Microsoft-identity-web: Is this supposed to replace Microsoft.AspNetCore.Authentication.AzureAD.UI?

Created on 30 Jun 2020  路  7Comments  路  Source: AzureAD/microsoft-identity-web

There is no "Issue Type" for a question so I apologize that this is listed as "enhancement" (please consider adding a Question type).

With so many Authentication/Identity nuget packages from Microsoft for .NET Core, it is _extremely confusing and frustrating_ to feel confident on which one to use:

  • Microsoft.AspNetCore.Authentication.AzureAD.UI
  • Microsoft.AspNetCore.Authentication.JwtBearer
  • Microsoft.AspNetCore.Identity
  • Microsoft.AspNetCore.Identity.UI
  • Microsoft.Extensions.Identity.Core
  • Microsoft.IdentityModel
  • Microsoft.IdentityModel.Tokens
  • Microsoft.IdentityModel.JsonWebTokens
  • Microsoft.Identity.Client
  • Microsoft.Identity.Web (this one)
  • System.IdentityModel.Tokens.Jwt

I'm using .NET Core 3.1.5 and have 2 types of Authentication for my API: AzureAD and custom JWT authentication.

I previously used a combination of the following to implement both forms of Auth (AzureAD and custom JWT):

I'm confused as to what I should be using now that Microsoft.Identity.Web has been released. Is this supposed to replace Microsoft.AspNetCore.Authentication.AzureAD.UI for using authentication via AzureAD Bearer Token?

Answered question

Most helpful comment

@udlose : yes, when Microsoft.Identity.Web releases this will be the solution of choice for these scenarios (both Web apps that sign-in users, (and call or not Web APIs), and protected Web APis (that call or not downstreams APIs)

High level APIs

Old stack | New Stack | Usage
---- | ----- | ------
Microsoft.AspNetCore.Authentication.AzureAD.UI | Microsoft.Identity.Web | Sign-in users and protect Web APIs with Azure active directory

ASP.NET Core

  • Microsoft.AspNetCore.Authentication.JwtBearer
  • Microsoft.Extensions.Identity.Core

Token validation (used in Web APIs)

  • Microsoft.IdentityModel
  • Microsoft.IdentityModel.Tokens
  • Microsoft.IdentityModel.JsonWebTokens
  • System.IdentityModel.Tokens.Jwt (old stack, I believe)

MSAL.NET (used to acquire tokens to call a protected API)

  • Microsoft.Identity.Client

*I believe that the following are for Identity Server.

  • Microsoft.AspNetCore.Identity
  • Microsoft.AspNetCore.Identity.UI

cc: @Tratcher to confirm or explain better

All 7 comments

@udlose : yes, when Microsoft.Identity.Web releases this will be the solution of choice for these scenarios (both Web apps that sign-in users, (and call or not Web APIs), and protected Web APis (that call or not downstreams APIs)

High level APIs

Old stack | New Stack | Usage
---- | ----- | ------
Microsoft.AspNetCore.Authentication.AzureAD.UI | Microsoft.Identity.Web | Sign-in users and protect Web APIs with Azure active directory

ASP.NET Core

  • Microsoft.AspNetCore.Authentication.JwtBearer
  • Microsoft.Extensions.Identity.Core

Token validation (used in Web APIs)

  • Microsoft.IdentityModel
  • Microsoft.IdentityModel.Tokens
  • Microsoft.IdentityModel.JsonWebTokens
  • System.IdentityModel.Tokens.Jwt (old stack, I believe)

MSAL.NET (used to acquire tokens to call a protected API)

  • Microsoft.Identity.Client

*I believe that the following are for Identity Server.

  • Microsoft.AspNetCore.Identity
  • Microsoft.AspNetCore.Identity.UI

cc: @Tratcher to confirm or explain better

*I believe that the following are for Identity Server.

  • Microsoft.AspNetCore.Identity
  • Microsoft.AspNetCore.Identity.UI

These refer to the ASP.NET Core Identity framework that manages identities locally in an application.
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio

@jmprieur @Tratcher thank you for the clarification! Jean-Marc that was exactly the kind of detailed answer I was looking for. This clarifies things quite nicely.

One challenge with the nuget packages where functionality is moved from one to another - e.g. Microsoft.Extensions.Caching.Redis => Microsoft.Extensions.Caching.StackExchangeRedis is the old ones are not marked as Deprecated and it is sometimes only by happenstance that you find out you should be migrating from the old to the new. Do you plan on marking the Microsoft.AspNetCore.Authentication.AzureAD.UI as Deprecated once the Release version for Microsoft.Identity.Web is released?

Yes, Microsoft.AspNetCore.Authentication.AzureAD.UI will be marked as Obsolete in the 5.0 release.

Thanks @udlose
that's a question for @Tratcher and @blowdart

Is there an example of how to configure a web application with a local user repo and with Azure Ad as the only/main login provider? I tried a few combinations of the config below with my Azure settings in appsettings, but was never able to register/login with my Azure user.

services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(
                    Configuration.GetConnectionString("DefaultConnection")));
services.AddDefaultIdentity<IdentityUser>()
                .AddEntityFrameworkStores<ApplicationDbContext>();
services.AddMicrosoftIdentityWebAppAuthentication(Configuration)
            services.AddControllersWithViews()
                .AddMicrosoftIdentityUI();

Thanks

@destacey

That's not how ASP.NET identity works with external login providers, it's always going to prefer a user login.

Identity.Web is for no local user repos.

Finally, please don't respond to issues that are long closed, it's unlikely people will see your post in any triage process.

Was this page helpful?
0 / 5 - 0 ratings