使用OpenIdConnectServer并尝试通过API服务连接到Facebook [英] Use OpenIdConnectServer and try to connect to Facebook through API service
问题描述
应用程序上下文中,我正在设法使我的API能够从Facebook与我的身份用户关联。
我正在开发一个移动应用程序(在Xamarin),需要使用用户名/密码和Facebook登录。我已经设置了 app.UseOpenIdConnectServer 配置,并创建了自定义的 Provider ,所以我的应用程序已经在使用用户名/密码
现在我正在试图与Facebook进行整合,而不是找到一种方法,我可以实现这一点。
我正在考虑在API中创建一个服务,例如 / api / auth / login-facebook / 传递访问令牌从Facebook,但我需要返回我的API应用程序的访问令牌到移动应用程序,所以移动应用程序可以调用所有其他需要授权的服务。 / p>
有什么帮助吗?
我想要获得的可视化方式:
- 用户在移动应用中按使用Facebook登录
- 移动应用程序调用
/ api / auth / login-facebook /从Facebook传递访问令牌 - 在API应用程序我会c使用
Facebook包 c $ c> access-token - 如果用户没有不存在,我将使用Facebook返回的数据创建他,之后我将生成
访问令牌以授予对我的API应用程序的访问权限 - 如果用户存在,我将生成
访问令牌以授予对我的API应用程序的访问权限。 - 返回
访问令牌移动应用程序,以便它可以调用其他服务
如果我的知识是错误的,我应该以另一种方式进行这种整合/登录,请随便告诉我!
你描述的流程非常类似于断言授权,去年
I'm trying to figure out a way of making my API being able to associate a user from Facebook to my Identity users.
The application context
I'm developing a mobile application (In Xamarin) that needs to make login with Username/Password and with Facebook. I have already set the app.UseOpenIdConnectServer configuration and created the custom Provider so my application is already working with Username/Password.
Now I'm trying to make this integration with Facebook and not finding a way I can achieve this.
I was thinking in creating a service in the API like /api/auth/login-facebook/ passing the access-token from Facebook but I need to return the access-token of my API application to the mobile application so the mobile app could call all the other services that needs authorization.
Any help about that?
A visual way of what I'm trying to get:
- User press "Login with Facebook" in Mobile Application
- Mobile Application call the
/api/auth/login-facebook/passing theaccess-tokenfrom Facebook - In the API Application, I will check the
access-tokenwith theFacebookpackage - If the user doesn't exists, I will create him with the data that Facebook returned me and after that I will generate the
access-tokento grant access to my API Application - If the user exists, I will generate the
access-tokento grant access to my API Application - Return the
access-tokento the Mobile Application so it can call the other services
If my knowledge is wrong and I should do this integration/login in another way, please fell free to tell me!
The flow you describe is very similar to "assertion grants", a flow that was standardized last year.
To use this flow, you usually have to retrieve a standard token from the external provider (e.g a JWT or a SAML assertion) so your own authorization server can validate it and extract the claims it exposes. Unfortunately, this is not something you can do with Facebook or with most social providers in general.
A new OAuth2 draft will likely help change that in the future, but it will probably take a while before major services start implementing it.
The good news is that nothing prevents you from creating your own "Facebook access token" grant type in the meantime. Here's how you could implement the assertion grant with ASOS beta6:
public override Task ValidateTokenRequest(ValidateTokenRequestContext context)
{
// Reject the token request if it doesn't use grant_type=password, refresh_token
// or urn:ietf:params:oauth:grant-type:facebook_access_token.
if (!context.Request.IsPasswordGrantType() &&
!context.Request.IsRefreshTokenGrantType() &&
context.Request.GrantType != "urn:ietf:params:oauth:grant-type:facebook_access_token")
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "The specified grant type is not supported by this server.");
return Task.FromResult(0);
}
// Reject the token request if the assertion parameter is missing.
if (context.Request.GrantType == "urn:ietf:params:oauth:grant-type:facebook_access_token" &&
string.IsNullOrEmpty(context.Request.Assertion))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The assertion is missing.");
return Task.FromResult(0);
}
// Since there's only one application and since it's a public client
// (i.e a client that cannot keep its credentials private), call Skip()
// to inform the server the request should be accepted without
// enforcing client authentication.
context.Skip();
return Task.FromResult(0);
}
public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
// Only handle grant_type=password and urn:ietf:params:oauth:grant-type:facebook_access_token
// requests and let the OpenID Connect server middleware handle the refresh token requests.
if (context.Request.IsPasswordGrantType())
{
// Skipped for brevity.
}
else if (context.Request.GrantType == "urn:ietf:params:oauth:grant-type:facebook_access_token")
{
// The assertion corresponds to the Facebook access token.
var assertion = context.Request.Assertion;
// Create a new ClaimsIdentity containing the claims that
// will be used to create an id_token and/or an access token.
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
// Validate the access token using Facebook's token validation
// endpoint and add the user claims you retrieved here.
identity.AddClaim(ClaimTypes.NameIdentifier, "FB user identifier");
// Create a new authentication ticket holding the user identity.
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
// Set the list of scopes granted to the client application.
ticket.SetScopes(new[]
{
/* openid: */ OpenIdConnectConstants.Scopes.OpenId,
/* email: */ OpenIdConnectConstants.Scopes.Email,
/* profile: */ OpenIdConnectConstants.Scopes.Profile,
/* offline_access: */ OpenIdConnectConstants.Scopes.OfflineAccess
}.Intersect(context.Request.GetScopes()));
context.Validate(ticket);
}
return Task.FromResult(0);
}
这篇关于使用OpenIdConnectServer并尝试通过API服务连接到Facebook的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
