

Explore and Make use of Nationally Defined Messaging APIs (C#) Example, Client (c#) Example.


The following example shows how to authenticate a user from an ASP.NET web application and get some claims information about that user. Four steps are involved in getting going from scratch:

  1. You need VS 2017 and ASP.Net Core Framework set up on your computer.
  2. Create your basic ASP.NET Core application as a starting point
  3. Modify your application to defer authentication to the NHS Identity Service.

Create your basic ASP.NET Core web application

To create your new web site, create a new project in VS 2017 and choose ASP.NET Core Web Application.


Next you just pick Web Application with no authentication.


Next get the Microsoft Middleware OpenID Connect packages

Open the NPM Package Manager Console to install the packages:

# Pull down the new packages
install-package Microsoft.AspNetCore.Authentication.Cookies
install-package Microsoft.AspNetCore.Authentication.OpenIdConnect
install-package Microsoft.AspNetCore.Authentication.JwtBearer

This will add the needed packages, and you may rebuild once the package restore process has completed.

Next add the initialization code to the Startup class (in Startup.cs):

// Import the relevant namespaces at the top of the file
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

In the Configuration method add these lines after the app.UseStaticFiles(); line.

app.UseCookieAuthentication(new CookieAuthenticationOptions {
    AuthenticationScheme = "Cookies",
    AutomaticAuthenticate = true
});

var options = new OpenIdConnectOptions() {
    AuthenticationScheme = "oidc", // callback will be on /signin-oidc
    SignInScheme = "Cookies",
    ResponseType = "code",
    Authority = YOUR_DOMAIN, // e.g.: ""
    ClientId = YOUR_CLIENT_ID, // e.g. "urn:casid:aspnet-core-demo"
    // Keep the secret out of source control (load it from configuration or user secrets)
    ClientSecret = YOUR_CLIENT_SECRET // e.g. "0m4bGC+LO7QSBk7zf4d2Uhhlq48IRHbUC/D5yM4EROU="
};

// This may be modified to get the choice of authentication method from
// some other source, e.g. a dropdown in the UI
// NOT NEEDED??? for most OIDC identity providers, such as Google, etc.
options.Events = new OpenIdConnectEvents() {
    OnRedirectToIdentityProvider = context => {
        context.ProtocolMessage.AcrValues = "urn:????????????????";
        return Task.FromResult(0);
    }
};

// Wire in OIDC middleware
app.UseOpenIdConnectAuthentication(options);

The options object sets the OpenID Connect middleware behaviour.

Specifically, the AuthenticationScheme property determines the callback you must register with your OpenID Connect identity provider (see the section at the end on how to do that for easyID). In this case we set it to oidc, which means the callback will be on /signin-oidc. The middleware handles this callback itself, so no additional code is needed. We are now ready to authenticate. Before trying it out we just need a protected resource that will display user information.

The protected view: Start the login and show the user info

First add a login link to the front page. Put a login link in the menu, or something to the same effect, in the _Layout.cshtml shared view where the top menu is rendered:

@if (Context.User.Identity.IsAuthenticated)
{
    <li><a asp-area="" asp-controller="Home" asp-action="Logout">Logout</a></li>
}
else
{
    <li><a asp-area="" asp-controller="Home" asp-action="Protected">Login</a></li>
}

To implement the Protected view, which will kick off the authentication process, add a new action to the HomeController. Notice the Authorize attribute, which will start the OIDC flow.

// The Authorize attribute (using Microsoft.AspNetCore.Authorization;) requires
// the user to be authenticated and will kick off the OIDC authentication flow
[Authorize]
public IActionResult Protected()
{
    return View();
}

public async Task<IActionResult> Logout()
{
    await HttpContext.Authentication.SignOutAsync("Cookies");
    return View("Index");
}

Now add a simple view, Protected.cshtml, in Views/Home to display the claims, and we are set.

@{ ViewData["Title"] = "ASP.NET Core + NationalNHSID"; }
<h2>Welcome @(User.Claims.Where( c => c.Type == "name").FirstOrDefault()?.Value)</h2>
@foreach (var claim in User.Claims)
{
    <p>@claim.Type: @claim.Value</p>
}
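
The Protected page trusts whatever claims the sign-in produced, so the following added example (not code from the original page or from NHS Identity) shows two checks a relying party would make first: that the returned acr claim equals the value sent in AcrValues, and a null-safe name lookup for the welcome heading. The class name ClaimChecks, its method names and the urn:example values are hypothetical; the principals are constructed sample data.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class ClaimChecks   // hypothetical helper, not part of the original sample
{
    // The JWT handler's default inbound claim map may rename "acr" to this URI,
    // so both spellings are accepted.
    private const string MappedAcr =
        "http://schemas.microsoft.com/claims/authnclassreference";

    // acr_values in the request is only a preference; the identity provider may
    // authenticate the user some other way. Compare the claim that came back.
    public static bool HasRequestedAcr(ClaimsPrincipal user, string requestedAcr)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated) return false;
        return user.Claims.Any(c =>
            (c.Type == "acr" || c.Type == MappedAcr) &&
            string.Equals(c.Value, requestedAcr, StringComparison.Ordinal));
    }

    // Returns a fallback instead of throwing when no "name" claim is present.
    public static string DisplayName(ClaimsPrincipal user) =>
        user?.Claims.FirstOrDefault(c => c.Type == "name")?.Value ?? "(no name claim)";

    // Builds an authenticated principal like the one the cookie middleware restores.
    private static ClaimsPrincipal Principal(params Claim[] claims) =>
        new ClaimsPrincipal(new ClaimsIdentity(claims, "oidc"));

    public static void Main()
    {
        const string requested = "urn:example:acr:strong";   // constructed placeholder

        // Constructed sample principals: one meets the requested acr, one does not
        // and also lacks a name claim.
        var strong = Principal(new Claim("name", "Test User"),
                               new Claim(MappedAcr, requested));
        var weak = Principal(new Claim("acr", "urn:example:acr:weak"));

        foreach (var user in new[] { strong, weak })
        {
            Console.WriteLine("{0}: requested acr satisfied = {1}",
                DisplayName(user), HasRequestedAcr(user, requested));
        }
    }
}
```

In the application, the Protected action would call HasRequestedAcr(User, ...) with the same value it set on context.ProtocolMessage.AcrValues and refuse to render the view when it returns false.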

Running the application

To execute a login flow, remember to set the Authority, the ClientId, and the ClientSecret. If you haven’t already set up an NHS Identity ID account, go here to do that.

Hit F5 and you’re off. Once the front page has opened up click the Login menu at the top.

All content is available under the Open Government Licence v3.0, except where otherwise stated