.NET has OIDC support built into it and the following is a basic example of one way to utilise it to connect to OpenAthens Keystone. Other options are available.

It is assumed that user has knowledge of developing applications using ASP.net and this example is based off the asp.net Core Web Application template. (See: http://asp.net)

Goal in this example

Authenticate a user and display all the received claims on a page. In the real world you would read the claims and feed them into your authorisation / user-session management process.

Instructions

Add the OIDC dependencies

Update the dependencies part of your project (e.g. project.json, NuGet) to include both:

Microsoft.AspNetCore.Authentication.Cookies
Microsoft.AspNetCore.Authentication.OpenIdConnect
CODE

Configure Startup.cs to use OpenID Connect

Configure Startup.cs to use OIDC. Update the ConfigureServices method, e.g:

services.AddAuthentication(options => {
 
               options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
 
            })
            .AddCookie()
            // Here "oidc" is the AuthenticationScheme
            .AddOpenIdConnect("oidc", options => {
 
                options.Authority = "https://connect.openathens.net";
                options.ClientId = "{ClientID}";
                options.ClientSecret = "{ClientSecret}";
                options.GetClaimsFromUserInfoEndpoint = true;
                options.ResponseType = "code id_token";
                options.Scope.Clear();
                options.Scope.Add("openid");
                options.ClaimActions.MapUniqueJsonKey("eduPersonTargetedID", "eduPersonTargetedID");
                options.ClaimActions.MapUniqueJsonKey("eduPersonScopedAffiliation", "eduPersonScopedAffiliation");
 
           //   If you plan to map extended attributes, such as username etc:
          options.ClaimActions.MapUniqueJsonKey("username", "username");
     
                options.CallbackPath = newPathString("/redirect");


            });

CODE

Between the app.UseStaticFiles() and app.UseMVC() lines, add:

            //app.UseAuthenticatoin(); Adds the OIDC middleware
            app.UseAuthentication();
CODE

For additional settings that can be used you should refer to the Microsoft asp.net core documentation on the OpenIdConnectOptions class: https://docs.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions?view=aspnetcore-1.1&viewFallbackFrom=aspnetcore-2.1 

Add in login and view claim to _Layout.cshtml

Add the following into _Layout.cshtml which will display a Login link if a user session does not exist and will display a link to logout and view the returned claims if a user session does:

                    <ul class="nav navbar-nav navbar-right">
                        @if (User.Identity.IsAuthenticated)
                        {
                            <li><a asp-controller="Account" asp-action="Claims">Account Profile</a></li>
                        }
                        else
                        {
                            <li><a asp-controller="Account" asp-action="Login">Login</a></li>
                        }
                    </ul>
CODE

Create User portal pages

Create a new folder in Views called Account

Add a new MVC View page called Claims and paste in the following code which will display all claims that have been returned:

<div class="row">
    <div class="col-md-12">

        <h3>Claims associated with current User</h3>
        <table class="table">
            <thead>
            <tr>
                <th>
                    Claim
                </th>
                <th>
                    Value
                </th>
            </tr>
            </thead>
            <tbody>
            @foreach (var claim in User.Claims)
            {
                <tr>
                    <td>@claim.Type</td>
                    <td>@claim.Value</td>
                </tr>
            }
            </tbody>
        </table>
    </div>
</div>
CODE

Create a AccountController class and add the following:

   public class AccountController: Controller
   {
       public async Task Login(stringreturnUrl = "/")
       {
            // specifying the scheme here "oidc"
            await HttpContext.ChallengeAsync("oidc", newAuthenticationProperties() { RedirectUri = returnUrl });
 
       }
 
       [Authorize]
       public IActionResult Claims()
       {
            returnView();
       }
 
       public IActionResult AccessDenied()
       {
            returnView();
       }
    }
CODE

Example of accessing the attributes

An example of accessing the claims returned is:

Name = User.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Name)?.Value,
EmailAddress = User.Claims.FirstOrDefault(c => c.Type == "email")?.Value,
CODE