
UmbracoIdentity usage clarification/further explanation #109

Open
mistyn8 opened this issue Jan 28, 2020 · 1 comment

mistyn8 commented Jan 28, 2020

This isn't an issue per se, but a request for clarification/explanation... (due to my shortcoming in understanding how this should work, sorry...)

So I have UmbracoIdentity and Microsoft.Owin.Security.Facebook, all playing nicely with members created via Facebook authentication. (umb 8.5.2)

Setting the authentication cookie as persistent, I assumed that on returning to the site after closing the browser I would see that I'm automatically logged in without having to reauthenticate? I'm not seeing that; I have to use login with Facebook each session and hit the continue (app already has access) button.

Also, am I correct in thinking that once logged in I'm then an Umbraco member with its timeout setting, and at that point I wouldn't get ASP.NET Identity checking for expired tokens and getting one reissued automatically? Or is that not what ASP.NET Identity does, e.g. replace forms authentication and check on each request that I still have access at the provider? Or have I completely misunderstood the infrastructure here?

Also, if I wanted to use the permission to fetch posts from Facebook for the logged-in member, would I then need to also store the access_token against the member profile?

Sorry for the probably simplistic questions, but I can't see much documentation for how this is used in anger once past the initial sync of external authentication to an Umbraco member?
Cheers.

@Shazwazza (Owner) commented

Nothing is simple with authentication/authorization ;) especially when it comes to OAuth. OAuth comes in tons of flavors and they are all different, unfortunately, which is why most are now 'streamlined' to use OpenIdConnect to at least provide consistent APIs. The FB one is not, however.

FormsAuthentication is obsolete/legacy. ASP.NET Identity replaces it but, as you have noted, still uses cookie-based authentication if you want, which your implementation does.

Setting the authentication cookie as persistent

Can you explain what you are doing for this?

Also, am I correct in thinking that once logged in I'm then an Umbraco member with its timeout setting, and at that point I wouldn't get ASP.NET Identity checking for expired tokens and getting one reissued automatically?

Once the OAuth process is complete, authentication is done via cookie authentication and there's no longer any communication with the OAuth provider. However, this is entirely customizable with the OAuth implementation. This library ships with the most basic implementation, but you can override this implementation in your OWIN class and provide all sorts of options to your OAuth provider. Here are the FB OAuth options: https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationOptions.cs . As I said, each provider is slightly different and I'm no expert in all of them, so I'll have to leave it up to you to explore this code and the APIs to figure out exactly what you are wanting to achieve.

Also, if I wanted to use the permission to fetch posts from Facebook for the logged-in member, would I then need to also store the access_token against the member profile?

I dunno - but you can ask the FB OAuth provider for different OAuth scopes (Permissions) https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationOptions.cs#L133 which is a typical OAuth thing to do, but you'll need to look into the FB APIs directly to determine what the names of the scopes you want are. You can also set up event handlers for all OAuth providers; in the FB case it looks like it's this one https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationOptions.cs#L123 , and with those events you can probably handle all sorts of things. As for when/how the OAuth provider communicates back to FB, I think that's this setting https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.Facebook/FacebookAuthenticationOptions.cs#L90 however I have no idea what is sent. To find out you'll need to look through this source code - that is literally what I have done for years to figure out OAuth providers since documentation more or less sucks and source code is your best option.
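The Katana wiring the answer above points at (extra scope, `Provider` event, persistent cookie), as an added example that is not code from this issue or from the UmbracoIdentity project: the claim names, the `user_posts` scope and the `SignInPersistent`/`HasUsableAccessToken` helpers are assumptions, and the sign-in call shows the raw OWIN path rather than UmbracoIdentity's own member sign-in.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Facebook;
using Owin;

// Added example (not from the issue or UmbracoIdentity): Facebook OAuth options for an OWIN startup.
public static class FacebookAuthConfig
{
    // Assumed claim names; the token is only exposed in the OnAuthenticated callback.
    public const string AccessTokenClaim = "urn:facebook:access_token";
    public const string TokenExpiryClaim = "urn:facebook:access_token_expires_utc";

    public static void ConfigureFacebookAuth(IAppBuilder app, string appId, string appSecret)
    {
        var options = new FacebookAuthenticationOptions
        {
            AppId = appId,         // load from config, never hard-code
            AppSecret = appSecret,
            Provider = new FacebookAuthenticationProvider
            {
                OnAuthenticated = context =>
                {
                    // Claims added here travel inside the data-protected auth cookie on every
                    // request; storing the token server-side against the member instead keeps it
                    // out of the cookie and lets you revoke it without re-issuing the cookie.
                    context.Identity.AddClaim(new Claim(AccessTokenClaim, context.AccessToken));
                    if (context.ExpiresIn.HasValue)
                    {
                        var expiresUtc = DateTimeOffset.UtcNow.Add(context.ExpiresIn.Value);
                        context.Identity.AddClaim(new Claim(TokenExpiryClaim, expiresUtc.ToString("o")));
                    }
                    return Task.FromResult(0);
                }
            }
        };
        // Extra Graph API permission; verify the name against Facebook's permissions reference.
        options.Scope.Add("user_posts");
        app.UseFacebookAuthentication(options);
    }

    // Persistent cookie: lifetime is then governed by the cookie middleware's ExpireTimeSpan /
    // SlidingExpiration, not by Facebook. A token revoked at Facebook does not end this session.
    public static void SignInPersistent(IAuthenticationManager auth, ClaimsIdentity identity)
    {
        auth.SignIn(new AuthenticationProperties { IsPersistent = true }, identity);
    }

    // Check the stored token before calling the Graph API; a stale token should trigger a
    // fresh login rather than a failed API call.
    public static bool HasUsableAccessToken(ClaimsIdentity identity, DateTimeOffset nowUtc)
    {
        var token = identity.FindFirst(AccessTokenClaim)?.Value;
        var expiry = identity.FindFirst(TokenExpiryClaim)?.Value;
        return !string.IsNullOrEmpty(token)
            && DateTimeOffset.TryParse(expiry, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out var exp)
            && exp > nowUtc;
    }
}
```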
