I am using ASP.NET Core Identity with social login providers in my ASP.NET Core 3.1 API. I can log in with the configured providers successfully. After logging in, I have a controller that needs access to the access_token that was provided by the social authentication provider to query for additional data (Facebook in this case).

Does ASP.NET Core Identity store the access token from the social login provider anywhere by default or is that my responsibility to write it to a cookie or session in the ExternalLogin callback page of the scaffolded identity code after calling GetExternalLoginInfoAsync()?

It seems GetExternalLoginInfoAsync() only returns information in the ExternalLogin callback, as calling this same method from my controller always returns NULL. So maybe the cookie is removed after successfully logging in. This seems a bit strange, as I would expect it to be able to return the related record stored in the AspNetUserLogin table, since the user is signed in when calling that method from the controller.

I've also tried using the following code to store all the tokens, but can't seem to find them anywhere. Where does it store them?

    // Inside Startup.ConfigureServices; needs System.Linq for ToList().
    services.AddAuthentication()
        .AddFacebook(fb =>
        {
            fb.AppId = Configuration["FacebookAppId"];
            fb.AppSecret = Configuration["FacebookAppSecret"];
            // Keep the provider's tokens in the authentication ticket's properties.
            fb.SaveTokens = true;
            fb.Scope.Add("user_birthday");
            fb.Scope.Add("user_friends");
            fb.Events.OnCreatingTicket = ctx =>
            {
                // Append a custom token to the ones the handler already saved.
                List<AuthenticationToken> tokens = ctx.Properties.GetTokens().ToList();
                tokens.Add(new AuthenticationToken()
                {
                    Name = "TicketCreated",
                    Value = DateTime.UtcNow.ToString()
                });
                ctx.Properties.StoreTokens(tokens);
                return Task.CompletedTask;
            };
        });
Geekn
  • About this issue, there is a related discussion [here](https://stackoverflow.com/questions/29048122/token-based-authentication-in-asp-net-core) for your reference. – LouraQ Jul 23 '20 at 09:20
  • Have you tried calling [ExternalLoginSigninAsync](https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Core/src/SignInManager.cs#L606) from your ExternalLoginCallback? I think this should create an `Identity` cookie and attach it to your response, making you actually logged in with Identity. Then you'd be able to call `userManager.GetUserAsync([controller].User)` from anywhere to find out the IdentityUser... – Pieterjan Jul 23 '20 at 09:24
  • I have the identity cookie, as this is generated from the default AddDefaultIdentity() within ConfigureServices, and the user authenticates with every request. My question relates to the access_token that was returned when performing the ExternalLogin (with Facebook in this case). I only see that token when the external callback is made, after which that access_token from Facebook doesn't seem to be found anywhere (or stored in the token table). I assume I have to store this myself, but that is the question. Does Identity store the access_token from the external login (and the refresh token, for that matter)? – Geekn Jul 23 '20 at 16:53
  • Well, this Facebook OAuth token is only necessary to query the "Facebook OAuth UserInfo endpoint" in order to retrieve the email address, first name, last name, user name, ... I've put a breakpoint in one of my demo applications' ExternalLoginCallback and I can see that I'm getting an Identity.External cookie in my request. I assume that's where Identity stores the encoded Facebook token. You should check what happens in the [SignInManager.GetExternalLoginInfoAsync](https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Core/src/SignInManager.cs#L638) method – Pieterjan Jul 23 '20 at 18:56
  • `GetExternalLoginInfoAsync` in the end calls [Microsoft.AspNetCore.Http.DefaultHttpContext.AuthenticateAsync("Identity.External")](https://github.com/dotnet/aspnetcore/blob/master/src/Identity/Core/src/SignInManager.cs#L640) but I'm currently unable to find out what this does. – Pieterjan Jul 23 '20 at 19:33
  • Do you really want to know about the internals of Identity, or do you just want a working Identity demo with external logins? I have a demo project – Pieterjan Jul 23 '20 at 19:34
  • Correct. I have Identity working correctly, but I also have a need to use the Facebook API to look up things like the profile picture. When the external login is performed, the access_token for Facebook is accessible, so my question is whether Identity stores this social login token somewhere for me or whether this token must be manually managed through a custom process for when I need to access the Facebook API. In the sample code I provided, the Facebook access token is in that list when I call "StoreTokens", so where does it store it when that call is made? – Geekn Jul 24 '20 at 19:34

0 Answers
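
Added example (not part of the original thread, and not the asker's or the ASP.NET Core project's own code): with `SaveTokens = true` the provider tokens travel in the temporary `Identity.External` cookie discussed in the comments, and one way to keep them is to call `SignInManager.UpdateExternalAuthenticationTokensAsync` in the ExternalLogin callback and read them back later with `UserManager.GetAuthenticationTokenAsync`. It assumes `IdentityUser` as the user type and the default EF Core stores; the class names and the route are hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Facebook;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical helper: call it from the scaffolded ExternalLogin callback after
// ExternalLoginSignInAsync succeeds, passing the ExternalLoginInfo it already has.
public class ExternalTokenPersister
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public ExternalTokenPersister(SignInManager<IdentityUser> signInManager)
        => _signInManager = signInManager;

    public async Task<bool> PersistAsync(ExternalLoginInfo info)
    {
        // info.AuthenticationTokens is only populated when SaveTokens = true.
        // Each token is copied into the user token store (AspNetUserTokens with
        // the default EF Core stores), keyed by login provider and token name.
        IdentityResult result = await _signInManager.UpdateExternalAuthenticationTokensAsync(info);
        return result.Succeeded;
    }
}

[Authorize]
[ApiController]
[Route("api/facebook")] // hypothetical route
public class FacebookTokenController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;

    public FacebookTokenController(UserManager<IdentityUser> userManager)
        => _userManager = userManager;

    [HttpGet("token-status")]
    public async Task<IActionResult> TokenStatus()
    {
        IdentityUser user = await _userManager.GetUserAsync(User);
        if (user == null) return Unauthorized();
        // "access_token" is the name the OAuth handler saves the token under.
        string accessToken = await _userManager.GetAuthenticationTokenAsync(
            user, FacebookDefaults.AuthenticationScheme, "access_token");
        // The token is a bearer credential: use it server-side only and keep it
        // out of responses and logs.
        return Ok(new { hasFacebookToken = !string.IsNullOrEmpty(accessToken) });
    }
}
```

Any custom token added in `OnCreatingTicket`, such as the `TicketCreated` entry in the question, is persisted by the same call and can be read back by its name.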