OWIN External OAuth providers - get user consent for new scopes

Question

In our application we have following setup:

Web Application (Angular JS) + Web API

We support external logins Google & Facebook.

We have setup necessary infrastructure with default scopes and wired-up during the Startup. This works fine for login.

For additional features, say user wants to import his/her contacts from Google, we need to get consent again with new scopes. Can someone let me know how to do this?

One way is - to include all necessary scopes during login phase but we want to get consents only for required stuff at required time.

I googled but couldn't get any information on this.

In our specific case of importing contacts from Google a/c, I thought of specifically creating a new controller and start fresh authentication mechanism using GoogleAuthorizationCodeFlow (without OWIN middleware) as explained here https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth but it is in the context of MVC but we need support for Web API. So any pointer is highly appreciated.

Answer 1

Finally got the solution.

Below links helped a lot; my solution is a combination of ideas from below links:

http://www.yogihosting.com/implementing-google-contacts-api-version-3-0-oauth-2-0-in-csharp-and-asp-net/ (note: Google OAuth links mentioned in this article, especially for token generation, have changed. For correct URLs, please see https://developers.google.com/identity/protocols/OAuth2WebServer)

https://www.themarketingtechnologist.co/google-oauth-2-enable-your-application-to-access-data-from-a-google-user/

Above links explain how to get access_token and authorization_code. Once we have those values, we can create UserCredentials that can be used for accessing specific Google APIs as mentioned in the below link:

Upload video to youtube with mvc application (all code behind)

Things to remember:

1. One ends up contacting Google authorization server twice (once for access token and once for authorization code). In both the cases, redirect_uri must be specified and IT IS IMPORTANT for that redirect_uri to be SAME in both the cases; otherwise it won't work. Also, it is important for that redirect_uri to be mentioned in the Google console where the project/application is defined and registered. I faced issues because of mismatched redirect_uri values and below link helped me in solving it:

Google API token endpoint POST returns Bad Request 400

2. While accessing Google API we need to include filters. In my case for People API, I needed to get email addresses and without required filters, it was always null/empty. So, below is the code for that:

   var peopleService = new PeopleService(new BaseClientService.Initializer() { HttpClientInitializer = credentials, ApplicationName = "MyApp", }); var connList = peopleService.People.Me.Connections.List(); connList.RequestMaskIncludeField = "person.emailAddresses"; connList.PageSize = 500; ListConnectionsResponse connectionsResponse = connList.Execute(); IList<Person> connections = connectionsResponse.Connections;

Without connList.RequestMaskIncludeField = "person.emailAddresses"; email address is always empty.

Hope this helps someone.