You typically use the following two ASP.NET Core authentication handlers to implement remote authentication:
Furthermore the BFF plumbing relies on the configuration of the ASP.NET Core default authentication schemes. This describes how the two handlers share the work.
OpenID Connect for challenge and signout - cookies for all the other operations:
services.AddAuthentication(options =>
{
options.DefaultScheme = "cookie";
options.DefaultChallengeScheme = "oidc";
options.DefaultSignOutScheme = "oidc";
})
.AddCookie("cookie", options => { ... })
.AddOpenIdConnect("oidc", options => { ... });
The OIDC handler connects the application to the authentication / access token system.
The exact settings depend on the OIDC provider and its configuration settings. We recommend:
services.AddAuthentication().AddOpenIdConnect("oidc", options =>
{
options.Authority = "https://demo.duendesoftware.com";
// confidential client using code flow + PKCE
options.ClientId = "spa";
options.ClientSecret = "secret";
options.ResponseType = "code";
// query response type is compatible with strict SameSite mode
options.ResponseMode = "query";
// get claims without mappings
options.MapInboundClaims = false;
options.GetClaimsFromUserInfoEndpoint = true;
// save tokens into authentication session
// to enable automatic token management
options.SaveTokens = true;
// request scopes
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("api");
// and refresh token
options.Scope.Add("offline_access");
});
The OIDC handler will use the default sign-in handler (the cookie handler) to establish a session after successful validation of the OIDC response.
The cookie handler is responsible for establishing the session and manage authentication session related data.
Things to consider:
services.AddAuthentication().AddCookie("cookie", options =>
{
// set session lifetime
options.ExpireTimeSpan = TimeSpan.FromHours(8);
// sliding or absolute
options.SlidingExpiration = false;
// host prefixed cookie name
options.Cookie.Name = "__Host-spa";
// strict SameSite handling
options.Cookie.SameSite = SameSiteMode.Strict;
});