How to configure multiple clientIDs for .net core 5.0 openidconnect authentication?

asked 2021-05-04T09:46:55.783+00:00
Diana 1 Reputation point

1

I am using asp.net core 5.0 and openidconnect to authenticate users. My application will be used by several organizations. My database stores the openid Connect options (client id, client secret, authority, etc) for each organization. I authenticated users by getting all the stored openid connect options (for all organizations) in my database and add each as below in the startup.cs

foreach(OrganizationSetting setting in settings)
{
authBuilder.AddOpenIdConnect(settings.AuthenticationScheme, options =>
{
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.Authority = setting.Authority
options.ClientId = setting.ClientId;
options.CallbackPath =setting.CallbackPath;
options.ClientSecret =setting.ClientSecret;
options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
options.Scope.Add("openid");
options.SaveTokens = true;
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
{
ValidateIssuer = false,
SaveSigninToken = true
};
})
}
As you see, I must have different values for the autheticationscheme property and for the options.CallbackPath, else the application will throw an exception. Since I am new to this, is there a better way to achieve my goal? maybe setting the clientid/tenantid at runtime before calling the challenge method ?

Thank you

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
12,550 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. answered 2021-05-13T13:27:18.917+00:00
    AmanpreetSingh-MSFT 55,161 Reputation points

    Hi @Diana · Thanks for your query.

    Although your application will be accessed by multiple organizations, you don't have to use multiple or different Client ID for each organization. You need to register the application as a Multi-tenant application in Azure AD > App Registration and you can use same Client ID for multiple organizations. All you need to update in your code is, the tenant ID. Instead of using a specific tenant name or ID, you need to either use Organizations or Common.

    Once this is done, user will be redirected to his/her tenant based on the domain name in the UPN suffix that he enters on the sign in page. After successful authentication, he/she will be presented with a consent prompt, accepting that will result in creation on a servicePrincipal corresponding your multi-tenant application. The object id of the servicePrincipal will be different in every tenant but the app/client ID will be same in every tenant. That is why client id is not required to be changed for each and every tenant accessing your application.

    Here is a sample authentication request with Organizations endpoint for your reference, which will redirect you to the tenant based on the domain name in the UPN suffix that you enter in username field.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    No comments