9

Reading this question, @Pinpoint's answer and the further discussion on comments, I'm well aware that natively we can't add an identity provider to our apps developed with ASP.NET 5. One possible replacement for the legacy OAuthAuthorizationServerMiddleware is then provided by the AspNet.Security.OpenIdConnect.Server as I've found in many places.

Now, there is one point that I'm still unsure about all this because I'm really not an expert in security, so my knowledge about OAuth is not very deep. My doubt is the following: is it possible to use an external identity provider when using OAuth to protect one RESTful API?

Notice that I'm not talking about adding social login to one website, I'm talking about using one external identity provider in one RESTful API.

My point is, this makes me a little confused yet, because I always thought this should be a concern of my app.

So my question here is: when using OAuth and ASP.NET 5, is it possible to use an external identity provider, other than implementing one? If it is possible, how this works in short? I mean, my app still needs to be able to manage the identities of users, in the sense that it needs to manage claims and so on.

In that case, if it is really possible, how the flow would be? The external identity provider should issue the tokens? But how my app would be able to verify those tokens and manage users identities?

EDIT: One of the reasons I feel unsure about that is that when we use the UseOAuthAuthentication extension method, we set up one callback path which is described as

The request path within the application's base path where the user-agent will be returned. The middleware will process this request when it arrives.

Now, if we are developing a site, then this really does make sense. The person goes there, click a button to login with a provider like Facebook. The user is redirected to Facebook's page and then after he logs in, he is redirected to some page of the site.

On the other hand, with a RESTful API this is meaningless. There is no notion of being redirected.

This makes it seems that the usage of external providers is only for sites and not for RESTful API's. This is the main point of my question.

Community
  • 1
  • 1
user1620696
  • 10,825
  • 13
  • 60
  • 81
  • But 3rd partin login involves opening a 3rd party authorisation webpage, Like "Do you want to allow app xyz to have access to your account information?". How do you want to overcome this? You need to be in browser context afaik – mbudnik Oct 10 '15 at 09:39

1 Answers1

7

My doubt is the following: is it possible to use an external identity provider when using OAuth to protect one RESTful API?

Yes, it's definitely possible. This is exactly what you do when you use Azure Active Directory to protect your API endpoints:

app.UseOAuthBearerAuthentication(options => {
    options.AutomaticAuthenticate = true;
    options.Authority = "https://login.windows.net/tushartest.onmicrosoft.com";
    options.Audience = "https://TusharTest.onmicrosoft.com/TodoListService-ManualJwt";
});

The next legitimate question is: if you can use the tokens issued by AAD to protect your API, why couldn't you do the same thing with Facebook or Google tokens?

Unlike Facebook or Google, AAD issues completely standardized tokens named JWT tokens that the OAuth2 bearer middleware can "read" and "verify" to determine whether the token is still valid and was really issued for your API (i.e if the audience attached with the token corresponds to your API. You can control this value using the resource parameter when making your authorization request).

You can't do something similar with FB or Google tokens, since they are totally opaque. Actually, it's not really surprising since these tokens have only one objective: allowing you to query FB or Google APIs, not your own ones (these social providers don't allow to set the audience of the access token).

Since you can't read the token yourself, the only option is to ask FB or Google whether it is still valid to make sure your API doesn't accept invalid tokens. That's something you can (easily) do with Facebook as they offer a "token inspection endpoint" you can query for that: https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow (see the Inspecting access tokens chapter). This way, you can ensure the token is not expired and determine the user corresponding to the token.

Sadly, this approach has two downsides:

  • You have to make an extra HTTP call to the Facebook endpoint to validate the access token, which implies caching received tokens to avoid flooding Facebook with too many requests.
  • As the access token is not issued for your own API, you MUST absolutely ensure that the access token was issued to a client application you fully trust, or it will allow any third party developer to use his own FB/Google tokens with your API without having to request user's consent. This is - obviously - a major security concern.

You can find more information in the last part of this SO answer (it's for Katana and about Dropbox, but you should get the idea): OWIN/OAuth2 3rd party login: Authentication from Client App, Authorization from Web API

So my question here is: when using OAuth and ASP.NET 5, is it possible to use an external identity provider, other than implementing one? If it is possible, how this works in short? I mean, my app still needs to be able to manage the identities of users, in the sense that it needs to manage claims and so on.

In that case, if it is really possible, how the flow would be? The external identity provider should issue the tokens? But how my app would be able to verify those tokens and manage users identities?

To work around the limitations mentioned in the previous part, the best option is - as you've already figured out - to create your own authorization/authentication server. This way, your API doesn't (directly) accept FB or Google tokens but the tokens issued by your own server, that can possibly redirect your users to FB or Google for authentication.

This is exactly what this sample does: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/vNext/samples/Mvc

  • The user is invited by the client application (Mvc.Client) to authenticate with your authorization server (Mvc.Server) so he can get an access token to later query the API (also in Mvc.Server). For that, the user is redirected to your authorization server, which itself offers you to authenticate with Google or Twitter.

  • When this external authentication step is done, the user is redirected back to your authorization server (Mvc.Server), where he's asked to give his consent for the client app (Mvc.Client) to access his personal data.

  • When the consent is given, the user is redirected back to the client application with the access token you can use to query the API endpoint.

Community
  • 1
  • 1
Kévin Chalet
  • 39,509
  • 7
  • 121
  • 131
  • Thanks for the answer @Pinpoint. I've really seem that the new Azure API services offers a way to implement authentication on the API "automatically" and I believe it is in the way you said. When we do this, however, is it possible to manage users and claims with something like Identity? Also, thanks again for working on the Authorization Server middleware! I'm no expert in security, so that using OAuth properly in ASP.NET 5 became something quite confusing. – user1620696 Oct 15 '15 at 13:29
  • In theory, it should be possible to use the `claims transformation middleware` to bind the access token to a user contained in your own database. But in practice, it may be a bit hard to implement, since your users will also have to be registered in your own app (or Identity won't be able to find an account for them). So ideally, you'd have to use a MVC app with a classical registration flow and use `app.UseOpenIdConnectAuthentication()` with AAD to log your users in. This would be similar to the "Google" or "Facebook" process in the default Identity template. – Kévin Chalet Oct 15 '15 at 13:39