2

I'm setting up OAuth using the Owin libraries including Google and Facebook.

The Owin startup class is registering fine by the looks of it. What I'm finding is that rather than being redirected to the appropriate sign in page at Facebook or Google, I'm being redirected to a default 'login.aspx' page. There is no login.aspx page in my solution.

The flow is triggered in a view like so:

@{
        // Get list of configured external authentication middleware

        var loginProviders = Context.GetOwinContext().Authentication.GetExternalAuthenticationTypes();

        if (!loginProviders.Any())
        {
            <div>
                <p>There are no external authentication services configured</p>
            </div>
        }
        else
        {
            using (Html.BeginForm("ExternalLogin", "OAuth"))
            {
                @Html.AntiForgeryToken()

                <div>
                    <p>
                        @foreach (AuthenticationDescription p in loginProviders)
                        {
                            <button type="submit" class="btn btn-default" id="@p.AuthenticationType" name="provider" value="@p.AuthenticationType" title="Log in using your @p.Caption account">@p.AuthenticationType</button>
                        }
                    </p>
                </div>
            }
        }
    }

This triggers the challenge result, however the challenge result simply causes a redirect to login.aspx (which again does not exist)

[HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult ExternalLogin(string provider)
        {
            string redirectUri = Url.Action("ExternalLoginCallback");

            // Request a redirect to the external login provider
            return new ChallengeResult(provider, redirectUri);
        }

What could I be missing?

I've included the Startup.cs class for good measure:

public void Configuration(IAppBuilder app)
        {

            app.UseCookieAuthentication(

               new CookieAuthenticationOptions
               {
                   AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
               });

            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            app.UseFacebookAuthentication(new FacebookAuthenticationOptions
            {
                AppId = Config.OAuthFacebookAppId,
                AppSecret = Config.OAuthFacebookAppSecret,
                Scope = { "email" }, // "email", also "publish_actions" can be included if post to facebook authorization is required
                Provider = new FacebookAuthenticationProvider
                {
                    OnAuthenticated = context =>
                    {
                        context.Identity.AddClaim(new System.Security.Claims.Claim("FacebookAccessToken", context.AccessToken));
                        return Task.FromResult(true);
                    }
                }
            });

            app.UseGoogleAuthentication(
                 clientId: Config.OAuthGoogleClientId,
                 clientSecret: Config.OAuthGoogleClientSecret
            );
        }
gbro3n
  • 6,729
  • 9
  • 59
  • 100

2 Answers2

3

The key modification was to add the code:

// Stop execution of the current page/method - the 401 forces OWIN to kick-in and do its thing

Response.StatusCode = 401;
Response.End();

AuthenticationProperties.RedirectUri is not passed to Google in Challenge()

Other issues were that the Google+ API was not enabled

OWIN's GetExternalLoginInfoAsync Always Returns null

... and for Facebook, an upgrade of the Owin libs to 3.1.0 was required

MVC5 Null Reference with facebook login

So full ExternalLogin method:

[HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public void ExternalLogin(string provider)
        {
            string redirectUri = Url.Action("ExternalLoginCallback");

            var properties = new AuthenticationProperties() { RedirectUri = redirectUri };
            HttpContext.GetOwinContext().Authentication.Challenge(properties, provider);

            // Stop execution of the current page/method - the 401 forces OWIN to kick-in and do its thing

            Response.StatusCode = 401;
            Response.End();
        }
gbro3n
  • 6,729
  • 9
  • 59
  • 100
  • I hade the same issue and this helped. On a new MVC 5 project there is no need to add the response redirect and everything works. On a project which was upgraded from MVC 4 to MVC 5 and now I am changing the FormsAuthentication to owin this issue arose. So this must be just a workaround for something wrong in the config or used packages, right? Can anyone provide some more insight into this? I don't feel comofrtable with a workaround solution. – filipv Feb 05 '18 at 14:20
0

The root cause of this issue (redirecting to login.aspx) is that during the process of migrating to OWIN authentication, FormsAuthentication has not actually been fully switched off so it is the result of a conflict between the two.

To fully de-activate forms authentication module and resolve this issue, you can add the following to modules section of the web.config file:

soupy1976
  • 2,787
  • 2
  • 26
  • 34