Scenario: Web app that signs in users
Learn all you need to build a web app that uses the Microsoft identity platform to sign in users.
Before reading this article, you should be familiar with the following concepts:
- Microsoft identity platform overview
- Authentication basics
- Application and service principals
- Permissions and consent
- ID tokens and access tokens
If you want to create your first portable (ASP.NET Core) web app that signs in users, follow this quickstart:
You add authentication to your web app so that it can sign in users. Adding authentication enables your web app to access limited profile information in order to customize the experience for users.
Web apps authenticate a user in a web browser. In this scenario, the web app directs the user's browser to sign them in to Azure Active Directory (Azure AD). Azure AD returns a sign-in response through the user's browser, which contains claims about the user in a security token. Signing in users takes advantage of the OpenID Connect standard protocol, simplified by the use of middleware libraries.
As a second phase, you can enable your application to call web APIs on behalf of the signed-in user. This next phase is a different scenario, which you'll find in Web app that calls web APIs.
Adding sign-in to a web app is about protecting the web app and validating a user token, which is what middleware libraries do. In the case of .NET, this scenario does not yet require the Microsoft Authentication Library (MSAL), which is about acquiring a token to call protected APIs. Authentication libraries will be introduced in the follow-up scenario, when the web app needs to call web APIs.
- During the application registration, you'll need to provide one or more reply URIs (one per location, if you deploy your app to several locations). In some cases (ASP.NET and ASP.NET Core), you'll need to enable the ID token. Finally, you'll want to set up a sign-out URI so that your application reacts to users signing out.
- In the code for your application, you'll need to provide the authority to which your web app delegates sign-in. You might want to customize token validation (in particular, in partner scenarios).
- Web applications support all account types. For more information, see Supported account types.
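The following Program.cs shows how the points above map onto the ASP.NET Core OpenID Connect middleware (the Microsoft.AspNetCore.Authentication.OpenIdConnect package): the authority the app delegates sign-in to, the id_token response type that requires the ID token to be enabled in the app registration, the reply and sign-out callback paths that must match the registered URIs, and a customized issuer check for a partner scenario. This is an added example, not code from this article or from Microsoft; the tenant and client IDs in braces are placeholders to take from your own app registration, and the list of trusted partner tenants is an assumption made for the illustration.

```csharp
// Program.cs, ASP.NET Core minimal hosting model (.NET 6 or later).
// Added example: shows the middleware configuration that corresponds to the
// registration and code requirements described above.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values: copy these from your app registration.
const string ClientId = "{client-id}";

// Multi-tenant authority, so users from any organization can be challenged.
// For a single-tenant app you would use https://login.microsoftonline.com/{tenant-id}/v2.0
// and the default issuer validation (against the authority's metadata) would suffice.
const string Authority = "https://login.microsoftonline.com/organizations/v2.0";

// Partner scenario (assumption for this example): only these tenants may sign in.
string[] allowedTenantIds = { "{partner-tenant-id-1}", "{partner-tenant-id-2}" };

builder.Services
    .AddAuthentication(options =>
    {
        // The signed-in session is a cookie; the sign-in challenge is sent to Azure AD
        // via OpenID Connect.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // The authority the web app delegates sign-in to. The middleware downloads the
        // OpenID Connect metadata and token signing keys from this endpoint.
        options.Authority = Authority;
        options.ClientId = ClientId;

        // Ask for an ID token directly; this is why the ID token must be enabled in the
        // app registration. It is returned by form POST to the reply URI below.
        options.ResponseType = OpenIdConnectResponseType.IdToken;
        options.ResponseMode = OpenIdConnectResponseMode.FormPost;

        // Reply URI: https://<your-host>/signin-oidc must be registered as a redirect URI
        // for every location you deploy to. The sign-out callback must be registered too.
        options.CallbackPath = "/signin-oidc";
        options.SignedOutCallbackPath = "/signout-callback-oidc";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // The ID token's audience must be this application's client ID.
            ValidAudience = ClientId,

            // With a multi-tenant authority the issuer differs per tenant
            // (https://login.microsoftonline.com/<tenant-id>/v2.0), so validate it
            // ourselves and accept only the partner tenants we trust.
            IssuerValidator = (issuer, token, parameters) =>
            {
                foreach (var tenantId in allowedTenantIds)
                {
                    var expected = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                    if (string.Equals(issuer, expected, StringComparison.OrdinalIgnoreCase))
                        return issuer;
                }
                throw new SecurityTokenInvalidIssuerException($"Issuer not trusted: {issuer}")
                {
                    InvalidIssuer = issuer
                };
            },

            // Map the "name" claim so User.Identity.Name is populated.
            NameClaimType = "name",
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// An unauthenticated request here triggers the OpenID Connect challenge.
app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}")
   .RequireAuthorization();

// Sign out of both the local cookie session and Azure AD; Azure AD then redirects the
// browser back to SignedOutCallbackPath.
app.MapGet("/signout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
});

app.Run();
```

The middleware performs the signature, expiry and nonce checks against the keys published by the authority; the TokenValidationParameters block is where you narrow what the app accepts beyond those defaults, which is the token validation customization the partner scenario above refers to.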