(1) Can someone please point me to a (Microsoft supported) example that demonstrates using AAD B2C with Kubernetes with the OAuthAuthCodeFlow/OpenIDConnect on ASP.NET Core?
I had a assumed I would implemented AAD B2C on an ASP.NET webapp in a container in a Kubernetes POD and expose that POD(s) thru the the load balancer.
(2) Is this a viable approach?
(3) I'm now reading about deploying Ingress and registering Ingress in an AAD (instead of an AADB2C) tenant. Is this the preferred approach? Why?
(4) Then what? I believe I create an OAUTH2_PROXY as a service to be used by ingress. Is this correct? Is using OAUTH2_PROXY the recommend approach? Are there alternatives I might consider?
(5) Please help me understand how OAUTH2_PROXY works. Does it implement Implicit grant flow, OAuth Authorization Code Flow or the OpenIDConnect flow (assuming I am using AAD or AADB2C). I'm looking at auth-configuration and it is not clear to me if I can use OpenIDConnect with AAD (auth-configuration).
(6) After looking at links above, It looks like I can use OAUTH2_PROXY with AAD (and not AADB2C) and I can still accommodate multiple Auth Providers like Facebook and Github. This seems strange .... Is it correct? In other words, what is the recommended approach when accommodating multiple auth providers with OAUTH2_PROXY: use AAD or AADB2C? That SUSI flow in AADB2C is pretty nice. Will it work with OAUTH2_PROXY?
(7) So if we install OAUTH2_PROXY as a service for Ingress, how does my front end WebApp get all that nice information about the user like the custom user attributes that I defined in AADB2C and the OID that I need for RLS (row level security)?
Fri Jun 26 2020 Update
Since you are using asp.net core app to integrate with AAD B2C, you can refer microsoft-identity-web. In the readme section, you will find link to official samples which covers most of the common scenario. Though I am not sure about the specific scenario you have, but here is a generic asp.net core sample for B2C.
Please explain why you believe this approach of implementing Authentication (and Authorization) with a normal web app is a viable approach with Kubernetes (and specifically Kubernetes load balancers). (I assume you are familiar with the Kubernetes replica set feature that will create new instances of a web app on demand to deal with increasing web traffic and the kubernetes load balancer that distribute the traffic accordingly). Suppose I point my browser at a WebApp behind a load balancer and successfully become authenticated and I now have a cookie or (more likely) a JWT that contains my OID from AAD and then I click on a link local to that URL and I the load balancer shuffles me off to different instance of that WebApp with which I do not have a session? How will this other instance of the WebApp know my OID and that I have already authenticated?
Please(!) correct me if I am wrong but I don't think this approach is viable because there is no way for the other instance of the authenticating webapp to know that I am already authenticated.
This is why we use the OAUTH2_PROXY which is a plug-in to the Ingress/NGINX load balancer.
I assume you would expose a public endpoint for the Kubernetes service using ingress controllers? There is also Application Gateway Ingress Controller which is native in Azure. I don't think you would need OAUTH2_PROXY, however if you are specifically looking for leveraging OAUTH2_PROXY, please let us know and we will try to find answer which might take us some time.
Well I was assuming that Microsoft Azure had a preferred (and supported) solution to this problem of using AADB2C to authenticate public users to access Kubernetes clusters.
I also assumed it was not OAUTH2_PROXY because OAUTH2_PROXY does not use AADB2C (only AAD) so I cannot use my AADB2C signin-signup (and other) flows.
As per your link to ingress-controller-overview I assumed that AGIC was the official Microsoft Solution but when I visited tutorial-ingress-controller-add-on-new I could find no instructions or tutorial on using AADB2C with AGIC. Please point me to these tutorials and instructions.
Again: How do I implement OAuth Authentication Code Flow/OPENIDConnect using AAD (preferably with AADB2C) with a Kuberetes Cluster so that the Ingress load balancer passes along the OID to the back end so I can use it for row level authentication? Can this be done with AGIC? Can this be done with OAUTH2_Proxy? (Judging by the OAUTH2_PROXY documentation, it looks like I have to make a choice between AAD and OPENIDConnect but it is not clear and I could not find an example). Do I use something else? Where are the instructions, tutorials and examples?
I'm thinking that surely I'm not the only developer to want to do this. It must be extremely common.
Tue Jun 30 2020 Update
OK, that idea to cache sounds like it would work with an exposed K8 replica set. What options do I have? REDIS? MSQLSVR? Any others?
I'm trying it out now and having some difficulties enhancing 4-2-B2C. Here is my attempt to cache with MS SQL SVR/LocalDB:
The original startup.cs code looks like this:
services.AddWebAppCallsProtectedWebApi(Configuration, new string[] {
Configuration["TodoList:TodoListScope"] },
configSectionName: "AzureAdB2C")
.AddInMemoryTokenCaches()
;
This works (but of course, does not implement caching suitable for a K8 replica set).
This latest attempt is not crashing:
services.AddWebAppCallsProtectedWebApi(Configuration, new string[] {
Configuration["TodoList:TodoListScope"] },
configSectionName: "AzureAdB2C")
.AddDistributedSqlServerCache(options => { options.ConnectionString = Configuration["DistCache_ConnectionString"]; options.SchemaName = "dbo"; options.TableName = "Tokens"; })
.AddSessionTokenCaches()
.AddSessionAppTokenCache()
.AddInMemoryTokenCaches()
;
Some of these calls looked redundant and experimented with removing the redundancies but no success. I was surprised that it crashed in startup whenever I removed the call to AddInMemoryTokenCaches.
I have added this to the appsettings.json:
"ConnectionStrings": {
"DefaultConnection": "Server=(localdb)\MSSQLLocalDB;Database=DistCacheToDoList; MultipleActiveResultSets=true"
},
I have created a database in localdb called DistCacheToDoList.
I have executed the following commands:
pushd ${SRCROOT}/active-directory-aspnetcore-webapp-openidconnect-v2/4-WebApp-your-API/4-2-B2C/Client
dotnet add package Microsoft.Extensions.Caching.SqlServer --version 3.0.0
dotnet tool uninstall --global dotnet-sql-cache
dotnet tool install --global dotnet-sql-cache --version 3.0.0
dotnet sql-cache create "Server=(localdb)\MSSQLLocalDB;Database=DistCacheToDoList" "dbo" "Tokens"
(I borrowed these from another tutorial on Session Caching).
So now I log out of my web site at https://localhost:5000 and log in again and use SSMS to dump my localdb table called tokens and nothing appears.
Should it not be creating entries in there when I log in?
Should I be able to see them with SSMS SQL queries?