
Consider the following scenario:

On MVC 5 (or higher), you have enabled 3rd party authentication (e.g. Facebook, Google).

As part of the authentication process, we want to perform an additional operation with the 3rd party authentication provider -- e.g. Facebook check if the logging-in user has liked a particular page, or if the user's email address is pre-approved/white-listed somewhere.

The cycle of events seems like it should be:

1. Authenticate user via external service (e.g. get user-id/email and 3rd party uniqueID)
2. Use 3rd party uniqueID (e.g. Facebook Id #) to perform queries to get some information about the user
3. If the user matches some criteria, sign in the user; if not, return to the login screen

To me, it seems like there should be a method we can override in the authentication process like this that would do the trick:

(This hypothetical example of what I'm looking for covers checking the property of the user in the normal login-in cycle -- we'll get to doing additional 3rd party querying in a second).

    // Hypothetical hook (not a real Identity API): decide whether the
    // externally authenticated user may be signed in at all.
    protected override bool BeforeReturnSignedInUser(AppUser user)
    {
        if (whitelistedEmails.Contains(user.Email))
        {
            return true;
        }
        else
        {
            return false;
        }
    }

Similarly, it seems like there should be a way to access the 3rd party accessToken fairly easily to perform additional logic against the 3rd party social media graph, but it seems like, according to this, not: MVC 5 Web API with Facebook access token to RegisterExternal without need of Cookie

(On the other hand, this is more encouraging: How to access Facebook private information by using ASP.NET Identity (OWIN)? but still requires adding a lot of artifacts for what should be a pretty simple operation)

In any event, neither of these examples seems clean -- it seems like adding a lot of complexity to do an additional check that is all of 5 lines of code!


1 Answer


The MVC way to do this is to configure the Facebook middleware to grab the info you want in the ConfigureAuth method in Startup.Auth.cs (I'm looking at the MVC5 project template), then add any custom claims you want in IdentityModels.cs (it even has a comment // Add custom user claims here). This avoids clashes that would occur if you try to add claims elsewhere.

  • Looks like one has to specify a custom IFacebookAuthenticationProvider. – B.C. Jan 14 '16 at 17:00
  • Okay, so I see how you get the access token from the FacebookAuthenticatedContext. – B.C. Jan 14 '16 at 17:07
  • However, I still don't see in the sign-in life-cycle where I could cancel the sign-in if additional criteria aren't met. (I do see how you could store such data by registering an object via app.CreatePerOwinContext, but I don't see where I would read the data and prevent sign-in if criteria isn't met). – B.C. Jan 14 '16 at 17:09
  • hmm. In the MVC template external logins are validated in `ExternalSignInAsync` method of the `ApplicationSignInManager` class. Unfortunately this is non-virtual so can't be overridden to add additional validation logic. – Matthew Jan 14 '16 at 17:51
  • So my thinking is it should be possible to configure it to get the info in Startup.Auth (see: http://www.oauthforaspnet.com/providers/facebook/) then in the `ExternalLoginCallback` of the `Account` controller, that info should be available in the `loginInfo` object so you could do the validation logic there. – Matthew Jan 14 '16 at 17:53
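An added example of the approach Matthew sketches in the comments; this is not code from the question, the answer, or the MVC 5 template. It captures the Facebook access token as a claim on the external identity in Startup.Auth.cs, then gates the sign-in in ExternalLoginCallback before ExternalSignInAsync issues any application cookie. The allow-list ApprovedEmails, the constant FacebookPageId, the claim name "urn:facebook:access_token", the helper IsApprovedAsync and the Graph API edge used for the "liked a page" check are assumptions made for illustration; the Facebook middleware options, ExternalLoginInfo and the SignInManager/AuthenticationManager calls are the real APIs shipped with the template. The template's constructor, SignInManager/AuthenticationManager properties and RedirectToLocal helper are assumed present and omitted here.

```csharp
// ---- Startup.Auth.cs (fragment) ----
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Facebook;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // ... the template's cookie and external-cookie setup stays as it is ...
        var fbOptions = new FacebookAuthenticationOptions
        {
            AppId = "APP_ID",         // placeholder
            AppSecret = "APP_SECRET", // placeholder: read from configuration, never commit it
            Provider = new FacebookAuthenticationProvider
            {
                OnAuthenticated = context =>
                {
                    // Claim name is an arbitrary choice for this example. The claim lands on
                    // the short-lived external identity, not on the application cookie.
                    context.Identity.AddClaim(
                        new Claim("urn:facebook:access_token", context.AccessToken));
                    return Task.FromResult(0);
                }
            }
        };
        fbOptions.Scope.Add("email");
        app.UseFacebookAuthentication(fbOptions);
    }
}

// ---- AccountController.cs (fragment) ----
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Newtonsoft.Json.Linq;

public class AccountController : Controller
{
    // Hypothetical allow-list; a real application loads this from a store.
    private static readonly string[] ApprovedEmails = { "alice@example.com", "bob@example.com" };
    private const string FacebookPageId = "PAGE_ID"; // placeholder

    [AllowAnonymous]
    public async Task<ActionResult> ExternalLoginCallback(string returnUrl)
    {
        var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
        if (loginInfo == null)
        {
            return RedirectToAction("Login");
        }

        // The gate: reject before any application sign-in cookie exists.
        if (!await IsApprovedAsync(loginInfo))
        {
            // Clear the temporary external identity so a retry starts clean.
            AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
            ModelState.AddModelError("", "This account is not approved for access.");
            return View("Login");
        }

        var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);
        switch (result)
        {
            case SignInStatus.Success:
                return RedirectToLocal(returnUrl);
            case SignInStatus.LockedOut:
                return View("Lockout");
            default:
                // Unknown user: the template continues to ExternalLoginConfirmation.
                // Call IsApprovedAsync there as well; that action is reachable on its own.
                ViewBag.ReturnUrl = returnUrl;
                ViewBag.LoginProvider = loginInfo.Login.LoginProvider;
                return View("ExternalLoginConfirmation",
                    new ExternalLoginConfirmationViewModel { Email = loginInfo.Email });
        }
    }

    private static async Task<bool> IsApprovedAsync(ExternalLoginInfo loginInfo)
    {
        // 1. E-mail allow-list. Use the address the provider asserted (loginInfo.Email),
        //    never one from a form field, and compare case-insensitively.
        var email = loginInfo.Email;
        if (string.IsNullOrEmpty(email) || !ApprovedEmails.Contains(email, StringComparer.OrdinalIgnoreCase))
        {
            return false;
        }

        // 2. Extra provider query with the token captured in Startup.Auth.cs.
        var token = loginInfo.ExternalIdentity.FindFirst("urn:facebook:access_token")?.Value;
        if (token == null)
        {
            return false;
        }

        // Assumed Graph API edge for "has the user liked this page"; needs the user_likes permission.
        using (var http = new HttpClient())
        {
            var url = string.Format("https://graph.facebook.com/me/likes/{0}?access_token={1}",
                FacebookPageId, Uri.EscapeDataString(token));
            var body = await http.GetStringAsync(url);
            var data = JObject.Parse(body)["data"] as JArray; // empty array means "not liked"
            return data != null && data.Count > 0;
        }
    }
}
```

Two points a practitioner should keep in mind. The check has to run before ExternalSignInAsync (and again in ExternalLoginConfirmation), because once the application cookie is issued nothing downstream re-validates the external identity. And the access token should stay on the external identity: copying it into the claims generated in IdentityModels.cs puts a bearer token into the long-lived application cookie that is sent on every request, which is rarely what you want. The e-mail allow-list is also only as strong as the provider's verification of that address, so treat it as a filter on already-authenticated users, not as authentication itself.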