TL;DR : Is there any way to use the auth=CREDENTIALS with the Simple Login (Email/Password) in Firebase?
I am trying to connect my C# Application's users to my Firebase. I could set up pretty much all calls using my Secret Token, but now I need to be able to, at least, get the current user UID so I know where the data should be sent to.
The way I went with my PUSH, PUT, GET request was something like this, using my secret token as login:
var authToken = "SECRET";
url = "https://MyLocation.firebaseio.com/" + url + ".json?auth=" + authToken;
return WebRequest.Create(url);
But now I'd like to get something supporting the Email/Password simple login, something like this:
var authToken = "{email:an#email.com, password:thePassword}";
url = "https://MyLocation.firebaseio.com/" + url + ".json?auth=" + authToken;
return WebRequest.Create(url);
My tries using CURL weren't successful... Maybe there's no way to do that? or any suggestions?
Thanks for the help!
I spoke with the support at Firebase and found a temporary solution, and a real solution.
Real solution: Manage the user and their password manually in all environments, using Firebase as "Database". That was basically what I was trying to do with my question. That resolve in using Firebase custom auth.
Temporary solution: (And what I did as I do not need as much security as the real solution offers)
Get something that identify the current user. Here I can get the current user email without even asking him.
Base64 the identifier:
byte[] result = System.Text.Encoding.UTF8.GetBytes(email);
email = Convert.ToBase64String(result);
Put, push, patch the required information via REST to firebaseio.com/Base64
In the user interface, that uses JavaScript, do the same process to read/write data at the user, using something like base64.min.js
var ref = new Firebase("https://aFirebase.firebaseio.com");
//Things happen
...
//We register a user
function createUser(email, password){
//Allows us to create a user within firebase
ref.createUser({
email : email,
password : password
}, function(error, userData){
if (error) {
//The creation of the user failed
alert(error);
} else {
//The creation of the user succeeded
console.log("Successfully created user account with uid:", userData.uid);
//We make sure we are at the correct position in our firebase
ref = ref.root().child(base64.encode(email));
//We check if the child exist
if(ref == ref.root()){
//The child doesn't exist
//We have to create it
user = {};
//Set the child with a value for the UID, that will fit with the rules
user[base64.encode(email)] = {uid:userData.uid};
//We set the new child with his value in firebase
ref.set(user);
}else{
//The child exist, we can update his information to go accordingly with our rules
ref.update({uid:userData.uid});
}
//Who wants to register and then not be logged in?
//We can add something upon login if his email is not validated...
login(email, password);
}
}
);
}
Now we have to update our rules in Firebase:
{
"rules": {
"$uid":{
".read":"!(data.child('uid').exists() == true) || data.child('uid').val() == auth.uid",
".write":"!(data.child('uid').exists() == true) || data.child('uid').val() == auth.uid"
}
}
}
With this, the application is somehow secure (as long as the user use the C# application and the JS application, where the rules will be set).
In case of a WebApi application a JWT token could be used along with OWIN pipeline.
app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AllowedAudiences = new[] { FirebaseValidAudience },
Provider = new OAuthBearerAuthenticationProvider
{
OnValidateIdentity = OnValidateIdentity
},
TokenValidationParameters = new TokenValidationParameters
{
IssuerSigningKeys = issuerSigningKeys,
ValidAudience = FirebaseValidAudience,
ValidIssuer = FirebaseValidIssuer,
IssuerSigningKeyResolver = (arbitrarily, declaring, these, parameters) => issuerSigningKeys
}
});
Here is the sample of Firebase ASP.NET WebApi Authentication application: https://github.com/PavelDumin/firebase-webapi-auth
Related
I am trying to get a CUSTOM_AUTH flow with AWS Cognito in the following setup:
Angular TS client app
.NET 3.1 WebAPI
Login is handled serverside, UserName + Password check works correctly. Business requires to add email based MFA.
I struggle to understand how to implement CUSTOM_AUTH flow from Server-side. All samples and documentation are restricted to Client flow, which includes SRP values.
The desired flow would be:
User enters username + password
API send them to Cognito, which triggers the CUSTOM AUTH Flow
Custom flow triggers, code being generated and an email sent out to the user email address with a generated code
Client app renders an input field for the code generated
user submits the code received via email
API calls Cognito with the generated code
Cognito confirms if the provided code match the generated one and generates the AuthToken to be used
The current login flow looks as:
user inputs username and password in the Angular App
inputs are sent to the backend API
Backend Initiates the authentication flow with Cognito through SDK
public async Task<AdminInitiateAuthResponse> AuthenticateUser(string username, string password) {
var authRequest = new AdminInitiateAuthRequest
{
UserPoolId = this._poolId,
ClientId = this._clientId,
AuthFlow = AuthFlowType.ADMIN_NO_SRP_AUTH
};
authRequest.AuthParameters.Add("USERNAME", username);
authRequest.AuthParameters.Add("PASSWORD", password);
return await this._client.AdminInitiateAuthAsync(authRequest);
}
Cognito validates the username and password. From the return value we generate a token.
public CognitoUserDto CreateUserToken(AuthenticationResultType authRes) {
var tokenHandler = new System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler();
var awsIdToken = tokenHandler.ReadJwtToken(authRes.IdToken);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(claims),
Expires = DateTime.UtcNow.AddHours(1),
SigningCredentials = creds
};
return new CognitoUserDto
{
Email = awsIdToken.Claims.Single(e => e.Type == "email").Value,
Token = CreateToken(awsIdToken, authRes.AccessToken)
};
}
public string CreateToken(JwtSecurityToken awsToken, string accessToken) {
var claims = new List<Claim>
{
new Claim(JwtRegisteredClaimNames.Email, awsToken.Claims.Single(e => e.Type == "email").Value),
new Claim("accessToken", accessToken)
};
var creds = new SigningCredentials(_key, SecurityAlgorithms.HmacSha512Signature);
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(claims),
Expires = DateTime.UtcNow.AddHours(1),
SigningCredentials = creds
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return tokenHandler.WriteToken(token);
}
As for Custom Auth mode with email the sample here was followed (even though its an app flow). Since I failed to find samples/documentation with server side custom auth flow attempts are pretty much restricted to trial and error.
If possible I would like to avoid the need to refactor the whole process to client side flow.
What has been done so far:
Replaced AuthFlow in AuthenticateUser method to AuthFlowType.CUSTOM_AUTH
User Pool signin experience is set to Optional MFA
Created the lambda triggers in AWS Cognito
Issues faced:
keeping the ADMIN_NO_SRP_AUTH mode does not trigger the CUSTOM AUTH flow. (somewhat expected)
changing the AuthFlow to CUSTOM_AUTH throws an exception. First sentence in AWS Docs state here states "The request for this Lambda trigger contains session", yet the Lambda expression stops with an exception that session is null. Yet, this may be right, since according to step 1 one shall include value for SRP_A, which is kinda obscure how, given no SRP is available.
reworked the defaultAuthChallenge Lambda expression to handle if session is null. In this case Lambda was executed without exception, however challengeName and session are not returned, so kinda blocked how to call AdminRespondToAuthChallengeAsync() method
public async Task<AdminRespondToAuthChallengeResponse> RespondToCognitoChallenge(string token, string session) {
return await this._client.AdminRespondToAuthChallengeAsync(new AdminRespondToAuthChallengeRequest() {
ChallengeName = ChallengeNameType.CUSTOM_CHALLENGE,
CientId = this._clientId,
UserPoolId = this._poolId,
ChallengeResponses = new Dicitonary<string, string> {{ "token", token }},
Session = session
});
}
The reworked defaultAuthChallenge Lambda look like:
export const handler = async (event) => {
if (event.request?.session === null || event.request.session.length === 0) {
//SRP_A is the first challenge, this will be implemented by cognito. Set next challenge as PASSWORD_VERIFIER.
event.response.issueTokens = false;
event.response.failAuthentication = false;
event.response.challengeName = 'PASSWORD_VERIFIER';
} else if (event.request.session && event.request.session.length === 1
&& event.request.session[1].challengeName === 'PASSWORD_VERIFIER'
&& event.request.session[1].challengeResult === true) {
//If password verification is successful then set next challenge as CUSTOM_CHALLENGE.
event.response.issueTokens = false;
event.response.failAuthentication = false;
event.response.challengeName = 'CUSTOM_CHALLENGE';
} else if (event.request.session && event.request.session.length >= 5
&& event.request.session.slice(-1)[0].challengeName === 'CUSTOM_CHALLENGE'
&& event.request.session.slice(-1)[0].challengeResult === false) {
//The user has exhausted 3 attempts to enter correct otp.
event.response.issueTokens = false;
event.response.failAuthentication = true;
} else if (event.request.session && event.request.session.slice(-1)[0].challengeName === 'CUSTOM_CHALLENGE'
&& event.request.session.slice(-1)[0].challengeResult === true) {
//User entered the correct OTP. Issue tokens.
event.response.issueTokens = true;
event.response.failAuthentication = false;
} else {
//user did not provide a correct answer yet.
event.response.issueTokens = false;
event.response.failAuthentication = false;
event.response.challengeName = 'CUSTOM_CHALLENGE';
}
return event;
};
Your kind help is apprecaited!
I'm trying to build an API (using ASP.NET WebApi) that will be consumed by a native mobile app for a school project. (I'm not concerned about/developing the mobile app, this responsibility falls on a different member)
I'm at a point where I need to implement a token based Facebook login. There are a lot of tutorials available for how to implement this feature for browser based apps (this is pretty straight forward and most of it comes inbuilt), but I don't think I follow how this would work with native apps. What I don't understand is how the redirects would work?
According to this link, nothing needs to be handled specifically by my server. And I don't think I understand how this would work? How would the tokens from Facebook be handled?
Also, what part of token handling should I implement, I couldn't really find good documentation for WebApi external login authentication.
Anyway, if someone could point me to the exact flow of token exchanges that happen and what is implemented by default by ASP.NET, that would be super helpful.
Also, the biggest point of confusion for me is I don't understand how the token returned by Facebook will be handled.
I assume the token will be returned to the client (mobile app), how do I get access to it on my server?
How do I create a local token from facebook's token?
Is this all done internally/auto-magically by ASP.NET?
I'm sorry if this is something I should've been able to figure out. I did do quite a bit of research and I found myself drowning in (related & unrelated) information. I don't think I even know how to search for the information I need.
Some links I've read:
Claims And Token Based Authentication (ASP.NET Web API)
Token Based Authentication using ASP.NET Web API 2, Owin, and Identity
ASP.NET Web API 2 external logins with Facebook and Google in AngularJS app
I had to do pretty much the same thing for an application I was working on. I also had a lot of trouble finding information about it. It seemed like everything I found was close to what I needed, but not exactly the solution. I ended up taking bits and pieces from a bunch of different blog posts, articles, etc. and putting them all together to get it to work.
I remember two of the links you posted "Claims and Token Based Authentication" and "ASP.NET Web API 2 external logins with Facebook and Google in AngularJS app" as being ones that had useful information.
I can't give you a comprehensive answer since I don't remember everything I had to do, nor did I even understand everything I was doing at the time, but I can give you the general idea. You are on the right track.
Essentially I ended up using the token granted by Facebook to confirm that they were logged into their Facebook account, created a user based on their Facebook user ID, and granted them my own bearer token that they could use to access my API.
The flow looks something like this:
Client authenticates with Facebook via whatever method (we used oauth.io)
Facebook returns them a token
Client sends token information to the registration endpoint of my WebApi controller
The token is validated using Facebook's Graph API, which returns user info
A user is created in the database via ASP.NET Identity with their Facebook user ID as the key
Client sends token information to the authentication endpoint of my WebApi controller
The token is validated using Facebook's Graph API, which returns user info
The user info is used to look up the user in the database, confirm they have previously registered
ASP.NET Identity is used to generate a new token for that user
That token is returned to the client
Client includes an Authorization header in all future HTTP requests with the new token granted by my service (ex. "Authorization: Bearer TOKEN")
If the WebApi endpoint has the [Authorize] attribute, ASP.NET Identity will automatically validate the bearer token and refuse access if it is not valid
There ended up being a lot of custom code for implementing the OAuth stuff with ASP.NET Identity, and those links you included show you some of that. Hopefully this information will help you a little bit, sorry I couldn't help more.
I followed this article. The flow is basically this
The server has the facebook keys just like with web login
The app asks for available social logins and displays buttons (you can hardcode this I guess)
When a button is pressed the app opens a browser and sets the URL to the one related to the specified social login. The ASP.NET then redirects the browser to facebook/google/whatever with the appropriate Challenge
The user might be logged in or not and might have given permission to your app or not. After he gives the permissions facebook redirects back to the provided callback URL
At that point you can get the external login info from the SignInManager and check if the user already exists and if you should create a new account
Finally a token is generated and the browser is redirected to a URL in which the token is placed. The app gets the token from the URL and closes the browser. Uses the token to proceed with API requests.
Honestly I have no idea if this approach is legit...
The code of the action buttons should redirect to:
public async Task<IEnumerable<ExternalLoginDto>> GetExternalLogins(string returnUrl, bool generateState = false)
{
IEnumerable<AuthenticationScheme> loginProviders = await SignInManager.GetExternalAuthenticationSchemesAsync();
var logins = new List<ExternalLoginDto>();
string state;
if (generateState)
{
const int strengthInBits = 256;
state = RandomOAuthStateGenerator.Generate(strengthInBits);
}
else
{
state = null;
}
foreach (AuthenticationScheme authenticationScheme in loginProviders)
{
var routeValues = new
{
provider = authenticationScheme.Name,
response_type = "token",
client_id = Configuration["Jwt:Issuer"],
redirect_uri = $"{Request.Scheme}//{Request.Host}{returnUrl}",
state = state
};
var login = new ExternalLoginDto
{
Name = authenticationScheme.DisplayName,
Url = Url.RouteUrl("ExternalLogin", routeValues),
State = state
};
logins.Add(login);
}
return logins;
}
The code for the callback action:
[Authorize(AuthenticationSchemes = "Identity.External")]
[Route("ExternalLogin", Name = "ExternalLogin")]
public async Task<IActionResult> GetExternalLogin(string provider, string state = null, string client_id = null, string error = null)
{
if (error != null)
{
ThrowBadRequest(error);
}
if (!User.Identity.IsAuthenticated)
{
return new ChallengeResult(provider);
}
string providerKey = User.FindFirstValue(ClaimTypes.NameIdentifier);
var externalLoginInfo = new ExternalLoginInfo(User, User.Identity.AuthenticationType, providerKey, User.Identity.AuthenticationType);
if (externalLoginInfo.LoginProvider != provider)
{
await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
return new ChallengeResult(provider);
}
var userLoginInfo = new UserLoginInfo(externalLoginInfo.LoginProvider, externalLoginInfo.ProviderKey, externalLoginInfo.ProviderDisplayName);
User user = await UserManager.FindByLoginAsync(externalLoginInfo.LoginProvider, externalLoginInfo.ProviderKey);
if (client_id != Configuration["Jwt:Issuer"])
{
return Redirect($"/#error=invalid_client_id_{client_id}");
}
if (user != null)
{
return await LoginWithLocalUser(user, state);
}
else
{
string email = null;
string firstName = null;
string lastName = null;
IEnumerable<Claim> claims = externalLoginInfo.Principal.Claims;
if (externalLoginInfo.LoginProvider == "Google")
{
email = claims.FirstOrDefault(c => c.Type == ClaimTypes.Email)?.Value;
firstName = claims.FirstOrDefault(c => c.Type == ClaimTypes.GivenName)?.Value;
lastName = claims.FirstOrDefault(c => c.Type == ClaimTypes.Surname)?.Value;
}
else if (externalLoginInfo.LoginProvider == "Facebook")
{
email = claims.FirstOrDefault(c => c.Type == ClaimTypes.Email)?.Value;
string[] nameParts = claims.First(c => c.Type == ClaimTypes.Name)?.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
firstName = nameParts?.First();
lastName = nameParts?.Last();
}
//some fallback just in case
firstName ??= externalLoginInfo.Principal.Identity.Name;
lastName ??= externalLoginInfo.Principal.Identity.Name;
user = new User
{
UserName = email,
Email = email,
FirstName = firstName,
LastName = lastName,
EmailConfirmed = true //if the user logs in with Facebook consider the e-mail confirmed
};
IdentityResult userCreationResult = await UserManager.CreateAsync(user);
if (userCreationResult.Succeeded)
{
userCreationResult = await UserManager.AddLoginAsync(user, userLoginInfo);
if (userCreationResult.Succeeded)
{
return await LoginWithLocalUser(user, state);
}
}
string identityErrrors = String.Join(" ", userCreationResult.Errors.Select(ie => ie.Description));
Logger.LogWarning($"Error registering user with external login. Email:{email}, Errors:" + Environment.NewLine + identityErrrors);
return Redirect($"/#error={identityErrrors}");
}
}
private async Task<RedirectResult> LoginWithLocalUser(User user, string state)
{
await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
DateTime expirationDate = DateTime.UtcNow.AddDays(365);
string token = user.GenerateJwtToken(Configuration["Jwt:Key"], Configuration["Jwt:Issuer"], expirationDate);
return Redirect($"/#access_token={token}&token_type=bearer&expires_in={(int)(expirationDate - DateTime.UtcNow).TotalSeconds}&state={state}");
}
We have a mobile app that wants to access a view on our ASP.NET MVC4 website. In order to do so, the app needs to authenticate by different means than our ADFS login process. The mobile app makes a request to the service and passes in the username and password as Request headers. In the ASP.NET application global.asax file, we have the following:
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
string username = HttpContext.Current.Request.Headers[Mobile.Configuration.iPadUsername];
string password = HttpContext.Current.Request.Headers[Mobile.Configuration.iPadPassword];
string acctID = HttpContext.Current.Request.Headers[Mobile.Configuration.iPadAcctStr];
//bypass adfs
if (!string.IsNullOrEmpty(username)
&& !string.IsNullOrEmpty(password)
&& !HttpContext.Current.Request.IsAuthenticated)
{
//web service call to authenticate the user
if (success)
{
var genIden = new GenericIdentity(usrnm);
var genClaim = new GenericPrincipal(genIden, new string[] { });
HttpContext.Current.User = genClaim;
var token = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(genClaim, "test mobile", DateTime.UtcNow, DateTime.UtcNow.AddDays(1), true);
FederatedAuthentication.SessionAuthenticationModule.AuthenticateSessionSecurityToken(token, true);
Response.Clear();
Response.Status = "301 Moved Permanently";
Response.AddHeader("Location", "/Default/IndexRedirectFromMobile");
Response.End();
}
}
}
What ends up happening is when setting the user to the GeneralPrincipal above, we have HttpContext.Current.Request.IsAuthenticated set to true. However, after we try to redirect the user to the correct landing page, the request is no longer authenticated and they get caught in an infinite loop.
What can we do to prevent this from happening?
A simplest way would be to write the token to a cookie
var token = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(genClaim, "test mobile", DateTime.UtcNow, DateTime.UtcNow.AddDays(1), true);
FederatedAuthentication.SessionAuthenticationModule.WriteSessonTokenToCookie( token );
You need to remember that the client must support cookies. Depending on the actual client technology you use, this can be easier or harder.
However, you don't need to use the SAM module to retain the session. You can use Forms Authentication, a custom authentication header or anything else.
I have inherited an existing application. This application uses ASP.NET MVC 3. It has some APIs. Those APIs look like the following:
[AcceptVerbs(HttpVerbs.Post)]
[Endpoint]
public ActionResult AuthenticatePlayer(string username, string password)
{
// Ensure that the user entered valid credentials
if (Membership.ValidateUser(username, password) == false)
return Json(new { statusCode = StatusCodes.INVALID_CREDENTIALS, message = "You entered an invalid username or password. Please try again." });
// Get the profile of the person that just logged in.
ProfileCommon userProfile = (ProfileCommon)(ProfileCommon.Create(username));
if (userProfile != null)
{
string name = username;
if (String.IsNullOrEmpty(userProfile.FirstName) == false)
name = userProfile.FirstName;
return Json(new {
statusCode = StatusCodes.SUCCESS,
payload = name,
username = username.ToLower(),
});
}
}
[AcceptVerbs(HttpVerbs.Get)]
[Endpoint]
public ActionResult SomeUserAction(string q)
{
// TODO: Ensure the user is authorized to perform this action via a token
// Do something
return Json(new { original = q, response = DateTime.UtcNow.Millisecond }, JsonRequestBehavior.AllowGet);
}
I'm trying to figure out how to integrate a token-based authorization schema into this process. From my understanding, a token-based system would return a short-lived token and a refresh token to a user if they successfully login. Then, each method can check to see if a user is authorized to perform the action by looking at the token. I'm trying to learn if this is built-in to ASP.NET MVC or if there is a library I can use. I need to figure out the shortest way to get this done.
Thank you so much!
I've built a WebAPI Token Authentication library a year ago, providing Token based authentication:
WebAPI Token Auth Bootstrap is out of the box Token based User Auth for WebAPI applications, Provides ready to use 'TokenAuthorize'
Attribute and 'TokenAuthApiController' Controller.
Among its features - Token Based User Authentication User Property inside the
TokenAuthApiController (Id, Username, Role, LastAccess).
Token Based User Authorization TokenAuthorizeAttribute with Access
Level - Public, User, Admin or Anonymous.
Built-in Functionality Login(), Logoff(), Error(), Unauthorized()
Responses with various overloads.
You can read more about here and in its own wiki in GitHub.
Nowadays I am working on a Node.js application and I am using Json Web Tokens (JWT) using Node.js library and it is very easy and straightforward.. its Node.js after all ;)
I saw there is a .NET implementation of JWT explained on this article which I recommend you to look at.
You can use Owin ... i.e. Microsoft.owin.security
I haven't tried this implementation but this is just to give you an idea:
var identity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
var currentUtc = new SystemClock().UtcNow;
ticket.Properties.IssuedUtc = currentUtc;
ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(30));
DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
return Json(new {
statusCode = StatusCodes.SUCCESS,
payload = name,
username = username.ToLower(),
accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket)
});
I want to use DotNetOpenAuth in my website for authentication + authorization (gmail).
However, I would like to ask: What should I persist?
I thought:
In the DB: for each user save a Guid and his gmail (fetched)
In formAuthentication cookie the Guid I have assigned to that user.
Any other suggestions?
public bool Login()
{
IAuthenticationResponse authResponse = GoogleConsumerHandler.RelyingParty.GetResponse();
if (authResponse != null)
{
HandleAuthResponse(authResponse);
}
else
{
HandleAuthNullResponse(authResponse);
}
return false;
}
#region private methods
private void HandleAuthResponse(IAuthenticationResponse authResponse)
{
switch (authResponse.Status)
{
case AuthenticationStatus.Authenticated:
State.FetchResponse = authResponse.GetExtension<FetchResponse>();
var consumer = new WebConsumer(GoogleConsumerHandler.ServiceDescription, mConsumerTokenManager);
AuthorizedTokenResponse accessToken = consumer.ProcessUserAuthorization(authResponse);
if (accessToken != null)
{
var email = authResponse.ClaimedIdentifier;
//existing or new
Guid userId = mCRMService.GetUserId(email, accessToken.AccessToken);
State.GoogleAccessToken = accessToken.AccessToken;
FormsAuthentication.SetAuthCookie(userId.ToString(), false);
//authenticat and authorized
//Response.Redirect("~/Browser.htm");
}
else
{
//authenticated and not authorized
//MultiView1.SetActiveView(AuthorizationDenied);
}
break;
case AuthenticationStatus.Canceled:
break;
case AuthenticationStatus.Failed:
break;
default:
//not authenticated
//this.MultiView1.SetActiveView(this.AuthenticationFailed);
break;
}
}
private void HandleAuthNullResponse(IAuthenticationResponse authResponse)
{
// Google requires that the realm and consumer key be equal,
// so we constrain the realm to match the realm in the web.config file.
// This does mean that the return_to URL must also fall under the key,
// which means this sample will only work on a public web site
// that is properly registered with Google.
// We will customize the realm to use http or https based on what the
// return_to URL will be (which will be this page).
var consumer = new WebConsumer(GoogleConsumerHandler.ServiceDescription, mConsumerTokenManager);
//Realm realm = "http://localhost:8976/";
Realm realm = System.Web.HttpContext.Current.Request.Url.Scheme + Uri.SchemeDelimiter + consumer.ConsumerKey + "/";
IAuthenticationRequest authReq = GoogleConsumerHandler.RelyingParty.CreateRequest(GoogleConsumerHandler.GoogleOPIdentifier, realm);
// Prepare the OAuth extension
string scope = GoogleConsumerHandler.GetScopeUri(GoogleConsumerHandler.Applications.Gmail);
consumer.AttachAuthorizationRequest(authReq, scope);
// We also want the user's email address
var fetch = new FetchRequest();
fetch.Attributes.AddRequired(WellKnownAttributes.Contact.Email);
authReq.AddExtension(fetch);
authReq.RedirectToProvider();
}
For authentication purposes you should store the OpenID ClaimedIdentifier you get back in the IAuthenticationResponse object. That serves as the "primary key" for your users so you can recognize them when they return. I suggest you use the claimed_id as the FormsAuthentication username instead of a random GUID as well. Also storing the email address you collect is fine, but it's inadvisable to use that as the means to recognize a returning user.
Remember that you can't log in "gmail users". You can log in OpenID users, that may use any Provider. You can limit that to "Google" users by filtering on the IAuthenticationResponse.Provider.Uri for the Google OP Endpoint, but even then you're not guaranteed that those accounts use Gmail (their email address might be foo#bar.com anyway).
Finally, if all you need is their authentication and email address (whatever email that is) you can do so using the OpenID AX extension (built into DNOA) and you don't need "authorization", which might greatly simplify your code.