
I'm using Google authentication for my ASP.NET MVC application. I added Google to my Startup.cs class:

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = GoogleDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = GoogleDefaults.AuthenticationScheme;
})
.AddGoogle(googleOptions =>
{
    googleOptions.ClientId = _configuration["Authentication:Google:ClientId"];
    googleOptions.ClientSecret = _configuration["Authentication:Google:ClientSecret"];
    googleOptions.SaveTokens = true;
});

I can get the access_token from a controller using this:

var token = await HttpContext.GetTokenAsync("access_token").ConfigureAwait(false);

I need the id_token to authenticate to my custom backend application like this. I tried using this code, but I get null.

var token = await HttpContext.GetTokenAsync("id_token").ConfigureAwait(false);

Is it possible to get the id_token somehow?

Aleknik

2 Answers


By default, the Google authentication implementation uses response_type=code. With this flow, you don't have an id_token in the response. To have it, response_type should be response_type=code id_token (from here).

You may override the BuildChallengeUrl method in a derived YourGoogleHandler class, and change the DI registration from .AddGoogle() to

.AddOAuth<GoogleOptions, YourGoogleHandler>
  (GoogleDefaults.AuthenticationScheme, GoogleDefaults.DisplayName, googleOptions)

(code was taken from Microsoft.AspNetCore.Authentication.Google/GoogleExtensions.cs)

Set
  • I tried your solution, but I was getting an error from Google that the nonce was missing, so I added this: `queryStrings.Add("nonce", Guid.NewGuid().ToString("N"));`. Now I'm getting an exception: `Exception: The oauth state was missing or invalid.` – Aleknik Aug 09 '18 at 12:05
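A worked version of the "derived Google handler plus AddOAuth registration" idea, added here as an example; it is not the answer's code and not code from ASP.NET Core. It assumes the ASP.NET Core 2.1-era Microsoft.AspNetCore.Authentication.Google package, where GoogleHandler derives from OAuthHandler<GoogleOptions>, requests the openid, profile and email scopes by default, and stores only access_token, refresh_token, token_type and expires_at when SaveTokens is on. Rather than rewriting the challenge URL, it overrides CreateTicketAsync and copies the id_token that Google's token endpoint returns next to the access_token (it does so whenever the openid scope was requested) into the same token store, so HttpContext.GetTokenAsync("id_token") stops returning null. The challenge stays response_type=code on purpose: the OAuth handler reads the callback from the query string, while a `code id_token` response is delivered in the URL fragment by default (OAuth 2.0 Multiple Response Type Encoding Practices), which never reaches the server; that is consistent with the "state was missing" error reported in the comment above. The helper and extension-method names are this example's own.

```csharp
// Added example (not code from the question, the answer, or ASP.NET Core itself).
// Assumes ASP.NET Core 2.1-era Microsoft.AspNetCore.Authentication.Google, where
// GoogleHandler : OAuthHandler<GoogleOptions>, the stock handler already asks for
// the "openid profile email" scopes, and OAuthTokenResponse.Response is a JObject.
using System.Linq;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Google;
using Microsoft.AspNetCore.Authentication.OAuth;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Newtonsoft.Json.Linq;

// Class name taken from the answer; the implementation is this example's own.
public class YourGoogleHandler : GoogleHandler
{
    public YourGoogleHandler(IOptionsMonitor<GoogleOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override async Task<AuthenticationTicket> CreateTicketAsync(
        ClaimsIdentity identity, AuthenticationProperties properties, OAuthTokenResponse tokens)
    {
        // With the openid scope, Google's token endpoint returns an id_token beside the
        // access_token. The base handler has already called properties.StoreTokens(...)
        // for access/refresh/expiry at this point, but it never stores id_token, so add it.
        var idToken = tokens.Response?.Value<string>("id_token");
        if (Options.SaveTokens && !string.IsNullOrEmpty(idToken))
        {
            var stored = properties.GetTokens().ToList();  // what the base handler saved
            stored.RemoveAll(t => t.Name == "id_token");     // StoreTokens rewrites the whole set
            stored.Add(new AuthenticationToken { Name = "id_token", Value = idToken });
            properties.StoreTokens(stored);
        }
        return await base.CreateTicketAsync(identity, properties, tokens);
    }
}

// Registration: replaces .AddGoogle(...) in Startup.cs, as the answer describes.
// The extension-method name is hypothetical.
public static class GoogleIdTokenRegistration
{
    public static AuthenticationBuilder AddGoogleWithIdToken(
        this AuthenticationBuilder builder, string clientId, string clientSecret)
    {
        return builder.AddOAuth<GoogleOptions, YourGoogleHandler>(
            GoogleDefaults.AuthenticationScheme,
            GoogleDefaults.DisplayName,
            o =>
            {
                o.ClientId = clientId;
                o.ClientSecret = clientSecret;
                o.SaveTokens = true;  // required, otherwise GetTokenAsync("id_token") is null
            });
    }
}
```

In Startup.cs this is wired as `services.AddAuthentication(...).AddGoogleWithIdToken(_configuration["Authentication:Google:ClientId"], _configuration["Authentication:Google:ClientSecret"])`, and the controller code from the question, `await HttpContext.GetTokenAsync("id_token")`, then returns the token. Note that the OAuth handler does not check the id_token's signature (it took it straight from Google's token endpoint over TLS, as the code flow allows), so any backend that receives this token as a credential must validate its signature, issuer, audience and expiry itself before trusting it.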

The solution that worked for me:

    // Requires: using Microsoft.AspNetCore.Authentication.Google;
    //           using Microsoft.IdentityModel.Protocols.OpenIdConnect;
    //           using IdentityServer4;  (for IdentityServerConstants)
    services.AddAuthentication()
        .AddOpenIdConnect(GoogleDefaults.AuthenticationScheme,
            GoogleDefaults.DisplayName,
            options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.Authority = "https://accounts.google.com";
                options.ClientId = googleOAuthSettings.ClientId;
                options.ClientSecret = googleOAuthSettings.ClientSecret;
                options.ResponseType = OpenIdConnectResponseType.IdToken;
                options.CallbackPath = "/signin-google"; // PathString requires the leading slash
                options.SaveTokens = true; // this has to be true to get the token value
                options.Scope.Add("email");
            });

The OpenIdConnect provider for Google OAuth allows us to customise the ResponseType.

As per the link, OpenIdConnectHandler appears to implement IAuthenticationSignOutHandler. That's why, regardless of what is in the discovery document (end session endpoint supported or not), if you use AddOpenIdConnect(...), it will always register a handler which seemingly supports sign-out. If you are using any IdentityServer4 quick start, then you can get rid of that error by adding a condition in AccountService.cs --> BuildLoggedOutViewModelAsync method.

var providerSupportsSignOut = await _httpContextAccessor.HttpContext.GetSchemeSupportsSignOutAsync(idp);

Here, we can add an additional check like: idp != Google.
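The question's goal is to present the id_token to a custom backend, and the answers cover only the MVC side. As an added example that is not part of either answer, this is the receiving side: a backend API that accepts the Google id_token as a bearer token and validates it against Google's published OpenID Connect metadata before trusting any claim in it. It assumes the ASP.NET Core 2.1-era Microsoft.AspNetCore.Authentication.JwtBearer package, and reuses the configuration key from the question (`Authentication:Google:ClientId`) for the expected audience; the class and method names are this example's own.

```csharp
// Added example (not code from the question or the answers). Backend-side validation
// of a Google id_token sent as "Authorization: Bearer <id_token>".
// Assumes Microsoft.AspNetCore.Authentication.JwtBearer (ASP.NET Core 2.1-era APIs).
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class GoogleIdTokenBackendAuth
{
    public static IServiceCollection AddGoogleIdTokenAuthentication(
        this IServiceCollection services, IConfiguration configuration)
    {
        // Same OAuth client id the MVC app signs in with; the id_token's "aud" must match it.
        var clientId = configuration["Authentication:Google:ClientId"];
        if (string.IsNullOrEmpty(clientId))
            throw new InvalidOperationException("Authentication:Google:ClientId is not configured.");

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery: https://accounts.google.com/.well-known/openid-configuration
                // The handler downloads Google's signing keys (JWKS) from there and refreshes
                // them when Google rotates keys, so signatures are checked against live keys.
                options.Authority = "https://accounts.google.com";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Google issues id_tokens with either of these "iss" values.
                    ValidIssuers = new[] { "https://accounts.google.com", "accounts.google.com" },
                    // Without an audience check, an id_token minted for any other Google
                    // client would be accepted by this backend.
                    ValidAudience = clientId,
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,          // id_tokens are short-lived; reject expired ones
                    ValidateIssuerSigningKey = true,
                    ClockSkew = TimeSpan.FromMinutes(1),
                };
            });

        return services;
    }
}
```

Wire it up with `services.AddGoogleIdTokenAuthentication(Configuration)` in the backend's ConfigureServices, call `app.UseAuthentication()` before MVC, and protect controllers with `[Authorize]`. The MVC app then forwards the value it got from `HttpContext.GetTokenAsync("id_token")` in the Authorization header. Because the token is short-lived, the MVC app should expect 401 responses once it expires and send the user through the Google challenge again rather than caching the token for long.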