How-To: Get Started with Oidc Authentication
OidcAuthenticationProvider
allows your users to sign in using their identities from a participating identity provider. It can wrap support for any OpenID Connect backend, such as IdentityServer into an implementation of IAuthenticationProvider
. This tutorial will use the OIDC authorization to validate user credentials.
Step-by-steps
Important
This guide assumes you used the template wizard or dotnet new unoapp
to create your solution. If not, it is recommended that you follow the instructions for creating an application from the template.
1. Prepare for OIDC authentication
For this type of authentication, the application must already be registered with the desired identity provider.
A client id (and client secret) will be provided to you.
Make sure
Uno.Extensions.Authentication.Oidc.WinUI
NuGet package is installed in your solution.
2. Set up OIDC authentication
Use the
UseAuthentication()
extension method to configure theIHostBuilder
to use an authentication provider. In our case, we will be using theOidcAuthenticationProvider
.private IHost Host { get; } protected override void OnLaunched(LaunchActivatedEventArgs args) { var builder = this.CreateBuilder(args) .Configure(host => { host .UseAuthentication(builder => { // Add the authentication provider here }); }); ...
Add the
OidcAuthenticationProvider
using theAddOidc()
extension method which configures theIAuthenticationBuilder
to use it.private IHost Host { get; } protected override void OnLaunched(LaunchActivatedEventArgs args) { var builder = this.CreateBuilder(args) .Configure(host => { host .UseAuthentication(builder => { builder.AddOidc(); }); }); ...
The
IAuthenticationBuilder
is responsible for managing the lifecycle of the associated provider that was built.Because it is configured to use OpenID Connect, the user will eventually be prompted to sign in to their identity provider account when they use your application.
OidcAuthenticationProvider
will then store the user's access token in credential storage. The token will be automatically refreshed when it expires.
3. Configure the OidcAuthenticationProvider
While the
AddOidc()
extension method will configure theIAuthenticationBuilder
to use theOidcAuthenticationProvider
, it will not configure the provider itself. TheOidcAuthenticationProvider
can be configured using a configuration section.We will use the default section name
Oidc
in this example:{ "Oidc": { "Authority": "https://demo.duendesoftware.com/", "ClientId": "interactive.confidential", "ClientSecret": "secret", "Scope": "openid profile email api offline_access", "RedirectUri": "oidc-auth://callback", } }
Authority
: The URL of the identity provider.ClientId
andClientSecret
: The client ID and client secret that were provided to you.Scope
: The scope of the access token.RedirectUri
: The URL that the identity provider will redirect to after the user has authenticated.
4. Use the provider in your application
Update the
MainPage
to include a button that will allow the user to sign in with your desired service.<Page x:Class="UnoOidcAuthentication.MainPage" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:local="using:UnoOidcAuthentication" xmlns:d="http://schemas.microsoft.com/expression/blend/2008" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="d"> <Grid Background="{ThemeResource ApplicationPageBackgroundThemeBrush}"> <Button x:Name="SignInButton" Content="Sign In" Command="{x:Bind ViewModel.Authenticate}" /> </Grid> </Page>
Update the
MainViewModel
to include a command that will allow the user to sign in with your desired service.public class MainViewModel : ObservableObject { private readonly IAuthenticationService _authenticationService; public MainViewModel(IAuthenticationService authenticationService) { _authenticationService = authenticationService; } public ICommand Authenticate => new AsyncRelayCommand(AuthenticateImpl); private async Task AuthenticateImpl() { await _authenticationService.LoginAsync(/* ... */); } }
Finally, we can pass the login credentials to the
LoginAsync()
method and authenticate with the identity provider. The user will be prompted to sign in to their account when they tap the button in the application.OidcAuthenticationProvider
will then store the user's access token in credential storage. The token will be automatically refreshed when it expires.