Orchardcore: Add an OpenID Connect client feature

Created on 22 Feb 2018 · 11 Comments · Source: OrchardCMS/OrchardCore

Hello,
I already have an IdentityServer4 configured.
How can I configure OrchardCore to use it?

Thanks

OpenId enhancement

All 11 comments

@PinpointTownes Can we? But please also advertise your solution here if you want.

Not currently, as we don't yet have an OIDC client story.

The long-term plan is to add this client authentication feature directly in the OpenID module but it's a pretty big task as we want to support many scenarios, including:

  • Targeting an arbitrary OIDC server like OpenIddict, IdSrv, Azure AD or any other standard-compliant deployment.
  • Targeting another tenant using the OpenID module with the server enabled (so necessarily OpenIddict).

Generally speaking, non-local authentication is still a TBD feature. We'll probably want to have dedicated Facebook, Google, Twitter, MSFT modules and support a variety of scenarios, like being able to use these providers as the unique source of truth (i.e. without any local users database).

I think I found a workaround by adding o.DefaultChallengeScheme = "oidc"; in services.AddAuthentication

and

    // Requires: Microsoft.AspNetCore.Identity, Microsoft.Extensions.DependencyInjection,
    // Microsoft.IdentityModel.Protocols.OpenIdConnect, Microsoft.IdentityModel.Tokens,
    // OrchardCore.Security, System.Security.Claims, System.Threading
    .AddOpenIdConnect("oidc", options =>
    {
        // Sign the OIDC principal into the Identity application cookie.
        options.SignInScheme = IdentityConstants.ApplicationScheme; //"Cookies";

        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false; // only for a local, non-HTTPS IdP

        options.ClientId = "OrchardClient";
        options.ClientSecret = "secret";
        options.ResponseType = OpenIdConnectResponseType.IdToken; // implicit flow, id_token only

        options.Scope.Add("roles");
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "name",
            RoleClaimType = "role"
        };

        // Runs after the id_token has been validated: looks up the ADMINISTRATOR role
        // and copies its permission claims onto every principal that signs in this way.
        options.Events.OnTokenValidated = async (ctx) =>
        {
            var roleClaimStore = ctx.HttpContext.RequestServices.GetService<IRoleClaimStore<IRole>>();
            var role = await roleClaimStore.FindByNameAsync("ADMINISTRATOR", CancellationToken.None);
            var claims = await roleClaimStore.GetClaimsAsync(role);
            ((ClaimsIdentity)ctx.Principal.Identity).AddClaims(claims);
        };
    });

to add the permissions as claims, see OnTokenValidated.
Do you think this should work? Or should I consider another approach?

That should certainly work (at least, for a personal project, because for the OrchardCore OpenID module, we'll need something more complex that supports multitenancy and loads settings via the site service).

Note: you don't need to set options.ClientSecret when using the implicit flow (options.ResponseType = OpenIdConnectResponseType.IdToken).
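An added example, not code from the thread or from OrchardCore, that registers the same OIDC client as the workaround above, drops the ClientSecret the reply says the id_token flow does not use, and maps only the roles the identity provider actually issued instead of copying the ADMINISTRATOR role's claims onto every signed-in user. It assumes the provider sends a "role" claim and that role names, upper-cased, match OrchardCore's normalized role names; "oidc", the authority URL and the client id are placeholders.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using OrchardCore.Security;

public static class OidcClientSetup
{
    // Call from ConfigureServices. Placeholders: "oidc", the authority and the client id.
    public static IServiceCollection AddOidcClient(this IServiceCollection services)
    {
        services.AddAuthentication(o => o.DefaultChallengeScheme = "oidc")
            .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = IdentityConstants.ApplicationScheme;
                options.Authority = "https://idp.example.test"; // placeholder
                options.ClientId = "OrchardClient";
                // id_token implicit flow: no ClientSecret is needed.
                options.ResponseType = OpenIdConnectResponseType.IdToken;
                options.Scope.Add("roles");
                options.GetClaimsFromUserInfoEndpoint = true;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = "name",
                    RoleClaimType = "role"
                };
                options.Events.OnTokenValidated = async ctx =>
                {
                    var identity = (ClaimsIdentity)ctx.Principal.Identity;
                    var roleStore = ctx.HttpContext.RequestServices
                        .GetRequiredService<IRoleClaimStore<IRole>>();
                    // Resolve only the roles the IdP put in the token to OrchardCore claims.
                    // Assumption: role names match OrchardCore's upper-case normalized names.
                    var issued = identity.FindAll(c => c.Type == "role" || c.Type == ClaimTypes.Role)
                        .Select(c => c.Value.ToUpperInvariant()).Distinct();
                    foreach (var roleName in issued)
                    {
                        var role = await roleStore.FindByNameAsync(roleName, CancellationToken.None);
                        if (role == null) continue; // unknown role: ignore rather than elevate
                        identity.AddClaims(await roleStore.GetClaimsAsync(role, CancellationToken.None));
                    }
                };
            });
        return services;
    }
}
```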

Whoah, I'm gunna need this in a couple months too!!!

Renaming this ticket to track the addition of an OIDC client feature.

Note: the token validation part is already tracked by https://github.com/OrchardCMS/OrchardCore/issues/1402.

I could contribute a PR for OpenIdConnect external provider. It depends on https://github.com/OrchardCMS/OrchardCore/pull/1481
For now I override the Users module and create a local user from the external provider if it does not exist, otherwise I link the local user with the oidc provider. It works for multiple tenants.

@MichaelPetrinolis thanks!

A few words about the scenarios we'd need to support:

  • Use multiple OIDC instances and allow the users to choose the one they want to authenticate (the approach used in the default ASP.NET Core templates).

  • Use a single OIDC instance as the unique authentication source (in this case, no account selection form should be required). That said, we'd probably need to keep the local login/password method active to ensure the admins can still log in even if the OIDC server no longer works.

As part of this task, we should also decide what we want to do for our social authentication story (e.g. Facebook/Google/Twitter): do we want to have dedicated packages for common providers? Or a single one? Or do we want to merge them in the OpenID module (not my preferred option)?

/cc @sebastienros

Hi @PinpointTownes,

I created PR #1622 that adds an OpenIdConnect provider.
I changed the AccountController and login view to support external authentication.
If the user is not found and the site allows user registration, it creates a user and associates the provideruserid.
Could not use Orchard as an external provider because it does not return an email claim to match the user.

Is this PR going in the right direction?

I understand that we should allow multiple OpenIdConnect providers from this module,
and add specific modules/features to support social authentication, is this correct?

/cc @sebastienros

Closing as the PR adding the OpenID client feature was merged. I opened https://github.com/OrchardCMS/OrchardCore/issues/2029 to track future work items.

@MichaelPetrinolis thanks for your contribution! :clap:
