How to achieve social authentication using only some of the features of ASP.NET Core Identity

Question

User1154721867 posted

1. What I want to know.

I am trying to plug-in external authentication function into a ASP.NET Core web application that was originally created without Identity. I installed the Identity by installing identity nuget package and modified Program.cs and Startup.cs so that the Identity works, but it does not work well. I would like to know how to achieve this.

2.Background

I am trying to embed social login functionality into an authentication system created using WebForm in ASP.NET 4.0. In order to achieve this, I have created a separate Web Service in ASP.NET Core, and made a call from the WebForm authentication system.

To realize this requirement, I created a web application in ASP.NET Core that uses Identity, and copied a part of the razor page program created by scafolding to accept the post instruction from the outside. The target razor page is ExternalLogins.cshtml and its cs source in the /Area/Pages/Identity/manager folder. I've tried it and it works as I intended.

So next, I created a plain ASP.NET Core web application without Identity and later tried to achieve the external authentication functionality by adding the Nuget package and modifying the Program and Startup class. The reason for this is that I don't need the Identity's functionality anything without external authentication. But in this case, the external authentication does not work well.

3. cause
When using the latter program, the request does not reach the SNS authentication page specified in the external authentication configuration file when performing external authentication. Specifically, the OnPostLinkLoginAsync method in ExternalLogins.cs receives the request correctly, but after the method returns the ChallengeResult, an error occurs on the authentication page on the SNS side and the page transition is interrupted.

4. What I want to know more specifically.
After all, in order to use Identity's external authentication features, do I have to specify that Identity is to be included in the first step of creating a web application?

I thought that if the Nuget Package used by the two web programs was the same and the contents of Program.cs and Startup.cs were the same, the behavior of the two programs would be the same, so I'm a little confused by this error.

5. Reference.
A sample program is available on GitHub to test this case study. If you are interested, please refer to the following URL
https://github.com/TrailRunner-MF/Samples/tree/master/MySocialLoginTrial
The application ID and Secret information of SNS and the SQL Server connection information used by Identity will need to be rewritten by the user, but it should be easy to implement if you are ready for them. Details of how to set up the program is written in Readme.txt in the "Document" folder.
Please give it a try.

Answer 1

User475983607 posted

This problem is generally solved using OAuth/OIDC.  I use IdentityServer4 for application like yours. https://identityserver4.readthedocs.io/en/latest/

The problem you are facing is the design should redirect the browser to the custom service.  The custom service redirects to the external login.  After a successful login, the external login redirects back to the custom service creates the necessary claims/roles and redirects back to the Web Forms application.

Anyway, IdentityServer4 has this flow built-in.  Set aside time to learn IdentityServer4 and OAuth/OIDC that should help your design.

Answer 2

User1154721867 posted

To mgebhard. 

Thank you for your kind reply.

You must mean Identity Server's Quick Start Documentation 'Interactive Applications with ASP.NET Core'.
(https://identityserver4.readthedocs.io/en/latest/quickstarts/2_interactive_aspnetcore.html#refexternalauthenticationquickstart)

The core part of this program is "\Quickstart\Account\ExternalController.cs". I've tried it and it works fine.

However, all I'm required to do now in my project is to get the credentials of the social network accounts and link them to the member IDs of the existing authentication system. This does not include providing the OpenIDConnect interface to existing authentication systems, much less replacing the entire authentication system with "Identity".

Thus I have to minimize the influence of technology I adopted to realize External-Authentication.

Using the Identity Server nuget package and referencing the Qucikstart program is one attractive way to accomplish this, as you recommend. And my idea will be the another option to realize the goal.

I chose to use "Identity" for now because it requires fewer code changes than "IdentityServer4" and it black boxes the implementation of OAuth.

But if there are any obvious reason that I should choose Identity Server 4's Quickstart sample, I don't think I would choose that without hesitation.

Thank you.

Answer 3

User753101303 posted

Hi,

As this is an ASP.NET 4.x application, I would perhaps start with https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on ? Not sure if adding ASP.NET Core is really needed. ASP.NET Idenity allows to log the external user and keep local profile information as well as filtering out unregistered users. Depending on what you need (ie every user having a xxx account is allowed to access the app without any prior registration you could drop part of it or maybe entirely).

ASP.NET identity comes with a default implementation but https://docs.microsoft.com/en-us/aspnet/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity allows to better understand how it works if you want to provide just what you need.

Finallly handling multiple vague problems in parallel in a forum is hard. Pick maybe what you consider your main problem and be more explicit than "it does not work well". Then once fixed move to the next problem etc...

Answer 4

User-474980206 posted

you are missing a key concept. your new core authentication website job is to create an identity and store in a cookie, which can be decoded. the fact that it redirects to social media login is just implementation. your site can not see the social media (say facebook) cookie. it must create it own where it store whatever information is required (say email, if allowed).

once you have this site working (pretty), you will need to integrate it with your current. How will you current site get the login info from this site? if you can share a domain cookie, then the old site must be able to decode and create an identity from it. otherwise, you should use oauth, and now you new site looks just like a social media login site. so what was the point.

I believe the suggestion to you, is to convert your current login site to oauth via identity server. then your current site can use any oauth library for all logins. 

a confusion with .net core, is they turned identity server into a library that supports both the oauth client code and server code. so there is just one library. for your old site you will still need an oauth client library.

 

Answer 5

User1154721867 posted

Hi PatriceSc. Thanks for the advice.

'ASP.NET Idenity allows you to log external users and keep local profile information as well as filter out unregistered users. '

I think this feature is exactly what I need.

I'll have to read the Microsoft documentation you recommended to learn how to do it in detail.

One more things, the error I mentioned as 'does not work well' is showing error message in the url 'https://localhost:44382/signin-facebook?code=AQDZH8dlbHhsb******' .
The message says 

Cannot find the localhost web page for https://localhost:44382/signin-facebook?code=AQDZH8dlbHhsbRDhD6wR2******' 

Answer 6

User1154721867 posted

Hello, bruce (sqlwork.com). Thank you for your enthusiastic advice.

As you said, the WebService of my sample code does not play the role of an authorization or authentication server for the oidc.

It simply associates the user ID of our application with the SNS account logged in on the device, which is passed as a Post parameter, and stores it in the DB and then returns it to the site.

This is just a sample code to get the SNS account information, so I don't actually implement association of the two account id and redirection to the specified page.

My goal is to eventually replace the existing authentication system with an oidc's authorization and authentication server using IdentityServer4, which I believe is in line with your sincere advice.

However, there are nearly 20 applications that use the existing authentication system, each with a different development platform. Replacing those authentication client mechanisms will be the next phase and we would greatly benefit from your advice at that time.

Thank you.