Thursday, November 27, 2014

Simple OAuth2 Federated Authentication using DotNetOpenAuth

In my previous entry I’ve blogged on how to implement federated authentication to an external identity provider using the System.IdentityModel subsystem and the WS-Federation. This entry shows how to implement OAuth2 federated authentication (Google, Facebook) with the DotNetOpenAuth library.

Let’s start as usual – a simple web app with two pages, the Default page and the LoginPage. Add an authorization rule and forms authentication redirect to the LoginPage for requests that are not authenticated:

<authentication mode="Forms">
    <forms loginUrl="LoginPage.aspx" />
</authentication>
<authorization>
    <deny users="?" />
</authorization>

From the NuGet package manager, install the DotNetOpenAuth.Ultimate package (a standalone complete DotNetOpenAuth).

The passive OAuth2 (the authorization_code flow) requires the client_id and client_secret parameters (these two kind of authenticate the application at the identity provider side) as well as three Uris: the authentication uri (this is where the browse is redirected to authenticate  users), the token uri (this is where the one-time code returned from the login page is exchanged for an access_token) and the profile uri (which is a part of a graph API and allows the application to retrieve user profile information).

Let’s take Google for example. They have the OpenID Connect Discovery uri where a current information on authentication uris is published. This is where you get the information on all three required uris.

{
 "issuer": "accounts.google.com",
 "authorization_endpoint": "https://accounts.google.com/o/oauth2/auth",
 "token_endpoint": "https://accounts.google.com/o/oauth2/token",
 "userinfo_endpoint": "https://www.googleapis.com/plus/v1/people/me/openIdConnect",
 "revocation_endpoint": "https://accounts.google.com/o/oauth2/revoke",
 "jwks_uri": "https://www.googleapis.com/oauth2/v2/certs",
 "response_types_supported": [
  "code",
  "token",
  "id_token",
  "code token",
  "code id_token",
  "token id_token",
  "code token id_token",
  "none"
 ],
 "subject_types_supported": [
  "public"
 ],
 "id_token_alg_values_supported": [
  "RS256"
 ],
 "token_endpoint_auth_methods_supported": [
  "client_secret_post"
 ]
}

To get client_id and client_secret you need to register your application at the Google Console projects page. You need to create a new project, go to APIs&auth/Credentials, register a redirect uri (a uri in your app Google should redirect back to) and they generate both the client_id and client_secret.

Also remember to go to APIs&auth/APIs and switch Google+ API to ON (or your profile API calls will end up with 403)!

Be warned that some details of OAuth2 Google authentication have changed lately and are subjects for further changes.

When you are ready, go back to Visual Studio.

We are going to use the WebServerClient class which is designed to handle the OAuth2 authorization_code flow. We inherit from it to provide all Google endpoints:

public class GoogleClient : WebServerClient
{
    private static readonly AuthorizationServerDescription GoogleDescription =
        new AuthorizationServerDescription
        {
            TokenEndpoint         = new Uri( "https://accounts.google.com/o/oauth2/token" ),
            AuthorizationEndpoint = new Uri( "https://accounts.google.com/o/oauth2/auth" ),
            ProtocolVersion       = ProtocolVersion.V20,                
        };
 
    public const string ProfileEndpoint = "https://www.googleapis.com/plus/v1/people/me/openIdConnect";
 
    public const string OpenId       = "openid";
    public const string ProfileScope = "profile";
    public const string EmailScope   = "email";
 
    public GoogleClient()
        : base( GoogleDescription )
    {
    }
}

We also need a helper class to deserialize JSON profile information

public class GoogleProfileAPI
{
    public string email { get; set; }
    public string given_name { get; set; }
    public string family_name { get; set; }
 
    private static DataContractJsonSerializer jsonSerializer =
        new DataContractJsonSerializer( typeof( GoogleProfileAPI ) );
 
    public static GoogleProfileAPI Deserialize( Stream jsonStream )
    {
        try
        {
            if ( jsonStream == null )
            {
                throw new ArgumentNullException( "jsonStream" );
            }
 
            return (GoogleProfileAPI)jsonSerializer.ReadObject( jsonStream );
        }
        catch ( Exception ex )
        {
            return new GoogleProfileAPI();
        }
    }
}

and a technical helper class to strip off unnecessary query string parameters from the web API calls

public class MyAuthorizationTracker : IClientAuthorizationTracker
{
 
    public IAuthorizationState GetAuthorizationState( 
        Uri callbackUrl, 
        string clientState )
    {
        return new AuthorizationState
        {
            Callback = new Uri( callbackUrl.GetLeftPart( UriPartial.Path ) ) 
        };
    }
 
}

Actual OAuth2 flow code is straightforward now

protected void Page_Load( object sender, EventArgs e )
 {
     IAuthorizationState authorization = gClient.ProcessUserAuthorization();
     // Is this a response from the Identity Provider
     if ( authorization == null )
     {
         // no
         
         // Google will redirect back here
         Uri uri = new Uri( "http://localhost:62889/LoginPage.aspx" );
         // Kick off authorization request with OAuth2 scopes
         gClient.RequestUserAuthorization( returnTo: uri, 
             scope: new[] { GoogleClient.OpenId, GoogleClient.ProfileScope, GoogleClient.EmailScope } );
     }
     else
     {
         // yes
 
         var request = WebRequest.Create( GoogleClient.ProfileEndpoint );
         // add an OAuth2 authorization header
         // if you get 403 here, turn ON Google+ API on your app settings page
         request.Headers.Add( 
              HttpRequestHeader.Authorization, 
              string.Format( "Bearer {0}", Uri.EscapeDataString( authorization.AccessToken ) ) );
         // Go to the profile API
         using ( var response = request.GetResponse() )
         {
             using ( var responseStream = response.GetResponseStream() )
             {
                 var profile = GoogleProfileAPI.Deserialize( responseStream );
                 if ( profile != null &&
                     !string.IsNullOrEmpty( profile.email ) )
                     FormsAuthentication.RedirectFromLoginPage( profile.email, false );
             }
         }
     }
 }

The Google Client is just

// replace with actual values!
public readonly GoogleClient gClient = new GoogleClient
{
    AuthorizationTracker       = new MyAuthorizationTracker(),
    ClientIdentifier           = "my client id",
    ClientCredentialApplicator = ClientCredentialApplicator.PostParameter( "my client secret" )
};

No comments: