Code samples for a series of articles about implementing Transparent Auth Gateway:
- Needs and means. Requirements for enterprise apps and available off-the-shelf solutions.
- Auth Flows. Relevant authentication/authorisation flows (OAuth2, OIDC) with sequence diagrams.
- Writing the code in C#. Comments to the code in this repo – a Transparent Auth Gateway in .NET.
- Deploying to Azure. App Registrations and Firewall settings (Azure WAF / Front Door).
A trusted authority for our enterprise application(s) that
- transparently (without additional user interaction) confirms the identity with the linked Identity Provider (an Azure AD tenant in this case), supporting SSO;
- conducts extra authentication checks (with a potential for own user management);
- issues an access token with app-specific attributes (user’s roles/groups/etc.);
- is self-hosted without reliance on third-party services.
The code uses Azure AD as the linked Identity Provider (for the identity checks) and its own bespoke authorisation server.
The implemented protocols:
- OpenID Connect (OIDC).
- OAuth 2 Authorisation Code Flow (RFC 6749) with Proof Key for Code Exchange (RFC 7636).
- OAuth 2 Client Credentials Flow.
There are 3 projects:
- AzureADAuthClient – a quick way to ensure that Azure AD authentication is configured. Uses Swagger UI to acquire a token and the standard
Microsoft.Identityway to validate the token on WebAPI. - OpenIdDict.Server – a bespoke Transparent Auth Gateway to confirm the user's identity from the linked provider and authorise the user (issue own access token) according to the bespoke rules:
- implements OAuth 2 flows to serve as the trusted authorization authority to other client apps:
- Authorization Code Flow with PKCE for user authorization;
- Client Credentials Flow for API integration;
- for users authorization, it perform authentication from the linked Identity Provider (a specified tenant of Azure Entra ID).
- implements OAuth 2 flows to serve as the trusted authorization authority to other client apps:
- OpenIdDict.Client.Api – A Web API app that validates the access token issued by the Auth Gateway (
OpenIdDict.Server). Contains:- Swagger front-end to request the token and run HTTP requests;
- test API end-points.
The key differences:
- Issues its own access token based on internal rules and confirmed user's identity from an Azure Entra ID tenant.
- Requires no database.
- Has minimum code and "magical" behaviour from the packages.