Identityserver4: What does IdentityServer do with tokens from external providers (i.e. Facebook , Google)

Created on 1 Feb 2017 · 14 comments · Source: IdentityServer/IdentityServer4

I am curious to know whether IdentityServer generates its own token in exchange for external tokens.

I am using the ResourceOwner flow for accessing my APIs, but for incorporating external logins I will have to go for the Implicit flow. If we talk about Facebook, then we will have an access token from Facebook, but the question is what IdentityServer does with that access token.

What I was trying to do is that I wrote a middleware to receive the Facebook access token and verify it, then get the user details from Facebook (like email, name etc.), create a user on my IdentityServer and generate a new access token for the user. Is it a good approach? Because some guys said that it isn't a good approach, because we already have middlewares to do this exact task, for instance Microsoft's Facebook authentication middleware...

What is the best approach in such scenarios? Because I am using the ResourceOwner flow, any communication with the API has to be through the exchange of some sort of tokens.

question

All 14 comments

First of all - resource owner is a dead end. I think we mentioned that multiple times. Done.

To answer your question - IdentityServer itself does nothing with external access tokens. It's all up to you. You add the Facebook middleware - you handle the callback. You decide what to do.

Ultimately you will sign in the user and preserve whatever data you want.

@leastprivilege thanks for your answer... just want to clear my concepts regarding IdentityServer.. so let's take an example which I am actually playing with right now..

I have a JS application, an API, and IdentityServer configured.

  1. I click the "Login" button on my JS client which redirects me to IdentityServer's login page
  2. From the login page I select "Facebook" as my login provider
  3. I am redirected to facebook where I give my credentials and allow the app
  4. I am redirected back to my callback.html (on JS client)
  5. the URL now contains id_token and access_token

Now what I don't understand is where this access_token and id_token came from.. is it from Facebook? Or my IdentityServer..?

Secondly, I am able to access my API if I set the access_token into the Authorization header of the HTTP request. The API is a .NET Core application wrapped with the following middleware:

```csharp
using IdentityServer4.AccessTokenValidation;

// Inside Startup.Configure: validate incoming bearer tokens against IdentityServer
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "https://localhost:44348/",  // the IdentityServer instance that issued the token
    ScopeName = "api1",                      // the API scope the token must contain
    RequireHttpsMetadata = true              // discovery document must be fetched over HTTPS
});
```

But I have an API built with WebAPI 2; is this middleware available for that as well? Because right now I am using Microsoft's JWT Bearer authentication middleware at WebAPI 2..?

Between step 3 and 4 - you are actually redirected back to IdentityServer.

There is an "external callback" method on the account controller. This is where you get the results from Facebook and can inject code before IdentityServer creates its own tokens.

Yeah, I have seen this method.. Actually I have two versions of IdentityServer: one is configured with EntityFramework and users are managed by ASP.NET Identity, and the other is from the QuickStart samples which uses InMemoryUsers. The behavior of this method is different in the case of ASP.NET Identity, i.e. it redirects you back to the IdentityServer and I don't know where the token goes, and the other from the QuickStart samples which uses InMemoryUsers redirects me back to the SPA with the access token concatenated in the URL.. this is exactly what I want.. Now how can I achieve that if I am using ASP.NET Identity? I want to get redirected back to the SPA with the access token...

Will I have a response from you in the near future?

I don't follow. You will - in any case - get back to the account controller after Facebook.

If you need faster response times - I recommend opening an issue on StackOverflow.

Any update on the issue? closing for now - feel free to re-open if it needs further discussion.

@leastprivilege To use external authentication, does it have to use the implicit flow?

@waqaskhan540 Did you get it working in the end? If so, how?

@stt106 I achieved it through this Exchange Auth tokens with IdentityServer token

@waqaskhan540 thanks for getting back to me. I am slightly confused; did you write a new library to handle the external provider and IdentityServer4?

@stt106 It's not a library; in fact it's just a way to exchange the external tokens for an IdentityServer token..

@waqaskhan540 thanks for sharing this; can I ask whether there is any official doc you used as a reference? Or did you just figure out the whole process by yourself? I did a lot of searching but couldn't find anything in the official docs.

@stt106 There is no mention of the exact technique I have used here, but you will surely find in the docs about ExtensionGrants, which actually allow you to write your own logic before generating an auth token. I have used the same...

You can read more about it here.. ExtensionGrants for IdentityServer
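As an added illustration of the extension-grant approach described in this thread (this is example code, not code from the thread or from the IdentityServer4 project): a custom grant that accepts a Facebook access token at the token endpoint, verifies it with the provider, and only then lets IdentityServer issue its own token. The `IExternalTokenVerifier` interface, the `facebook_token` grant name and the app-id placeholder are assumptions; `IExtensionGrantValidator`, `ExtensionGrantValidationContext` and `GrantValidationResult` are real IdentityServer4 types.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// Assumed abstraction (not part of IdentityServer4): asks Facebook whether the token
// is valid, which app it was issued to, and which provider user it belongs to.
public interface IExternalTokenVerifier
{
    Task<ExternalTokenInfo> VerifyFacebookTokenAsync(string accessToken);
}

public class ExternalTokenInfo
{
    public bool IsValid { get; set; }
    public string AppId { get; set; }   // app the token was issued to
    public string UserId { get; set; }  // provider-side user id
}

// Client posts grant_type=facebook_token&token=<facebook token> to /connect/token
// and receives an IdentityServer-issued access token for a locally mapped subject.
public class FacebookTokenGrantValidator : IExtensionGrantValidator
{
    private const string OurFacebookAppId = "<your-facebook-app-id>"; // placeholder
    private readonly IExternalTokenVerifier _verifier;
    public FacebookTokenGrantValidator(IExternalTokenVerifier verifier) => _verifier = verifier;
    public string GrantType => "facebook_token";

    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        var fbToken = context.Request.Raw.Get("token");
        if (string.IsNullOrEmpty(fbToken))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, "token is missing");
            return;
        }
        // Never trust user details the client sends alongside the token; verify with the provider.
        var info = await _verifier.VerifyFacebookTokenAsync(fbToken);
        // The token must be valid AND issued to our app; otherwise a token obtained for
        // any other Facebook app could be replayed here to mint one of our tokens.
        if (!info.IsValid || info.AppId != OurFacebookAppId)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "external token rejected");
            return;
        }
        // Map the provider user to a local subject (lookup/provisioning in your user store goes here).
        var subject = $"facebook:{info.UserId}";
        context.Result = new GrantValidationResult(subject, GrantType, identityProvider: "Facebook");
    }
}
```

Register it with `services.AddIdentityServer()...AddExtensionGrantValidator<FacebookTokenGrantValidator>()` and add `"facebook_token"` to the calling client's `AllowedGrantTypes`; the SPA then keeps using IdentityServer-issued tokens against the API exactly as before.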

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
