I need a user to log in to a website using out-of-the-box authentication to Facebook. I now need to link to the user's drive in Google (and other services). I want to use ASP.NET Identity OAuth identity providers to handle the token exchange, BUT I don't want it to touch an existing UserCredential or use it for SignIn of the UserPrincipal.

My goal is to prevent AuthenticateCoreAsync from returning an AuthenticationTicket that results in modifications to the current logged-in user identity:

- A user shortcutting the authentication system using claims obtained from Google. (I should already have the user logged in via other means)
- Prevent an unexpected token/cookie from being used to create a valid session, creating a privilege escalation scenario?

Question

What effect does setting a custom grantIdentity have on IOwinContext.Authentication.SignIn()?

Does SignInAsAuthenticationType solve my need? If not, when would this be used?

Theoretical code using Google provider
// The cookie needs to be first in the chain.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = "CustomExternal",
    AuthenticationMode = AuthenticationMode.Passive,
    CookieName = "MyAwesomeCookie",
    ExpireTimeSpan = TimeSpan.FromMinutes(5),
    // Additional custom cookie options....
});

// Note that SignInAsAuthenticationType == AuthenticationType
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
{
    AuthenticationType = "GoogleBackOffice",
    ClientId = "abcdef...",
    ClientSecret = "zyxwv....",
    SignInAsAuthenticationType = "CustomExternal"
});
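
An added example, not part of the original question: with the registration above, the Google middleware issues its sign-in grant under `SignInAsAuthenticationType`, so only the passive "CustomExternal" cookie is written and the application's own sign-in is left alone. The sketch below assumes an ASP.NET MVC 5 controller on Katana; `LinkGoogleController`, `LinkOwnerKey` and `SaveLink` are hypothetical names. It reads that temporary identity explicitly, checks that it was issued for the user who is already logged in, and never calls `SignIn`.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Security;

[Authorize] // linking is only offered to a user who is already signed in
public class LinkGoogleController : Controller
{
    private const string ExternalCookie = "CustomExternal";   // from the question
    private const string GoogleProvider = "GoogleBackOffice"; // from the question
    private const string LinkOwnerKey = "link-owner";         // hypothetical key name

    private IAuthenticationManager Auth { get { return HttpContext.GetOwinContext().Authentication; } }

    public ActionResult Start()
    {
        // Bind the round trip to the current user so the callback can reject
        // a temporary cookie that was issued for somebody else.
        var props = new AuthenticationProperties { RedirectUri = Url.Action("Callback") };
        props.Dictionary[LinkOwnerKey] = User.Identity.Name;
        Auth.Challenge(props, GoogleProvider);
        return new HttpUnauthorizedResult();
    }

    public async Task<ActionResult> Callback()
    {
        // Passive middleware: the temporary cookie is read only on request
        // and never replaces HttpContext.User.
        AuthenticateResult ext = await Auth.AuthenticateAsync(ExternalCookie);
        Auth.SignOut(ExternalCookie); // single use, whatever the outcome

        string owner;
        if (ext == null || ext.Identity == null ||
            !ext.Properties.Dictionary.TryGetValue(LinkOwnerKey, out owner) ||
            owner != User.Identity.Name)
        {
            return new HttpStatusCodeResult(400, "Link request not recognised");
        }

        Claim googleId = ext.Identity.FindFirst(ClaimTypes.NameIdentifier);
        if (googleId == null) return new HttpStatusCodeResult(400);
        SaveLink(User.Identity.Name, googleId.Value); // hypothetical persistence
        return RedirectToAction("Index", "Home");     // hypothetical landing page
    }

    // Hypothetical stand-in for the application's own store.
    private void SaveLink(string localUser, string googleSubject) { }
}
```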