How does OAuth with OWIN work in MVC5?

I'm trying to understand how OAuth works, but it seems like one big magic show, and I don't like it.

I created a new MVC5 project and enabled facebook authentication. It all works fine, however, I'm trying to figure out how it works.

Here is the part where I get lost. Imagine that the user wants to log in for the first time. This method is executed:

```csharp
public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
{
    var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
    if (loginInfo == null)
    {
        return RedirectToAction("Login");
    }

    // Sign in the user with this external login provider if the user already has a login
    var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);
    switch (result)
    {
        case SignInStatus.Success:
            return RedirectToLocal(returnUrl);
        case SignInStatus.LockedOut:
            return View("Lockout");
        case SignInStatus.RequiresVerification:
            return RedirectToAction("SendCode", new { ReturnUrl = returnUrl, RememberMe = false });
        case SignInStatus.Failure:
        default:
            // If the user does not have an account, then prompt the user to create an account
            ViewBag.ReturnUrl = returnUrl;
            ViewBag.LoginProvider = loginInfo.Login.LoginProvider;
            return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = loginInfo.Email });
    }
}
```

This code shows the FB login page, and FB takes care of the credentials. It all works great. But then this line is executed: `var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);`. I can see in `loginInfo` that the name is set, but the `result` variable is `Failure`. Why is this? The user has just been authenticated by FB, so why is it false?

But then, to my mind, it gets even stranger. As I continue running the sample application, it asks me to enter an email address. I enter the email address and voila, I'm logged in. Since I'm learning how all this logic works, I log out and want to log in again. So I log out and immediately sign in again using FB. And this is where I hit my head against the wall. When the code reaches this line again: `var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);`, the result is set to true!!

Can someone please explain to me what is going on here?

Tags: c# asp.net-mvc facebook-oauth oauth

When using an external login, SignInManager checks the user's credentials with an external party (in this case, Facebook). If the external party successfully verified the credentials, SignInManager then checks for a user record. Since this is your first login, there is no user record available yet. This part takes care of that:

```csharp
case SignInStatus.Failure:
default:
    // If the user does not have an account, then prompt the user to create an account
    ViewBag.ReturnUrl = returnUrl;
    ViewBag.LoginProvider = loginInfo.Login.LoginProvider;
    return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = loginInfo.Email });
```

This allows you to use a different email address. Most often, the same email address is used!

Some examples: http://www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on .

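The piece the question's callback relies on but does not show, and the reason the second Facebook login returns Success, is the ExternalLoginConfirmation POST action: it creates the ApplicationUser and then links the Facebook identity (LoginProvider + ProviderKey) to it with UserManager.AddLoginAsync, so the next ExternalSignInAsync finds that row. The following is an added example, not code from the question, the answer or the linked tutorial; it follows the shape of the MVC5 template and assumes the template's names (ApplicationUser, ApplicationUserManager, ApplicationSignInManager, ExternalLoginConfirmationViewModel). The ExplainedExternalSignInAsync method is my own re-statement of what SignInManager does, written to make the lookup visible; it is not the library source and leaves out the two-factor branch that yields RequiresVerification.

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

// Added example (not the template's or the library's code). ApplicationUser,
// ApplicationUserManager, ApplicationSignInManager and
// ExternalLoginConfirmationViewModel are assumed to exist as in the MVC5 template.
public class AccountController : Controller
{
    public ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    public ApplicationSignInManager SignInManager
    {
        get { return HttpContext.GetOwinContext().Get<ApplicationSignInManager>(); }
    }

    private IAuthenticationManager AuthenticationManager
    {
        get { return HttpContext.GetOwinContext().Authentication; }
    }

    // Illustrative re-statement of ExternalSignInAsync (not the library source).
    // The external cookie Facebook's middleware wrote is read as ExternalLoginInfo;
    // the store is searched for a user login row matching (LoginProvider, ProviderKey).
    // On the very first visit no such row exists, hence SignInStatus.Failure.
    // The real method additionally returns RequiresVerification when 2FA is enabled.
    private async Task<SignInStatus> ExplainedExternalSignInAsync(ExternalLoginInfo loginInfo)
    {
        var user = await UserManager.FindAsync(loginInfo.Login); // lookup by UserLoginInfo
        if (user == null)
        {
            return SignInStatus.Failure; // no local account linked to this Facebook identity yet
        }
        if (await UserManager.IsLockedOutAsync(user.Id))
        {
            return SignInStatus.LockedOut;
        }
        await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        return SignInStatus.Success;
    }

    // The step that makes the second login succeed: create the local user, then
    // link the external identity to it so FindAsync(loginInfo.Login) finds it next time.
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ExternalLoginConfirmation(ExternalLoginConfirmationViewModel model, string returnUrl)
    {
        if (User.Identity.IsAuthenticated)
        {
            return RedirectToAction("Index", "Manage");
        }

        if (ModelState.IsValid)
        {
            // Re-read the provider identity from the external cookie; never trust a posted ProviderKey.
            var info = await AuthenticationManager.GetExternalLoginInfoAsync();
            if (info == null)
            {
                return View("ExternalLoginFailure");
            }

            var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
            var result = await UserManager.CreateAsync(user); // no password: external-only account
            if (result.Succeeded)
            {
                // Writes the (LoginProvider, ProviderKey) row that ExternalSignInAsync looks up.
                result = await UserManager.AddLoginAsync(user.Id, info.Login);
                if (result.Succeeded)
                {
                    await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
                    return RedirectToLocal(returnUrl);
                }
            }
            AddErrors(result);
        }

        ViewBag.ReturnUrl = returnUrl;
        return View(model);
    }

    private void AddErrors(IdentityResult result)
    {
        foreach (var error in result.Errors)
        {
            ModelState.AddModelError("", error);
        }
    }

    // Only follow returnUrl when it is local; otherwise the parameter is an open redirect.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

Two details matter from a security standpoint. The account lookup is keyed on the provider identity carried in the external cookie, never on the email the user typed into the confirmation form; that email is unverified user input, so it must not be used to attach a Facebook login to an existing local account. And RedirectToLocal checks Url.IsLocalUrl before redirecting, which is what keeps returnUrl from being abused as an open redirect after login.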
