The Redakt Identity Server supports authentication via external identity providers. A separate NuGet package adds authentication for a number of popular OpenID Connect / OAuth2 identity providers. Others can be added through a custom implementation if required. Multiple OpenID Connect providers can be configured at the same time.

The Redakt OpenID Connect NuGet package supports the following OpenID Connect providers:

  • Google Identity: Sign in with Google (corporate) accounts. See here for OpenID Connect configuration of Google Identity.
  • Azure Active Directory: Sign in with Azure / Office 365 active directory accounts. See here for OpenID Connect configuration of Active Directory.
  • Generic OpenID Connect: Sign in with other OpenID Connect providers such as LinkedIn, Facebook, Slack, and Salesforce, through the discovery endpoint of the provider. See the provider's documentation for configuration instructions.

The Identity Server automatically sends the callback (redirect) URL to the provider, so that the browser is redirected back after sign-in is complete. However, most OpenID Connect providers require you to register this URL explicitly for security reasons. The callback URL is based on the Identity Server root URL. By default, with the back office installed in the same application, the callback path is /redakt/account/signin-oidc on the Identity Server host. Both the redakt and account URL segments may be changed through configuration of the back office and the identity server respectively.

Installation

Install the package with the NuGet package manager or the Package Manager Console.

PM> Install-Package Redakt.IdentityServer.OpenIdConnect

Service registration

Register the authentication method services in the ConfigureServices() method of your project's Startup.cs file by adding the appropriate calls to the IdentityServerBuilder instance that is returned from the AddIdentityServer() call. The example below shows how to add all available authentication methods. Add only the ones you want your users to authenticate with.

public void ConfigureServices(IServiceCollection services)
{
    // ... framework and other services here

    var builder = services.AddRedakt();
    var identityBuilder = builder.AddIdentityServer();
    identityBuilder.AddGoogleAuthentication();  // Optionally pass Action<GoogleAuthenticationOptions> parameter.
    identityBuilder.AddAzureADAuthentication();  // Optionally pass Action<AzureADAuthenticationOptions> parameter.
    identityBuilder.AddGenericOpenIdConnectAuthentication();  // Optionally pass Action<GenericOpenIdConnectAuthenticationOptions> parameter.
    // ... other Redakt services
}

Configuration settings

All OpenID Connect / OAuth2 authentication methods share the same base configuration. The authentication methods are configured through the appsettings.json file. Any setting that is not included in the appsettings.json file is set to its default value. Additionally, an Action<...AuthenticationOptions> configuration delegate may be passed to the Add...Authentication() call. Configuration set through this delegate takes priority and overrides values in the appsettings.json file.

{
    "Redakt": {
        "IdentityServer": {
            "Google": {
                "DisplayName": "Google",
                "ClientId": "<your google client id>",
                "ClientSecret": "<your google client secret>",
                "Scope": "openid email profile"
            },
            "AzureAD": {
                "DisplayName": "Azure Active Directory",
                "ClientId": "<your azure ad client id>",
                "ClientSecret": "<your azure ad client secret>",
                "Scope": "openid email profile",
                "TenantId": "common"
            },
            "OpenIdConnect": {
                "DisplayName": "OpenIdConnect",
                "ClientId": "<your openid connect client id>",
                "ClientSecret": "<your openidconnect client secret>",
                "Scope": "openid email profile",
                "DiscoveryEndpoint": "<your openid connect discovery endpoint>"
            }
        }
    }
}

Display Name

The name displayed on the login screen for this authentication method.

Client Id & Secret

Required. Sets the OpenID Connect client ID and client secret. See the respective identity provider's developer documentation for how to create an application and obtain the client ID and secret.

Scope

The scope of user data that is requested from the identity provider. You should not change the default setting unless an identity provider uses non-standard scope identifiers.

OpenIdConnect Discovery Endpoint

Required for generic OpenID Connect providers. The discovery endpoint URL of the generic OpenID Connect provider.
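
A pre-deployment check for the settings described above, as an added example that is not part of the Redakt package: it flags placeholder client credentials, a Scope without openid, and a non-HTTPS discovery endpoint, and builds the callback URL to register with the provider. The class and method names and the example.com host are hypothetical; it assumes the default redakt and account URL segments and a root URL without a path prefix.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

public static class OidcSettingsCheck  // hypothetical helper, not a Redakt API
{
    // Redirect URI to register with the provider (default segments assumed).
    public static string CallbackUrl(string rootUrl, string backOffice = "redakt", string account = "account")
        => new Uri(new Uri(rootUrl), $"/{backOffice}/{account}/signin-oidc").AbsoluteUri;

    static string Text(JsonElement section, string key)
        => section.TryGetProperty(key, out var v) && v.ValueKind == JsonValueKind.String ? (v.GetString() ?? "").Trim() : "";

    // Returns one finding per problem in the Redakt:IdentityServer section.
    public static List<string> Validate(string appSettingsJson)
    {
        var findings = new List<string>();
        using var doc = JsonDocument.Parse(appSettingsJson);
        var root = doc.RootElement;
        if (root.ValueKind != JsonValueKind.Object
            || !root.TryGetProperty("Redakt", out var redakt) || redakt.ValueKind != JsonValueKind.Object
            || !redakt.TryGetProperty("IdentityServer", out var server) || server.ValueKind != JsonValueKind.Object)
            return findings;  // no provider configured in this file
        foreach (var name in new[] { "Google", "AzureAD", "OpenIdConnect" })
        {
            if (!server.TryGetProperty(name, out var p) || p.ValueKind != JsonValueKind.Object) continue;
            foreach (var key in new[] { "ClientId", "ClientSecret" })
                if (Text(p, key).Length == 0 || Text(p, key).StartsWith('<'))
                    findings.Add($"{name}: {key} is missing or still a placeholder");
            var scope = Text(p, "Scope");  // an absent Scope falls back to the default
            if (scope.Length > 0 && !scope.Split(' ', StringSplitOptions.RemoveEmptyEntries).Contains("openid"))
                findings.Add($"{name}: Scope does not include 'openid'");
            if (name == "OpenIdConnect"
                && (!Uri.TryCreate(Text(p, "DiscoveryEndpoint"), UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps))
                findings.Add($"{name}: DiscoveryEndpoint must be an absolute https URL");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample settings, not taken from a real deployment.
        const string sample = @"{ ""Redakt"": { ""IdentityServer"": {
            ""Google"": { ""ClientId"": ""constructed-id"", ""ClientSecret"": ""<your google client secret>"" },
            ""OpenIdConnect"": { ""ClientId"": ""constructed-id"", ""ClientSecret"": ""constructed-secret"",
              ""Scope"": ""email profile"", ""DiscoveryEndpoint"": ""http://idp.example.com/.well-known/openid-configuration"" } } } }";
        foreach (var finding in Validate(sample)) Console.WriteLine(finding);
        Console.WriteLine("Register with provider: " + CallbackUrl("https://cms.example.com"));
    }
}
```

Values set through an Action<...AuthenticationOptions> delegate override appsettings.json and are not visible to this file-based check.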