Supporting Third Party Clients using OAuth 2.0

[danroth27]

ASP.NET 5 -> Security -> Supporting Third Party Clients using OAuth 2.0

[Edit Tom Dykstra] commit with deleted article stub

[Edit Rick-Anderson]

per @Tratcher

• A walk-through for Google, MicrosoftAccount, and Twitter that highlights some of their eccentricities.
• A reference to https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers for additional providers
• Requesting more data with Scopes (general oauth) and Fields (Facebook specific).
• Using the OnCreatingTicket event or ClaimsActions to map additional data into claims (Document the claims actions #5106)
• How to map provider claims into the Identity database (Persisting additional claims and tokens from external providers #3744)

[ghost]

Ended up here after looking at https://github.com/aspnet/Security/blob/1a59b385a012ac0873fb599fbe6c648b10088fd5/samples/SocialSample/Startup.cs - how can I help?

[ghost]

http://www.jerriepelser.com/blog/introduction-to-aspnet5-generic-oauth-provider is good but appears to be out of date (ExternalAuthenticationOptions doesn't exist)

[tedzhao]

How to implement the OAuth 2 server in ASP.NET Core web application(.net core)? any suggestion or comments.

[Tratcher]

https://docs.asp.net/en/latest/security/authentication/sociallogins.html

[Tratcher]

The social logins writeup is a good start for Facebook. Here are some things we should add to this or related docs:

• A walk-through for Google, MicrosoftAccount, and Twitter that highlights some of their eccentricities.
• A reference to https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers for additional providers
• Requesting more data with Scopes (general oauth) and Fields (Facebook specific).
• Using the OnCreatingTicket event or ClaimsActions to map additional data into claims (Document the claims actions #5106)
• How to map provider claims into the Identity database (Persisting additional claims and tokens from external providers #3744)

[markadrake]

Hi @Tratcher - is there any documentation in the works? I've actually managed to stumble through creating my own middleware by using multiple examples I've found online. But one of the last things I need to do is go from identity.AddClaim (which stores claims in a cookie) and change it to store this information in the database.

Thanks for all the hard work everyone's put into asp.net and it's documentation!

Mark

[Tratcher]

@HaoK @blowdart ?

[Tratcher]

@rustd ?

[HaoK]

@Rick-Anderson might know

[Rick-Anderson]

We don't have anything scheduled. If one of you guys wants to write it (in word, notpad or anything I can read), I'll get it published.

[Rick-Anderson]

#1470 copied @Tratcher issues

[tmm360]

Is this scenario actually supported? Because I'm having issues configuring a login with FB from my app. See dotnet/aspnetcore#1871

[danroth27]

We don't have built-in support for building an authorization server with ASP.NET Core, but you can integrate with an existing service like Azure AD B2C or use a community package like IdentityServer4

[danroth27]

@tmm360 Note, to specifically configure login with FB see https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/facebook-logins.

[tmm360]

Thank you @danroth27, I'm trying to explore the OAuth world, but it's a bit complex. Anyway I should have found a solution to my problem...
I don't need an OAuth server, but I need to pass through an initialization call on my service for generate the state parameter, and so go to FB for login. I was directly pointing to Facebook from app, and on redirect to my server I was missing the state parameter.

[Ponant]

@Tratcher , I think your bullet points will be a great addition. I had to switch back and forth between a @rustd video on youtube and Adam Tulliper on MVA to see how you can add scope to retrieve stuff (friends pictures etc) to your app or db. But these videos go back to a few years ago and they were using a FacebookClient with using statements whereas we could go through DI to fit the .Net Core design.
It will be great to have a working prototype going beyond @danroth27's link above.

[Rick-Anderson]

@voltagex would you be able to work on this doc?

[isaacrlevin]

@Rick-Anderson @danroth27 is this still valid? From what I gather is that the original request was how to build an OWIN middleware to use OAuth2, is that correct?

[Rick-Anderson]

@isaac2004 look at what @Tratcher posted.

[isaacrlevin]

@Rick-Anderson @Tratcher it seems like some of this checklist is done, so is this what is needed

• A walk-through for Google, MicrosoftAccount, and Twitter that highlights some of their eccentricities.
• A reference to https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers for additional providers
• Requesting more data with Scopes (general oauth) and Fields (Facebook specific).
• Using the OnCreatingTicket event or ClaimsActions to map additional data into claims (Document the claims actions #5106)
• How to map provider claims into the Identity database (Persisting additional claims and tokens from external providers #3744)

Does that seem right? Plus it seems like the issues for this got moved into #1470, so is this still needed?

[Rick-Anderson]

Moved to #1470