Last post Aug 21, 2020 08:33 AM by Sean Fang
Aug 12, 2020 02:56 AM|devxel
I can get the user's Google profile using the ASPSnippets DLL. (I would prefer to code it myself though, but cannot find a sample that works.) Anyway...
I'll add the user's name and email address to the ASP.NET users and membership tables, then use forms authentication, give them a persistent cookie and then take it from there - When they come back they will be auto logged in - This doesn't quite seem right to me. How are others doing this please?
Aug 13, 2020 07:52 AM|Sean Fang
When they come back they will be auto logged in - This doesn't quite seem right to me. How are others doing this please?
I think it is a feasible way to do persistence as a 'remember me' function.
Actually it is what the OWIN Forms authentication does. The only difference is that they handle the persistence within the middle ware, registering two cookie authentications, which separates the external sign-in from the application sign-in, and you handle it manually with forms authentication, which only registers one cookie authentication.
However, there is another point: you might need to associate the local user account with the external identity's ID claim (Google ID) when you add the user's name and email address to the ASP.NET users and membership tables.
You might want to refer to the links below for OWIN Forms authentication to modify your implementation:
Understanding Application Sign in Cookie flow
Understanding External Sign in Cookie flow
Note that you don't need to focus on the implementation of it, but only care about the workflow.
Hope this can help you.
Aug 14, 2020 03:04 AM|devxel
Thank you Sean, for this comprehensive answer.
I'm not using MVC, just .Net webapp - but the OWIN docs showed me the flow I should consider.
In the flow, I'm still not sure about the 'middle ware' - as you say - This is the area I need to look at, but all I can find is that backend sites should create a token for the user's ID as well as a 'refresh' token - I get this but as yet have not seen any coded solutions.
Anyway, I enforce only unique email addresses, so why would I even need to store the tokens when I can simply use the email address. It all seems too easy! I'm nervous that I am missing something.
Aug 18, 2020 10:03 AM|Sean Fang
In the flow, I'm still not sure about the 'middle ware'
In short, the middle ware is one of the stages in which the request is processed. You could refer to ASP.NET Core Middleware.
but all I can find is that backend sites should create a token for the user's ID as well as a 'refresh' token - I get this but as yet have not seen any coded solutions.
In fact, you don't need to explore too deep for the coded solutions for token stuff. You could directly use a provider to integrate the Google ID or whatever other IDs with your
For example, you could refer to Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers; though it is a bit old, it is useful for understanding how they deal with the external authentication.
However, I am not sure if I understand your problem correctly. Feel free to let me know the specific problem.
Anyway, I enforce only unique email addresses, so why would I even need to store the tokens when I can simply use the email address
Could you please specify the condition when you want to use the unique email address?
The token is used for retrieving the user claims from external authentication side. When ID tokens are available, you can use them to securely authenticate with your app's backend, or to skip the email verification step when creating a new account.
Another reason why people use ID tokens is security. However, it is a wider problem; you might be interested in this: ID Tokens
Aug 20, 2020 12:02 AM|devxel
Thank you for the links Sean - Interesting and useful reading.
I'm just testing the .Net OpenAuth/OpenID and would probably use that if I can get it going, but my ASPSnippets DLL is my 'middleware', I guess. This works, and I can get the Google user's ID, email, name etc.
I have enforced unique email addresses in the web config with 'requiresUniqueEmail="true"' in the membership > providers section.
This is how I am doing it now (in testing) and it works.
1. If the email exists - look up the account and log them in.
2. If it does not exist, then create a local account with username and email address, then log them in.
Issue permanent (say 3 months) .Net Auth cookie.
If the cookie expires or they log out then they will need to log in again with Google. No password is needed.
From what you have shown me, I can see the process much more clearly now.
Do you see any pitfalls in my current setup?
Aug 21, 2020 08:33 AM|Sean Fang
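The numbered sign-in steps above, combined with the earlier suggestion in this thread to tie the local account to the Google ID claim, written out as an added example that is not part of the thread or any poster's code. `IExternalLoginStore` and `GoogleSignIn` are hypothetical names, the Google values are assumed to have been validated by the server already, and the membership provider is assumed to accept `CreateUser` without a password question.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical store: one extra table mapping (provider, Google "sub") to a local username.
public interface IExternalLoginStore
{
    string FindUserName(string provider, string subject);
    void Link(string provider, string subject, string userName);
}

public static class GoogleSignIn
{
    // subject, email and emailVerified are assumed to come from a Google profile or
    // ID token that the server has already validated.
    public static string ResolveLocalUser(IExternalLoginStore store,
        string subject, string email, bool emailVerified)
    {
        // Returning user: match on the stable Google ID, which survives an email change.
        string userName = store.FindUserName("Google", subject);
        if (userName != null) return userName;

        // First sign-in: an unverified address must not select or create an account.
        if (!emailVerified)
            throw new InvalidOperationException("Google has not verified this email address.");

        // Step 1 of the flow above: reuse the account that already has this email.
        userName = Membership.GetUserNameByEmail(email);
        if (string.IsNullOrEmpty(userName))
        {
            // Step 2: create a local account; the random password is never shown or used.
            userName = email;
            Membership.CreateUser(userName, Membership.GeneratePassword(32, 4), email);
        }
        store.Link("Google", subject, userName);
        return userName;
    }

    // Persistent forms-authentication cookie with the three-month lifetime from the post.
    public static void IssueCookie(HttpResponse response, string userName)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMonths(3), true, string.Empty);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket))
        { HttpOnly = true, Secure = true, Expires = ticket.Expiration };
        response.Cookies.Add(cookie);
    }
}
```

Keying the returning-user lookup on the Google ID means a later change of address on the Google account does not detach the user from the local account, and the `Secure` flag assumes the site is served over HTTPS.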
Glad to see that the previous links are helpful.
It looks like the flow should be working, as you are using cookies to do the "Remember me" stuff, which is the same as what forms authentication does.
If you are facing any problem, you could post a new thread here.
Happy to discuss it with you.