What solutions are out there for combining Forms auth with OAuth auth?
There is a website where a user would log in with a username and password, and after he is authenticated a token will be provided, which enables access to different resources in the app for a period of time.
Now the Product Owner wants Facebook/Twitter/... auth.
Edit: sequence diagram (image not reproduced)
OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As such, it is designed primarily as a means of granting access to a set of resources, for example, remote APIs or user's data. OAuth 2.0 uses Access Tokens.
OAuth 2.0 is a standardized authorization protocol, Auth0 is a company that sells an identity management platform with authentication and authorization services that implements the OAuth2 protocol (among others).
We're actually doing this on our project. The solution was really simple. Here were the major points
Other things to consider:
Now, I think this is an important point: Typically, with providers like Facebook and Twitter, you use the authorization flow, which means you have to use their form to log in. They handle it, not you. There is a username/password "option" (grant_type: password) with OAuth 2.0, but I don't know if those providers allow it because that flow doesn't require the application to identify itself.
I think you pretty much got it. The authorization grant flow would be something like this:
The password grant flow would be pretty much the same, but without the redirect and authorization steps. You would just log in with your own form and have the server make the auth request to the provider using the password grant type.
If you're just using it for authentication only, then you wouldn't be making a request with that particular access token to their resource server. I'd need to know more about your architecture to say more. However, generally, if you have an internal identity provider that handles roles and identity, you might consider a federated identity provider that can transform 3rd party tokens into your internal format and store that along with the 3rd party token. That way you can still make requests to the 3rd party if needed and still have what you need to move around internally if that makes sense. If that's even a concern, let me know and I'll explain that leg too.
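The two flows the answer above describes, as an added example that is not part of the original answer: a self-contained simulation of the authorization code grant (redirect with a state value, provider issues a single-use code, the app exchanges it server-to-server and reads the user's identity) and of the password grant (the app's own form forwards the credentials, no redirect). The provider, its client registration, the user "alice" and all endpoint names are constructed in memory for the simulation and are not any real provider's API.

```python
import secrets
import hmac

# Constructed values for the simulation (not a real provider's endpoints or credentials).
CLIENT_ID, CLIENT_SECRET = "my-app", "app-secret"
REDIRECT_URI = "https://app.example/oauth/callback"


class FakeProvider:
    """Stand-in for a social provider's authorization, token and user-info endpoints."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.users = {"alice": {"password": "correct horse", "email": "alice@example.com"}}
        self.codes = {}   # authorization code -> (client_id, redirect_uri, username)
        self.tokens = {}  # access token -> username

    def authorize(self, client_id, redirect_uri, state, username):
        # The user has just logged in on the provider's own form. The provider mints a
        # single-use code bound to the client and redirect URI and echoes state back.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, username)
        return {"code": code, "state": state}

    def token(self, grant_type, client_id, client_secret, **params):
        # Token endpoint: the app must identify itself, then grant-specific checks follow.
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)  # pop: a code is single use
            if entry is None or entry[:2] != (client_id, params["redirect_uri"]):
                raise ValueError("invalid_grant")
            username = entry[2]
        elif grant_type == "password":
            user = self.users.get(params["username"])
            if user is None or not hmac.compare_digest(user["password"], params["password"]):
                raise ValueError("invalid_grant")
            username = params["username"]
        else:
            raise ValueError("unsupported_grant_type")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = username
        return {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}

    def userinfo(self, access_token):
        username = self.tokens.get(access_token)
        if username is None:
            raise ValueError("invalid_token")
        return {"email": self.users[username]["email"]}


class App:
    """The website: starts the redirect, handles the callback, or uses the password grant."""

    def __init__(self, provider):
        self.provider = provider
        self.pending_states = set()  # in a real app this lives in the user's session

    def start_login(self):
        # Step 1: send the browser to the provider with a random, unguessable state.
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state}

    def callback(self, code, state):
        # Step 2: reject callbacks carrying a state we did not issue (CSRF defence), then
        # exchange the code for a token server-to-server and read the identity with it.
        if state not in self.pending_states:
            raise ValueError("state mismatch")
        self.pending_states.discard(state)
        tok = self.provider.token("authorization_code", CLIENT_ID, CLIENT_SECRET,
                                  code=code, redirect_uri=REDIRECT_URI)
        return self.provider.userinfo(tok["access_token"])

    def password_login(self, username, password):
        # Password grant: the app's own form collects the credentials and forwards them;
        # there is no redirect and no authorization step on the provider's side.
        tok = self.provider.token("password", CLIENT_ID, CLIENT_SECRET,
                                  username=username, password=password)
        return self.provider.userinfo(tok["access_token"])


def demo():
    provider = FakeProvider()
    app = App(provider)
    redirect = app.start_login()
    # The provider authenticates alice on its own page and redirects back with code + state.
    back = provider.authorize(redirect["client_id"], redirect["redirect_uri"],
                              redirect["state"], "alice")
    via_code = app.callback(back["code"], back["state"])
    via_password = app.password_login("alice", "correct horse")
    return via_code, via_password


if __name__ == "__main__":
    print(demo())
```

Two details carry most of the security value: the callback refuses any state it did not issue, and the token endpoint pops the code so a replayed or leaked code is rejected on the second exchange. Once the identity comes back, the app issues its own session; the access token is only needed if you also call the provider's resource server.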
Forms auth usually puts a cookie to the authenticated user, so what you can do is do the same, and send the exact same cookie that forms auth would have sent.
So, on successful OAuth callback from the provider, you can just do something like this:
    // here, we are called on a successful OAuth auth, so
    // let's do Forms login by ourselves (persistent cookie, HttpOnly)
    HttpCookie authCookie = GetFormsAuthCookie(email, true, true);
    context.Response.Cookies.Add(authCookie);
With the GetFormsAuthCookie method defined like this:
    private static HttpCookie GetFormsAuthCookie(string userName, bool createPersistentCookie, bool httpOnly)
    {
        // Build the same ticket Forms auth would build: version 2, issued now, expiring after the configured Timeout.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(2, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout), createPersistentCookie, "SocialEmailLogin", FormsAuthentication.FormsCookiePath);
        string encryptedTicket = FormsAuthentication.Encrypt(ticket);
        if (encryptedTicket == null)
            throw new Exception("Obviously, something went wrong here. That shouldn't happen.");
        // Same cookie name, path, Secure and Domain settings as the regular Forms login.
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
        cookie.HttpOnly = httpOnly;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (FormsAuthentication.RequireSSL)
        {
            cookie.Secure = true;
        }
        if (FormsAuthentication.CookieDomain != null)
        {
            cookie.Domain = FormsAuthentication.CookieDomain;
        }
        if (ticket.IsPersistent)
        {
            cookie.Expires = ticket.Expiration;
        }
        return cookie;
    }
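The same idea in a framework-independent form, as an added example that is not the answer's ASP.NET code: one function mints the signed, expiring session cookie, and both the username/password path and the OAuth callback call it, so the rest of the app never needs to know how the user was authenticated. The secret key, the salted PBKDF2 user table and the cookie name are constructed for the example; the HMAC-signed payload stands in for the encrypted FormsAuthenticationTicket.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for the example: a server-side signing key and a tiny user table.
SESSION_KEY = b"demo-secret-rotate-me"
SESSION_TTL = 30 * 60  # seconds; one timeout shared by both login paths
_SALT = b"constructed-salt"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice@example.com": _hash_password("correct horse", _SALT)}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_session_cookie(user_name, now=None, key=SESSION_KEY, ttl=SESSION_TTL):
    """The single place that mints the session cookie value: payload.signature."""
    now = int(time.time() if now is None else now)
    payload = {"sub": user_name, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def read_session_cookie(cookie, now=None, key=SESSION_KEY):
    """Return the user name if the signature verifies and the ticket is unexpired, else None."""
    try:
        body, sig = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # check the MAC before trusting the payload
        return None
    payload = json.loads(_unb64(body))
    now = int(time.time() if now is None else now)
    if payload["exp"] <= now:
        return None
    return payload["sub"]


def set_cookie_header(value, persistent, expires_epoch, secure=True, name="auth"):
    """Set-Cookie attributes the form login sends; the OAuth callback sends exactly the same."""
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    if persistent:  # session cookie unless the caller asked for a persistent one
        attrs.append("Expires=" + time.strftime("%a, %d %b %Y %H:%M:%S GMT",
                                                time.gmtime(expires_epoch)))
    return "; ".join(attrs)


def form_login(email, password, now=None):
    """Username/password path: verify the stored hash, then mint the shared cookie."""
    stored = USERS.get(email)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password, _SALT)):
        return None
    return make_session_cookie(email, now=now)


def oauth_callback(verified_email, now=None):
    """OAuth path: called only after the provider's callback was validated and the
    e-mail read from the provider; it mints the very same cookie as form_login."""
    return make_session_cookie(verified_email, now=now)


if __name__ == "__main__":
    cookie = oauth_callback("alice@example.com")
    print(set_cookie_header(cookie, persistent=True, expires_epoch=time.time() + SESSION_TTL))
    print(read_session_cookie(cookie))
```

Whatever the login path, the cookie should be issued with HttpOnly, Secure and a bounded lifetime, and the e-mail handed to oauth_callback must be one the provider reports as verified, otherwise an attacker who registers an unverified address at the provider could log in as that user here.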