Google Sign In - Am I doing this correctly?

  • Question

  • User-478466914 posted

    I can get the user's Google profile using the ASPSnippets DLL. (I would prefer to code it myself, though, but cannot find a sample that works.) Anyway...

    I'll add the user's name and email address to the ASP.NET users and membership tables, then use forms authentication, give them a persistent cookie and take it from there. When they come back they will be auto-logged in. This doesn't quite seem right to me. How are others doing this, please?

    Wednesday, August 12, 2020 2:56 AM

Answers

  • User-1330468790 posted

    Hi devxel,

     

    Glad to see that the previous links are helpful.

    It looks like the flow should work, as you are using cookies to do the "Remember me" stuff, which is the same as forms authentication does.

     

    If you are facing any problem, you could post a new thread here.

    Happy to discuss it with you.

     

    Best regards,

    Sean

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, August 21, 2020 8:33 AM

All replies

  • User-1330468790 posted

    Hi devxel,

     

    devxel

    When they come back they will be auto-logged in. This doesn't quite seem right to me. How are others doing this, please?

    I think it is a feasible way to do persistence as a 'remember me' function.

    Actually, it is what OWIN forms authentication does. The only difference is that it handles the persistence within the middleware by registering two cookie authentications, which separates the external sign-in from the application sign-in, whereas you handle it manually with forms authentication, registering only one cookie authentication.

    However, there is another point: you might need to associate the local user account with the external identity's ID claim (Google ID) when you add the user's name and email address to the ASP.NET users and membership tables.

     

    You might want to refer to the links below for OWIN forms authentication to modify your implementation:

    Understanding Application Sign in Cookie flow

    Understanding External Sign in Cookie flow

    Note that you don't need to focus on the implementation of it, but only care about the workflow.

     

    Hope this can help you.

    Best regards,

    Sean

    Thursday, August 13, 2020 7:52 AM
  • User-478466914 posted

    Thank you Sean, for this comprehensive answer.
    I'm not using MVC, just a .NET web app, but the OWIN docs showed me the flow I should consider.
    In the flow, I'm still not sure about the 'middleware', as you say. This is the area I need to look at, but all I can find is that backend sites should create a token for the user's ID as well as a 'refresh' token. I get this, but as yet have not seen any coded solutions.

    Anyway, I enforce only unique email addresses, so why would I even need to store the tokens when I can simply use the email address? It all seems too easy! I'm nervous that I am missing something.

    Friday, August 14, 2020 3:04 AM
  • User-1330468790 posted

    Hi devxel,

     

    In the flow, I'm still not sure about the 'middle ware'

    In short, the middleware is one of the stages in which the request is processed. You could refer to ASP.NET Core Middleware.

     

    but all I can find is that backend sites should create a token for the user's ID as well as a 'refresh' token - I get this but as yet have not seen any coded solutions.

    In fact, you don't need to explore the coded solutions for the token stuff too deeply. You could directly use a provider to integrate the Google ID, or whatever other IDs, with your .NET web app.

    For example, you could refer to Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers though it is a bit old but useful to understand how they deal with the external authentication.

    However, I am not sure if I understand your problem correctly. Feel free to let me know the specific problem.

     

    Anyway, I enforce only unique email addresses, so why would I even need to store the tokens when I can simply use the email address

    Could you please specify the condition in which you want to use the unique email address?

    The token is used for retrieving the user claims from the external authentication side. When ID tokens are available, you can use them to securely authenticate with your app's backend, or to skip the email verification step when creating a new account.

    Another reason why people use ID tokens is security. However, it is a wider topic; you might be interested in this: ID Tokens

     

    Best regards,

    Sean

    Tuesday, August 18, 2020 10:03 AM
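The two points Sean makes above, linking the local account to the external identity's ID claim rather than to the email address, and treating the ID token as the thing that carries the trusted claims, are easier to see in code. The following is an added example written for this page, not code from the thread, from ASPSnippets or from Microsoft. It is in Python so that the decision logic stands on its own, independent of the ASP.NET Membership API; the same checks apply in the .NET implementation. It assumes the `claims` dictionary comes from an ID token whose signature has already been verified by the provider library (or the OWIN middleware), and it uses a constructed in-memory `UserStore` as a stand-in for the membership tables plus one extra column holding the Google subject (`sub`). The `sub` claim is checked first, so an email that later changes hands at Google cannot take over an already-linked account; a verified email is used only for the one-time link of a pre-existing local account.

```python
"""Added example (not from the thread): resolve a Google ID token's claims to a
local account. Assumes the token signature was already verified upstream; this
code does the remaining claim checks and the match/link/create decision."""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Google issues ID tokens under either of these issuer strings.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


class SignInError(Exception):
    """Raised when the token or the account state does not allow sign-in."""


@dataclass
class LocalUser:
    username: str
    email: str
    google_sub: Optional[str] = None  # the stable external identity, not the email


@dataclass
class UserStore:
    """In-memory stand-in for the membership tables (constructed for this example)."""
    users: Dict[str, LocalUser] = field(default_factory=dict)  # keyed by username

    def find_by_sub(self, sub: str) -> Optional[LocalUser]:
        return next((u for u in self.users.values() if u.google_sub == sub), None)

    def find_by_email(self, email: str) -> Optional[LocalUser]:
        # requiresUniqueEmail="true" guarantees at most one match.
        return next((u for u in self.users.values()
                     if u.email.lower() == email.lower()), None)

    def create(self, username: str, email: str, sub: Optional[str] = None) -> LocalUser:
        if username in self.users:
            raise SignInError("username already exists")
        user = LocalUser(username, email, sub)
        self.users[username] = user
        return user


def check_claims(claims: dict, client_id: str, now: Optional[float] = None) -> str:
    """Reject tokens not minted by Google for this app, or already expired; return `sub`."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise SignInError("unexpected issuer")
    if claims.get("aud") != client_id:
        raise SignInError("token was issued for a different client id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise SignInError("token expired or has no exp")
    sub = claims.get("sub")
    if not sub:
        raise SignInError("token has no sub claim")
    return str(sub)


def sign_in(claims: dict, store: UserStore, client_id: str,
            now: Optional[float] = None) -> Tuple[LocalUser, str]:
    """Resolve the Google identity to a local account.

    Returns (user, action) where action is 'matched_sub', 'linked_email' or
    'created'. The subject is authoritative; email is only used to link a
    pre-existing local account once, and only when Google marks it verified.
    """
    sub = check_claims(claims, client_id, now)

    user = store.find_by_sub(sub)
    if user is not None:
        return user, "matched_sub"

    email = claims.get("email")
    if not email or claims.get("email_verified") is not True:
        # An unverified email must not be used as an identifier at all.
        raise SignInError("no verified email; cannot link or create an account")

    user = store.find_by_email(email)
    if user is not None:
        if user.google_sub is not None and user.google_sub != sub:
            raise SignInError("email already linked to a different Google account")
        user.google_sub = sub  # one-time link; from now on `sub` is authoritative
        return user, "linked_email"

    return store.create(username=email, email=email, sub=sub), "created"
```

In the Web Forms app the `UserStore` would be the membership tables plus a table or profile field holding the Google subject, and the `LocalUser` returned by `sign_in` is the account for which `FormsAuthentication.SetAuthCookie` is then issued. Note that a user whose Google email changes (third case in the checks below) still lands on the same local account because the lookup is by `sub`.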
  • User-478466914 posted

    Thank you for the links  Sean - Interesting and useful reading.

    I'm just testing the .NET OpenAuth/OpenID and would probably use that if I can get it going, but my ASPSnippets DLL is my 'middleware', I guess. This works, and I can get the Google user's ID, email, name etc.

    I have enforced unique email addresses in the web.config with 'requiresUniqueEmail="true"' in the membership > providers section.

    This is how I am doing it now (in testing) and it works.

    1. if the email exists - look up the account and log them in.

    2. If not exists then create a local account with username and email address then log them in.

    3. Reject

    Issue a permanent (say 3 months) .NET auth cookie.
    If the cookie expires or they log out, they will need to log in again with Google. No password is needed.

    From what you have shown me, I can see the process much more clearly now. 
    Do you see any pitfalls in my current setup?

    Thursday, August 20, 2020 12:02 AM