:44318/). - Click Register.
- Copy the Application (client) ID and Directory (tenant) ID from the Overview page.
- Go to Certificates & secrets > New client secret to generate a secret key. Copy the secret value immediately.
Step 3: Install Required NuGet Packages
Open the Package Manager Console in Visual Studio and install the essential OWIN and Microsoft Identity packages:
powershell
Install-Package Microsoft.Owin.Host.SystemWeb
Install-Package Microsoft.Owin.Security.Cookies
Install-Package Microsoft.Owin.Security.OpenIdConnect
Install-Package Microsoft.IdentityModel.Protocols.OpenIdConnect
Step 4: Configure Web.config
Add your Azure AD credentials securely under the <appSettings> section:
xml
<appSettings>
<add key="ida:ClientId" value="YOUR_APPLICATION_CLIENT_ID" />
<add key="ida:ClientSecret" value="YOUR_CLIENT_SECRET" />
<add key="ida:TenantId" value="YOUR_DIRECTORY_TENANT_ID" />
<!-- For single tenant apps, use your tenant ID. For multi-tenant, use 'common' -->
<add key="ida:Authority" value="https://login.microsoftonline.com/{YOUR_DIRECTORY_TENANT_ID}" />
<add key="ida:RedirectUri" value="https://localhost:44318/" />
</appSettings>
Step 5: Create Startup.cs
Wire up the OWIN authentication pipeline to process the cookie and standard authorization code exchange.
csharp
using System;
using System.Configuration;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
[assembly: OwinStartup(typeof(AspnetFrameworkAzureOIDCSample.Startup))]
namespace AspnetFrameworkAzureOIDCSample
{
public class Startup
{
private static readonly string ClientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static readonly string ClientSecret = ConfigurationManager.AppSettings["ida:ClientSecret"];
private static readonly string Authority = ConfigurationManager.AppSettings["ida:Authority"];
private static readonly string RedirectUri = ConfigurationManager.AppSettings["ida:RedirectUri"];
public void Configuration(IAppBuilder app)
{
// 1. Setup local encrypted session cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
});
// 2. Configure Azure AD OIDC
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = ClientId,
ClientSecret = ClientSecret,
Authority = Authority,
RedirectUri = RedirectUri,
ResponseType = OpenIdConnectResponseType.Code,
Scope = "openid profile offline_access", // offline_access yields refresh tokens
SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
RedeemCode = true,
UsePkce = true,
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = async context =>
{
var identity = context.AuthenticationTicket.Identity;
// Capture tokens safely after validation completes
var accessToken = context.ProtocolMessage.AccessToken;
if (!string.IsNullOrEmpty(accessToken))
{
identity.AddClaim(new Claim("access_token", accessToken));
}
// Map Azure unique identifier if desired
var objectId = identity.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value;
if (!string.IsNullOrEmpty(objectId))
{
identity.AddClaim(new Claim("azure_user_id", objectId));
}
await Task.CompletedTask;
},
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("/Home/Error?message=" + context.Exception.Message);
return Task.CompletedTask;
}
}
});
}
}
}
Step 6: Implement Login and Logout Controllers
Create an Account controller to explicitly trigger the challenge and clear local user sessions.
csharp
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
public class AccountController : Controller
{
public void SignIn()
{
if (!Request.IsAuthenticated)
{
// Send challenge to Azure AD middleware
HttpContext.GetOwinContext().Authentication.Challenge(
new AuthenticationProperties { RedirectUri = "/" },
OpenIdConnectAuthenticationDefaults.AuthenticationType
);
}
}
public void SignOut()
{
// Clear local cookie session and execute remote OIDC signout
HttpContext.GetOwinContext().Authentication.SignOut(
OpenIdConnectAuthenticationDefaults.AuthenticationType,
CookieAuthenticationDefaults.AuthenticationType
);
}
}
Step 7
- Run application
- Go to https://localhost:44318/Account/SignIn
- To logout https://localhost:44318/Account/SignOut
- You can also add
[Authorize]attribute to HomeController to trigger signin on home page