11

Once again I am stuck! I am trying to implement a secure WebApi service with ASP.NET Identity using Individual Account. The WebApi service will be consumed by a mobile app developed with phonegap. My phonegap app uses facebook and twitter for login and I have implemented that on the client perfectly.

I have created a SPA project form the visual studio template and I have tested the login process monitoring the HTTP requests with fiddler and chrome dev tools. I have tried the following requests using postman

GET: http://localhost:49577/api/Account/ExternalLogins?returnUrl=/&generateState=true

RESPONSE: 

[{
        "Name": "Facebook",
        "Url": "/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49577%2F&state=jpePf27F3ufkCCEldFdoOVMEGBGTEO1CrRdUQ3bHEP01",
        "State": "jpePf27F3ufkCCEldFdoOVHSGBGTEO1CrRdUQ3bHEP01"
}]

and then I call GET: http://localhost:49577/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49577%2F&state=jpePf27F3ufkCCEldFdoOVMEGBGTEO1CrRdUQ3bHEP01 which calls GetExternalLogin method of AccountsController. This then returns an instance of ChallengeResult when the user isn't authenticated.

This is where I an stuck. Q1: ChallengeResult forces a 301 redirect to facebook login page with some querystring parameters. I don't want this, I want it to give me the parameters but let me handle the logging in my ajax request. I have tried commenting out this line of code

Request.GetOwinContext().Authentication.Challenge(LoginProvider);

but I end up getting a 401 with nothing else, how can I control what the response from ChallegeResult?

Q2. Also, I cannot quite figure out what next from here, after I get an access token from facebook, what webapi end point should I call for instance if I have already obtained the access token, what should I be passing to it?

I have googled all day but I cannot find anything that answers my question. Any help would be appreciated. Thanks

UPDATE:

Regarding Q2; I have figured out the next step and that's GET: http://localhost:49164/signin-facebook?code=...&state=...

This returns another 302 which redirects to 

http://localhost:49164/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49164%2F&state=7oGPd37EA-nmtXPtYEQ40qnretDeKjbPEM1gNkb2DuM1

which in turn returns another 302 which then redirects to 

http://localhost:49164/#access_token=...

So how do I handle all there redirects from a mobile non browser client?

UPDATE

I am trying to find the controller action that handles http://localhost:49164/signin-facebook?code=...&state=... Can anyone help?

UPDATE I have since posting this question learned alot about the facebool login flow, which maybe I should have done before! I still have one question but I have created a different question for that here to keep down the clutter

Community
  • 1
  • 1
Obi
  • 3,091
  • 4
  • 34
  • 56
  • I'm struggling with this too... I have an angularJs app and I tried to do FB login without WebApi, using only FB JS SDK. But again, I'm stuck at where to pass authentication data received from Facebook. Here is my question for reference: http://stackoverflow.com/questions/22846510/handling-server-redirect-to-facebook-login-page-in-angularjs – wojciech_rak Apr 04 '14 at 13:48

1 Answers1

2

The answer to this question is a very detailed one. So to make it easier, I am going to point you to a sample which shows you how you can have a SPA app and connect different clients (phone, tablets etc) and login with Social logins such as Facebook etc https://aspnet.codeplex.com/SourceControl/latest#Samples/WebApi/Todo/ReadMe.txt

pranav rastogi
  • 4,124
  • 23
  • 23