I need a user to log in to a website using out-of-the-box authentication to Facebook. I now need to link to the user's drive in Google (and other services). I want to use ASP.NET Identity OAuth identity providers to handle the token exchange, BUT I don't want it to touch an existing UserCredential or use it for SignIn of the UserPrincipal.

My goal is to prevent

  • AuthenticateCoreAsync from returning an AuthenticationTicket that results in modifications to the currently logged-in user identity
  • A user shortcutting the authentication system using claims obtained from Google. (I should already have the user logged in via other means)
  • An unexpected token/cookie from being used to create a valid session, creating a privilege escalation scenario?

Question

  1. What effect does setting a custom grantIdentity have on IOwinContext.Authentication.SignIn()?

  2. Does SignInAsAuthenticationType solve my need?

  3. If not, when would this be used?

Theoretical code using Google provider

// The cookie needs to be First in the chain.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "CustomExternal",
    AuthenticationMode = AuthenticationMode.Passive,
    CookieName = "MyAwesomeCookie",
    ExpireTimeSpan = TimeSpan.FromMinutes(5),
    //Additional custom cookie options....
});

//Note that SignInAsAuthenticationType == AuthenticationType
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
{
    AuthenticationType = "GoogleBackOffice",
    ClientId = "abcdef...",
    ClientSecret = "zyxwv....",
    SignInAsAuthenticationType = "CustomExternal"
});
halfbit
  • To clarify, you want to sign in the user via their Facebook identity, and then you want to add other identities like Google so you can access their resources, but you don't want the user to be able to log in to your site via the other providers (e.g. Google)? – Tratcher Jan 27 '17 at 19:28
  • @Tratcher exactly correct. Although I'm using the Facebook identity as a "core ID", I will in reality be creating my own identity middleware as a fork of the existing OpenIDConnect middleware (referring to the Katana source code). – halfbit Jan 27 '17 at 19:35
  • See also the ability to add multiple authentication types... might be relevant http://stackoverflow.com/q/41985478/328397 – halfbit Feb 01 '17 at 17:04

2 Answers

The Visual Studio 2015 MVC Individual User Accounts template does something like this. You create your first account (with a local username and password or a remote provider), and then you can link other identities to that one. It does this linking by maintaining two cookies during the login, one for the app and one for the external identity.

If you look in the ManageController under LinkLoginCallback, you should be able to tweak the logic at that point to store the external identity tokens, but not grant it login access to your application.

In other words, logic like this should be managed at the authorization layer in your controller logic, not at the authentication layer in the auth middleware.

Tratcher
  • Understood, but the OpenID Connect code that asks for the login, and has built in CSRF protection, automatically creates an ASP.NET identity when SignIn is called. I don't want any SignIn to be called. From what I can tell SignInAsAuthenticationType allows for this (with no tweaking of logic) but I want to make sure I implement it correctly. https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/facebook-logins – halfbit Feb 01 '17 at 16:53
  • What's wrong with a SignIn for a secondary cookie? As long as it's not your app cookie it won't be used for authorization. – Tratcher Feb 02 '17 at 17:53
  • I'm not totally sure. I do want to prevent the situation where unrelated google user Mallory is added to either Alice's or Bob's regular Facebook account... among other threats – halfbit Feb 02 '17 at 18:29
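As an added example (not the asker's code and not Tratcher's), here is the linking flow the answer describes, written against the question's Katana setup: the Google result is signed into the passive "CustomExternal" cookie only, the callback checks the XSRF key that ties the round trip to the current user, persists the tokens, and signs that secondary cookie out without ever calling SignIn on the application cookie. `IProviderTokenStore` and its `SaveAsync` are assumed placeholders for whatever token storage the app uses; the claim names `urn:google:access_token` / `urn:google:refresh_token` are likewise chosen here, not defined by the middleware.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Google;

[Authorize] // requires the app cookie; the passive "CustomExternal" cookie never satisfies this on its own
public class ManageController : Controller
{
    private const string XsrfKey = "XsrfId";
    private const string ExternalType = "CustomExternal"; // the question's secondary cookie
    private readonly IProviderTokenStore _tokens;         // hypothetical store, keyed by app user id
    public ManageController(IProviderTokenStore tokens) { _tokens = tokens; }
    private IAuthenticationManager Auth => HttpContext.GetOwinContext().Authentication;
    // Assign to GoogleOAuth2AuthenticationOptions.Provider so the tokens ride along as claims in the external identity.
    public static GoogleOAuth2AuthenticationProvider TokenCapturingProvider() =>
        new GoogleOAuth2AuthenticationProvider { OnAuthenticated = ctx =>
        {
            ctx.Identity.AddClaim(new Claim("urn:google:access_token", ctx.AccessToken));
            if (ctx.RefreshToken != null)
                ctx.Identity.AddClaim(new Claim("urn:google:refresh_token", ctx.RefreshToken));
            return Task.FromResult(0);
        } };

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult LinkLogin()
    {
        // Same pattern as the template's ChallengeResult: bind the round trip to the current user.
        var props = new AuthenticationProperties { RedirectUri = Url.Action("LinkLoginCallback") };
        props.Dictionary[XsrfKey] = User.Identity.GetUserId();
        Auth.Challenge(props, "GoogleBackOffice");
        return new HttpUnauthorizedResult(); // the 401 is what the Google middleware turns into a redirect
    }
    public async Task<ActionResult> LinkLoginCallback()
    {
        var userId = User.Identity.GetUserId();
        var result = await Auth.AuthenticateAsync(ExternalType);
        string expected;
        if (result?.Identity == null || !result.Properties.Dictionary.TryGetValue(XsrfKey, out expected)
            || expected != userId)
            return new HttpStatusCodeResult(400); // not started by this user: discard it, never sign it in
        await _tokens.SaveAsync(userId, result.Identity.FindFirst(ClaimTypes.NameIdentifier)?.Value,
            result.Identity.FindFirst("urn:google:access_token")?.Value,
            result.Identity.FindFirst("urn:google:refresh_token")?.Value);
        Auth.SignOut(ExternalType); // drop the secondary cookie; the app principal was never modified
        return RedirectToAction("ManageLogins");
    }
}
```

Because "CustomExternal" is registered with AuthenticationMode.Passive and is never the type behind [Authorize], a stray or replayed Google result can only ever populate that short-lived cookie, not the session.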
If ClaimsPrincipal.Identity.IsAuthenticated is false, then the user will be challenged with the login page.

Boopathy T