CyberArk Identity

CyberArk Identity and OIDC (OpenID Connect) in ASP.NET Core 7.0 Application - Part 1: Authentication

Prudhvi Keertipati

Prudhvi Keertipati

5 min read
CyberArk Identity and OIDC (OpenID Connect) in ASP.NET Core 7.0 Application - Part 1: Authentication

In this tutorial, will demonstrate how quickly and securely setup user authentication with CyberArk Identity and OIDC (OpenID Connect) in ASP.NET Core 7.0 web application.

Prerequisites

  • Visual Studio Code or any IDE that supports ASP.NET application
  • .NET 7.0 SDK
  • CyberArk Identity

Demo

Create a Web App in CyberArk Identity

Log in to CyberArk Identity Admin Portal and Navigate to App & Widgets -> Web Apps menu, then click on Add Web Apps button.

On the Add Web Apps screen, choose Custom and click on Add button next to OpenID Connect. Click Yes on confirmation and click close.

Once closed, page will be redirected to Settings tab of OIDC application.

In Settings tab, Provide the Application ID, value must be unique across your CyberArk Identity tenant. Enter Application Name and click on Save.

Click on Trust tab, Under Identity Provider Configuration, enter OpenID Connect client secret.

Under Service Provider Configuration, Select Login initiated by the relying party (RP). Add Authorized redirect URIs value to https://localhost:7000/signin-oidc and add Post-logout redirect URIs value to https://localhost:7000/signout-callback-oidc, then click Save. These URI values align with what the ASP.NET Core OIDC middleware expects.

Click on Permissions tab, add a user or role or group and select Run access then click Save to deploy. For demonstration purpose, here I added Everybody role.

Once Web App is saved, Identity Provider metadata can be requested using the URI https://<tenant_url>/<application_id>/.well-known/openid-configuration. This metadata will provide the information of endpoints, supported response types, default scopes & claims, etc.,

Create and Configure ASP.NET Core 7.0 Application for Authentication

Microsoft article reference to create ASP.NET web app for authentication.

Open terminal and navigate to the location in which to create a new project. Enter the following commands to make a ASP.NET project and install the relevant packages.

dotnet new mvc -n identity-oidc

cd identity-oidc
dotnet add package Microsoft.Identity.Web.UI

Open the project in VS Code, edit appsettings.json file and replace the existing code with the following then replace the values with your tenant and application values.

{
  "cyberark": {
    "Authority": "https://<tenant_url>/<application_id>/",
    "ClientId": "<client_id>",
    "ClientSecret": "<client_secret>",
    "CallbackPath": "/signin-oidc",
    "SignedOutCallbackPath": "/signout-callback-oidc"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}

In the properties/launchSettings.json, In https section of profiles, change the https URL port to 7000 in applicationUrl to match the port in CyberArk Identity OIDC redirect URIs.

In the program.cs file, add the below code right before builder.Services.AddControllersWithViews(). CyberArk Identity by default issues openid and profile scopes in the token, here we are requesting an additional email scope.

builder.Services.AddAuthentication(options => {
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options => {
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.ClientId = builder.Configuration["cyberark:ClientId"];
    options.ClientSecret = builder.Configuration["cyberark:ClientSecret"];
    options.Authority = builder.Configuration["cyberark:Authority"];
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("email");
    options.SaveTokens = true;
});

builder.Services.AddAuthorization();

In the program.cs program.cs file, add the below two lines after app.UseRouting() for the app to use Authentication and Authorization.

app.UseAuthentication();
app.UseAuthorization();

Now that web app is configured to use CyberArk Identity as the OpenID Connect Identity Provider, add the necessary login and logout actions to the web app to actually utilize OpenID Connect for authentication.

Add a new controller called AccountController.cs with the following code: It has two actions SignIn() and SignOut().

using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

namespace identity_oidc.Controllers
{
  public class AccountController : Controller
  {
    public IActionResult SignIn()
    {
      if(!HttpContext.User.Identity.IsAuthenticated)
      {
        return Challenge(OpenIdConnectDefaults.AuthenticationScheme);
      }
      return RedirectToAction("Index", "Home");
    }

    public IActionResult SignOut()
    {
      return new SignOutResult(new[]
      {
        OpenIdConnectDefaults.AuthenticationScheme,
        CookieAuthenticationDefaults.AuthenticationScheme
      });
    }
  }
}

Now add the sign-in and sign-out user experiences. In the /Views/Shared folder, add a file called _LoginPartial.cshtml and add the following code:

@using System.Security.Principal

<ul class="navbar-nav">
@if (User.Identity is not null && User.Identity.IsAuthenticated)
{
    <li class="nav-item">
        <span class="nav-link text-dark">Hello @User.Claims.First(c => c.Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname").Value</span>
    </li>
    <li class="nav-item">
        <a class="nav-link text-dark" asp-controller="Account" asp-action="SignOut">Sign out</a>
    </li>
}
else
{
    <li class="nav-item">
        <a class="nav-link text-dark" asp-controller="Account" asp-action="SignIn">Sign in</a>
    </li>
}
</ul>

Next, add a reference to _LoginPartial in the _Layout.cshtml file. Place the below code after the navbar-collapse div class.

<partial name="_LoginPartial" />

Finally, to view the ID token claims add the below code: It will check that user is authenticated and list out the ID token claims.

@if (@User.Identity is not null && @User.Identity.IsAuthenticated)
{
   <p>You are signed in! Below are the claims in your ID token</p>
   <table>
      <tbody>
        @foreach (var item in @User.Claims)
          {
            <tr>
              <td>@item.Type</td>
              <td>@item.Value</td>
            </tr>
          }
     </tbody>
   </table>
}

Save all the code and return back to the terminal. Run the below command to launch the web application.

dotnet run --launch-profile https

Open a new private browser, and enter the application URL into the browser, in this case https://localhost:7000. Once successfully authenticated on CyberArk Identity, browser will be redirected to home page with returned user identity claims.

The final code for this post, can get it from GitHub.

Read more