8

I am using this github project https://github.com/openiddict/openiddict-core which is great. But I am stuck as to what the procedures should be, or how to implement them, when the user uses an external identity provider, for this example, I will use google.

I have an angular2 app running, with an aspnet core webAPI. All my local logins work perfectly, I call connect/token with a username and password, and an accessToken is returned.

Now I need to implement google as an external identity provider. I have followed all the steps here to implement a google login button. This opens a popup when the user logins in. This is the code I have created for my google button.

// Angular hook that allows for interaction with elements inserted by the
// rendering of a view.
ngAfterViewInit() {
    // check if the google client id is in the pages meta tags
    if (document.querySelector("meta[name='google-signin-client_id']")) {
        // Converts the Google login button stub to an actual button.
        gapi.signin2.render(
            'google-login-button',
            {
                "onSuccess": this.onGoogleLoginSuccess,
                "scope": "profile",
                "theme": "dark"
            });
    }
}

onGoogleLoginSuccess(loggedInUser) {
    let idToken = loggedInUser.getAuthResponse().id_token;

    // here i can pass the idToken up to my server and validate it
}

Now I have an idToken from google. The next step on the google pages found here says that I need to validate the google accessToken, which I can do, but how do I exchange the accessToken that I have from google, and create local accessToken which can be used on my application?

ono2012
  • 4,967
  • 2
  • 33
  • 42
Gillardo
  • 9,518
  • 18
  • 73
  • 141
  • Just i wondered why do you need google client library to get id token, Did you consider to use google authentication like https://github.com/openiddict/openiddict-core/blob/dev/samples/Mvc.Server/Startup.cs#L119 ? – adem caglin Oct 26 '16 at 09:09
  • Only because i have a client side app, and i need the accessToken client side for my application to work as i store it in localStorage on the client. I did try using that method, but again, i do not know how to exchange the token for a clientside token?? – Gillardo Oct 26 '16 at 09:15

1 Answers1

17

Edit: this answer was updated to use OpenIddict 3.x.

The next step on the google pages found here says that i need to validate the google accessToken, which i can do, but how do i exchange the accessToken that i have from google, and create local accessToken which can be used on my application?

The flow you're trying to implement is known as assertion grant. You can read this other SO post for more information about it.

OpenIddict fully supports custom grants, so this is something you can easily implement in your token endpoint action:

[HttpPost("~/connect/token"), Produces("application/json")]
public IActionResult Exchange()
{
    var request = HttpContext.GetOpenIddictServerRequest();
    if (request.GrantType == "urn:ietf:params:oauth:grant-type:google_identity_token")
    {
        // Reject the request if the "assertion" parameter is missing.
        if (string.IsNullOrEmpty(request.Assertion))
        {
            return Forbid(
                authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                properties: new AuthenticationProperties(new Dictionary<string, string>
                {
                    [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidRequest,
                    [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                        "The mandatory 'assertion' parameter was missing."
                }));
        }

        // Create a new ClaimsIdentity containing the claims that
        // will be used to create an id_token and/or an access token.
        var identity = new ClaimsIdentity(TokenValidationParameters.DefaultAuthenticationType);

        // Manually validate the identity token issued by Google, including the
        // issuer, the signature and the audience. Then, copy the claims you need
        // to the "identity" instance and call SetDestinations on each claim to
        // allow them to be persisted to either access or identity tokens (or both).
        //
        // Note: the identity MUST contain a "sub" claim containing the user ID.

        var principal = new ClaimsPrincipal(identity);

        foreach (var claim in principal.Claims)
        {
            claim.SetDestinations(claim.Type switch
            {
                "name" => new[]
                {
                    Destinations.AccessToken,
                    Destinations.IdentityToken
                },

                _ => new[] { Destinations.AccessToken },
            });
        }

        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }

    throw new InvalidOperationException("The specified grant type is not supported.");
}

Note that you'll also have to enable it in the OpenIddict server options:

services.AddOpenIddict()
    // ...

    .AddServer(options =>
    {
        // ...

        options.AllowCustomFlow("urn:ietf:params:oauth:grant-type:google_identity_token");
    });

When sending a token request, make sure to use the right grant_type and to send your id_token as the assertion parameter, and it should work. Here's an example with Postman (for Facebook access tokens, but it works exactly the same way):

enter image description here

That said, you have to be extremely careful when implementing the token validation routine, as this step is particularly error-prone. It's really important to validate everything, including the audience (otherwise, your server would be vulnerable to confused deputy attacks).

Kévin Chalet
  • 39,509
  • 7
  • 121
  • 131
  • 3
    your answers amaze me everytime! Thank you so much – Gillardo Oct 26 '16 at 15:14
  • Is this still valid answer? In first link in your answer you write: "A new OAuth2 draft will likely help change that in the future, but it will probably take a while before major services start implementing it." Did anything change in past months? I have Angular2 app and I want to use Google sign in button. Of course my password flow works with OpenIddict. – Makla Feb 10 '17 at 11:45
  • 3
    @Makla this answer is still valid, and OpenIddict still supports this scenario. The "OAuth2 token exchange" draft has not been standardized yet, [but a new version was published last month](https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07), so it's definitely on the right track. That said, it will likely take many years before major providers like Google or Facebook start implementing it (FWIW, Facebook is still using an older OAuth2 draft, that doesn't comply with the final RFC). – Kévin Chalet Feb 10 '17 at 11:59
  • 2
    It is a proposed standard now, just to follow up: https://tools.ietf.org/html/rfc8693, I guess it does not change anything regards to the validity of the answer, does it? – Daniel Leiszen Nov 15 '20 at 22:52
  • @kévin-chalet can I reuse existing validation logic from https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers without any modifications to that logic? – Andrii May 12 '22 at 14:32
  • I did that but Identity Token is null. How to make it returned? – Andrii Jun 23 '22 at 19:19