I can find examples for .Net 4.8 and Implicit Flow. I can find examples for .Net Web Forms Mvc and Authorization Code Flow. Is there an example for .Net 4.8 and Authorization Code Flow?
Thanks, John
Hello James!
I used the Auth Code flow with .NET 4.8 for a Web API call in this article I wrote on Alexa integration:
I started with this example from 2018, stripped out all the stuff that is not needed for a Visual Studio Web Site, and updated the code to use updated packages.
Secure Your ASP.NET Web Forms Application with OpenIDConnect and Okta
I am left with 3 packages that are not provided by Microsoft: IdentityModel, Newtonsoft.Json and Owin. Does this sound like a good solution for a production environment?
Here is what the code looks like using the new packages.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using IdentityModel.Client;
using Microsoft.AspNet.Identity;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Placeholders: load these from configuration rather than hard-coding them.
    private static readonly string _authority = "<authorization server URL>";
    private static readonly string _clientId = "<client id>";
    private static readonly string _clientSecret = "<client secret>";
    private static readonly string _redirectUri = "<redirect URI registered with the authorization server>";

    // One HttpClient for the back-channel calls; IdentityModel's request methods are extensions on it.
    static readonly HttpClient client = new HttpClient();

    public void Configuration(IAppBuilder app)
    {
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = _authority,
            ClientId = _clientId,
            ClientSecret = _clientSecret,
            RedirectUri = _redirectUri,
            ResponseType = OpenIdConnectResponseType.CodeIdToken, // GrantType.Hybrid: code + id_token on the front channel
            Scope = "openid profile email your_own_scopes",
            TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name" },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = async n => // Exchange code for access and ID tokens
                {
                    // back channel: auth server URL, client id, client secret and auth code -> access token
                    var tokenResponse = await client.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
                    {
                        Address = _authority + "/v1/token",
                        ClientId = _clientId,
                        ClientSecret = _clientSecret,
                        Code = n.Code,
                        RedirectUri = _redirectUri,
                        // CodeVerifier = "xyz" // optional PKCE parameter
                    });
                    if (tokenResponse.IsError)
                        throw new Exception(tokenResponse.Error);

                    // back channel: auth server URL and access token -> user claims from the userinfo endpoint
                    var userInfoResponse = await client.GetUserInfoAsync(new UserInfoRequest
                    {
                        Address = _authority + "/v1/userinfo",
                        Token = tokenResponse.AccessToken
                    });
                    if (userInfoResponse.IsError)
                        throw new Exception(userInfoResponse.Error);

                    var claims = new List<Claim>(userInfoResponse.Claims)
                    {
                        new Claim("id_token", tokenResponse.IdentityToken),
                        new Claim("access_token", tokenResponse.AccessToken)
                    };
                    n.AuthenticationTicket.Identity.AddClaims(claims);
                    // validate claims and use them as needed
                }
            }
        });
    }
}
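The commented-out CodeVerifier line is the only PKCE piece in the posted code; the verifier has to be created when the middleware builds the authorization request and recovered when the code comes back to the callback. The following is an added example, not code from this post or from the linked article: it assumes the Katana 4.x OpenID Connect middleware with Microsoft.IdentityModel.Protocols.OpenIdConnect, uses the hypothetical helper names PkceHelpers.AddCodeChallenge and TakeCodeVerifier, and keeps the verifier in a cookie protected by the middleware's StateDataFormat and named from the request's state value.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OpenIdConnect;
// Hypothetical helper class (added example): PKCE for the Katana OpenID Connect middleware.
public static class PkceHelpers
{
    // RedirectToIdentityProvider: add code_challenge to the authorization request and keep the
    // matching code_verifier in a protected, HttpOnly cookie whose name is derived from the state value.
    public static void AddCodeChallenge(
        RedirectToIdentityProviderNotification<OpenIdConnectMessage, OpenIdConnectAuthenticationOptions> n)
    {
        if (n.ProtocolMessage.RequestType != OpenIdConnectRequestType.Authentication) return;
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string verifier = Base64Url(bytes);                                       // 43-char code_verifier
        string challenge = Base64Url(Sha256(Encoding.ASCII.GetBytes(verifier)));  // S256 challenge
        n.ProtocolMessage.SetParameter("code_challenge", challenge);
        n.ProtocolMessage.SetParameter("code_challenge_method", "S256");

        var props = new AuthenticationProperties();
        props.Dictionary["code_verifier"] = verifier;
        n.Response.Cookies.Append(CookieName(n.ProtocolMessage.State),
            n.Options.StateDataFormat.Protect(props),   // signed and encrypted by the app's data protector
            new CookieOptions { HttpOnly = true, Secure = true, Expires = DateTime.UtcNow.AddMinutes(15) });
    }
    // AuthorizationCodeReceived: recover the verifier for AuthorizationCodeTokenRequest.CodeVerifier
    // and delete the one-shot cookie.
    public static string TakeCodeVerifier(AuthorizationCodeReceivedNotification n)
    {
        string key = CookieName(n.ProtocolMessage.State);
        string cookie = n.Request.Cookies[key];
        if (cookie == null) throw new InvalidOperationException("PKCE verifier cookie missing");
        n.Response.Cookies.Delete(key, new CookieOptions { HttpOnly = true, Secure = true });
        var props = n.Options.StateDataFormat.Unprotect(cookie);
        if (props == null || !props.Dictionary.TryGetValue("code_verifier", out string verifier))
            throw new InvalidOperationException("PKCE verifier cookie invalid");
        return verifier;
    }

    static string CookieName(string state) =>
        OpenIdConnectAuthenticationDefaults.CookiePrefix + "cv." + Base64Url(Sha256(Encoding.UTF8.GetBytes(state ?? "")));
    static byte[] Sha256(byte[] data) { using (var sha = SHA256.Create()) return sha.ComputeHash(data); }
    static string Base64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

Wire it into the options above with RedirectToIdentityProvider = n => { PkceHelpers.AddCodeChallenge(n); return Task.CompletedTask; } and pass CodeVerifier = PkceHelpers.TakeCodeVerifier(n) in the AuthorizationCodeTokenRequest. The authorization server then refuses to redeem a code unless the verifier matches the challenge it saw on the front channel, so a code captured from the redirect is useless on its own.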