
How to use Google authentication in an ASP.NET Core web app and web API that uses JWT

I am working on a Web Application in asp.net core 2.2. Web API serves every request coming from Web Application. I am using JWT Token Authentication in Web API. That token goes in every request from web application.

Web APP -----> Web API ----> Data Layer----> EF Core ---->DB

In the login, the user enters email and password on the web interface and hits the login button. The request goes to the Web API and then to the DB, passing through all the other layers. If the user is valid, then in the Web API a token is generated and passed in the response to the Web App. Now, in every further request from the Web App to the Web API, the Web App sends this token in the header.

Now, I want to add an external authentication provider like Google. The problem is that I am not sure how to handle the flow of my application, because Google authentication is just for the web application and does not affect the functionality of the Web API.

Any suggestion?

What you need to do is to delegate user authentication to an external Identity Provider (IdP). In the login screen, you would typically allow users to choose between using email/password or an external IdP (e.g. Google, Facebook, etc.). If a user chooses the latter, the "identity verification" step will be taken care of by the IdP, which then HTTP-redirects back to you (to a URL that you define) along with an ID token that is digitally signed and contains some of the user's information (name, email, ...).

The change to the application flow in that case would be as follows:

Web APP -----> Web API ----> Data Layer----> EF Core ---->DB
   | ^
   v |
Identity Provider (e.g. Google)

Note that the redirections to and from the IdP are generally based on HTTP redirects. In the simple nominal case, you don't need to call the IdP from the Web API layer, although you must define each supported one as a trusted issuer of ID tokens (required for signature verification).

Step-by-step instructions are generally provided by the IdP; cf. Google Sign-In and Facebook Login.
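The "trusted issuer" part of the answer above, as an added example that is not the answerer's code: an ASP.NET Core Web API `Startup` that keeps the existing locally issued JWT scheme and also accepts Google ID tokens, verifying signature, issuer and audience against Google's published OpenID Connect metadata. The scheme names, the local issuer/audience values, the signing-key string and the Google client ID are placeholders.

```csharp
// Added example: Web API accepting its own JWTs and Google ID tokens.
// All literal values below are placeholders, not values from the page.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using System.Text;

public class Startup
{
    const string LocalScheme = JwtBearerDefaults.AuthenticationScheme; // "Bearer"
    const string GoogleScheme = "GoogleIdToken";                       // assumed name

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(LocalScheme)
            // Existing scheme: tokens the Web API issues itself after a DB login.
            .AddJwtBearer(LocalScheme, options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = "https://api.example.local",   // placeholder
                    ValidateAudience = true,
                    ValidAudience = "webapp",                    // placeholder
                    ValidateLifetime = true,
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes("<LOCAL_SIGNING_KEY_PLACEHOLDER>")),
                };
            })
            // Google as a trusted issuer: signing keys come from the discovery
            // document under Authority, so signatures are checked against
            // Google's published keys and the audience must be our client ID.
            .AddJwtBearer(GoogleScheme, options =>
            {
                options.Authority = "https://accounts.google.com";
                options.Audience = "<GOOGLE_CLIENT_ID_PLACEHOLDER>.apps.googleusercontent.com";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Google has issued tokens with both forms of the iss claim.
                    ValidIssuers = new[] { "https://accounts.google.com", "accounts.google.com" },
                };
            });

        // [Authorize] then accepts a caller authenticated by either scheme.
        services.AddAuthorization(options =>
        {
            options.DefaultPolicy = new AuthorizationPolicyBuilder(LocalScheme, GoogleScheme)
                .RequireAuthenticatedUser()
                .Build();
        });
        services.AddMvc();
    }
}
```

The audience check is what stops an ID token minted for some other Google client from being replayed against this API, so it must not be disabled.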

I would suggest you use IdentityServer4 as your identity provider.

Your Web API will be a resource protected by IdentityServer. In your client app, when starting the authentication process, according to the authentication flow, the user will be redirected to IdentityServer for authentication, where the user can choose local DB login or external login via Google authentication. If the user chooses the local DB, the user will enter their credentials on IdentityServer's login page and the credentials are validated against your local DB. If the credentials are correct, IdentityServer will issue a token and redirect back to the client app with the token. If the user chooses external login, the user will be redirected to Google's login page to sign in; IdentityServer will issue a token after the redirect back from Google (getting claims from the token issued by Google) and redirect back to the client app with the token.

During the authentication flow, the client can set which API resource it wants to access; after the user consents to the permission for accessing the API resource (your Web API), the issued access token can be used to access your Web API.

IdentityServer documentation: http://docs.identityserver.io/en/latest and code samples.
