GoogleOAuth2AuthenticationProvider AccessToken not getting validated

  • Question

  • User-1939321229 posted

    I am using the GoogleOAuth2AuthenticationOptions class for authentication in my MVC5 Web App (SPA Template). Given below is the code:

    var g = new GoogleOAuth2AuthenticationOptions
    {
        ClientId = "clientid",
        ClientSecret = "secret",
        //CallbackPath="",
        Provider = new GoogleOAuth2AuthenticationProvider
        {
            OnAuthenticated = async ctx =>
            {
                ctx.Identity.AddClaim(new Claim("urn:tokens:google:accesstoken", ctx.AccessToken));
            }
        }
    };
    // restrict the retrieved information to just signin information
    g.Scope.Add("openid");
    app.UseGoogleAuthentication(g);

    The token I get is something like this

    ya29.LgAibra6cNLEKCEAAADLJxUOviZRgv9JSm-jrB-lNp16nomUijNrVAbcdDkI60Vg-A9yjFN4abcd_C8b4

    I am using this token in subsequent calls to an MVC WebAPI which uses OAuthBearerTokens for security. I send the access token through the header in my WebAPI call from my MVC Web app.

    app.UseOAuthBearerTokens(OAuthOptions);       

    The JavaScript generated on the client contains a much larger token which works with my MVC WebAPI. Does anyone know how to fix this?

    Tuesday, June 10, 2014 4:34 AM

All replies

  • User1779161005 posted

    The access token you get for google is only good for google's APIs. Google doesn't know about your APIs, and as such the access token you get back from google is no good for your APIs. If you want an access token for your own APIs, you need your own OAuth2 authorization server to issue them.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 10, 2014 6:56 PM
  • User-1939321229 posted

    Thanks for this information. So at what stage does the MVC (SPA) template in Visual Studio generate its internal token, and how do I get access to this token from the controllers? I can access this token from the JavaScript pages with the following JavaScript code:

    sessionStorage["accessToken"] || localStorage["accessToken"]

    I always thought this was the token generated by Google, but after reading your reply I assume this is something generated internally from within ASP.NET itself.

    Wednesday, June 11, 2014 2:22 AM
  • User1779161005 posted

    The SPA template (last time I looked) uses the Katana OAuth2 authorization server middleware internally. So in short, the app is its own authorization server.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, June 11, 2014 7:45 AM
  • User-1939321229 posted

    Is it possible to read this token in the GetExternalLogin method of the AccountController class?

    Friday, June 13, 2014 1:43 AM
  • User1779161005 posted

    IIRC, the last place you have access to it is in the OnAuthenticated callback on the provider property on the options class. So you'd add it to the claims collection on the identity and then that'd be available in your external callback in your controller.

    The templates from VS really stink in this regard -- far too complex and trying to hide too many things.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, June 13, 2014 11:40 AM
  • User-1939321229 posted

    If it's not too much trouble, can you please give me the exact code sample for how to get this? I checked the AuthorizeEndpoint method on the OAuthAuthorizationServerProvider derived class but could not figure out how to get the token.

    Monday, June 16, 2014 6:09 AM
  • User1779161005 posted

    Sorry, I don't have the code. You'll have to look into the docs on the Provider property on the GoogleOAuth2Options class.

    Monday, June 16, 2014 2:47 PM
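
Added example, not part of the thread and not code from the SPA template: a console sketch of the approach the replies describe, reading the claim written in `OnAuthenticated` back from the external identity and leaving it out of the identity the app issues its own token for. The helper names, the `"ExternalCookie"` and `"Bearer"` strings and the sample values are assumptions; only the claim type comes from the question.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class ProviderTokenClaims
{
    // Claim type used in the question's OnAuthenticated callback.
    public const string GoogleAccessToken = "urn:tokens:google:accesstoken";

    // Returns the Google access token carried by the external identity,
    // or null when the identity is missing, unauthenticated or has no such claim.
    public static string ReadGoogleAccessToken(ClaimsIdentity external)
    {
        if (external == null || !external.IsAuthenticated) return null;
        Claim claim = external.FindFirst(GoogleAccessToken);
        return claim == null ? null : claim.Value;
    }

    // Copies the external identity's claims into a new identity for the app's own
    // token, dropping provider token claims so the Google token is not re-issued
    // inside a token or cookie that the browser script can read.
    public static ClaimsIdentity WithoutProviderTokens(ClaimsIdentity external, string authenticationType)
    {
        var kept = external.Claims
            .Where(c => !c.Type.StartsWith("urn:tokens:", StringComparison.Ordinal));
        return new ClaimsIdentity(kept, authenticationType);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed stand-in for ctx.Identity after OnAuthenticated has run.
        var external = new ClaimsIdentity("ExternalCookie");
        external.AddClaim(new Claim(ClaimTypes.NameIdentifier, "constructed-subject-id", null, "Google"));
        external.AddClaim(new Claim(ProviderTokenClaims.GoogleAccessToken, "constructed-google-token"));

        // Server side: the value to send to Google's APIs, never to the app's own API.
        string googleToken = ProviderTokenClaims.ReadGoogleAccessToken(external);
        Console.WriteLine("Google token available: " + (googleToken != null));

        // Identity handed to the app's own authorization server.
        ClaimsIdentity local = ProviderTokenClaims.WithoutProviderTokens(external, "Bearer");
        Console.WriteLine("Local identity carries Google token: " +
            local.HasClaim(c => c.Type == ProviderTokenClaims.GoogleAccessToken));
    }
}
```

In a controller, the same helper would be called on the identity restored from the external sign-in cookie, which carries every claim added in `OnAuthenticated`.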