The application uses OpenID Connect, which extends the OAuth 2.0 authorization protocol into an authentication protocol and so allows single sign-on to be performed with OAuth.

In the application, the authentication mechanism is implemented based on:

These handlers are referenced in the application by the packages:

The source code of the authentication part is inspired by the example available on the Auth0 site.

In this example, the configuration has been adapted to specify the parameters specific to SageID authentication that the Sage Active Public API V2 needs in order to authorize the various requests (a bearer token passed in the header of each HTTP call).

As for authentication from Postman, the connection parameters defined in the application are as follows:

The application also allows the user to be signed out of their SageID session, so a logout URL is also defined.

  1. Authorization Url
     const string AUTHORITY = "stg-sbcauth.sage.fr";  // stage
     const string AUTHORITY = "sbcauth.sage.fr";  // prod
     ...
     options.Authority = $"https://{AUTHORITY}";

  2. ClientId and Secret
     options.ClientId = ApplicationSettings.client_id;
     options.ClientSecret = ApplicationSettings.client_secret;

  3. Redirect URL
     if (!String.IsNullOrEmpty(ApplicationSettings.callback_url))
     {
         var uri = new UriBuilder(ApplicationSettings.callback_url);
         options.CallbackPath = new PathString(uri.Path);
     }

  4. Authorized scopes
     options.Scope.Add("RDSA");
     options.Scope.Add("WDSA");
     ...

  5. Audience
     const string AUDIENCE = "SAGEACTIVE";
     ...
     OnRedirectToIdentityProvider = (context) =>
     {
         // extra "audience" parameter added to the authorize request
         context.ProtocolMessage.SetParameter("audience", AUDIENCE);

         return Task.FromResult(0);
     },

  6. Logout URL
     OnRedirectToIdentityProviderForSignOut = (context) =>
     {
         var logoutUri = $"https://{AUTHORITY}/v2/logout?client_id={options.ClientId}";
         var postLogoutUri = context.Properties.RedirectUri;
         if (!string.IsNullOrEmpty(postLogoutUri))
         {
             if (postLogoutUri.StartsWith("/"))
             {
                 // transform to absolute
                 var request = context.Request;
                 postLogoutUri = request.Scheme + "://" + request.Host + request.PathBase + postLogoutUri;
             }
             logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
         }

         context.Response.Redirect(logoutUri);
         context.HandleResponse();

         return Task.CompletedTask;
     },


     Note: the audience and the logout URL are defined in OpenIdConnect events.
     These events are raised respectively by the SageID account login and logout methods, which are defined in the AuthenticationController controller.

  7. Connection
     public async Task Login()
     {
         if (!User.Identity.IsAuthenticated)
         {
             await HttpContext.ChallengeAsync("Auth0", new AuthenticationProperties() { RedirectUri = Url.Action("Index", "Home") });
         }
     }

  8. Logout
     public async Task Logout()
     {
         await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
         await HttpContext.SignOutAsync("Auth0", new AuthenticationProperties());
     }


     Note that on logout it is the returnTo query parameter that sends the user back to the application's home page once the SageID session has been ended:
     logoutUri += $"&returnTo={Uri.EscapeDataString(postLogoutUri)}";
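As an added example (not the sample app's own code), the numbered fragments above assembled into one AddOpenIdConnect registration, with a small added check on the post-logout return path. ApplicationSettings and the "Auth0" scheme name come from the page; the code-flow ResponseType, SaveTokens and the SafePostLogoutUri helper are assumptions of this example.

```csharp
// Added example: the configuration fragments above in one Program.cs (ASP.NET Core web SDK, implicit usings).
// ApplicationSettings and the "Auth0" scheme come from the page; ResponseType, SaveTokens and SafePostLogoutUri are assumed.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
const string AUTHORITY = "stg-sbcauth.sage.fr"; // stage; "sbcauth.sage.fr" for prod
const string AUDIENCE = "SAGEACTIVE";
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(o =>
{
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = "Auth0"; // scheme name used by Login()/Logout() in AuthenticationController
})
.AddCookie()
.AddOpenIdConnect("Auth0", options =>
{
    options.Authority = $"https://{AUTHORITY}";               // 1. authorization URL
    options.ClientId = ApplicationSettings.client_id;         // 2. client id and secret
    options.ClientSecret = ApplicationSettings.client_secret;
    options.ResponseType = "code"; // assumed: code flow, so an access token comes back for the bearer header
    options.SaveTokens = true;     // assumed: keep that token with the auth cookie
    if (!string.IsNullOrEmpty(ApplicationSettings.callback_url))   // 3. redirect URL
        options.CallbackPath = new PathString(new UriBuilder(ApplicationSettings.callback_url).Path);
    options.Scope.Add("RDSA");                                // 4. authorized scopes
    options.Scope.Add("WDSA");
    options.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = ctx =>                 // 5. audience parameter on the authorize request
        {
            ctx.ProtocolMessage.SetParameter("audience", AUDIENCE);
            return Task.CompletedTask;
        },
        OnRedirectToIdentityProviderForSignOut = ctx =>       // 6. end the SageID session, then return to the app
        {
            var logoutUri = $"https://{AUTHORITY}/v2/logout?client_id={options.ClientId}";
            var returnTo = SafePostLogoutUri(ctx.Request, ctx.Properties.RedirectUri);
            ctx.Response.Redirect(logoutUri + "&returnTo=" + Uri.EscapeDataString(returnTo));
            ctx.HandleResponse();
            return Task.CompletedTask;
        }
    };
});
var app = builder.Build();
app.UseAuthentication(); app.UseAuthorization(); app.MapControllers(); app.Run();
// Added check: only an application-relative path becomes the returnTo target, so the redirect stays on this site.
static string SafePostLogoutUri(HttpRequest request, string? redirectUri)
{
    var path = redirectUri is not null && redirectUri.StartsWith('/') && !redirectUri.StartsWith("//") ? redirectUri : "/";
    return $"{request.Scheme}://{request.Host}{request.PathBase}{path}";
}
```

The identity provider is still expected to validate returnTo against its configured allowed logout URLs; the local check only keeps the application from ever asking for an off-site return.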