Document how to create custom external provider authentication

[travbeamo]

How can a custom external authentication provider (for example called MyCustomAuth) be implemented (from start to finish) like:

• Your existing providers (Facebook/Google/Microsoft/etc..)
• 3rd-party providers (GitHub/LinkedIn/Yahoo/etc..)

I am able to setup the WebApp side & get an external login button, but cannot get the external provider side working with how the endpoints (authorize, token & user information) work and interact back to the WebApp.

I have attempted using an OAuthHandler, but if this is overkill and and a RemoteAuthenticationHandler or AuthenticationHandler could be used instead, please let me know.

Is there a basic example project to show how both sides work together OR in one that particularly demonstrates how the endpoints work with the authentication middleware and gets from:

• page /Identity/Account/Login, where a user then clicks on MyCustomAuth button under "Use another service to log in"
  
• to page /Identity/Account/ExternalLogin, where user enters their email and clicks Register under "Associate your account".
  

I think this documentation & example project would be very helpful.

Thanks in advance.

[Tratcher]

We could certainly cover some high level scenarios and and common protocols like OAuth, but the details depend a lot on the kind of authentation you're trying to implement.

Can you summarize the expected flow for said custom auth?

[tb-mtg]

Expectations are:

1. On page /Identity/Account/Login, user is redirected to another external login page after on clicking MyCustomAuth button
2. User accept that it is with an external provider, then submits form with username & password
3. Externally validate username & password (which I have working method for doing).
   a. Failed attempts are returned back to external login.
   b. Successful attempts returns a id/key/code for that is unique for that user in the external login provider. This id/key/code is to be used as the ProviderKey value in the AspNetUserLogins table

--This is where I'm stuck--

4. Somehow user is returned to /Identity/Account/ExternalLogin on WebApp and process continues as it would when existing implementations (Facebook,Goggle, etc.) where the ProviderKey has been added to the AspNetUserLogins table.
   a. New users must submit form with email to complete creating a local WebApp account.
5. Existing users are now signed-in and redirected to the ReturnUrl on WebApp.

That is the minimal basic expectation.

Ideally additional claims would also be returned from external provider as part of the process.
For example an email address could be returned removing the need to prompt user for one in order to register. However the main priority for now is just a working custom authentication flow using AspNetCore Identity.

[Tratcher]

That flow as you describe it is indistinguishable from OAuth2.

Step 4 triggers here:

aspnetcore/src/Security/Authentication/Core/src/RemoteAuthenticationHandler.cs

Lines 140 to 148 in 55ce868

	await Context.SignInAsync(SignInScheme, ticketContext.Principal!, ticketContext.Properties);
	// Default redirect path is the base path
	if (string.IsNullOrEmpty(ticketContext.ReturnUri))
	{
	ticketContext.ReturnUri = "/";
	}
	Response.Redirect(ticketContext.ReturnUri);

The user is stored in a temp cookie and the app is redirected back to the original challenge url (/Identity/Account/ExternalLogin in this example).

[travbeamo]

@Tratcher Thanks for your help, much appreciated. However as that’s where I’m stuck, could you please provide a basic example of the endpoint(s) required to get to that trigger point you referred to where the temp cookie is created.

The validation of username/password part in example can be trivial, I just need to see a working flow example so I can see where I’m going wrong.

[Tratcher]

Ok, I'm a little confused. You said you were sending them to an external login page, but then you're validating the username and password directly in the app? That's not auth middleware at all, that's just a separate page/action on your login controller that looks a lot like the existing one for Identity that accepts a username and password.

aspnetcore/src/Identity/UI/src/Areas/Identity/Pages/V4/Account/Login.cshtml.cs

Lines 122 to 132 in 36d887f

	public override async Task<IActionResult> OnPostAsync(string returnUrl = null)
	{
	returnUrl ??= Url.Content("~/");
	ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
	if (ModelState.IsValid)
	{
	// This doesn't count login failures towards account lockout
	// To enable password failures to trigger account lockout, set lockoutOnFailure: true
	var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: false);

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!