Why use Microsoft.Identity.Web

Microsoft Identity Web provides the glue between the ASP.NET Core middleware and MSAL .NET to bring a clearer, more robust developer experience, which also leverages the power of the Microsoft identity platform (formerly Azure AD v2.0 endpoint), and leverages OpenId Connect middleware, which means developers can develop applications which allow several identity providers, including integration with Azure AD B2C.

Microsoft Identity Web leverages Microsoft Authentication Library (MSAL), which will fetch the tokens and provides token cache extensibility.

Today, with ASP.NET Core 3.1, without Microsoft Identity Web, when running:

dotnet new --auth

and creating a web app from an ASP.NET core template, the application is targeting the Azure AD v1.0 endpoint, which means sign-in with a work or school account is the only option for customers. There is also no issuer validation happening in multi-tenant applications. The web apps and web APIs that are created do not call downstream web APIs, if a developer wanted to call a downstream web API, they would need to leverage MSAL on their own.

Microsoft.Identity.Web is a simpler way to use Azure AD in ASP.NET Core web apps and web APIs. It doesn't replace ASP.NET Identity in any way, it doesn't replace AddOpenIdConnect, AddJwtBearer or AddCookie or any of the lower level primitives, but it does use and configure them correctly for Azure AD. It doesn't work with non-Azure identity providers. It replaces AzureAD.UI and AzureADB2C.UI which are obsolete in .NET 5.0

Microsoft.Identity.Web provides project templates

Microsoft.Identity.Web project templates bring many features that were not available in ASP.NET Core 3.1 project templates

Here are the available project templates:

High level architecture

Microsoft identity web is a library that provides a higher-level API and coordinates:

• ASP.Net Core and its authentication and authorization middleware,
• Identity.Model (validates tokens),
• MSAL.NET (acquires tokens),
• The Azure SDK (used to fetch certificates from KeyVault using Managed Identity when deployed to Azure, or your developer credentials when run on your local dev box)