
Servicestack Auth - authenticate with an already issued Access Token


This question is related to the ServiceStack OAuth authentication flow. Debugging the FacebookAuthProvider, I see that if the code parameter isn't null (obtained from a redirection to the Facebook dialog URL), it uses it to obtain an Access Token. The AuthProvider does the same with OAuthAuthorizer.

How about using the JavaScript SDK to obtain an Access Token (with the modal in a popup, without the redirection) for Single Page Applications? Is there any endpoint to authenticate a user with the Access Token issued?

Also, do you consider this a security flaw? I believe that if a user first signs in with the Credentials Provider, and then with an OAuth Provider, ServiceStack creates two separate accounts. If the server validates the Access Token with the Facebook API and returns a valid response, I think it should be okay to sign an already existing user into the application (I guess looking for any AuthUserDetails with the provider equal to facebook should be enough to trust).


Solution

  • The FacebookAuthProvider follows the same OAuth Provider flow that every other OAuth provider follows, which redirects to the remote OAuth site to capture the user's authorization before redirecting back with the code the AuthProvider uses to retrieve the access_token for the user. None of the built-in AuthProviders have any dependency on any JavaScript SDK.

    ServiceStack doesn't create 2 separate User Accounts; it creates 1 User Account which is linked with each AuthProvider they've Authenticated with whilst they were authenticated. The user can then authenticate using any of the Auth Providers they've previously Authenticated with to sign into their account.

    Only if the User wasn't already authenticated when they authenticated with Facebook would it create a separate User Account. But it would only create the new account if there wasn't an existing UserAccount registered with the same Email; otherwise it will fail with an EmailAlreadyExists error. If separate User Accounts were created, these are treated as 2 separate accounts which aren't linked (i.e. have different UserAuthIds), in which case authenticating using either Auth Provider would be signing into 2 different User Accounts.
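A model of the account-linking rules the answer describes, added here as an illustration (not ServiceStack's own code); the in-memory repository, method names and sample emails are constructed. It shows the three outcomes: linking a provider to the already-authenticated account, refusing a new account when the email is taken, and creating an unlinked second account otherwise.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

class EmailAlreadyExists(Exception):
    """Raised when an unauthenticated OAuth sign-in would create an account for an email already registered."""

@dataclass
class UserAuth:
    user_auth_id: int
    email: str
    # provider name -> provider user id; stands in for the linked UserAuthDetails rows
    details: Dict[str, str] = field(default_factory=dict)

class AuthRepository:
    """Constructed in-memory stand-in for the user auth repository (hypothetical, not ServiceStack's API)."""

    def __init__(self) -> None:
        self.users: Dict[int, UserAuth] = {}

    def find_by_email(self, email: str) -> Optional[UserAuth]:
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)

    def find_by_provider(self, provider: str, provider_user_id: str) -> Optional[UserAuth]:
        return next((u for u in self.users.values() if u.details.get(provider) == provider_user_id), None)

    def _create(self, email: str, provider: str, provider_user_id: str) -> int:
        if self.find_by_email(email):
            raise EmailAlreadyExists(email)
        user = UserAuth(len(self.users) + 1, email, {provider: provider_user_id})
        self.users[user.user_auth_id] = user
        return user.user_auth_id

    def register_credentials(self, email: str) -> int:
        # Sign-up through the Credentials provider; the email doubles as the provider user id here
        return self._create(email, "credentials", email)

    def oauth_sign_in(self, provider: str, provider_user_id: str, email: str,
                      session_user_id: Optional[int] = None) -> int:
        """Returns the UserAuthId the session is signed into after the OAuth callback."""
        linked = self.find_by_provider(provider, provider_user_id)
        if linked is not None:
            return linked.user_auth_id  # provider already linked: sign into that account
        if session_user_id is not None:
            # User was already authenticated: link the provider to that account
            self.users[session_user_id].details[provider] = provider_user_id
            return session_user_id
        # Not authenticated: a new, unlinked account, unless the email is already taken
        return self._create(email, provider, provider_user_id)
```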