 

How should I implement OAuth for an application? [closed]

I am creating an application for a client that needs to do the following:

  • Allow users to authenticate using Google, Facebook, Twitter, and LinkedIn.
  • Allow users to add additional providers after signing up. (i.e. if the user authenticated with Google then they should be able to add any or all of the other providers as well.)
  • Allow users to import Google contacts, Facebook friends list, Twitter followers, and LinkedIn friends in order to build a custom contact list.

Where is the best place to start learning about this? Is there a standard that everybody uses for these things in .NET? I've been Googling around for a few hours and while it seems most people point to DotNetOpenAuth I can't seem to find any solid tutorials on how to use the library. The download comes with samples but it's still confusing me.

I assumed it would be as simple as:

  • Configure providers' secrets.
  • Begin login with provider.
  • Authenticate user with auth cookie.
  • Create user record in my database and store unique ID from provider.

But it seems like every provider has its own set of code and it's all so different and confusing. Facebook has some graph object, Twitter has some "InMemoryTokenManager" that I don't understand, and Google doesn't even have an authentication example, only a Google Address Book example. And on top of all that you have to copy bits of code out of some ApplicationBlock demo in the samples into your own app for some reason, and getting that all to compile without knowing what the heck it's trying to do is an arduous task.

I feel like I'm missing something fundamental with all this.

Even a book recommendation would be great at this point.

I believe I understand the high-level concepts of OAuth but once I try to dive into the nitty-gritty I immediately get lost.

Chev asked Apr 02 '13 17:04



1 Answer

First, there is really no point in using external libraries if you are on .NET 4.5, where the default ASP.NET template comes with authentication code for most of these mentioned providers.

Second, if you still need a good tutorial on some details of OAuth2 authentication, take a look at this great post by Ben Foster: http://ben.onfabrik.com/posts/oauth-providers

Third, unfortunately, if you need anything else than authentication, there is no single protocol. Thus, each provider has its own way of exposing these additional data - contacts, posts etc. You can't do much about it; it has nothing to do with OAuth2 but is just a way of invoking a specific API which by chance is often exposed as REST/XML web services based on OAuth2 authentication. This means that if you do authentication only, the protocol is mostly the same for each provider. Anything more is specific.

Fourth, I would stick with the email address returned by a provider rather than the internal ID. Not all providers support the ID, whereas all of them can return the user's email. And you can trust this information, as providers verify emails before they return them via OAuth2.

Wiktor Zychla answered Oct 20 '22 13:10
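The four steps the asker lists (configure secrets, begin login, authenticate with a cookie, store the provider's unique ID), done with the OAuthWebSecurity API that ships in the .NET 4.5 ASP.NET MVC 4 template the answer's first point refers to (Microsoft.Web.WebPages.OAuth over DotNetOpenAuth.AspNet). This is an added example assembled for this page, not code from the question, the answer or Microsoft's template verbatim; it assumes the template's UsersContext/UserProfile EF model and its ExternalLoginFailure action exist, uses placeholder secrets, and calls RequestAuthentication directly where the template wraps it in a custom ActionResult.

```csharp
using System.Web.Mvc;
using DotNetOpenAuth.AspNet;
using Microsoft.Web.WebPages.OAuth;

// Step 1 (App_Start/AuthConfig.cs): register provider secrets once at startup (placeholders).
public static class AuthConfig
{
    public static void RegisterAuth()
    {
        OAuthWebSecurity.RegisterGoogleClient();                  // OpenID, no secret needed
        OAuthWebSecurity.RegisterFacebookClient("FB_APP_ID", "FB_APP_SECRET");
        OAuthWebSecurity.RegisterTwitterClient("TW_KEY", "TW_SECRET");
        OAuthWebSecurity.RegisterLinkedInClient("LI_KEY", "LI_SECRET");
    }
}

public class AccountController : Controller
{
    // Step 2: POST + anti-forgery token so another site cannot start a login for the
    // visitor; RequestAuthentication redirects the browser to the chosen provider.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult ExternalLogin(string provider, string returnUrl)
    {
        OAuthWebSecurity.RequestAuthentication(provider, Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
        return new EmptyResult();
    }

    // Steps 3 and 4: verify the provider's answer, then sign in, link, or create.
    [AllowAnonymous]
    public ActionResult ExternalLoginCallback(string returnUrl)
    {
        string safeUrl = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";  // no open redirect
        AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(
            Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
        if (!result.IsSuccessful) return RedirectToAction("ExternalLoginFailure");
        // Known (Provider, ProviderUserId) pair: issue the forms-auth cookie.
        if (OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
            return Redirect(safeUrl);
        // Already signed in through another provider: link this one to the same user.
        if (User.Identity.IsAuthenticated)
        {
            OAuthWebSecurity.CreateOrUpdateAccount(result.Provider, result.ProviderUserId, User.Identity.Name);
            return Redirect(safeUrl);
        }
        // New user: the local row must exist before the provider id can be mapped to it.
        // Provider email, when present, is in result.ExtraData: profile data, not the key.
        string userName = result.Provider + ":" + result.ProviderUserId;
        using (var db = new UsersContext()) { db.UserProfiles.Add(new UserProfile { UserName = userName }); db.SaveChanges(); }
        OAuthWebSecurity.CreateOrUpdateAccount(result.Provider, result.ProviderUserId, userName);
        OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false);
        return Redirect(safeUrl);
    }
}
```

The IsAuthenticated branch is what lets a user who signed up with Google later attach Facebook, Twitter or LinkedIn to the same local account, because every external login is keyed on the (Provider, ProviderUserId) pair the asker planned to store.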