In my ASP.NET MVC 4 I use external authentication providers - Facebook and Google. I created the app with Internet template and did not change code inside Account controller.
Now some of my users started to complain they cannot register via Facebook, while other users use it without any problems.
I succeeded to simulate the problem. With my Facebook profile everything works OK. When I created a new profile on Facebook, I experience the same problem.
In AccountController, ExternalLoginCallback method:
AuthenticationResult result = OAuthWebSecurity.VerifyAuthentication(Url.Action("ExternalLoginCallback", new { ReturnUrl = returnUrl }));
result.IsSuccessFull returns true for my profile, but false for the new Facebook profile I created.
Any ideas what could be wrong?
Thanks a lot
I forgot to switch off the sandbox mode...
Related
I am developing an ASP.NET MVC 5 Web application that allows user to authenticate using an external provider.
In Internet there are a lot of information teaching how to enable external login providers, but none teaches how to actually authenticate the user in the system when login returns to the MVC site. All information I have found assumes developer is using the default ASP.NET identity user store, so it tells nothing about what to do next.
For example, in Google, when user selects the Google account, the call returns to the site and run the method FindAsync of the custom user store, but, after that, how can I actually log the user in?
This is one my attempts to retrieve the user e-mail:
public Task<T> FindAsync(UserLoginInfo login)
{
var info = AuthenticationManager.GetExternalLoginInfoAsync().Result;
var emailClaim = externalIdentity.Result.Claims.FirstOrDefault(c => c.Type == ClaimTypes.Email);
}
But GetExternalLoginInfoAsync does not belong to AuthenticationManager object.
I have read that Microsoft.AspNet.Identity.Owin should be included, but in my case, that NuGet package is already included, and of course, the corresponding using statement is present in the code.
Any help, please?
I'm developing an MVC web application (Asp.net C# - using AngularJS in the front).
Currently, the users can log in to the site using username & password or oauth providers (such as google and Facebook).
We have developed a native mobile application that uses our asp.net web-api.
We want the users will be able to login using the same credentials to the mobile app and the website.
In order to do so, both projects (web-api & web application) are using the same DB with ASP.Net Identity. For example, if the user has created an account using username & password, he can log in on both platforms.
The problem is with external providers (Facebook, google...), when a user create an account on the web view the identity saves the users on the DB with a specific provider key (on the AspNetUserLogins table).
And when the user login (or register) using the mobile app I only have the user token, and I don't know how to log the user in.
Then I've found this post:
WebApi ASP.NET Identity Facebook login
which explains exactly what I've needed, only now I have 2 problems:
Using the user token (from the mobile login) I retrieve his user ID and save it on the AspNetUserLogins table, but when using the web application it saves a different user id, actually it calls that a Provider Key.
(Minor problem) For some reason, using the above link code, I don't get the user email but only his Facebook token and Facebook user id.
Please note,
* I want to use the native approach and can't use a web view on the mobile app because I want the app to use the user Facebook/google native application.
* Also read this: ASP.NET Identity in Microservice Architecture it didn't work.
Thanks in advance!
Shaul
OK, I figured out the answers:
Turns out that the provider key is actually the app specific user id, i.e the user has a specific user id for each Facebook app.
In order to get the Email you should add a specific request for it in the scope in the startup.auth.cs:
var facebookAuthenticationOptions = new FacebookAuthenticationOptions()
{
AppId = DEFINITIONS.FACEBOOK_ID,
AppSecret = DEFINITIONS.FACEBOOK_SECRET,
Provider = new Microsoft.Owin.Security.Facebook.FacebookAuthenticationProvider()
{
// This is for saving the data as user claims
OnAuthenticated = (context) =>
{
context.Identity.AddClaim(new System.Security.Claims.Claim("urn:facebook:access_token", context.AccessToken, null, "Facebook"));
context.Identity.AddClaim(new System.Security.Claims.Claim("urn:facebook:email", context.Email, null, "Facebook"));
return Task.FromResult(0);
}
}
};
// This will help you get the Email
facebookAuthenticationOptions.Scope.Add("email");
app.UseFacebookAuthentication(facebookAuthenticationOptions);
I am new to web development so, do i need to implement sessions while i am using SimpleMembership
as i was having problem with back button after logs out. It goes to the previous page instead of login. So I added code below in global.ascx. It works perfect now!!
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetExpires(DateTime.UtcNow.AddHours(-1));
Response.Cache.SetNoStore();
So my query is, can i run my application without sessions in which there is Authentication of users i.e. there are user accounts and login and logout functionality is there.
You can login and logout by using default SimpleMembership functions:
For Login:
bool success = WebSecurity.Login(form["username"], form["password"], false);
For Logout:
WebSecurity.Logout();
For details refer MSDN link here
Starting with a fresh, new MVC5 Project I hooked up External OAuth Login with Google, Facebook Twitter, Microsoft etc. All is working as expected.
I then added the new ASP.NET Session State Provider for Redis Preview Release and have it working. Yeah!
I soon noticed that attempting to login using any of the OAuth providers no longer works properly. The Google & Facebook login buttons calls the ExternalLoginCallback(string returnUrl) on the Accont controller but goes nowhere. The login page simply refreshes.
The LinkedIn, Twitter, and Microsoft buttons all direct the user to those login pages but when returned back to my application they return to the login page and no user is added to the system.
Commenting out the custom sessionState entry in my web.config returns the external login back to normal.
Considering both frameworks are black-boxes to me I am not sure how to go about geting these two to play together.
this helped me with the exact issue.
http://www.nsilverbullet.net/2014/06/24/tough-mvc-5-owin-external-authentication-issue/
basically:
Must Have Session State? in AccountController modify:
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
//Ensure Session has at least one value
Session["EnableExternalAuth"] = true; // <--------- This helped
ViewBag.ReturnUrl = returnUrl;
return View();
}
There seem to be an issue with sessions and external login providers
I have an MVC 5 web app that has facebook authentication set up and working nicely. User clicks "Facebook" on the login page, signs in to Facebook and that authenticates with our web site. If the user logs out, the call to AuthenticationManager.SignOut() logs out of the web site correctly, but if the user then goes back to the login page and clicks "Facebook" again they are immediately signed in without having to sign in to facebook.
So my question is, how do I configure MVC 5 OWIN facebook login so that the user is signed out of facebook when they sign out of the web site, or to put it another way, prevent caching of the authentication for the next sign in. I don't want a users facebook login to be silently cached in case they are sharing a browser with other users.
The only way that I know to do this would be to tie an event to your log out button or link and use the Facebook Javascript SDK to actually perform the Facebook logout for you.
LogOut
<script type="text/javascript">
$(function(){
$("#Logout").on("click", function(e){
if(confirm("This will also log you out of Facebook. Proceed?")){
FB.logout(function(response) {
// Person is now logged out
});
}else{
//do not allow the link to continue and sign our of your site.
//This is optional and allows you to provide options
e.PreventDefault();
}
});
});
</script>
You could actually use the confirm dialog to ask if they want to be signed out of Facebook as well. A confirm would mean yes, a not confirm would mean no, just sign me out of your site. Again, using the SDK and a little bit of control logic should provide the results you need.
You can't. To do so would require being able to access cookies set by facebook.com which is explicitly forbidden for security reasons: you can only access cookies on your own domain. The login with Facebook is separate from your application. The user isn't truly logging into your site. They're logging into Facebook and Facebook is simply verifying the user identity with your site. If you're truly concerned you can put a message on your sign out page reminding them to sign out of Facebook as well.
You could try recreating Facebook's log out code (doing a post to the same action they use with the same data they send). But, I'm almost positive they'll be employing some sort of CSRF protection on that, so it probably won't work.
Saw this thread and wanted to add to it, to help the masses.
In the guidance, "Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on" from Microsoft, it has the following section buried in it:
Logging off your App and Logging in With Another Account
If you log on to your app with Facebook, , and then log out and try to log in again with a different Facebook account (using the same browser), you will be immediately logged in to the previous Facebook account you used. In order to use another account, you need to navigate to Facebook and log out at Facebook. The same rule applies to any other 3rd party authentication provider. Alternatively, you can log in with another account by using a different browser.
So this behavior is by design.
To learn more about OWIN, hear is some good reading:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
http://brockallen.com/2014/01/09/a-primer-on-external-login-providers-social-logins-with-owinkatana-authentication-middleware/
Have more links to share, but drats, reputation is not high enough yet. :)
Its been two years and If OpenID Connect is used, then a solution exists as
// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
Request.GetOwinContext().Authentication.SignOut();
return Redirect("/");
//AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
//return RedirectToAction("Index", "Home");
}