
I am building WebAPI on OWIN that needs authorization. I implemented OAuth 2.0 and I am really happy with it. For now, there is a grant_type "password" authentication implemented and now I need a way to use external authentication systems, i.e. Facebook, Google, etc.

The scenario I am trying to figure out is this:

  1. iOS/Android app authorizes user with Facebook using native libraries and gets Facebook access_key
  2. I should get that access_key to my OAuth OWIN backend
  3. Test the access key with Facebook API
  4. Get user_id
  5. Then map the user_id with a user in my system
  6. Issue Identity Token for that particular user

Am I conceptually right and if so, how should I implement this in OAuth pipeline?

Dovydas Navickas

1 Answer


That is how I would do it. To implement it, you will need the Microsoft.Owin.Security.Facebook nuget package.

Here is a nice article that explains how to use the package. http://blogs.msdn.com/b/webdev/archive/2013/10/16/get-more-information-from-social-providers-used-in-the-vs-2013-project-templates.aspx?PageIndex=2

Basically, in your owin startup class, you add a call to app.UseFacebookAuthentication();

Then get the IPrincipal from HttpContext and configure it.

DavidEdwards
  • I took a different approach and FYI, I've checked Microsoft.Owin.Security.Facebook before posting the question here :) It was not the proper way to go for me, because it goes out of OAuth pipeline by using controllers and redirects. – Dovydas Navickas Jul 26 '14 at 11:21
  • @DovydasNavickas - I'm with you. I want to do exactly the same thing. How did you end up accomplishing this? Is there an OAuth grant_type that would be appropriate for passing an external auth_token like the one you get from Facebook? – Chris Swain Feb 06 '15 at 23:23
  • @ChrisSwain I ended up transferring auth_token from Facebook in the OAuth password field and adding another field that is not in OAuth specification called Provider. That way I can serve different providers, e.g. Facebook, Google, Twitter in a different way and it still kind of falls under the OAuth standard except for Provider field. – Dovydas Navickas Feb 07 '15 at 10:08
  • I'm looking into the OAuth 2 "Assertion" flow with a custom grant_type. I believe this may be the OAuth process that will allow the flexibility needed to handle this scenario. Reference: http://tools.ietf.org/html/rfc6749#section-4.5 – Chris Swain Feb 07 '15 at 15:06
  • Looking at the documentation now, I recall why I discredited the section 4.5. It is a good use case for a traditional "reloading" browser app, but not so good for a single page "non-reloading" app that I am developing, because it expects grant_type to be an absolute URL gotten from Authorization server and I do not need that in my case. I get the access_token from Facebook already and I need to authenticate with my API as a second step. That is why I use the grant_type=password&password={access_token}&provider=facebook. Also, I can support username/password scenario quite easily this way. – Dovydas Navickas Feb 09 '15 at 18:41
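As an added example (not code from the question, the answer or any comment), the six steps of the question implemented the way the last comment describes, as a Katana OAuthAuthorizationServerProvider: the app sends grant_type=password with the Facebook access_token in the password field and provider=facebook, the server has Facebook inspect the token, checks it was issued to this app, maps user_id to a local account and hands the middleware an identity. The `provider` form field, the constructor parameters and the findLocalUserId lookup are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;
using Newtonsoft.Json.Linq;

public class ExternalTokenGrantProvider : OAuthAuthorizationServerProvider
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly string _fbAppId, _fbAppSecret;  // from your Facebook app registration; the secret never leaves the server
    // Hypothetical lookup: (provider, external user id) -> local account id, or null when nothing is linked.
    private readonly Func<string, string, Task<string>> _findLocalUserId;

    public ExternalTokenGrantProvider(string fbAppId, string fbAppSecret, Func<string, string, Task<string>> findLocalUserId)
    { _fbAppId = fbAppId; _fbAppSecret = fbAppSecret; _findLocalUserId = findLocalUserId; }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public mobile client, no client secret to check
        return Task.FromResult(0);
    }

    // Handles: grant_type=password&username=<ignored>&password=<facebook access_token>&provider=facebook
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var form = await context.Request.ReadFormAsync(); // Katana parsed the body already; this returns the cached form
        if (form.Get("provider") != "facebook") { context.SetError("invalid_grant", "Unsupported provider."); return; }
        JToken data = null;
        try
        {   // Step 3: have Facebook inspect the token, authenticating as the app ("app_id|app_secret").
            var url = "https://graph.facebook.com/debug_token?input_token=" + Uri.EscapeDataString(context.Password)
                    + "&access_token=" + Uri.EscapeDataString(_fbAppId + "|" + _fbAppSecret);
            data = JObject.Parse(await Http.GetStringAsync(url))["data"];
        }
        catch (HttpRequestException) { } // Facebook answers 4xx for malformed or revoked tokens; data stays null
        // Reject unless the token is valid (is_valid also covers expiry) AND was issued to *this* app:
        // without the app_id check, a token some other Facebook app obtained for the user would log them in here.
        if (data == null || (bool?)data["is_valid"] != true || (string)data["app_id"] != _fbAppId)
        { context.SetError("invalid_grant", "External token rejected."); return; }
        // Steps 4-5: Facebook user_id -> local account.
        var localUserId = await _findLocalUserId("facebook", (string)data["user_id"]);
        if (localUserId == null) { context.SetError("invalid_grant", "No local account is linked to this user."); return; }
        // Step 6: hand the middleware an identity for that user; it issues the bearer token.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, localUserId));
        context.Validated(identity);
    }
}
```

Register it as the Provider of your OAuthAuthorizationServerOptions in the OWIN startup class; the same token validation works unchanged from GrantCustomExtension if you later switch to a custom grant_type as discussed above.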