Hybrid authentication in .net core with Open Id Connect and local database

Posted by 无人久伴 on 2019-12-02 06:13:53

You can use ASP.NET Identity to manage your local users in the database, and use Azure AD as an external identity provider, which enables AAD accounts to log in to your application. You can identify the Azure AD user and link it to a user in your local DB, so that you can also manage relationships/roles for both your local users and Azure AD users.

I will provide a simple code sample showing how to implement that feature:

  1. Create a new .NET Core application with ASP.NET Identity (Individual User Accounts template).

  2. Install the package: Microsoft.AspNetCore.Authentication.AzureAD.UI

  3. Modify Startup.cs to enable Azure AD authentication:

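    // Local users: ASP.NET Identity backed by EF Core / SQL Server.
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(
            Configuration.GetConnectionString("DefaultConnection")));
    services.AddDefaultIdentity<IdentityUser>()
        .AddEntityFrameworkStores<ApplicationDbContext>();

    // External users: Azure AD, bound from the "AzureAd" section of appsettings.json.
    // No default scheme is overridden here; AddDefaultIdentity has already set them.
    services.AddAuthentication()
        .AddAzureAD(options => Configuration.Bind("AzureAd", options))
        .AddCookie();
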
  4. Modify the appsettings.json to add the Azure AD app settings:

    "AzureAd": {
        "Instance": "https://login.microsoftonline.com/",
        "Domain": "xxx.onmicrosoft.com",
        "TenantId": "xxxxxx-xxxxx-4f08-b544-b1eb456f228d",
        "ClientId": "xxxxx-xxxxx-4717-9821-e4f718fbece4",
        "CallbackPath": "/signin-oidc",
        "CookieSchemeName": "Identity.External"
    },
    

Users can choose to log in with a local user or an AAD user during the login process.
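
As an added example (not part of the original answer), here is one way the external-login callback can link an Azure AD sign-in to a local ASP.NET Identity user, keyed on the provider key rather than on the email address. The class name `AadAccountLinker`, the claims consulted for the address, and the policy of refusing to auto-link when the email already belongs to a local account are assumptions.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical helper, not from the original answer.
public class AadAccountLinker
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public AadAccountLinker(SignInManager<IdentityUser> signInManager,
                            UserManager<IdentityUser> userManager)
    {
        _signInManager = signInManager;
        _userManager = userManager;
    }

    // Call from the external-login callback after Azure AD redirects back.
    // Returns the signed-in local user, or null when the caller must handle
    // the case itself (lockout, 2FA, or an account that needs manual linking).
    public async Task<IdentityUser> SignInOrLinkAsync()
    {
        // Reads the principal carried by the Identity.External cookie.
        ExternalLoginInfo info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) return null;

        // Existing link: looked up by (LoginProvider, ProviderKey), never by email.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: false);
        if (result.Succeeded)
            return await _userManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
        if (result.IsLockedOut || result.IsNotAllowed || result.RequiresTwoFactor) return null;

        // First sign-in. Which claim carries the address depends on the tenant (assumption).
        string email = info.Principal.FindFirstValue(ClaimTypes.Email)
                       ?? info.Principal.FindFirstValue(ClaimTypes.Upn);
        // An email match alone is not proof of ownership of the local account:
        // make that user sign in locally and link explicitly instead.
        if (email == null || await _userManager.FindByEmailAsync(email) != null) return null;

        var user = new IdentityUser { UserName = email, Email = email };
        if (!(await _userManager.CreateAsync(user)).Succeeded) return null;
        if (!(await _userManager.AddLoginAsync(user, info)).Succeeded) return null;

        await _signInManager.SignInAsync(user, isPersistent: false);
        return user;
    }
}
```

`AddLoginAsync` stores the provider name and key against the new user, so later sign-ins resolve through `ExternalLoginSignInAsync` and roles can be managed on the local user record as for any other account.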

You can use IdentityServer as a "federation gateway" which takes in a variety of authentication methods (Azure AD, local users, etc.) and exposes them as a single, uniform OpenID Connect server. This makes integration of new applications into your environment easy because they have a single view of a user and a single endpoint, and the "gateway" can have sole responsibility for wrangling authentication methods and protocols.

See this page for details on the pattern:

http://docs.identityserver.io/en/latest/topics/federation_gateway.html
