Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does SignInAsAuthenticationType allow me to get an OAuth token without overwriting existing claims?

Tags:

c#

asp.net-web-api

oauth

owin

asp.net-identity-3

I need a user to login to a website using out of the box authentication to Facebook. I now need to link to the users drive in Google (and other services). I want to use ASP.Net Identity OAuth Identity providers to handle the token exchange, BUT I don't want it to touch an existing UserCredential or use it for SignIn of the UserPrincipal

My goal is to prevent

  • AuthenticateCoreAsync from returning a AuthenticationTicket that results in modifications to the current logged in user identity
  • A user shortcutting the authentication system using claims obtained from Google. (I should already have the user logged in via other means)
  • Prevent an unexpected token/cookie from being used to create a valid session, creating a privilege escalation scenario?

Question

  1. What effect does setting a custom grantIdentity have on IOwinContext.Authentication.SignIn()?

  2. Does SignInAsAuthenticationType solve my need?

  3. If not, when would this be used?

Theoretical code using Google provider

// The cookie needs to be First in the chain.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "CustomExternal",
    AuthenticationMode = AuthenticationMode.Passive,
    CookieName = "MyAwesomeCookie",
    ExpireTimeSpan = TimeSpan.FromMinutes(5),
    //Additional custom cookie options....
});

//Note that SignInAsAuthenticationType == AuthenticationType
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
{
    AuthenticationType = "GoogleBackOffice",
    ClientId = "abcdef...",
    ClientSecret = "zyxwv....",
    SignInAsAuthenticationType = "CustomExternal"
});
like image 961
makerofthings7 Avatar asked Jan 27 '17 01:01

makerofthings7

People also ask

What is an Oauth claim?

Claims are name/value pairs that contain information about a user. So an example of a good scope would be "read_only". Whilst an example of a claim would be "email": "[email protected]".

Where are user claims stored?

By default, a user's claims are stored in the authentication cookie. If the authentication cookie is too large, it can cause the app to fail because: The browser detects that the cookie header is too long.

1 Answers

The Visual Studio 2015 MVC Individual User Accounts template does something like this. You create your first account (with a local username and password or a remote provider), and then you can link other identities to that one. It does this linking by maintaining two cookies during the login, one for the app and one for the external identity.

If you look in the ManageController under LinkLoginCallback, you should be able to tweak the logic at that point to store the external identity tokens, but not grant it login access to your application.

In other words, logic like this should be managed at the authorization layer in your controller logic, not at the authentication layer in the auth middleware.

like image 195
Tratcher Avatar answered Oct 18 '22 00:10

Tratcher
Sign in to Comment

Related questions

Too Many Left Outer Joins in Entity Framework 4? [duplicate]
How to use custom binding in WCF and keep message security mode with username client credentials?
Configuration evaluation context not found warning on WCF trace
.net config file AppSettings: NameValueCollection vs. KeyValueConfigurationCollection
Prevent MSTest from copying / deploying every dll
Get all strings from resourcemanager
Windows 8 - How to Dismiss Touch Keyboard?
How do I compare two lambda expressions? [duplicate]
How do you view ETW events created by EventSource using Windows Performance Analyzer?
How do you find the TxnLineID of a payment line from a Quickbooks transaction if it is part of a Sales Receipt?
usb devices android, c# Xamarin
Is Visual Studio optimizing transitive references?
Purpose of PureAttribute on parameter
System.data.Sqlite with EF6
How do I use a geospatial query in the 2.1 MongoDB C# driver?
Prerendering/hiding on load with WPF MVVM?
Define own keywords and meanings
Change the TextBox highlight color when a user selects text?
VS Crashing after 'Set As StartUp Project'
Using JSON Patch to add values to a dictionary

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!