
.Net-Core built in Authorization Code Flow

I'm working on simplifying the login process for my application. I preemptively used IdentityServer for logins, but I don't need an entire token server, so I'm now in the process of downgrading to just use ASP.NET Identity.

Previously I used to be able to log in through third parties by doing this:

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public IActionResult ExternalLogin(string provider, string returnUrl = null)
{
    // Request a redirect to the external login provider.
    var redirectUrl = Url.Action(nameof(ExternalLoginCallback), "Account", new { returnUrl });
    var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    return Challenge(properties, provider);
}

This allowed me to log in with third parties (such as Coinbase), but I'm confused about how this worked, because I don't see a place where they receive the authorization code.

I've obtained an authorization code from my OAuth provider, and now I need to obtain the access tokens. I can easily do so by manually making a request, e.g.:

POST /oauth/token HTTP/1.1
Host: authorization-server.com

grant_type=authorization_code
&code=xxxxxxxxxxx
&redirect_uri=https://example-app.com/redirect
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

But I feel like there is some built-in functionality in .NET to execute this request and store the tokens in the user manager. Does anyone know of a built-in way to do so?

I would recommend sticking to the Identity Server NuGet package for client authentication, even if you don't need the server.

It provides the functionality you are referring to under the hood to handle the various OAuth flows so you don't have to implement them yourself.

Otherwise, you will have to manually make requests between your client, your server-side application and the service you are authenticating against. This can get quite complex depending on your needs.

Using the NuGet package, you can wire up an external authentication provider using OpenID Connect, be it Coinbase or some other service, with just a few lines of code via dependency injection.

From there you can handle the callback and sign the user in.

For more info, check out the Sign-in with External Identity Providers and Adding Support for External Authentication pages in the official Identity Server docs.

By default, ASP.NET Identity will handle the callback at the local endpoint '/account/ExternalLogin'. If you need custom functionality, you can scaffold that page from the base RCL and customize it.

Turns out I was overthinking things. I can use the same OAuth providers that I've configured in Identity Server and port them to my .NET Core project; then I can use the same login methods:

[HttpPost]
[AllowAnonymous]
public IActionResult ExternalLogin(string provider, string returnUrl = null)
{
    // Request a redirect to the external login provider.
    var redirectUrl = Url.Action(nameof(ExternalLoginCallback), "Account", new { returnUrl });
    var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
    return Challenge(properties, provider);
}

To challenge, the only thing I needed to do in Angular is provide a form which will call my external login method:

<form #form method="post" class="form-horizontal" action="https://localhost:44370/Account/ExternalLogin">
    <div>
        <p>
            <button ion-button block [disabled]="isDisabled" (click)="form.submit()" type="submit" title="Log in using your Coinbase account">
                Coinbase
            </button>
            <input type="hidden" name="provider" value="Coinbase">
        </p>
    </div>
</form>
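As an added illustration (not code from any of the posts above), this is roughly what a ported provider registration looks like and where the authorization code is actually consumed: the built-in OAuth handler listens on `CallbackPath`, validates the `state` value it issued during `Challenge`, performs the `POST /oauth/token` exchange itself, and only then redirects to `ExternalLoginCallback`. It assumes ASP.NET Core 3.0 or later; the endpoint URLs (built on the `authorization-server.com` host from the question), the `/signin-coinbase` path, the `Auth:*` configuration keys, the `id` JSON field and the helper names are all placeholders.

```csharp
// Added example: endpoints, config keys, JSON field and helper names are assumptions.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class ExternalOAuthSetup
{
    public static AuthenticationBuilder AddExampleProvider(
        this AuthenticationBuilder auth, IConfiguration config) =>
        auth.AddOAuth("Coinbase", o =>
        {
            o.SignInScheme = IdentityConstants.ExternalScheme; // cookie SignInManager reads
            o.ClientId = config["Auth:ClientId"];
            o.ClientSecret = config["Auth:ClientSecret"];      // never ship this to the SPA
            o.AuthorizationEndpoint = "https://authorization-server.com/oauth/authorize";
            o.TokenEndpoint = "https://authorization-server.com/oauth/token";
            o.UserInformationEndpoint = "https://authorization-server.com/user";
            o.CallbackPath = "/signin-coinbase"; // register THIS as redirect_uri; code arrives here
            o.SaveTokens = true;                 // keep access/refresh tokens in auth properties
            o.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
            o.Events.OnCreatingTicket = async ctx =>
            {   // The code-for-token exchange has already happened at this point.
                var req = new HttpRequestMessage(HttpMethod.Get, ctx.Options.UserInformationEndpoint);
                req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", ctx.AccessToken);
                using var res = await ctx.Backchannel.SendAsync(req, ctx.HttpContext.RequestAborted);
                res.EnsureSuccessStatusCode();
                using var doc = JsonDocument.Parse(await res.Content.ReadAsStringAsync());
                ctx.RunClaimActions(doc.RootElement); // supplies the provider key Identity needs
            };
        });
}

public static class ExternalTokenStore
{
    // Call from ExternalLoginCallback; false means no external cookie or no linked account.
    public static async Task<bool> SignInAndStoreTokensAsync<TUser>(SignInManager<TUser> sm) where TUser : class
    {
        var info = await sm.GetExternalLoginInfoAsync();
        if (info == null) return false;
        var result = await sm.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent: false);
        if (result.Succeeded) await sm.UpdateExternalAuthenticationTokensAsync(info); // persists saved tokens for the user
        return result.Succeeded;
    }
}
```

Chain it after `services.AddAuthentication()` in `ConfigureServices`; the scheme name passed to `AddOAuth` is the `provider` value the login form posts.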

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
