2

Is there a possibility to configure OAuth2 AssertionFlow with Facebook in Thinktecture Identity Server v3?

There was a post on leastprivilege.com about implementing AssertionFlow for Microsoft OAuth and AuthorizationServer but I need to integrate with Facebook and, furthermore, AuthorizationServer is marked as deprecated and it's not maintained anymore.

moody19871987

2 Answers

4

In response to @NathanAldenSr's comment, I'm publishing some code from my working solution.

Server side - custom validator:

    using System.Collections.Generic;
    using System.Security.Claims;
    using System.Threading.Tasks;
    // plus the IdentityServer v3 namespaces that define ICustomGrantValidator,
    // IUserService, ExternalIdentity etc. (their names depend on the package version)

    public class FacebookCustomGrantValidator : ICustomGrantValidator
    {
        private readonly IUserService userService;
        private const string _FACEBOOK_PROVIDER_NAME = "facebook";
        // ...

        async Task<CustomGrantValidationResult> ICustomGrantValidator.ValidateAsync(ValidatedTokenRequest request)
        {
            // check assertion type (you can have more than one in your app)
            if (request.GrantType != "assertion_fb")
                return await Task.FromResult<CustomGrantValidationResult>(null);

            // I assume that fb access token has been sent as a response form value (with 'assertion' key)
            var fbAccessToken = request.Raw.Get("assertion");
            if (string.IsNullOrWhiteSpace(fbAccessToken))
                return await Task.FromResult<CustomGrantValidationResult>(new CustomGrantValidationResult
                {
                    ErrorMessage = "Missing assertion."
                });

            AuthenticateResult authenticationResult = null;

            // if fb access token is invalid you won't be able to create Facebook client
            var client = new Facebook.FacebookClient(fbAccessToken);
            dynamic response = client.Get("me", new { fields = "email, first_name, last_name" });

            // create idsrv identity for the user
            authenticationResult = await userService.AuthenticateExternalAsync(new ExternalIdentity()
            {
                Provider = _FACEBOOK_PROVIDER_NAME,
                ProviderId = response.id,
                Claims = new List<Claim>
                {
                    new Claim("Email", response.email),
                    new Claim("FirstName", response.first_name),
                    new Claim("LastName", response.last_name)
                    // ... and so on...
                }
            },
            new SignInMessage());

            return new CustomGrantValidationResult
            {
                Principal = authenticationResult.User
            };
        }
    }

You can easily test it with OAuth2Client, which is also provided by Thinktecture (in the Thinktecture.IdentityModel Client Library NuGet package).

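    using System;
    using Thinktecture.IdentityModel.Client;

    string fbAccessToken = "facebook_access_token_you_acquired_while_logging_in";
    string assertionType = "assertion_fb";

    var client = new OAuth2Client(
        new Uri("your_auth_server_url"),
        "idsrv_client_id",
        "idsrv_client_secret");

    // RequestAssertionAsync returns a TokenResponse; the issued token is in AccessToken
    TokenResponse tokenResponse = client.RequestAssertionAsync(assertionType, fbAccessToken).Result;
    string idsrvAccessToken = tokenResponse.AccessToken;
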
moody19871987
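
The comments on this page say the Facebook token has to be validated in idsrv before it is turned into a local identity; one way to do that, shown here as an added example that is not part of the original answer, is to ask the Graph API `debug_token` endpoint which app the token was issued to and reject tokens issued to any other app. `FacebookTokenInspector` and its method names are hypothetical, Json.NET is assumed to be referenced, and the sample JSON in `Main` is constructed.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Added example: the class and method names are hypothetical.
public static class FacebookTokenInspector
{
    // Calls the Graph API debug_token endpoint.
    // appAccessToken has the form "{app-id}|{app-secret}" and must stay server-side.
    public static Task<string> FetchDebugInfoAsync(HttpClient http, string userToken, string appAccessToken)
    {
        var url = "https://graph.facebook.com/debug_token"
                + "?input_token=" + Uri.EscapeDataString(userToken)
                + "&access_token=" + Uri.EscapeDataString(appAccessToken);
        return http.GetStringAsync(url);
    }

    // Returns the Facebook user id only when the token is valid and was issued
    // to expectedAppId; returns null in every other case.
    public static string GetUserIdIfIssuedToApp(string debugTokenJson, string expectedAppId)
    {
        var data = JObject.Parse(debugTokenJson)["data"] as JObject;
        if (data == null) return null;                       // error payload or unexpected shape

        if ((bool?)data["is_valid"] != true) return null;    // expired, revoked or malformed token

        // A token issued to a different Facebook app must not log anyone in here.
        if (!string.Equals((string)data["app_id"], expectedAppId, StringComparison.Ordinal))
            return null;

        var userId = (string)data["user_id"];
        return string.IsNullOrEmpty(userId) ? null : userId;
    }

    public static void Main()
    {
        // Constructed sample responses, not captured from Facebook.
        const string ours    = "{\"data\":{\"app_id\":\"1111\",\"is_valid\":true,\"user_id\":\"42\"}}";
        const string other   = "{\"data\":{\"app_id\":\"9999\",\"is_valid\":true,\"user_id\":\"42\"}}";
        const string expired = "{\"data\":{\"app_id\":\"1111\",\"is_valid\":false,\"user_id\":\"42\"}}";

        foreach (var json in new[] { ours, other, expired })
            Console.WriteLine(GetUserIdIfIssuedToApp(json, "1111") ?? "rejected");
    }
}
```

In the validator, a null result would map to a `CustomGrantValidationResult` with an `ErrorMessage`, and the returned user id can be used as `ProviderId`.
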
0

IdentityServer v3 also supports assertion flow. The samples wiki has two samples on that (called "Custom Grants"):

https://github.com/thinktecture/Thinktecture.IdentityServer.v3.Samples/tree/master/source

leastprivilege
  • Unfortunately I still don't know how to make it work with FB. I have the fb user access token on the native client's side and I don't know what to do with it. I can send it to the IdentityServer using custom flow but what's next? What can I do with it in the IdentityServer? Does Facebook even support assertion flow at the moment? – moody19871987 Dec 16 '14 at 14:47
  • You need to validate the FB token in idsrv - and essentially turn it into a claims principal representing the user in your system. – leastprivilege Dec 17 '14 at 07:23
  • Having facebook access token on idsrv side I check its validity (using fb api) and get fb userId. Then I can check it against my database, generate my own access token and send it to the client. Thanks for your help! – moody19871987 Dec 17 '14 at 13:23
  • @moody19871987 Do you have any code you can share? I am facing the same challenges as you. Can you post your ICustomGrantValidator implementation, perhaps? – NathanAldenSr Feb 23 '15 at 17:29