Quickly and easily add authentication to your DotNet application.
Prerequisites
This guide assumes you've already set up your application in the Kenni developer portal (see Create an Application). It also assumes you already have an up-and-running DotNet (MVC) application.
Register Kenni as your application’s OIDC provider
Add the following code to your application's Program.cs (it requires the Microsoft.AspNetCore.Authentication.OpenIdConnect package):

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

builder.Services
    .AddAuthentication(options =>
    {
        // The signed-in session lives in a cookie; unauthenticated requests are challenged via Kenni.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Must match the scheme name passed to AddOpenIdConnect below.
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie()
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = builder.Configuration["Kenni:Authority"];
        options.ClientId = builder.Configuration["Kenni:ClientId"];
        options.ClientSecret = builder.Configuration["Kenni:ClientSecret"];
        // Authorization code flow; ASP.NET Core enables PKCE by default for "code".
        options.ResponseType = "code";
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("national_id");
        // Only request an API scope when one is configured (see "Use your application's details").
        var apiScope = builder.Configuration["Kenni:ApiScope"];
        if (apiScope != null)
        {
            options.Scope.Add(apiScope);
        }
        // Store the ID and access tokens in the session cookie so controllers can read them.
        options.SaveTokens = true;
    });
```

Make sure the request pipeline also calls app.UseAuthentication() before app.UseAuthorization(); without them the [Authorize] attributes used below will not trigger a sign-in.

Naming the scheme "oidc" is optional, but it is useful when your application has multiple authentication schemes, for example API routes in the same application that use JWT Bearer authentication. If you do name the scheme, use that same name as the DefaultChallengeScheme (as above); the OpenIdConnectDefaults.AuthenticationScheme constant only matches when AddOpenIdConnect is called without a name, and a mismatch fails at challenge time with "no authentication handler is registered" for the default scheme.
Use your application's details
All required values in this section can be found in the overview tab of your application in the Kenni Developer Portal.
This guide makes no assumptions about how your application stores its secrets. For this example (running locally) we used DotNet's user-secrets store, to which a value is added like this:

```shell
dotnet user-secrets set "Kenni:Authority" "https://idp.kenni.is/your-domain"
```

The user-secrets store is intended for local development only. In production, supply Kenni:ClientSecret through environment variables or a secret manager, and never commit it to source control.

1. Add an appropriate value for Kenni:Authority. This is your team's issuer and looks something like https://idp.kenni.is/your-domain.
2. Add appropriate values for Kenni:ClientId and Kenni:ClientSecret.
3. Optionally, add an appropriate value for Kenni:ApiScope, or omit it entirely. It is required if your application needs JWT Bearer access tokens to be issued. For more information regarding API scopes, see Authorizing API scopes.

Setting the redirect URI in production environments
If for whatever reason the base URL of your application cannot be inferred in production (typically because it runs behind a reverse proxy that terminates TLS), you may need to read the redirect URI from your environment and override the value passed as the redirect_uri authorization parameter. Configuring the forwarded-headers middleware (app.UseForwardedHeaders()) so that scheme and host are inferred correctly is usually the better fix. If you do override the value, add the following to the AddOpenIdConnect options, replacing the URL with the appropriate value. It must exactly match a redirect URI registered for your application, otherwise the authorization request is rejected:

```csharp
options.Events.OnRedirectToIdentityProvider = ctx =>
{
    // Overrides only the redirect_uri sent to Kenni; the callback path served by the
    // handler stays at its default, /signin-oidc.
    ctx.ProtocolMessage.RedirectUri = "https://my-awesome-app.is/signin-oidc";
    return Task.CompletedTask;
};
```
Accessing tokens and user claims in controllers
User claims can be read from the User claims principal in MVC controllers. Both the ID token and the access token can be read from the current request's HttpContext.

Important! To keep the session cookie's payload small, access and ID tokens are by default not retrievable from the request's HttpContext. For this to work, the options.SaveTokens = true; line from the code sample above is required. For example:

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize(AuthenticationSchemes = "oidc")]
public async Task<IActionResult> LoggedIn()
{
    // Claims issued for the signed-in user.
    ViewData["NationalID"] = User.FindFirstValue("national_id");
    ViewData["Name"] = User.FindFirstValue("name");
    // Only available because SaveTokens = true stored the token in the session cookie.
    var token = await HttpContext.GetTokenAsync("oidc", "access_token");
    ViewData["AccessToken"] = token;
    return View();
}
```
The example above is for demonstration purposes only; we do not recommend adding the access token to ViewData. Rendering it in a view exposes it to the browser and to any script running there. Keep the token server-side and send it only to the API it was issued for.

View complete integration
Visit our Github repository for a complete DotNet MVC integration sample.
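As an added example (not from the Kenni documentation or the sample repository), here is one way to use the saved access token server-side against an API instead of handing it to the view: a DelegatingHandler that reads the token and its expiry from the session and attaches it as a Bearer header, the service registration for a named HttpClient that uses it, and a controller action that calls the API through that client. It assumes the "oidc" scheme and options.SaveTokens = true from the Program.cs above; the Kenni:ApiBaseUrl setting, the "kenni-api" client name and the /me endpoint are placeholders invented for this example.

```csharp
// Added example, not part of the Kenni documentation or sample repository.
// Assumes the "oidc" scheme and options.SaveTokens = true from Program.cs above.
using System.Globalization;
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Attaches the signed-in user's access token to outgoing API requests.
public class KenniAccessTokenHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;

    public KenniAccessTokenHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var http = _accessor.HttpContext
            ?? throw new InvalidOperationException("No HttpContext; handler used outside a request.");

        // Both values are stored in the session cookie by the OIDC handler when SaveTokens = true.
        var accessToken = await http.GetTokenAsync("oidc", "access_token");
        var expiresAt = await http.GetTokenAsync("oidc", "expires_at");

        if (string.IsNullOrEmpty(accessToken))
        {
            throw new InvalidOperationException(
                "No access token in session; check SaveTokens and that Kenni:ApiScope is configured.");
        }

        // expires_at is stored as an ISO 8601 timestamp. Refuse a token that is (almost) expired
        // rather than sending a request the API will reject with 401.
        if (expiresAt is not null
            && DateTimeOffset.Parse(expiresAt, CultureInfo.InvariantCulture)
               <= DateTimeOffset.UtcNow.AddSeconds(30))
        {
            throw new InvalidOperationException("Access token expired; the user must sign in again.");
        }

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return await base.SendAsync(request, cancellationToken);
    }
}

public static class KenniApiClientExtensions
{
    // Call from Program.cs: builder.Services.AddKenniApiClient(builder.Configuration);
    // "Kenni:ApiBaseUrl" and the client name "kenni-api" are placeholders for this example.
    public static IServiceCollection AddKenniApiClient(this IServiceCollection services, IConfiguration config)
    {
        services.AddHttpContextAccessor();
        services.AddTransient<KenniAccessTokenHandler>();
        services.AddHttpClient("kenni-api", client =>
                client.BaseAddress = new Uri(config["Kenni:ApiBaseUrl"]
                    ?? throw new InvalidOperationException("Kenni:ApiBaseUrl is not configured.")))
            .AddHttpMessageHandler<KenniAccessTokenHandler>();
        return services;
    }
}

public class ApiController : Controller
{
    private readonly IHttpClientFactory _clients;

    public ApiController(IHttpClientFactory clients) => _clients = clients;

    [Authorize(AuthenticationSchemes = "oidc")]
    public async Task<IActionResult> Profile(CancellationToken cancellationToken)
    {
        var client = _clients.CreateClient("kenni-api");
        // "/me" is a hypothetical endpoint on your own API that validates the Bearer token.
        using var response = await client.GetAsync("/me", cancellationToken);
        if (!response.IsSuccessStatusCode)
        {
            return StatusCode((int)response.StatusCode);
        }
        // The token never reaches the view; only the API's response does.
        ViewData["Profile"] = await response.Content.ReadAsStringAsync(cancellationToken);
        return View();
    }
}
```

The handler deliberately throws rather than silently sending an unauthenticated request, so a missing or expired token surfaces as a server-side error instead of a confusing 401 from the API; if Kenni issues refresh tokens for your client, the expiry branch is where a refresh would go.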