✅ OAuth in ASP.NET Framework?
Hi all, I have created a redirect URL for OAuth clients.
How can I make my ASP.NET project deployed in IIS redirect to do the authentication?
This is the authentication controller:
using System.Web;
using System.Web.Mvc;

public class AuthController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // The provider sends the browser here with the token in the URL fragment ("#access_token=...").
    // The fragment is never sent to the server, so this page rewrites it into the query string
    // and reloads as /auth/AuthRedirect?access_token=... (JavaScript's method is replace, lower-case;
    // "Replace" would throw and the redirect would never happen)
    [Route("auth/redirect")]
    [HttpGet]
    public ActionResult Redirect()
    {
        string redirectScript = "<html><script>window.location.href=window.location.href.replace('#', '?').replace('redirect', 'AuthRedirect')</script></html>";
        return Content(redirectScript, "text/html");
    }

    // After the rewrite above, access_token is an ordinary query parameter and MVC binds it directly.
    // Request.Url never contains a fragment, so there is nothing to parse out of it here
    // (IndexOf('#') would return -1 and the old code would "parse" the whole URL).
    [HttpGet]
    public ActionResult AuthRedirect(string access_token)
    {
        if (string.IsNullOrEmpty(access_token))
        {
            return new HttpStatusCodeResult(400, "missing access_token");
        }
        // The token has now travelled in a URL (browser history, IIS logs); treat it as exposed.
        var cookie = new HttpCookie("otsession", access_token)
        {
            Path = "/",
            HttpOnly = true,
            Secure = Request.IsSecureConnection, // send the cookie only over HTTPS when the site is served over HTTPS
        };
        Response.Cookies.Add(cookie);
        return RedirectToAction("Index", "Home");
    }
}
This is the OAuth link: http://localhost:8080/otdsws/login?response_type=token&client_id=<oauth client ID>&redirect_uri=<successful authentication redirect url>&state=none
I have never created an implementation of OAuth before, so any assistance will be appreciated.
17 Replies
are you asking how to do a redirect, or how OAuth works?
I think I need to do a redirect for the OAuth to work? I actually haven't implemented OAuth before, so I thought it should redirect first? Like when I access my web index homepage, then we redirect the user and authenticate that user using OAuth to determine if they're allowed to access the homepage.
this is an MVC app?
or RazorPages?
or something else?
Yes, ASP.NET Framework with MVC.
who is your OAuth provider?
So I created the redirect URL already using OAuth clients.
It's an OpenText Content Server.
It's deployed internally.
So I access my webpage from this link: http://192.168.1.86/otcsnas
so, a separate app of your own?
Yes, a separate one.
The http://192.168.1.86/otcsnas is an ASP.NET Framework MVC project deployed with IIS.
When I access http://localhost:8080/otdsws/login?response_type=token&client_id=otcsnas&redirect_uri=https://localhost:7040/redirect&state=none
I'm able to get a token from the link.
otcsnas is your main app and otdsws is the OAuth provider?
Yes, otcsnas is my main app
and otdsws is the OAuth provider.
alrighty, so the first step is to have your main app redirect to the provider for login
which reveals the first problem
your main app has to know what URL to redirect to
that could range from you just hard-coding it, to retrieving it automatically from
.well-known/openid-configuration
on the provider domain
up to you how flexible you want to be
so, you'll setup a "Login" link or whatever in your main app which either
A) calls a controller method, which calculates a login URL and issues a redirect for it
or
B) just already has the calculated login URL in it
Redirect to provider, meaning when the user accesses the homepage (in this case the HomeController) it redirects to the OAuth link? http://localhost:8080/otdsws/login?response_type=token&client_id=otcsnas&redirect_uri=https://localhost:7040/redirect&state=none -> (the OAuth link that will return the token in the link)
yup
that URL takes the user to the OAuth provider's login page, where they actually put in their credentials
and tells the provider which app is asking for authentication, and what its needs are
I'll assume that URL is correct, cause you're the only one who's gonna know
what parameters are required or not depends on the provider
except for
client_id
and redirect_uri
those are kinda required
assuming the user correctly enters their credentials, the OAuth provider then redirects them back to the redirect_uri
you provided
with the access token you asked for
at this point, it's up to you and the provider what needs to happen with that token
most of the time, the token is only temporary and doesn't actually do anything
it has to be securely exchanged for a REAL token
I.E. your server sends another request behind the scenes to the OAuth provider, with the token, and the client_secret
to confirm that "yes, when you received a request with my client_id
it really was me
this flow prevents the client_secret
from ever being shared beyond your server and the OAuth provider
so, whether you run an exchange to get it or not, once you have a proper access token, you need to use it for...whatever you need it for
in this case, if all you're trying to do is login the user, you probably need to use the access token to make another behind-the-scenes call to the OAuth provider to actually GET the user's info
maybe something like GET ~/users/@me
or GET ~/users/current
or whatever
alternatively, maybe the token you retrieved is a JWT that has that info encoded directly in it
now, you know who the user is, and you can establish a "session" for that user within your own app, and don't need the OAuth provider anymore
maybe you hang on to that access token, maybe you throw it away, maybe you actually instruct the OAuth provider to revoke it, to prevent it from being leaked
your /redirect
controller method within your app does all this, and then finally issues a redirect to the user, to "Index" or whatever
Thank you so much for your explanation 🙏 🙏 I'm still trying to understand your explanation and explore more... thanks so much... hope I can get back to you with some questions if I have any doubt on this, if that is okay 🙏
absolutely
bottom line, you've got 2 things to implement in your main app
A) you need to be able to calculate the URL to send users to the OAuth provider
B) you need to write your redirect method that the OAuth sends the user back to
Okay, can 🙏 I will try to implement it first and update you with the results.
Hi @V.EINA Jaken, I wanted to update you: I'm able to get the access_token from the link now, and I only need to validate the user in the ASP.NET project now. I wanted to thank you for your detailed explanation of OAuth; without it I wouldn't even understand how to implement it in my ASP.NET project. I've tried to search for tutorials, but the implementation was complicated without first understanding the concept.
thanks so much for your help!! 🙏 @V.EINA Jaken
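The two pieces the replies above describe (A: build the URL that sends the user to the provider; B: the redirect method the provider sends the user back to), worked through for the implicit flow (response_type=token) the poster is using. This is an added example written for this page, not code from the thread or from the OpenText product. Taken from the thread: the otdsws login URL shape and its parameters, the client_id "otcsnas", and the "otsession" cookie. Assumed for illustration: the redirect_uri path, the route names, the "oauth_state" cookie name, the ten-minute state lifetime, and that attribute routing is enabled (routes.MapMvcAttributeRoutes() in RouteConfig). The one thing it adds beyond the thread is a random, validated state value in place of state=none; without it, any page can send a victim's browser to your callback with an attacker's token and log them into the attacker's account.

```csharp
// Added example (not part of the thread): ASP.NET MVC (System.Web.Mvc) login controller for the
// implicit (response_type=token) flow. Endpoint, redirect URI and cookie names are assumptions.
using System;
using System.Collections.Specialized;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

public class OAuthLoginController : Controller
{
    private const string AuthorizeEndpoint = "http://localhost:8080/otdsws/login"; // from the thread
    private const string ClientId = "otcsnas";                                     // from the thread
    private const string RedirectUri = "https://localhost:7040/auth/redirect";    // assumed; must match the registered redirect URL
    private const string StateCookie = "oauth_state";                              // assumed name
    private const string SessionCookie = "otsession";                              // from the thread

    // A) Compute the provider URL and send the browser there.
    [HttpGet]
    public ActionResult Login()
    {
        string state = NewState();
        // Remember the state so the callback can prove the response belongs to this login attempt.
        Response.Cookies.Add(new HttpCookie(StateCookie, state)
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
            Expires = DateTime.UtcNow.AddMinutes(10),
        });
        return Redirect(BuildAuthorizeUrl(state));
    }

    public static string BuildAuthorizeUrl(string state)
    {
        // ParseQueryString(string.Empty) returns a collection whose ToString() URL-encodes every value.
        NameValueCollection q = HttpUtility.ParseQueryString(string.Empty);
        q["response_type"] = "token";
        q["client_id"] = ClientId;
        q["redirect_uri"] = RedirectUri;
        q["state"] = state;
        return AuthorizeEndpoint + "?" + q.ToString();
    }

    // B1) The provider lands here with "#access_token=...&state=..." in the fragment. Browsers never
    // send the fragment to the server, so a tiny page moves it into the query string of a second request.
    // location.replace() keeps the token-bearing URL out of the browser history.
    [HttpGet]
    [Route("auth/redirect")]
    public ActionResult Callback()
    {
        const string page = "<!doctype html><script>"
            + "var h = window.location.hash;"
            + "if (h.length > 1) { window.location.replace('/auth/complete?' + h.substring(1)); }"
            + "</script>";
        return Content(page, "text/html");
    }

    // B2) Check state, then turn the provider's token into a session of your own.
    [HttpGet]
    [Route("auth/complete")]
    public ActionResult Complete(string access_token, string state)
    {
        HttpCookie expected = Request.Cookies[StateCookie];
        if (expected == null || !ConstantTimeEquals(expected.Value, state))
            return new HttpStatusCodeResult(400, "state mismatch");
        if (string.IsNullOrEmpty(access_token))
            return new HttpStatusCodeResult(400, "missing access_token");

        // The state is single-use: expire the cookie.
        Response.Cookies.Add(new HttpCookie(StateCookie, "") { Expires = DateTime.UtcNow.AddDays(-1) });

        // The token travelled in a URL (IIS logs, proxies), so treat it as exposed: as the replies
        // suggest, use it once to look up the user at the provider, then rely on your own session.
        // string user = LookupUser(access_token);  // hypothetical call to the provider's user-info endpoint
        Response.Cookies.Add(new HttpCookie(SessionCookie, access_token)
        {
            Path = "/",
            HttpOnly = true,
            Secure = Request.IsSecureConnection,
        });
        return RedirectToAction("Index", "Home");
    }

    // 128 bits from the CSPRNG, hex-encoded, so the state cannot be guessed.
    private static string NewState()
    {
        byte[] bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }

    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Wire a "Login" link to /OAuthLogin/Login and register https://localhost:7040/auth/redirect (or whatever you actually use) with the provider, because the provider compares redirect_uri against the registered value and the OAuth link in the thread currently points at /redirect rather than /auth/redirect. If otdsws also supports response_type=code, prefer it: the token then comes back to your server through the client_secret exchange the replies describe instead of through the browser's URL, and the fragment-copying page in B1 disappears.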