Most web applications nowadays need some authentication mechanism to differentiate their users for various levels of personalization. However, user authentication tends to get more sophisticated due to the variety of client platforms as well as the susceptibility to attacks.
As a user, I no longer want to create a new credential for each site I am visiting. Giving my password to a site requires a certain amount of trust in the site’s security since not all sites implements proper amount of protection to password (or credential in general) with standard mechanisms of password hashing or 2FA.
As a system developer, protecting users’ passwords and users’ credentials in general becomes a big burden due to the growing list of attack techniques. This is also a source of distraction when signing in is certainly not the focus of most web application.
A better way to tackle authentication would be to leave this part to the “professional,” or in other words, to delegate user authentication to popular identity services such as Google Account or Microsoft Account. Our web application now only needs to take care of authorization and managing users’ data. This has become a major trend thanks to the introduction of JWT and OIDC protocol.
In this post, I’ll go through what I have done to incorporate Signing in with Microsoft Account into my ASP.NET 5 web applications. This should be directly applicable for ASP.NET Core 3 thanks to similar authentication setup. Authentication mechanism in this post is using open standards such as JWT and OIDC, so it should be able to extend to many other identity providers such as Google Account.