9

I have implemented simple Angular 2 application which uses ASP.NET Core WebApi as backend. For authentication I added '/login' route that generates JWT access and refresh tokens that in turn stored by SPA in localStorage and used in HTTP requests.

Now I want to integrate social registration function so users can login using ie Facebook button. From users's point of view I want to perform it into 3 steps:

  1. Click Register by Facebook button and redirected to Facebook website (to login and confirm my app request).
  2. Clicked confirm and redirected to my SPA where /registration page where his name already filled from Facebook profile
  3. Fills the remaining fields (like his favorite toy) and clicks "Finish registration"

After this registration if user clicks register via facebook again he will be redirected to facebook (if he already logged in) he automatically redirected to server route that checks if such a user has been already registered and if it is then redirect him to SPA homepage

How to correctly integrate such a workflow in my app? Note: I want to perform authentication and registration inside my Angular2 app, not on different auth server.

Shaun Luttin
  • 133,272
  • 81
  • 405
  • 467
Roman Kolesnikov
  • 11,777
  • 11
  • 44
  • 67

2 Answers2

6

I want to perform authentication and registration inside my Angular2 app.

What you're looking for is the Implicit Grant, with Facebook as the authorization server and as the resource server. The Implicit Grant supports authorization for single page applications (such as your Angular2 App), and the Facebook Graph API supports requests for user info.

How to correctly integrate such a workflow in my app?

Since Facebook does not support OpenID Connect, you will need to use OAuth2 pseudo-authentication (which has traps to avoid). This will involve a four step process:

  1. redirect the user to Facebook for login,
  2. validate the redirect back from Facebook's login page and store the access token,
  3. call Facebook's Graph API to request user info for the associated access token, and
  4. use that user info to fill the fields in your app.

Calling the API in step three could look something like this:

FB.api('/me', (user) => { 
    console.log(user.id); // 101540562372987329832845483
    console.log(user.email); // example@example.com
    console.log(user.first_name); // Bob
});

/me is a special Graph API endpoint that "translates to the user_id of the person whose access token is currently being used to make the API calls." The endpoint then returns related user info.

Your app can use that Facebook user info to populate its client-side fields and/or its server-side database. The id is unique to your app and is NOT equivalent to the Facebook user_id; the id is a reasonable way to uniquely identify users of your app.

Four options for correctly integrating this flow into your app.

Aside: What do you mean by OAuth2 pseudo-authentication?

OAuth2 is a pseudo-authentication scheme, because OAuth2 is NOT an authentication protocol. That is, after the user logs in, your client app receives an access token, which it uses to make a request of a protected API. In order to avoid the pitfalls, it's good to be aware of them:

  1. Access tokens are NOT proof of authentication.
  2. Access to a protected API is NOT proof of authentication.
  3. Attackers can inject access tokens.
  4. Access tokens do NOT have an audience restriction.
  5. Attackers can inject invalid user info.
  6. Each identity provider may have its own identity protocol.
Community
  • 1
  • 1
Shaun Luttin
  • 133,272
  • 81
  • 405
  • 467
  • Thank you very much for the answer! Can you say, should I use OpenIddict or ASOS to implement this strategy or it is better to avoid them and DIY? Can I use ROPC to login customers registered without Facebook after that? – Roman Kolesnikov Oct 12 '16 at 13:31
  • Access tokens are NOT proof of authentication - so what is a prof of authentication? – Roman Kolesnikov Oct 12 '16 at 13:34
  • @Rem The OAuth protocol can be an ingredient in an authentication protocol. That is what Facebook has done - it has built its own identity protocol on top of OAuth. It's up to the implementer, in this case Facebook, to implement this properly, because OAuth does not guarantee authentication. Generally, we can trust Facebook to have done this correctly, and in this case, the proof of authentication is the access to Facebook's protected resource. – Shaun Luttin Oct 12 '16 at 15:58
  • If you were to use OpenIddict to implement this strategy, then you would use the Code Grant instead of the Implicit Grant. From your question, it sounds like you would prefer to use the Implicit Grant, and that seems reasonable, because Facebook supports it. If it were my site, I would probably use the Implicit Flow and Facebook's best practices (i.e. the Login with Facebook button + their SDK). – Shaun Luttin Oct 12 '16 at 16:01
  • @pinpoint might have something to say about this, and he knows more that I do. – Shaun Luttin Oct 12 '16 at 16:02
  • 1
    ok! Thank you, Shaun, for the answer and for the great Aurelia sample:) – Roman Kolesnikov Oct 12 '16 at 19:40
-3

I would simply suggest this tut on auth0 + A2 .

Jon
  • 143
  • 12