OidcProxy.Net.EntraId
4.0.0
dotnet add package OidcProxy.Net.EntraId --version 4.0.0
NuGet\Install-Package OidcProxy.Net.EntraId -Version 4.0.0
<PackageReference Include="OidcProxy.Net.EntraId" Version="4.0.0" />
paket add OidcProxy.Net.EntraId --version 4.0.0
#r "nuget: OidcProxy.Net.EntraId, 4.0.0"
// Install OidcProxy.Net.EntraId as a Cake Addin
#addin nuget:?package=OidcProxy.Net.EntraId&version=4.0.0
// Install OidcProxy.Net.EntraId as a Cake Tool
#tool nuget:?package=OidcProxy.Net.EntraId&version=4.0.0
OidcProxy.Net.EntraId
This package contains the software you need to implement the BFF Security Pattern. This software does three things:
- It manages the user session
- It allows the user to log into the site
- It forwards requests to downstream services and adds the Authorization header with the user's access token to those requests
OidcProxy.Net is a stateful reverse proxy. To forward requests to downstream services OidcProxy.Net uses YARP.
Currently, OidcProxy.Net supports logging in with Azure, Auth0, IdentityServer4, and any other OpenID Connect compliant authorization server. Only the Authorization Code flow with Proof Key for Code Exchange (PKCE) is currently supported.
Quickstart: Implementing the BFF Security Pattern
To build it, execute the following commands:
dotnet new web
dotnet add package OidcProxy.Net.EntraId
Create the following Program.cs file:
using OidcProxy.Net.EntraId;
using OidcProxy.Net.ModuleInitializers;

var builder = WebApplication.CreateBuilder(args);

var entraIdConfig = builder.Configuration
    .GetSection("OidcProxy")
    .Get<EntraIdProxyConfig>();

builder.Services.AddEntraIdProxy(entraIdConfig);

var app = builder.Build();

app.UseEntraIdProxy();
app.Run();
Create the following appsettings.json file:
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "EntraId": {
    "ClientId": "{yourClientId}",
    "ClientSecret": "{yourClientSecret}",
    "TenantId": "{yourTenantId}",
    "DiscoveryEndpoint": "https://login.microsoftonline.com/{yourTenantId}/v2.0/.well-known/openid-configuration",
    "Scopes": [
      "openid", "profile", "offline_access", "https://yourDomain.onmicrosoft.com/test/api1"
    ]
  },
  "AllowedHosts": "*",
  "OidcProxy": {
    "LandingPage": "/hello",
    "EntraId": {
      "ClientId": "{yourClientId}",
      "ClientSecret": "{yourClientSecret}",
      "Scopes": [
        "openid",
        "profile",
        "offline_access",
        "https://foo.onmicrosoft.com/api/test/weatherforecast.read"
      ]
    },
    "ReverseProxy": {
      "Routes": {
        "api": {
          "ClusterId": "api",
          "Match": {
            "Path": "/api/{*any}"
          }
        }
      },
      "Clusters": {
        "api": {
          "Destinations": {
            "api/node1": {
              "Address": "https://{your_api}/"
            }
          }
        }
      }
    }
  }
}
In this example we assume you are running a Single Page Application on localhost on port 4200 and an API on localhost on port 8080. If that is not the case, update the appsettings.json file accordingly. Keep the ClientSecret out of source control: during development, supply OidcProxy:EntraId:ClientSecret through dotnet user-secrets or an environment variable rather than committing it in appsettings.json.
To run it, type dotnet run or just hit the 'play' button in Visual Studio.
Endpoints
The proxy relays all requests as configured in the ReverseProxy section of the appsettings.json file, except for four endpoints:
[GET] /.auth/login
To log a user in and start an HTTP session, navigate to /.auth/login. The software redirects to the login page of the Identity Provider to log the user in. The resulting tokens are stored in the user session and are not available in the browser.
[GET] /.auth/login/callback
This endpoint is used by the Identity Provider.
[GET] /.auth/me
To see the logged-in user, navigate to the /.auth/me endpoint. It shows the claims that are in the id_token.
[GET] /.auth/end-session
To revoke the tokens obtained when the user logged in, send a GET request to the /.auth/end-session endpoint. This revokes the tokens stored in the user session but does not log the user out of the Identity Provider session; that must be implemented on the client side.
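The browser side of the endpoints above, as an added example that is not code from the OidcProxy.Net package: the SPA never handles a token, it only carries the proxy's session cookie, and logout is the two-step sequence the README describes (end-session on the proxy, then the Identity Provider's end_session_endpoint). It assumes that /.auth/me and proxied /api/ calls answer with a non-2xx status (401 for the API) when no session exists, and that the discovery document's end_session_endpoint is passed in by the caller.

```javascript
// Added example, not code from the OidcProxy.Net package: the browser side of the
// BFF pattern as described above. The SPA never sees a token; it only carries the
// proxy's session cookie, so every request is sent with credentials: "same-origin".
// Assumptions: /.auth/me and proxied /api/ calls answer with a non-2xx status
// (401 for the API) when no session exists; fetchImpl/navigate are injectable
// so the flow can be exercised without a browser.
const LOGIN = "/.auth/login";
const ME = "/.auth/me";
const END_SESSION = "/.auth/end-session";

// Returns the id_token claims that /.auth/me exposes, or null when not logged in.
async function getCurrentUser(fetchImpl = fetch) {
  const res = await fetchImpl(ME, { credentials: "same-origin" });
  return res.ok ? res.json() : null;
}

// Calls a downstream API through the proxy. The proxy attaches the Authorization
// header from its server-side session; the browser sends no bearer token itself.
// A 401 means there is no usable session, so the user is sent to /.auth/login.
async function callApi(path, fetchImpl = fetch, navigate = (u) => { location.href = u; }) {
  if (!path.startsWith("/api/")) {
    throw new Error("only /api/{*any} is routed by the ReverseProxy section");
  }
  const res = await fetchImpl(path, {
    credentials: "same-origin",
    headers: { Accept: "application/json" },
  });
  if (res.status === 401) {
    navigate(LOGIN);
    return null;
  }
  if (!res.ok) throw new Error(`API call failed with status ${res.status}`);
  return res.json();
}

// Logging out is two steps: /.auth/end-session revokes the tokens held in the
// proxy session, then the browser itself must visit the Identity Provider's
// end_session_endpoint (taken from the discovery document) to end the IdP session.
function buildIdpLogoutUrl(endSessionEndpoint, postLogoutRedirectUri) {
  const url = new URL(endSessionEndpoint);
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}

async function logout(endSessionEndpoint, postLogoutRedirectUri,
                      fetchImpl = fetch, navigate = (u) => { location.href = u; }) {
  await fetchImpl(END_SESSION, { credentials: "same-origin" });
  navigate(buildIdpLogoutUrl(endSessionEndpoint, postLogoutRedirectUri));
}
```

The post_logout_redirect_uri must be registered at the Identity Provider for the redirect after logout to be honoured.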
Issues
Are you encountering issues? Please let us know at: https://github.com/thecloudnativewebapp/OidcProxy.Net/issues
Product | Compatible and additional computed target framework versions
---|---
.NET | net8.0 is compatible; net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos and net8.0-windows were computed.
Dependencies (net8.0):
- IdentityModel.OidcClient (>= 6.0.0)
- OidcProxy.Net (>= 4.0.0)
- OidcProxy.Net.OpenIdConnect (>= 4.0.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories (1)
Showing the top 1 popular GitHub repositories that depend on OidcProxy.Net.EntraId:
Repository | Stars
---|---
oidcproxydotnet/OidcProxy.Net: An extendible framework for .NET to implement the BFF Security Pattern (a.k.a. Token Handler Pattern) in Single Page Applications |
Version | Downloads | Last updated |
---|---|---|
5.1.6 | 85 | 11/11/2024 |
5.1.5 | 249 | 9/14/2024 |
5.1.4 | 115 | 9/10/2024 |
5.1.3 | 458 | 8/19/2024 |
5.1.2 | 95 | 8/7/2024 |
5.1.1 | 84 | 8/2/2024 |
5.1.0 | 92 | 8/1/2024 |
5.0.1 | 139 | 7/10/2024 |
5.0.0 | 92 | 7/9/2024 |
4.0.0 | 132 | 7/3/2024 |
3.3.2 | 379 | 6/26/2024 |
3.3.1 | 289 | 6/14/2024 |
3.3.0 | 107 | 6/11/2024 |
3.2.2 | 170 | 5/21/2024 |
3.2.1 | 133 | 5/14/2024 |
3.0.0 | 229 | 5/4/2024 |
2.0.6 | 111 | 4/30/2024 |
2.0.5 | 91 | 4/29/2024 |
2.0.4 | 827 | 3/28/2024 |
2.0.3 | 117 | 3/27/2024 |
2.0.2 | 161 | 3/13/2024 |
2.0.1 | 123 | 2/29/2024 |
2.0.0 | 132 | 2/26/2024 |
1.3.1 | 147 | 2/19/2024 |
1.3.0 | 128 | 2/14/2024 |
1.2.0 | 114 | 2/5/2024 |
1.1.2 | 110 | 2/3/2024 |
1.1.1 | 120 | 1/31/2024 |
1.0.0 | 130 | 1/22/2024 |
Enhancements
- Implemented RS256 signature verification
- Implemented HS256 signature verification
Fixes
- Removed scope parameter from Token request
- Added scope parameter to Token request when refreshing the token
Breaking changes
- DefaultAuthenticationCallbackHandler.OnAuthenticationFailed returns a 401 when authentication fails instead of redirecting.
- Moved OidcProxy.Net.OpenIdConnect.JweParser to OidcProxy.Net.Jwt.JweParser. Removed options parameter from constructor.
- Moved OidcProxy.Net.OpenIdConnect.ITokenParser to OidcProxy.Net.Jwt.ITokenParser.
- Renamed JwtParser.ParseAccessToken to JwtParser.ParseJwtPayload
- Renamed options.UseJweKey to options.UseEncryptionKey
- Renamed and moved OidcProxy.Net.OpenIdConnect.Jwe.EncryptionKey to OidcProxy.Net.Cryptography.SymmetricKey
- Renamed and moved OidcProxy.Net.OpenIdConnect.IJweEncryptionKey to OidcProxy.Net.Cryptography.IEncryptionKey
- Renamed and moved OidcProxy.Net.OpenIdConnect.Jwe.EncryptionCertificate to OidcProxy.Net.Cryptography.SslCertificate
- Removed OidcProxyAuthenticationHandler