
Understanding oauth external login authentication flow in ASP.NET Core Identity


I'm implementing Identity in ASP.NET Core 3 and having a bit of a problem understanding the flow of external login authentication, as are my users.

Things start clearly enough:

[Screenshot: External login button]

As expected I'm prompted to pick a Google identity:

[Screenshot: Google login dialog]

Now at this point I'd expect to see a dialog such as the following, asking for permission to grant my app access to various pieces of the Google identity:

[Screenshot: Grant access dialog]

But that dialog never happens.

What does happen next is:

[Screenshot: Confirm email address page]

The above process step seems completely non-standard to any OAuth flow I've ever seen. I've already told it which Google identity I'm using; the email address is unambiguous. So this dialog seems extraneous and just confuses my users. Is there a reason for this step that I am not understanding?

...And back to the permission dialog above that I would have expected to get there, this never occurs. Why is the app able to accept a Google login without granting access via that dialog?


Solution

  • Why is the app able to accept a Google login without granting access via that dialog?

    It seems that Google automatically grants the OpenID Connect scopes (openid, profile, email) after the application is created. You can verify the scopes in the console under OAuth consent screen:


    But if you also want to require additional sensitive scopes, you still need to have permission granted dynamically during authentication:

    services.AddAuthentication()
    .AddGoogle(options =>
    {
        // Sensitive (non-OpenID Connect) scopes trigger the Google consent dialog
        options.Scope.Add("https://www.googleapis.com/auth/gmail.modify");
        options.Scope.Add("https://www.googleapis.com/auth/gmail.settings.basic");
        // Credentials from the Google API console (placeholders here)
        options.ClientId = "xxxx";
        options.ClientSecret = "xxxx";
    });


    Is there a reason for this step that I am not understanding?

    That is because you enabled ASP.NET Core Identity. In ASP.NET Core Identity, for external login, after authentication, Identity will help create a local user associated with the external login user. After scaffolding Identity in an ASP.NET Core project, you can check the ExternalLogin.cshtml.cs file inside the Areas/Identity/Pages/Account folder. In the function OnGetCallbackAsync you will find that Identity checks the external login user information and confirms a local user is associated with the external user; if yes, it signs the user in. If no, it redirects the user to another page to ask the user to create an account in the local database.

    If you don't need that feature, just remove ASP.NET Core Identity or customize the OnGetCallbackAsync function to skip the process.
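The following is an added example, not code from the question or the answer above, of what such a customized OnGetCallbackAsync could look like: it keeps the scaffolded "already linked, so sign in" branch, creates the local user directly from the provider's email claim instead of showing the confirmation page, and falls back to the scaffolded form whenever the email is missing or already belongs to a local account. It assumes the scaffolded page members (_signInManager, _userManager, Input, ReturnUrl, ProviderDisplayName, ErrorMessage) and IdentityUser as the user type.

```csharp
// Added example, not the question's or answer's code: a customized OnGetCallbackAsync
// for the scaffolded Areas/Identity/Pages/Account/ExternalLogin.cshtml.cs that creates
// the local user directly instead of showing the "confirm email" page.
// Assumes the scaffolded members (_signInManager, _userManager, Input, ReturnUrl,
// ProviderDisplayName, ErrorMessage) and IdentityUser as the user type.
// Needs: using System.Linq; using System.Security.Claims;
public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, string remoteError = null)
{
    returnUrl = returnUrl ?? Url.Content("~/");
    var info = remoteError == null ? await _signInManager.GetExternalLoginInfoAsync() : null;
    if (info == null)
    {
        ErrorMessage = remoteError ?? "Error loading external login information.";
        return RedirectToPage("./Login", new { ReturnUrl = returnUrl });
    }

    // 1. Provider identity already linked to a local user: sign that user in.
    var result = await _signInManager.ExternalLoginSignInAsync(
        info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
    if (result.Succeeded) return LocalRedirect(returnUrl);
    if (result.IsLockedOut) return RedirectToPage("./Lockout");

    // 2. Not linked yet. Only auto-create when the provider supplied an email and no
    //    local account already uses it; otherwise fall back to the scaffolded form so an
    //    external identity can never silently attach itself to an existing local account.
    var email = info.Principal.FindFirstValue(ClaimTypes.Email);
    if (string.IsNullOrEmpty(email) || await _userManager.FindByEmailAsync(email) != null)
    {
        ReturnUrl = returnUrl;
        ProviderDisplayName = info.ProviderDisplayName;
        Input = new InputModel { Email = email };
        return Page();
    }

    // EmailConfirmed = true treats the provider's email as already verified (an
    // assumption that holds for Google; leave it false for providers that do not verify).
    var user = new IdentityUser { UserName = email, Email = email, EmailConfirmed = true };
    var create = await _userManager.CreateAsync(user);
    if (create.Succeeded) create = await _userManager.AddLoginAsync(user, info);
    if (!create.Succeeded)
    {
        ErrorMessage = string.Join("; ", create.Errors.Select(e => e.Description));
        return RedirectToPage("./Login", new { ReturnUrl = returnUrl });
    }

    await _signInManager.SignInAsync(user, isPersistent: false, info.LoginProvider);
    return LocalRedirect(returnUrl);
}
```

The email-collision check is the part worth keeping even if you simplify the rest: linking an external login to an existing local account purely because the email addresses match is how a provider identity ends up controlling an account it never owned.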