I'm working on writing the basics for a new Online application, and I'm using .NET Core 3.x and OAuth2 OpenId Connect.
I've read the Security and authentication article (which uses the Implicit Grant flow).
I've also read the DevNet+Angular+OpenId+Rest example on GitHub, and the DevNet+OpenIDConnect+dotNetCore2.0 example, but haven't found exactly what I'm looking for.
The essentials of my application are working. When navigating to localhost I get redirected to the SOD login page, and eventually get an Access Token back (using Authorization Code grant flow).
However, when I add my website as a web panel in SuperOffice, I was hoping to get a single sign-on experience, but instead I end up with the login dialog inside the web panel. From the "Security and authentication" article I was expecting the following to just make my life easier, but alas.
"The SuperOffice Login page can check its cookies (these cookies are not available to the partner domain) and see if the user is logged in. If not, then the user gets the login form again."
Here is a snippet from my ConfigureServices in startup.cs.
    services.AddAuthentication(options =>
    {
        // Local cookie session; unauthenticated users are challenged via OpenID Connect.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.ClientId = Configuration["SuperOffice.ClientId"];
        options.ClientSecret = Configuration["SuperOffice.ClientSecret"];
        options.Authority = "https://sod.superoffice.com/login";
        options.SaveTokens = true;
        options.CallbackPath = new Microsoft.AspNetCore.Http.PathString("/api/callback");
        options.ResponseMode = OpenIdConnectResponseMode.FormPost;
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    });
Looking at the "OpenId web panel login" thread, I've tried to pass the <uctx> template variable to my application, to see if I can include that in the URL to the authorization_url, but I can't find a way to manipulate the URL used by .NET Core.
What am I missing here? Has anyone gotten this to work using the new OAuth2 approach?