Aliencube.Azure.Extensions.EasyAuth.EntraID 1.0.0-preview

Azure EasyAuth Extensions

Azure services like Azure App Service, Azure Functions, Azure Container Apps and Azure Static Web Apps offer a built-in authentication service called EasyAuth.

While EasyAuth significantly reduces the time for implementing authentication, because it protects the entire application, you can't protect only specific pages or components.

To give granular controls over individual pages or components, there have been attempts to figure out this issue from developer communities, and here are some resources:

• EasyAuth for App Service by Maxime Rouiller
• EasyAuth for Azure Container Apps by John Reilly
• EasyAuth for Azure Static Web Apps by Anthony Chu

They are still mostly valid, but need to be updated to use the latest .NET features.

By focusing on two services – Azure App Service and Azure Container Apps, this repository gives several libraries that are easily integrated with your existing ASP.NET Core applications, leverage the Azure EasyAuth features and give fine controls to each page and component.

Prerequisites

• .NET 9 SDK or later
• Visual Studio 2022 or Visual Studio Code with C# Dev Kit
• Azure CLI with Bicep extension
• Azure Devloper CLI
• GitHub CLI
• Docker Desktop
• For Windows users, PowerShell 7 or later

Getting Started

Deploying Sample Apps to Azure App Service and Azure Container Apps

1. Fork this repository to your GitHub account and clone this repository to your local machine.

   gh repo fork aliencube/azure-easyauth-extensions --clone
   

   NOTE: You must be logged in to GitHub beforehand. If not, use the command, gh auth login.

2. Get into the cloned repository.

   cd azure-easyauth-extensions
   

3. Login to Azure.

   # Login to Azure via az CLI
   az login
   

   # Login to Azure via azd CLI
   azd auth login
   

4. Make sure your az CLI and Bicep CLI are up-to-date.

   # az CLI
   az upgrade --allow-preview true
   

   # az bicep CLI
   az bicep upgrade
   

   NOTE: If you see an error while upgrading Bicep CLI, install it first with the command, az bicep install.

5. Deploy sample apps through azd CLI.

   azd up
   

   NOTE 1: You will be asked to provide Azure subscription and location.

   NOTE 2: You might be facing an error like app-registration.bicep(1,11) : Error BCP400: Fetching types from the registry requires enabling EXPERIMENTAL feature "ExtensionRegistry".. If you see this error, set up an environment variable like:

   # Bazh/Zsh
   export AZD_BICEP_TOOL_PATH="~/.azure/bin/bicep"
   

   # PowerShell
   $env:AZD_BICEP_TOOL_PATH = "~/.azure/bin/bicep.exe"
   

6. Once deployed, visit both web apps hosted on Azure App Service and Azure Container Apps. Then, navigate to the /weather page, and you'll see the 401 Unauthorized error.

7. Navigate back to the home page and click the "Login" button at the top. Once you sign-in, navigate to the /weather page again and see the content.

8. Clean up all resources.

   azd down --force --purge
   

Integrating with Existing ASP.NET Core Apps

Blazor is used for explanation, but you can apply it to your ASP.NET Core web app as well.

1. Add a NuGet package to your Blazor web app project. You can add one or more NuGet package libraries depending on your requirements.

   # For Entra ID
   dotnet add package Aliencube.Azure.Extensions.EasyAuth.EntraID
   

2. Open Program.cs of your Blazor app, find the line, var app = builder.Build();, and add the following lines just above the line:

   // 👇👇👇 Add EasyAuth handler with Entra ID below.
   builder.Services.AddAuthentication(EasyAuthAuthenticationScheme.Name)
                   .AddAzureEasyAuthHandler<EntraIDEasyAuthAuthenticationHandler>();
   builder.Services.AddAuthorization();
   // 👆👆👆 Add EasyAuth handler with Entra ID above.
   
   var app = builder.Build();
   

3. In the same Program.cs of your Blazor app, find the line, app.Run();, and add the following lines just above the line:

   // 👇👇👇 Add authentication/authorization below.
   app.UseAuthentication();
   app.UseAuthorization();
   // 👆👆👆 Add authentication/authorization above.
   
   app.Run();
   

4. Open any Razor page component and add the following lines:

   @page "/random-page-url"
   
   @* 👇👇👇 Add the lines below *@
   @using Aliencube.Azure.Extensions.EasyAuth
   @using Microsoft.AspNetCore.Authorization
   @attribute [Authorize(AuthenticationSchemes = EasyAuthAuthenticationScheme.Name)]
   @* 👆👆👆 Add the lines above *@
   

5. Use Azure Portal, and make sure that you have enabled the EasyAuth feature and allow unauthenticated access.

6. Alternatively, use Bicep to enable the EasyAuth feature and allow unauthenticated access.

   // For Azure Container Apps
   resource containerappAuthConfig 'Microsoft.App/containerApps/authConfigs@2024-10-02-preview' = {
     name: 'current'
     parent: containerapp
     properties: {
       globalValidation: {
         requireAuthentication: true
         unauthenticatedClientAction: 'AllowAnonymous'
       }
     }
   }
   

   // For Azure App Service
   resource appServiceAuthConfig 'Microsoft.Web/sites/config@2022-03-01' = {
     name: 'authsettingsV2'
     parent: appService
     properties: {
       globalValidation: {
         requireAuthentication: true
         unauthenticatedClientAction: 'AllowAnonymous'
       }
     }
   }
   

7. Deploy the app to either Azure App Service or Azure Container Apps, navigate to the page that you enabled authorization and see the 401 Unauthorized error.

8. Sign-in the web app, navigate to the page again and see no error.

Out-of-Scope

This repository currently doesn't support:

• EasyAuth for Azure Static Web Apps

TO-DO List

• Publish NuGet packages
• Implementation for Entra ID
• Implementation for GitHub
• Implementation for OpenID Connect
• Implementation for Google
• Implementation for Facebook
• Implementation for X
• Implementation for Apple