Microsoft.AspnetCore.Authentication.Google -> Use demo.duendesoftware.com #721
Merged (3 commits) on May 15, 2025
176 changes: 87 additions & 89 deletions src/content/docs/identityserver/quickstarts/2-interactive.md
Expand Up @@ -45,7 +45,7 @@ To enable OIDC in IdentityServer you need:
### Add The UI

Support for the OpenID Connect protocol is already built into IdentityServer.
You need to provide the User Interface for login, logout, consent and error.
You need to provide the User Interface for login, logout, consent, and error.

While the look & feel and workflows will differ in each implementation, we
provide a Razor Pages-based UI that you can use as a starting point. You can use
Expand Down Expand Up @@ -541,84 +541,22 @@ will automatically include requested claims from the test users added in
Adding support for external authentication to your IdentityServer can be done
with very little code; all that is needed is an authentication handler.

ASP.NET Core ships with handlers for Google, Facebook, Twitter, Microsoft
Account and OpenID Connect. In addition, you can find handlers for many
other authentication providers
[here](https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers).
ASP.NET Core ships with handlers for OpenID Connect, and provides [integrations for Google, Facebook, Microsoft Account, Entra ID, and more](/identityserver/ui/login/external.md#third-party-aspnet-core-authentication-handlers).

#### Add Google support
In this section, you'll register the Duende IdentityServer demo instance at `demo.duendesoftware.com` as an external provider.
Since no other configuration is required apart from your IdentityServer, it is a good starting point.
You'll also see [how to add Google authentication support](#add-google-support).

To use Google for authentication, you need to:

- Add the `Microsoft.AspNetCore.Authentication.Google` NuGet package to
the IdentityServer project.
- Register with Google and set up a client.
- Store the client id and secret securely with *dotnet user-secrets*.
- Add the Google authentication handler to the middleware pipeline and configure
it.
#### Adding An Additional OpenID Connect-Based External Provider

See [Microsoft's
guide](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-8.0#create-a-google-api-console-project-and-client-id)
for details on how to register with Google, create the client, and store the
secrets in user-secrets. **Stop before adding the authentication middleware and
Google authentication handler to the pipeline.** You will need an
IdentityServer specific option.
A cloud-hosted [demo instance of Duende IdentityServer](https://demo.duendesoftware.com) can be added as an additional external provider.

Add the following to `ConfigureServices` in
`src/IdentityServer/HostingExtensions.cs`:

```cs
// Program.cs
builder.Services.AddAuthentication()
.AddGoogle("Google", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

options.ClientId = builder.Configuration["Authentication:Google:ClientId"];
options.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"];
});
```

When authenticating with Google, there are again two [authentication
schemes](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-8.0#authentication-scheme).
`AddGoogle` adds the Google scheme, which handles the protocol flow back and
forth with Google. After successful login, the application needs to sign in to
an additional scheme that can authenticate future requests without needing a
roundtrip to Google - typically by issuing a local cookie. The `SignInScheme`
tells the Google handler to use the scheme named
`IdentityServerConstants.ExternalCookieAuthenticationScheme`, which is a cookie
authentication handler automatically created by IdentityServer that is intended
for external logins.

Now run `IdentityServer` and `WebClient` and try to authenticate (you may need
to log out and log back in). You will see a Google button on the login page.

![IdentityServer login page showing Google as an external login option](./images/2_google_login.png)

Click on Google and authenticate with a Google account. You should land back on
the `WebClient` home page, showing that the user is now coming from Google with
claims sourced from Google's data.

:::note
The Google button is rendered by the login page automatically when there are
external providers registered as authentication schemes. See the
`BuildModelAsync` method in `src/IdentityServer/Pages/Account/Login/Index.cshtml.cs` and
the corresponding Razor template for more details.
:::

#### Adding an additional OpenID Connect-based external provider

A [cloud-hosted demo](https://demo.duendesoftware.com) version of Duende
IdentityServer can be added as an additional external provider.

Register and configure the services for the OpenId Connect handler in
`src/IdentityServer/HostingExtensions.cs`:
Register and configure the services for the OpenId Connect handler in`src/IdentityServer/HostingExtensions.cs`:

```cs
// HostingExtensions.cs
builder.Services.AddAuthentication()
.AddGoogle("Google", options => { /* ... */ })
.AddOpenIdConnect("oidc", "Demo IdentityServer", options =>
.AddOpenIdConnect("oidc", "Sign-in with demo.duendesoftware.com", options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
options.SignOutScheme = IdentityServerConstants.SignoutScheme;
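Review bot: the added line `Register and configure the services for the OpenId Connect handler in`src/IdentityServer/HostingExtensions.cs`:` is missing the space before the opening backtick, so the path renders fused to "in"; restore the space. In the same hunk the unchanged snippet line `.AddGoogle("Google", options => { /* ... */ })` now sits before the reordered Google section, which registers the handler with `AddGoogleOpenIdConnect` instead, so the reader has not added any `AddGoogle` call at this point; either drop that chained call from the snippet or change it to match the new section. Minor: "OpenId Connect" in the new prose line versus "OpenID Connect" in the new heading; pick one spelling.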
Expand All @@ -637,25 +575,85 @@ builder.Services.AddAuthentication()
});
```

Now if you try to authenticate, you should see an additional button to log in to
the cloud-hosted Demo IdentityServer. If you click that button, you will be
redirected to https://demo.duendesoftware.com/. Note that the demo site is using
the same UI as your site, so there will not be very much that changes visually
when you're redirected. Check that the page's location has changed and then log
in using the alice or bob users (their passwords are their usernames, just as
they are for the local test users). You should land back at `WebClient`,
authenticated with a demo user.
Now if you try to authenticate, you should see an additional *Sign-in with demo.duendesoftware.com* button to log in to
the cloud-hosted demo IdentityServer. If you click that button, you will be redirected to https://demo.duendesoftware.com/.

Check that the page's location has changed and then log in using the `alice` or `bob` users (their passwords are their usernames, just as
they are for the local test users). You should land back at `WebClient`, authenticated with a demo user.

The demo users are logically distinct entities from the local test
users, even though they happen to have identical usernames. Inspect their claims
in `WebClient` and note the differences between them, such as the distinct sub
claims.
The demo users are logically distinct entities from the local test users, even though they happen to have identical usernames.
Inspect their claims in `WebClient` and note the differences between them, such as the distinct `sub` claims.

:::note
The quickstart UI auto-provisions external users. When an external user logs in
for the first time, a new local user is created with a copy of all the external
user's claims. This auto-provisioning process occurs in the `OnGet` method of
`src/IdentityServer/Pages/ExternalLogin/Callback.cshtml.cs`, and is completely
customizable. For example, you could modify `Callback` so that it will require
registration before provisioning the external user.
The quickstart UI auto-provisions external users. When an external user logs in for the first time, a new local user is
created with a copy of all the external user's claims. This auto-provisioning process occurs in the `OnGet` method of
`src/IdentityServer/Pages/ExternalLogin/Callback.cshtml.cs`, and is completely customizable.
For example, you could modify `Callback` so that it will require registration before provisioning the external user.
:::

#### Add Google Support

:::note[`Microsoft.AspnetCore.Authentication.Google` no longer maintained]
Before .NET 10, the `Microsoft.AspnetCore.Authentication.Google` package was provided by Microsoft. Starting with .NET 10,
Microsoft [stopped shipping new versions of the `Microsoft.AspnetCore.Authentication.Google` package](https://github.com/dotnet/aspnetcore/issues/61817).

To add Google authentication, we recommend using the [`Google.Apis.Auth.AspNetCore3`](https://www.nuget.org/packages/Google.Apis.Auth.AspNetCore3/)
package that is shipped by Google.
:::

To use Google for authentication, you need to:

- Add the `Google.Apis.Auth.AspNetCore3` NuGet package to the IdentityServer project.
- Register with Google and [set up a client](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-9.0#create-the-google-oauth-20-client-id-and-secret).
- Store the client id and secret securely with `dotnet user-secrets`.
- Add the Google authentication handler to the middleware pipeline and configure it.

See [Microsoft's guide](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-9.0#create-the-google-oauth-20-client-id-and-secret)
for details on how to register with Google, create the client, and store the
secrets in user secrets. **Stop before adding the authentication middleware and
Google authentication handler to the pipeline.** You will need an
IdentityServer specific option.

Add the following to `ConfigureServices` in `src/IdentityServer/HostingExtensions.cs`:

```cs
// Program.cs
builder.Services.AddAuthentication()
.AddGoogleOpenIdConnect(
authenticationScheme: GoogleOpenIdConnectDefaults.AuthenticationScheme,
Member: I think you don't need to set authenticationScheme - just displayName should be enough to change the way the button is rendered.

Member Author: Needed unfortunately because of their funky method signature.

displayName: "Google",
configureOptions: options =>
{
options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;

options.ClientId = "" builder.Configuration["Authentication:Google:ClientId"];
options.ClientSecret = ""builder.Configuration["Authentication:Google:ClientSecret"];
});
```

:::note
Note that the `authenticationScheme` and `displayName` parameters are optional. They are added here to make the login
button display a short and concise "Google" instad of the default "Google OpenIdConnect".
:::

When authenticating with Google, there are again two [authentication schemes](https://docs.microsoft.com/en-us/aspnet/core/security/authentication/#authentication-scheme).
`AddGoogleOpenIdConnect` adds the `GoogleOpenIdConnect` scheme, which handles the protocol flow back and forth with Google.
After successful login, the application needs to sign in to an additional scheme that can authenticate future requests without
needing a roundtrip to Google - typically by issuing a local cookie. The `SignInScheme` tells the Google handler to use
the scheme named `IdentityServerConstants.ExternalCookieAuthenticationScheme`, which is a cookie authentication handler
automatically created by IdentityServer that is intended for external logins.

Now run `IdentityServer` and `WebClient` and try to authenticate (you may need to log out and log back in)
You will see a *Google* button on the login page.

![IdentityServer login page showing Google as an external login option](./images/2_google_login.png)

Click on *Google* and authenticate with a Google account. You should land back on
the `WebClient` home page, showing that the user is now coming from Google with
claims sourced from Google's data.

:::note
The Google button is rendered by the login page automatically when there are external providers registered as
authentication schemes. See the `BuildModelAsync` method in `src/IdentityServer/Pages/Account/Login/Index.cshtml.cs` and
the corresponding Razor template for more details.
:::
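Review bot: the two assignments in the new snippet, `options.ClientId = "" builder.Configuration["Authentication:Google:ClientId"];` and `options.ClientSecret = ""builder.Configuration["Authentication:Google:ClientSecret"];`, contain a stray `""` literal before `builder.Configuration`, which does not compile; remove the empty string (and add the missing space on the second line). The fence comment still reads `// Program.cs` while the sentence above it says to add the code to `src/IdentityServer/HostingExtensions.cs`; align the two. The note title and body spell the package `Microsoft.AspnetCore.Authentication.Google`; the NuGet id is `Microsoft.AspNetCore.Authentication.Google`. Typos: "instad" should be "instead", and "try to authenticate (you may need to log out and log back in)" needs a period before "You will see".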
32 changes: 17 additions & 15 deletions src/content/docs/identityserver/ui/login/external.md
Expand Up @@ -329,18 +329,20 @@ authentication and configuring it.

In this section, find a non-exhaustive list of first-party and third-party ASP.NET authentication handlers that you can use in any ASP.NET Core application.

| Authentication handler / Service | Type |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|
| [Cookie authentication](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie) | Part of .NET |
| [OpenID Connect](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/configure-oidc-web-authentication) | Part of .NET |
| [JWT Bearer authentication](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/configure-jwt-bearer-authentication) | Part of .NET |
| [Certificate authentication](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/certauth) | Part of .NET |
| [Windows authentication](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth) | Part of .NET |
| [WS-Federation](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation) | Part of .NET |
| [Facebook / Meta](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/facebook-logins) | Part of .NET |
| [Microsoft Account](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins) | Part of .NET |
| [Twitter / X](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/twitter-logins) | Part of .NET |
| [Sustainsys Saml2](https://sustainsys.com/sustainsyssaml2-libraries) | Open-source |
| Many social providers in [AspNet.Security.OAuth.Providers](https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers)<br /><em><small>Airtable, Apple ID, GitHub, Hubspot, Instagram, Okta, Slack, ...</small></em> | Open-source |
| [Rock Solid Knowledge SAML2P](https://www.identityserver.com/products/saml2p) | Commercial |
| [Rock Solid Knowledge WS-Federation](https://www.identityserver.com/products/ws-federation) | Commercial |
| Authentication handler / Service | Vendor |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
| [Cookie authentication](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie) | Part of .NET |
| [OpenID Connect](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/configure-oidc-web-authentication) | Part of .NET |
| [JWT Bearer authentication](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/configure-jwt-bearer-authentication) | Part of .NET |
| [Certificate authentication](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/certauth) | Part of .NET |
| [Windows authentication](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth) | Part of .NET |
| [WS-Federation](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation) | Part of .NET |
| [Facebook / Meta](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/facebook-logins) | Part of .NET |
| [Microsoft Account](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins) | Part of .NET |
| [Twitter / X](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/twitter-logins) | Part of .NET |
| [Entra ID / Microsoft Account / ...](https://www.nuget.org/packages/Microsoft.Identity.Web) | Microsoft |
| [Google](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins) | Google |
| [Sustainsys Saml2](https://sustainsys.com/sustainsyssaml2-libraries) | Open-source |
| Many social providers in [AspNet.Security.OAuth.Providers](https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers)<br /><em><small>Airtable, Apple ID, GitHub, Hubspot, Instagram, Okta, Slack, ...</small></em> | Open-source |
| [Rock Solid Knowledge SAML2P](https://www.identityserver.com/products/saml2p) | Rock Solid Knowledge |
| [Rock Solid Knowledge WS-Federation](https://www.identityserver.com/products/ws-federation) | Rock Solid Knowledge |
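Review bot: the renamed `Vendor` column mixes three kinds of value: "Part of .NET" (a packaging statement), "Open-source" (a licence) and actual vendor names ("Microsoft", "Google", "Rock Solid Knowledge"); either keep the old `Type` header or give every row a vendor (e.g. Microsoft for the built-in rows, Sustainsys and aspnet-contrib for the open-source rows). Also, the new `Google` row links to the learn.microsoft.com social-login page even though the quickstart changed in this same PR now recommends the `Google.Apis.Auth.AspNetCore3` package; link the NuGet package there, as the Entra ID row does, so the table and the quickstart agree.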