
I have been looking at using OpenID Connect as a third-party authentication provider for a Web API application. The flow is as follows:

  • Users log in through a UIWebView in the iPhone application to the provider URL from https://daehwa.azurewebsites.net/api/Account/ExternalLogins?returnUrl=%2F&generateState=true
  • This redirects to my third-party site, which supports OpenID Connect authentication.
  • The user logs in through this site and is redirected back to my site with a token in the fragment of the URL in the form of #id_token=xxxxx

Looking at the following SO article: asp.net web api 2: how to login with external authentication services?

I should then be able to call /api/Account/UserInfo; however, this always returns 401 Unauthorized. Setting the Authorization: Bearer token doesn't seem to help either and always returns unauthorized, even when trying to call /api/Account/RegisterExternal.

Just to give you some more information about what I am trying to do: I would like to either create an account or at least make subsequent OAuth calls to retrieve their email address and their display name, ideally avoiding requesting this information from the user again. However, for now I just want the authentication to actually work!

I would really appreciate any help anyone can provide. I'm new to third-party auth and I feel as though I am missing something key. I think that my return URL is the issue and my server needs to process this token and issue me with another one, but I'm not too sure.

Thanks, Gerard

Gerard Wilkinson
  • What does the response URL of the third site look like? What is its token_type? – T N Oct 16 '15 at 13:34
  • Here is a sample output from the fragment: '#access_token=12docj5pfvzzeugjq7xbdnjytetqczjuan7bk2hr&expires_in=3600&token_type=Bearer&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%xxx&id_token=xxx' – Gerard Wilkinson Oct 16 '15 at 15:16
  • I have changed the response type set in Startup.Auth.cs from 'id_token', which produced the response as in the question without a 'token_type', to 'token id_token', which produced the response in my comment above with the 'token_type' set to 'bearer'. Neither of which works for me at the moment. – Gerard Wilkinson Oct 16 '15 at 15:19
  • I think you should use access_token (not id_token), as in the following post: http://hintdesk.com/c-use-asp-net-identity-external-authentication-with-desktop-application/ . It uses Google as External Authentication. – T N Oct 16 '15 at 18:14
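
The redirect fragment discussed in the question and comments carries several distinct values (`access_token`, `token_type`, `expires_in`, `scope`, `state`, `id_token`). The following is an added example, not code from the original post or from the ASP.NET templates, showing how a client can parse such a fragment and apply the standard OpenID Connect client-side checks before using anything in it. The function names, the `EXPECTED` values and all token contents are constructed assumptions; the `nonce` and `aud` checks come from the OpenID Connect specification rather than from the page.

```javascript
// Added example. Tokens, state, nonce and client id below are constructed values.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const EXPECTED = { state: "constructed-state-123", nonce: "constructed-nonce-456",
                   clientId: "constructed-client-id" };
const SAMPLE_ID_TOKEN = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ sub: "constructed-user-1", aud: EXPECTED.clientId, nonce: EXPECTED.nonce }),
  "constructed-signature",
].join(".");
const SAMPLE_FRAGMENT = "#access_token=constructed-access-token&expires_in=3600" +
  "&token_type=Bearer&scope=openid+profile&state=" + EXPECTED.state +
  "&id_token=" + SAMPLE_ID_TOKEN;

// Decode the JWT payload for inspection only. The signature is NOT verified here;
// it must be checked against the provider's published keys before claims are trusted.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("id_token is not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}
// Parse the "#..." part of the redirect URL and apply the client-side checks.
function parseAuthFragment(fragment, expected) {
  const p = new URLSearchParams(fragment.replace(/^#/, ""));
  if (p.get("error")) throw new Error("provider error: " + p.get("error"));
  // state binds this response to the request the client started.
  if (p.get("state") !== expected.state) throw new Error("state mismatch");
  const result = {
    accessToken: p.get("access_token"),
    idToken: p.get("id_token"),
    scope: (p.get("scope") || "").split(" ").filter(Boolean),
  };
  if (result.accessToken) {
    // token_type is case-insensitive; only "bearer" goes in "Authorization: Bearer".
    if ((p.get("token_type") || "").toLowerCase() !== "bearer")
      throw new Error("unexpected token_type");
    result.expiresIn = Number(p.get("expires_in"));
  }
  if (result.idToken) {
    const claims = decodeJwtPayload(result.idToken);
    // nonce ties the id_token to this login attempt; aud must name this client.
    if (claims.nonce !== expected.nonce) throw new Error("nonce mismatch");
    if (![].concat(claims.aud).includes(expected.clientId))
      throw new Error("audience mismatch");
    result.claims = claims;
  }
  return result;
}
```

With `response_type=id_token` the fragment has no `access_token`, so `accessToken` comes back `null` and only the `id_token` branch runs.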

0 Answers