Protect .NET Core 6.0 Web Application (Razor Pages) with IBM Security Verify

Add OIDC protection to your web application

At this stage you should have a clientId and clientSecret issued from the ISV Admin Portal or the ISV Developer Portal. Once you have those, you need to add the necessary libraries to your web application using NuGet, then add the OIDC settings required in the Program.cs file. Let's go through that process below.

Getting Started

  1. Create a .NET Core new web application using the following command:

    dotnet new webapp
    

  2. Install the Microsoft.AspNetCore.Authentication.OpenIdConnect package using NuGet.

  3. Add the following code to the top of the Program.cs file.

    using Microsoft.AspNetCore.Authentication;
    using Microsoft.AspNetCore.Authentication.Cookies;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    

  4. In Program.cs directly beneath builder.Services.AddRazorPages();, add the following lines of code:

    builder.Services.AddAuthentication(x => {
        // The cookie holds the local session once the user has signed in.
        x.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Unauthenticated requests are challenged by redirecting to ISV.
        x.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        // Authenticating via the OIDC scheme forwards to its SignInScheme (the cookie) below.
        x.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(x => {
        x.Cookie.HttpOnly = true;                 // keep the session cookie away from script
        x.ExpireTimeSpan = TimeSpan.FromHours(2);  // local session lifetime
    })
    .AddOpenIdConnect(options =>
    {
        options.ClientId = "{client_id}";
        options.ClientSecret = "{client_secret}";
        options.Authority = "{tenant_id}/oidc/endpoint/default"; // discovery document is fetched from here
        options.SignInScheme = "Cookies";   // same value as CookieAuthenticationDefaults.AuthenticationScheme
        options.ResponseType = "code";      // authorization code flow
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
        options.GetClaimsFromUserInfoEndpoint = true; // fetch the remaining user attributes after sign-in
        options.SaveTokens = true;                    // keep the tokens in the authentication properties
    });
    
    In the above code, replace the following with the values ISV returned:

    • Replace "{client_id}" with the clientId value returned from ISV.
    • Replace "{client_secret}" with the clientSecret value returned from ISV.
    • Replace "{tenant_id}/oidc/endpoint/default" with your ISV tenant URL (e.g. https://demo.verify.ibm.com/oidc/endpoint/default).
  5. Within Program.cs add the line marked below in between app.UseRouting(); and app.UseAuthorization();. When done, this area of the Program.cs file should look as shown below:

    app.UseRouting();
    app.UseAuthentication(); //<- Add this line
    app.UseAuthorization();
    

  6. Optional: By default .NET Core assumes all of the controllers should be accessible anonymously. Let's change that, and enable authorisation on ALL pages by default. This means as soon as a user attempts to visit any page in your web application, they will first need to authenticate before being permitted access to the app. To make this change, replace app.MapRazorPages() with app.MapRazorPages().RequireAuthorization(); in Program.cs.

    When done, your Program.cs file should look like this:

    app.MapRazorPages().RequireAuthorization();
    
    With this added, all pages within your application require user authentication. Add the [AllowAnonymous] attribute above any method(s) or Controllers you want to allow anonymous access to. For more details, please see the following Microsoft article.

  7. Run your web application using dotnet run. As soon as the application opens, you will immediately be redirected to IBM Security Verify to authenticate, then straight back to your web application. You get access to the user's attributes with the following code:

    foreach (var claim in User.Claims)
    {
        Console.WriteLine($"{claim.Type} = {claim.Value}");
    }
    
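The steps above assembled into one Program.cs, as an added example rather than the page's or IBM's own code. It reads the credentials and tenant URL from an assumed "Verify" configuration section instead of hard-coding the secret, marks the session cookie HTTPS-only, makes the callback path explicit so the Redirect URI registered in ISV is unambiguous, and turns a failure on the way back from ISV into a redirect to the /Error page instead of an unhandled exception. The configuration section name, its keys and the /Error page are assumptions; the file otherwise relies on the .NET 6 web template's implicit usings.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();

// Assumed "Verify" configuration section (appsettings.json or `dotnet user-secrets`) holding
// Authority, ClientId and ClientSecret, so the client secret never lands in source control.
var verify = builder.Configuration.GetSection("Verify");

builder.Services.AddAuthentication(options =>
{
    // The cookie is the local session; OIDC is only used to challenge (redirect to ISV).
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // never sent over plain HTTP
    options.ExpireTimeSpan = TimeSpan.FromHours(2);
})
.AddOpenIdConnect(options =>
{
    options.Authority = verify["Authority"];
    options.ClientId = verify["ClientId"];
    options.ClientSecret = verify["ClientSecret"];
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.ResponseType = "code";          // authorization code flow; PKCE is on by default
    options.CallbackPath = "/signin-oidc";  // the Redirect URI registered in ISV must end with this path
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");
    options.GetClaimsFromUserInfoEndpoint = true;
    options.SaveTokens = true;
    // An error returned by ISV (for example CSIAQ0167E) otherwise surfaces as an unhandled exception page.
    options.Events = new OpenIdConnectEvents
    {
        OnRemoteFailure = ctx => { ctx.Response.Redirect("/Error"); ctx.HandleResponse(); return Task.CompletedTask; }
    };
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapRazorPages().RequireAuthorization(); // every page needs a signed-in user unless marked [AllowAnonymous]
app.Run();
```

With this layout the Redirect URI to register in ISV is the application's HTTPS base address followed by /signin-oidc, which is the value to check first when CSIAQ0167E appears.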

Notes

Where is the GroupIds user attribute?

ISV always assumes you want to protect end-user information. This is why, by default, ISV will not return all of the end-user's attributes (a.k.a. claims). There are a few key attributes that will be missing; for example, Groups. To control what attributes you want to share with your application, within the ISV Admin Portal go to Applications > Your App > Sign-on > Attribute mappings. You can specify each attribute you want to share with the application. Or, for high-trust applications, select the Send all known user attributes in the ID token option, which will include all of the end-user's attributes in ISV.

If you want to see what attributes are returned by default, add this to your Index.cshtml file:

@{
    if (User.Identity != null)
    {
        // Already inside a Razor code block, so foreach takes no leading '@'.
        foreach (var claim in User.Claims)
        {
            <div><code>@claim.Type</code>: <strong>@claim.Value</strong></div>
        }
    }
}

Troubleshooting common errors

Below is a list of common errors you could run into:

Error: CSIAQ0167E

The redirection URI that is provided in the request is either invalid, or does not meet the matching criteria for the registered redirection URI.

For security reasons, the URL to your web application must match one of the Redirect URIs defined in ISV for your OIDC web application. In our examples we assumed it would be https://localhost:50001. That is because when you run a .NET web application locally, .NET will almost always assign that URL to your web application. If, however, port 5001 is already being used, .NET will randomly assign a new port to your web application. If that occurs, you need to update the Redirect URI in the ISV Admin Portal or in the IBM Security Verify Developer Portal.