Azure AD OpenIDConnect + ASP.NET Core - Authenticate and Extra Permissions/Token?


I am using the following bits against my Azure AD to authenticate with ASP.NET Core.

https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-webapp-openidconnect-aspnetcore/

https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore

I have the basic login/auth working after creating an Azure AD app. User can login/logout.

My question is, given this, what's the best way to log to a DB when a user auths? I thought about making the redirect URL point to an endpoint, saving, then just redirecting back to "Home", but is that ideal?

Also, is it possible to retrieve a bearer token via this approach? Or does this require another type of call or extending "scope"? So that, for example, I could retrieve the authenticated user's manager.

https://graph.microsoft.com/v1.0/me/manager


There is 1 answer

Fei Xue

> My question is, given this, what's the best way to log to a DB when a user auths? I thought about making the redirect URL point to an endpoint, saving, then just redirecting back to "Home", but is that ideal?

This way you are only able to log those who have already signed in to your app successfully. It is not able to log those users who attempt to sign in to your app but enter the wrong password.

Azure AD already provides lots of reports to gain visibility into the integrity and security of your organization's directory (refer here).

And if you are using Azure AD Premium, you can review the sign-in activities via the new Azure portal.

And if you want to store the sign-in activity in your web app, you can write the custom code after the token is verified. Here is the code for your reference:

    // Configure the OWIN pipeline to use OpenID Connect auth.
    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
    {
        ClientId = Configuration["AzureAD:ClientId"],
        Authority = String.Format(Configuration["AzureAd:AadInstance"], Configuration["AzureAd:Tenant"]),
        ResponseType = OpenIdConnectResponseType.IdToken,
        PostLogoutRedirectUri = Configuration["AzureAd:PostLogoutRedirectUri"],
        Events = new OpenIdConnectEvents
        {
            // OnAuthenticationFailed is the failure handler defined elsewhere in the startup class.
            OnRemoteFailure = OnAuthenticationFailed,
            // Runs only after the ID token has been validated, i.e. for successful sign-ins.
            OnTokenValidated = context =>
            {
                // Write the custom code to store the user's sign-in here.
                return Task.FromResult(0);
            }
        }
    });

> Also, is it possible to retrieve a bearer token via this approach?

Yes. We can get the token after receiving the authorization code. You can refer to the code sample here to acquire the token from an ASP.NET Core app.
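One way to fill in the custom code that the answer leaves as a comment in `OnTokenValidated`, as an added example that is not part of the original answer or the Azure sample. `SignInRecord`, `SignInAudit` and `FromPrincipal` are hypothetical names; the sketch assumes the caller passes in the principal the middleware validated, the client address and the current time, and persists the returned record itself.

```csharp
using System;
using System.Security.Claims;

// Row to persist for each successful sign-in (hypothetical shape).
public sealed class SignInRecord
{
    public string TenantId { get; set; }
    public string ObjectId { get; set; }
    public string DisplayName { get; set; }
    public string RemoteIp { get; set; }
    public DateTimeOffset SignedInAtUtc { get; set; }
}

public static class SignInAudit
{
    // Azure AD emits "oid" and "tid"; the default JWT handler maps them to these URIs.
    private const string OidUri = "http://schemas.microsoft.com/identity/claims/objectidentifier";
    private const string TidUri = "http://schemas.microsoft.com/identity/claims/tenantid";

    // Returns the first non-empty value among the given claim types, or null.
    private static string Claim(ClaimsPrincipal user, params string[] types)
    {
        foreach (var type in types)
        {
            var value = user.FindFirst(type)?.Value;
            if (!string.IsNullOrWhiteSpace(value)) return value;
        }
        return null;
    }

    // Returns null when oid or tid is missing, so the caller can skip the insert
    // instead of storing a row that cannot be tied to a directory object.
    public static SignInRecord FromPrincipal(ClaimsPrincipal user, string remoteIp, DateTimeOffset now)
    {
        if (user == null) throw new ArgumentNullException(nameof(user));
        var oid = Claim(user, OidUri, "oid");
        var tid = Claim(user, TidUri, "tid");
        if (oid == null || tid == null) return null;

        return new SignInRecord
        {
            TenantId = tid,
            ObjectId = oid, // stable key; UPN, e-mail and display name can change
            DisplayName = Claim(user, "name", ClaimTypes.Name),
            RemoteIp = remoteIp,
            SignedInAtUtc = now.ToUniversalTime(),
        };
    }
}
```

The record keys on tenant ID plus object ID and deliberately stores no token material, so the audit table cannot be replayed against Azure AD if it leaks.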