Quickly and easily add authentication to your DotNet application.

Prerequisites

This guide assumes you’ve already set up your application in the Kenni developer portal.
Create an Application
This guide also assumes you already have an up and running DotNet (MVC) application.

Register Kenni as your application’s OIDC provider

Add the following code to your application’s Program.cs:
```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

builder.Services
    .AddAuthentication(options =>
    {
        // The signed-in session lives in a cookie; unauthenticated requests are
        // challenged by redirecting the browser to Kenni via the OIDC handler below.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Must be the same name that is passed to AddOpenIdConnect ("oidc" here).
        // OpenIdConnectDefaults.AuthenticationScheme is "OpenIdConnect", which would
        // not resolve to a registered handler when the scheme is named "oidc".
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie()
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = builder.Configuration["Kenni:Authority"];
        options.ClientId = builder.Configuration["Kenni:ClientId"];
        options.ClientSecret = builder.Configuration["Kenni:ClientSecret"];
        // Authorization code flow: the code is redeemed server-side, so tokens
        // never pass through the browser.
        options.ResponseType = "code";
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("national_id");
        // Only request an API scope when one is configured.
        var apiScope = builder.Configuration["Kenni:ApiScope"];
        if (apiScope != null)
        {
            options.Scope.Add(apiScope);
        }
        // Persist the ID and access tokens in the authentication cookie so they
        // can later be read with HttpContext.GetTokenAsync.
        options.SaveTokens = true;
    });
```
Naming the authentication scheme "oidc" is optional, but it is useful when your application defines multiple authentication schemes, for example when API routes with JWT Bearer authentication live in the same application. Whatever name you choose, the default challenge scheme must match it: if you omit the name, the handler registers under OpenIdConnectDefaults.AuthenticationScheme instead.

Use your application’s details

💡
All required values in this section can be found in the overview tab of your application in the Kenni Developer Portal.
This guide makes no assumptions about how your application stores its secrets, but for this example (running locally) we’ve used DotNet’s user-secrets store, to which values can be added like so: dotnet user-secrets set "Kenni:Authority" "https://idp.kenni.is/your-domain".
Add an appropriate value for Kenni:Authority. This will be your team’s issuer, and would look something like: https://idp.kenni.is/your-domain.
Add appropriate values for Kenni:ClientId and Kenni:ClientSecret.
Optionally, add an appropriate value for Kenni:ApiScope, or omit it entirely. It is required only if your application needs JWT Bearer access tokens issued for an API. For more information regarding API scopes, see Authorizing API scopes.

Setting the redirect-uri in production environments

If, for whatever reason, the base URL of your application cannot be inferred in production environments, you may need to read the redirect URI from your environment configuration in order to override the value passed as the redirect_uri authorization parameter. To achieve this, add the following inside the AddOpenIdConnect options, replacing the RedirectUri value with your own:
```csharp
// Runs just before the browser is redirected to Kenni; the value set here is
// also the redirect_uri used when the authorization code is redeemed.
options.Events.OnRedirectToIdentityProvider = ctx =>
{
    ctx.ProtocolMessage.RedirectUri = "https://my-awesome-app.is/signin-oidc";
    return Task.CompletedTask;
};
```
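A variant of the override above that reads the value from configuration and checks it before use, added here as an example and not code from the Kenni guide or its sample repository. The configuration key Kenni:RedirectUri and the host my-awesome-app.is are assumptions; the snippet belongs inside the AddOpenIdConnect options callback in Program.cs, where `builder` and `options` are in scope.

```csharp
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

// Inside .AddOpenIdConnect("oidc", options => { ... }) in Program.cs.
// "Kenni:RedirectUri" is an assumed configuration key, not one the guide defines.
var configuredRedirectUri = builder.Configuration["Kenni:RedirectUri"];

options.Events.OnRedirectToIdentityProvider = ctx =>
{
    if (!string.IsNullOrWhiteSpace(configuredRedirectUri))
    {
        // Fail fast on a malformed or non-https override instead of sending an
        // authorization request the provider will reject or that would return the
        // code over plaintext.
        if (!Uri.TryCreate(configuredRedirectUri, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps)
        {
            throw new InvalidOperationException(
                "Kenni:RedirectUri must be an absolute https URL, " +
                "e.g. https://my-awesome-app.is/signin-oidc");
        }

        // The path must still be the handler's callback path (default "/signin-oidc"),
        // otherwise the provider's response never reaches the OIDC middleware.
        if (uri.AbsolutePath != options.CallbackPath.Value)
        {
            throw new InvalidOperationException(
                $"Kenni:RedirectUri path must be {options.CallbackPath.Value}");
        }

        ctx.ProtocolMessage.RedirectUri = uri.AbsoluteUri;
    }

    // With no override configured, the redirect_uri inferred from the request is kept.
    return Task.CompletedTask;
};
```

The checks run on every challenge rather than once at startup, so a bad value surfaces as a 500 on the first login attempt; moving the validation to startup is a reasonable alternative if you prefer the application to refuse to boot with a misconfigured redirect URI.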

Accessing tokens and user claims in controllers

User claims can be read from the User claims principal in MVC controllers. Both the ID token and the access token can be read from the current request’s HttpContext.
💡
Important! To keep the session cookie’s payload small, the access and ID tokens are by default not retrievable from the request’s HttpContext. For this to work, the options.SaveTokens = true; line from the code sample above is required.
For example:
```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Action method inside an MVC controller. Authenticating with the "oidc" scheme
// forwards to the cookie scheme it signed in with, so both the principal and the
// saved tokens come from the session cookie.
[Authorize(AuthenticationSchemes = "oidc")]
public async Task<IActionResult> LoggedIn()
{
    // Claims from the ID token are available on the User principal.
    ViewData["NationalID"] = User.FindFirstValue("national_id");
    ViewData["Name"] = User.FindFirstValue("name");

    // Only available because options.SaveTokens = true was set in Program.cs.
    var token = await HttpContext.GetTokenAsync("oidc", "access_token");
    ViewData["AccessToken"] = token;
    return View();
}
```
The example above is for demonstration purposes only; we do not recommend adding the access token to ViewData.
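The pattern we would recommend instead, as an added example rather than code from the Kenni guide or its sample repository: keep the access token server-side, check that it is present and unexpired, and attach it only to the outgoing API call. The controller name ProfileController, the named HttpClient "kenni-api" (assumed to be registered with AddHttpClient in Program.cs and pointed at the API that accepts the Kenni:ApiScope token) and the relative path "orders" are assumptions. The "expires_at" token name is what the OIDC handler stores alongside the tokens when SaveTokens is enabled.

```csharp
using System.Globalization;
using System.Net;
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Assumed registration in Program.cs (placeholder base address):
//   builder.Services.AddHttpClient("kenni-api",
//       c => c.BaseAddress = new Uri("https://api.example.is/"));
public class ProfileController : Controller
{
    private readonly IHttpClientFactory _httpClientFactory;

    public ProfileController(IHttpClientFactory httpClientFactory)
    {
        _httpClientFactory = httpClientFactory;
    }

    [Authorize(AuthenticationSchemes = "oidc")]
    public async Task<IActionResult> Orders(CancellationToken cancellationToken)
    {
        // Both values exist only when options.SaveTokens = true. The handler stores
        // "expires_at" as an ISO 8601 round-trip ("o") timestamp next to the tokens.
        var accessToken = await HttpContext.GetTokenAsync("oidc", "access_token");
        var expiresAt = await HttpContext.GetTokenAsync("oidc", "expires_at");

        if (string.IsNullOrEmpty(accessToken) || IsExpired(expiresAt))
        {
            // No usable token: start a fresh sign-in rather than calling the API
            // with a missing or stale credential.
            return Challenge(
                new AuthenticationProperties { RedirectUri = Request.Path },
                "oidc");
        }

        // The token travels only in the Authorization header of this server-side
        // request; it is never placed in ViewData, a view model or a browser cookie.
        var client = _httpClientFactory.CreateClient("kenni-api");
        using var request = new HttpRequestMessage(HttpMethod.Get, "orders");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using var response = await client.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // The API rejected the token (revoked, wrong audience, ...): re-authenticate.
            return Challenge(
                new AuthenticationProperties { RedirectUri = Request.Path },
                "oidc");
        }
        response.EnsureSuccessStatusCode();

        // Only the API's response, not the credential used to fetch it, reaches the view.
        ViewData["Orders"] = await response.Content.ReadAsStringAsync(cancellationToken);
        return View();
    }

    // A missing or unparsable expiry counts as expired; a small skew margin avoids
    // sending a token that expires while the request is in flight.
    internal static bool IsExpired(string? expiresAt, TimeSpan? skew = null)
    {
        if (!DateTimeOffset.TryParse(expiresAt, CultureInfo.InvariantCulture,
                DateTimeStyles.RoundtripKind, out var expiry))
        {
            return true;
        }

        return expiry <= DateTimeOffset.UtcNow.Add(skew ?? TimeSpan.FromMinutes(1));
    }
}
```

If User.FindFirstValue("name") in the earlier sample comes back null, the likely cause is the OIDC handler's default inbound claim-type mapping, which renames the JWT "name" claim to ClaimTypes.Name; setting options.MapInboundClaims = false in the AddOpenIdConnect options keeps the raw claim names from the ID token, while "national_id" is unaffected either way because it is not in the default map.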

View complete integration

Visit our GitHub repository for a complete DotNet MVC integration sample.