ASP.NET Web API 2: How do I log in with external authentication services?

asp.net .net asp.net-web-api oauth-2.0 asp.net-identity

I had the same problem today and found the following solution:

At first get all available providers

GET /api/Account/ExternalLogins?returnUrl=%2F&generateState=true

The response message is a list in json format

[{"name":"Facebook",
  "url":"/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A15359%2F&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1",
  "state":"QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1"}]

Now send a GET request to the url of the provider you want to use. You will be redirected to the login page of the external provider. Fill in your credentials and the you will be redirected back to your site. Now parse the access_token from the url.

http://localhost:15359/#access_token=[..]&token_type=bearer&expires_in=[..]&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1

If the user already has a local account, the .AspNet.Cookies cookie is set and you are done. If not, only the .AspNet.ExternalCookie cookie is set and you have to register a local account.

There is an api to find out if the user is registered:

GET /api/Account/UserInfo

The response is

{"userName":"xxx","hasRegistered":false,"loginProvider":"Facebook"}

To create a local account for the user, call

POST /api/Account/RegisterExternal
Authorization: Bearer VPcd1RQ4X... (access_token from url)
Content-Type: application/json
{"UserName":"myusername"}

Now send the same request with the provider url as before

GET /api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A15359%2F&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1

But this time the user already has an account and gets authenticated. You can verify this by calling /api/Account/UserInfo again.

Now extract the access_token from the url. You have to add the Authorization: Bearer [access_token] header to every request you make.


I found another post showing pretty details how this external authentication works. The client is WPF and server uses ASP.NET Identity.

Related

XSL xsl:template match="/"
Specific difference between bufferedreader and filereader
Using ANTLR 3.3?
Is there a way to restore the original sorting in a Numbers table?
How to add padding to a word in Pages?
iPhone FaceID stopped working after 13.5 update––is this a bug or hdw failure?
Is it possible to automate changing some security settings in Catalina?
What is the difference between "App Store" and "App Store Connect"
What is this blue half on my screen?
How do I upload verification photos to Apple's Maps Connect?
How do I encrypt an external HFS+ drive without erasing it on Big Sur?
macOS does not browse folder on SMB share (folder displayed as light-blue folder)