Seeking Examples of Windows Integrated Security Modules

[markdav-is]

In my new job, I've inherited some of line of business applications that use windows integrated security on an Intranet. In my server startup, I was able to configure authentication negotiation based on some reading I was doing about common configurations for intranets with AD SSO.

services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();

I was hoping this would magically load the HttpContext with everything Oqtane would need to populate the PageState.User properties and show the users as authenticated. I found out Kestrel doesn't do integrated security so I've configured IIS Express in the launchsettings.json as follows.

 "iisSettings": {
   "windowsAuthentication": true,
   "anonymousAuthentication": false,
   "iisExpress": {
     "applicationUrl": "http://localhost:13959",
     "sslPort": 44308
   }
 }

In my Module, I've attempted to access the UserName via Oqtane PageState or HttpContext without success:

    protected override async Task OnInitializedAsync()
    {
        //UserName = HttpContextAccessor.HttpContext?.User?.Identity?.Name ?? "User not authenticated";
        UserName = PageState.User?.Username ?? "User not authenticated";

    }

These settings work fine when building a new blazor app from the default templates and I can see the username as my network login. But in Oqtane, I'm never authenticated.

It's been many years from my last intranet windows authentication adventure and I'm very rusty. If anyone has a similar configuration and trying to use Oqtane, I'd love to hear from you.

[markdav-is]

the first step in getting windows auth working in Oqtane is to edit your oqtane.server launchSettings.json to look like the following:

{
  "iisSettings": {
    "windowsAuthentication": true,
    "anonymousAuthentication": false,
    "iisExpress": {
      "applicationUrl": "http://localhost:44357/",
      "sslPort": 44308
    }
  },
  "profiles": {
    "IIS Express": {
      "commandName": "IISExpress",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      }
    },
    "Oqtane.Server": {
      "commandName": "Project",
      "launchBrowser": true,
      "environmentVariables": {
        "ASPNETCORE_ENVIRONMENT": "Development"
      },
      "applicationUrl": "https://localhost:44308;http://localhost:44357/"

    }
  }
}

This will allow you to debug and then the httpContextAccessor will be populated with the user's credentials. This is not quite enough to get a valid Oqtane login, but it's closer.

Special Note: You mist use IIS Express as your launch profile as Windows Integrated Security is not supported by Kestrel.

[markdav-is]

To pass the windows integrated credentials from the client to the server, we need to make some code changes. Once I have a deeper understanding of the details, I'll try packaging this up as a PR and perhaps a new auth provider.

OqtaneServiceCollectionExtensions is where the HttpClients are sourced. To pass the windows integrated credentials, we need to add UseDefaultCredentials =true to the constructor.

By doing this, we can rely on the creds being passed to the controllers. This is needed to pass as "authenticated" when performing an auto-login the first time we hit the site router.

[sbwalker]

@markdav-is ADFS supports OIDC since 2016 - which is what Oqtane supports as well for External Login:

https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios

You need to use ADFS as an IDP - by configuring your OIDC External Login settings in Oqtane. Once this is configured the user would authenticate against ADFS and then follow the standard OIDC flow in Oqtane which creates a BFF auth cookie which will be used when calling the Oqtane API, etc...

[sbwalker]

Oqtane relies on OIDC/OAuth2 as a standard protocol for integrating with Identity Providers. This ensures a single standardized auth flow which passes through the .NET Core middleware and populates an Oqtane compatible auth cookie which ensures no other aspects of the framework need to be customized.

[markdav-is]

thanks for this! I'll have to wrap my head around a few acronyms, but it sounds like this can work without code changes.