Get Token by loging in with External Providers using OpenIddict

I have an API with ASP.NET Core which will be consumed by native mobile apps(currently UWP, Android) and I'm trying to implement a way that clients can sign up and log in with both username/password and external providers such as Google and Facebook. now I'm using openIddict and my ExternalProviderCallback must return local tokens which I assume currently returns cookie! (I've Copied most of the codes from somewhere) and also it seems it's not the AuthorizationCodeFlow which I assume that is the correct way!

now here is my Startup class

public class Startup
    public Startup(IHostingEnvironment env)
        var builder = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
            .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

        if (env.IsDevelopment())
        Configuration = builder.Build();

    public IConfigurationRoot Configuration { get; }

    // This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
        services.AddSingleton<IConfiguration>(c => Configuration);
        services.AddIdentity<ApplicationUser, IdentityRole>(config =>
            //Setting some configurations
            config.User.RequireUniqueEmail = true;
            config.Password.RequireNonAlphanumeric = false;
            config.Cookies.ApplicationCookie.AutomaticChallenge = false;
            config.Cookies.ApplicationCookie.Events = new CookieAuthenticationEvents()
                OnRedirectToLogin = context =>
                    if (context.Request.Path.StartsWithSegments("/api") && 
                    context.Response.StatusCode == 200)
                        context.Response.StatusCode = 401;
                    return Task.CompletedTask;
                OnRedirectToAccessDenied = context =>
                    if (context.Request.Path.StartsWithSegments("/api") && 
                    context.Response.StatusCode == 200)
                        context.Response.StatusCode = 403;
                    return Task.CompletedTask;
        services.AddDbContext<ApplicationDbContext>(options =>

        services.AddMvc(options =>
            options.SslPort = 44380;
            options.Filters.Add(new RequireHttpsAttribute());

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env,
        ILoggerFactory loggerFactory, DbSeeder dbSeeder)


        app.UseGoogleAuthentication(new GoogleOptions()
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            ClientId = Configuration["Authentication:Google:ClientId"],
            ClientSecret = Configuration["Authentication:Google:ClientSecret"],
            CallbackPath = "/signin-google",
            Scope = { "email" }
        app.UseFacebookAuthentication(new FacebookOptions()
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            AppId = Configuration["Authentication:Facebook:AppId"],
            AppSecret = Configuration["Authentication:Facebook:AppSecret"],
            CallbackPath = "/signin-facebook",
            Scope = { "email" }


        catch (AggregateException ex)
            throw new Exception(ex.ToString());

and here is AccountController Which is Doing External Providers Job:

public class AccountsController : BaseController
    private readonly IConfiguration _configuration;

    #region Constructor

    public AccountsController(ApplicationDbContext context,
        SignInManager<ApplicationUser> signInManager,
        UserManager<ApplicationUser> userManager,
        IConfiguration configuration)
        : base(context, signInManager, userManager)
        _configuration = configuration;

    #endregion Constructor

    #region External Authentication Providers 

    // GET: /api/Accounts/ExternalLogin 
    public IActionResult ExternalLogin(string provider, string returnUrl = null)
        switch (provider.ToLower())
            case "facebook":
            case "google":
            case "twitter":
                // Request a redirect to the external login provider.
                var redirectUrl = Url.Action("ExternalLoginCallback",
                    "Accounts", new { ReturnUrl = returnUrl });
                var properties =
                    SignInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
                return Challenge(properties, provider);
                return BadRequest(new
                    Error = $"Provider '{provider}' is not supported."

    public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null,
        string remoteError = null)
            if (remoteError != null)
                throw new Exception(remoteError);
            var info = await SignInManager.GetExternalLoginInfoAsync();
            if (info == null)
                throw new Exception("ERROR: No login info available.");
            var user = await UserManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
            if (user == null)
                var emailKey =
                var email = info.Principal.FindFirst(emailKey).Value;
                user = await UserManager.FindByEmailAsync(email);
                if (user == null)
                    var now = DateTime.Now;
                    var idKey =
                    var username = string.Format("{0}{1}", info.LoginProvider,
                    user = new ApplicationUser
                        UserName = username,
                        Email = email,
                        CreatedDate = now,
                        LastModifiedDate = now
                    await UserManager.CreateAsync(user, "SomePass4ExProvider123+-");
                    await UserManager.AddToRoleAsync(user, "Registered");
                    user.EmailConfirmed = true;
                    user.LockoutEnabled = false;
                await UserManager.AddLoginAsync(user, info);
                await DbContext.SaveChangesAsync();
            // create the auth JSON object 
            var auth = new
                type = "External",
                providerName = info.LoginProvider

            // output a <SCRIPT> tag to call a JS function registered into the parent window global scope
            return Content("<script type=\"text / javascript\">" +
                           "window.opener.externalProviderLogin(" +
                           JsonConvert.SerializeObject(auth) + ");" +
                           "window.close();" + "</script>", "text/html");

        catch (Exception ex)
            return BadRequest(new {Error = ex.Message});

    public IActionResult Logout()
        if (HttpContext.User.Identity.IsAuthenticated)
        return Ok();

    #endregion External Authentication Providers 

and Lastly ConnectController Which will Generate Tokens :

public class ConnectController : Controller
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;
    private readonly IConfiguration _configuration;

    public ConnectController(
        UserManager<ApplicationUser> userManager,
        SignInManager<ApplicationUser> signInManager,
        IConfiguration configuration)
        _userManager = userManager;
        _signInManager = signInManager;
        _configuration = configuration;

    [HttpPost("token"), Produces("application/json")]
    public async Task<IActionResult> Token(OpenIdConnectRequest request)
        if (request.IsPasswordGrantType())
            var user = await _userManager.FindByNameAsync(request.Username);

            #region Authenticate User

            if (user == null)
                // Return bad request if the user doesn't exist
                return BadRequest(new OpenIdConnectResponse
                    Error = OpenIdConnectConstants.Errors.InvalidGrant,
                    ErrorDescription = "Invalid username or password"
            if (!await _signInManager.CanSignInAsync(user) ||
                (_userManager.SupportsUserLockout && await _userManager.IsLockedOutAsync(user)))

                return BadRequest(new OpenIdConnectResponse
                    Error = OpenIdConnectConstants.Errors.InvalidGrant,
                    ErrorDescription = "The specified user cannot sign in."

            if (!await _userManager.CheckPasswordAsync(user, request.Password))
                // Return bad request if the password is invalid
                return BadRequest(new OpenIdConnectResponse
                    Error = OpenIdConnectConstants.Errors.InvalidGrant,
                    ErrorDescription = "Invalid username or password"

            // The user is now validated, so reset lockout counts, if necessary
            if (_userManager.SupportsUserLockout)
                await _userManager.ResetAccessFailedCountAsync(user);


            var identity = new ClaimsIdentity(
                OpenIdConnectConstants.Claims.Name, null);



            var principal = new ClaimsPrincipal(identity);

            var ticket = await CreateTicketAsync(principal, request, new AuthenticationProperties());

            return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);
        if (request.IsRefreshTokenGrantType())
            var info = await HttpContext.Authentication.GetAuthenticateInfoAsync(

            var id = info.Principal.FindFirst(OpenIdConnectConstants.Claims.Subject)?.Value;
            var user = await _userManager.FindByIdAsync(id);

            if (user == null)
                return BadRequest(new OpenIdConnectResponse
                    Error = OpenIdConnectConstants.Errors.InvalidGrant,
                    ErrorDescription = "The refresh token is no longer valid."

            if (!await _signInManager.CanSignInAsync(user))
                return BadRequest(new OpenIdConnectResponse
                    Error = OpenIdConnectConstants.Errors.InvalidGrant,
                    ErrorDescription = "The user is no longer allowed to sign in."
            var identity = new ClaimsIdentity(
                OpenIdConnectConstants.Claims.Name, null);


                user.DisplayName ?? user.UserName,

            // ... add other claims, if necessary.

            var principal = new ClaimsPrincipal(identity);
            var ticket = await CreateTicketAsync(principal,request, info.Properties);

            // Ask OpenIddict to generate a new token and return an OAuth2 token response.
            return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);

        // Return bad request if the request is not for password grant type
        return BadRequest(new OpenIdConnectResponse
            Error = OpenIdConnectConstants.Errors.UnsupportedGrantType,
            ErrorDescription = "The specified grant type is not supported."
    private async Task<AuthenticationTicket> CreateTicketAsync(ClaimsPrincipal principal,
        OpenIdConnectRequest request,
       AuthenticationProperties properties = null)

        // Create a new authentication ticket holding the user identity.
        var ticket = new AuthenticationTicket(principal, properties,

        if (!request.IsRefreshTokenGrantType())
            //TODO : // Include resources and scopes, **as APPROPRIATE**
            // Set the list of scopes granted to the client application.
            // Note: the offline_access scope must be granted
            // to allow OpenIddict to return a refresh token.
                /* openid: */ OpenIdConnectConstants.Scopes.OpenId,
                /* email: */ OpenIdConnectConstants.Scopes.Email,
                /* profile: */ OpenIdConnectConstants.Scopes.Profile,
                /* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess,
                /* roles: */ OpenIddictConstants.Scopes.Roles
        return ticket;

    #region Authorization code, implicit and implicit flows

    // Note: to support interactive flows like the code flow,
    // you must provide your own authorization endpoint action:

    [Authorize, HttpGet("authorize")]
    public IActionResult Authorize(OpenIdConnectRequest request)
        return Ok();


and this is how I send request :


which returns successfully to my ExternalLoginCallback Action in AccountsController but no JWT tokens are sent back to user as normal PasswordGrantFlow.

Please if it's possible send me code here and don't redirect me somewhere else cause I'm totally new to server side and also I've done my searches before.


  • Try the Velusia sample - authorization code flow.

    You can tweak your authorization endpoint if you want to immediately redirect your users to a specified social provider instead of returning them to the login page:

    public async Task<IActionResult> Authorize(OpenIdConnectRequest request)
            "The OpenIddict binder for ASP.NET Core MVC is not registered. " +
            "Make sure services.AddOpenIddict().AddMvcBinders() is correctly called.");
        if (!User.Identity.IsAuthenticated)
            // Resolve the optional provider name from the authorization request.
            // If no provider is specified, call Challenge() to redirect the user
            // to the login page defined in the ASP.NET Core Identity options.
            var provider = (string) request.GetParameter("identity_provider");
            if (string.IsNullOrEmpty(provider))
                return Challenge();
            // Ensure the specified provider is supported.
            if (!HttpContext.Authentication.GetAuthenticationSchemes()
                .Where(description => !string.IsNullOrEmpty(description.DisplayName))
                .Any(description => description.AuthenticationScheme == provider))
                return Challenge();
            // When using ASP.NET Core Identity and its default AccountController,
            // the user must be redirected to the ExternalLoginCallback action
            // before being redirected back to the authorization endpoint.
            var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider,
                Url.Action("ExternalLoginCallback", "Account", new
                    ReturnUrl = Request.PathBase + Request.Path + Request.QueryString
            return Challenge(properties, provider);
        // Retrieve the application details from the database.
        var application = await _applicationManager.FindByClientIdAsync(request.ClientId, HttpContext.RequestAborted);
        if (application == null)
            return View("Error", new ErrorViewModel
                Error = OpenIdConnectConstants.Errors.InvalidClient,
                ErrorDescription = "Details concerning the calling client application cannot be found in the database"
        // Flow the request_id to allow OpenIddict to restore
        // the original authorization request from the cache.
        return View(new AuthorizeViewModel
            ApplicationName = application.DisplayName,
            RequestId = request.RequestId,
            Scope = request.Scope