C#•17mo ago

Authenticate with AspNet.Security.OAuth.Spotify

I have the following code with the

AspNet.Security.OAuth.Spotify

AspNet.Security.OAuth.Spotify

-Package but I have no idea where the user should authenticate in the end - what is the endpoint for that?

c#
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddAuthentication().AddSpotify(options =>
{
    options.ClientId = "";
    options.ClientSecret = "";
    options.SaveTokens = true;
    options.CallbackPath = "/auth/callback";

    var scopes = new List<string>
    {
        "user-library-read",
        "playlist-read-private",
        "playlist-read-collaborative",
        "playlist-modify-private",
        "playlist-modify-public"
    };
    options.Scope.Add(String.Join(",", scopes));
});

var app = builder.Build();
app.MapRazorPages();
app.UseAuthentication();
app.UseAuthorization();

app.Run();

c#
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddAuthentication().AddSpotify(options =>
{
    options.ClientId = "";
    options.ClientSecret = "";
    options.SaveTokens = true;
    options.CallbackPath = "/auth/callback";

    var scopes = new List<string>
    {
        "user-library-read",
        "playlist-read-private",
        "playlist-read-collaborative",
        "playlist-modify-private",
        "playlist-modify-public"
    };
    options.Scope.Add(String.Join(",", scopes));
});

var app = builder.Build();
app.MapRazorPages();
app.UseAuthentication();
app.UseAuthorization();

app.Run();

TTim I have the following code with the ``AspNet.Security.OAuth.Spotify``-Package but...

TeBeCo•8/18/24, 6:37 PM

did you tried to add an endpoint (or a page) that it requring Authentication ?

TeBeCo•8/18/24, 6:37 PM

and then try to reach that endpoint from a browser

TimOP•8/29/24, 5:24 PM

I did a second attempt today, but now with another OAuth Provider.
I have the following code:

TimOP•8/29/24, 5:24 PM

But it still does not work when I try to access the root page

TeBeCo•8/29/24, 5:37 PM

normal

TeBeCo•8/29/24, 5:38 PM

that code is just adding AuthN

TeBeCo•8/29/24, 5:38 PM

nothing more

TimOP•8/29/24, 6:58 PM

What should I do more?

TTim What should I do more?

TeBeCo•8/29/24, 8:01 PM

yes
but just to hint you
what is AuthN for you ?

TimOP•8/30/24, 4:48 AM

You answer with yes to a what-question??
Authentication is a way for me to send the user to a auth provider which tells me if the user hast access to my app when the login is successful

TeBeCo•8/30/24, 5:35 AM

You answer with yes to a what-question??

yes because you're missing an important part of understanding it all
so i'm trying to ask you question to that it become clear what you need to check docs about / learn if you wish

TeBeCo•8/30/24, 5:35 AM

Authentication is a way for me to send the user to a auth provider

no that's just a side effect depending on how you do AuthN
you can do AuthN without sending someone to an IDP (Identity Provider)

TeBeCo•8/30/24, 5:36 AM

which tells me if the user hast access to my app

absolutly not, that's the biggest mistake here of why you're having this issue
that sentence is 100% unrelated to AuthN

TeBeCo•8/30/24, 5:36 AM

when the login is successful

yes that's the only part that AuthN does

TeBeCo•8/30/24, 5:37 AM

AuthN is just here to ensure you're "known" and assign an identity, which is generally done by verifying and/or asking for credential

TeBeCo•8/30/24, 5:37 AM

there's many way to ask for credentials, some might redirect to a login page, some might not, some are native, some are embed, some are just TPM

TeBeCo•8/30/24, 5:38 AM

==========
so basically your code just do AuthN => so assuming XXX ... then maybe based on that you're gonna need their identity

TeBeCo•8/30/24, 5:38 AM

that's the huge caveat of your code

TeBeCo•8/30/24, 5:39 AM

you have code that deals with "i assign an identity to a user"

TeBeCo•8/30/24, 5:39 AM

but why would the code even go there if you don't tell the code that you need their identity ?

TeBeCo•8/30/24, 5:39 AM

the code above show no trace of "I need to assert you're allowed"

TeBeCo•8/30/24, 5:39 AM

that part is AuthZ not AuthN

TeBeCo•8/30/24, 5:40 AM

thats where this sentence is wrong:

which tells me if the user hast access to my app

TeBeCo•8/30/24, 5:40 AM

you described AuthZ here, not AuthN

TeBeCo•8/30/24, 5:41 AM

AuthN is triggered when AuthZ require identity/user info

TimOP•8/30/24, 11:56 AM

My identity provider only redirects if the user has access to the application so I know, that the user has access to my app when the user gets to the fallback
So you mean I need Autorization too? How do I do that?

TeBeCo•8/30/24, 1:52 PM

depends

TeBeCo•8/30/24, 1:52 PM

can you give me the url of the msft docs you followed so far @Tim

TeBeCo•8/30/24, 1:53 PM

the official one

TeBeCo•8/30/24, 1:53 PM

IIRC there's a line named

TeBeCo•8/30/24, 1:53 PM

and literally the line bellow is

Authorization

Authorization

TeBeCo•8/30/24, 1:53 PM

My identity provider only redirects if the user has access to the application so I know, that the user has access to my app when the user gets to the fallback

TeBeCo•8/30/24, 1:53 PM

that's not how it works

TeBeCo•8/30/24, 1:56 PM

your app ask for the user identity only if the route is protected by AuthZ
your app ask for AuthN only if the current request doens't holds the
```
User
```
```
User
```
property
your app run the AuthN Handler associated with that scheme defined with AuthZ
your AuthN handler then MIGHT HAVE a
and then your app redirect the user to the Url of that
and only then the IDP redirect to your app, which then call the rest of the AuthN handler
and then your app AuthN set the User Idp => back to

TTeBeCo can you give me the url of the msft docs you followed so far @Tim

TimOP•8/31/24, 10:11 AM

I got most from https://developer.okta.com/blog/2019/07/12/secure-your-aspnet-core-app-with-oauth but I also used various other ressources

TeBeCo•8/31/24, 10:12 AM

why not following aspnetcore docs when doing aspnetcore and have question about aspnetcore

TeBeCo•8/31/24, 10:12 AM

that's puzzling

TeBeCo•8/31/24, 10:12 AM

okta have good docs for their product though

TTeBeCo why not following aspnetcore docs when doing aspnetcore and have question about ...

TimOP•8/31/24, 10:12 AM

Because I found nothing good in the official docs

TimOP•8/31/24, 10:12 AM

I followed the official docs in my first attempt

TTim Because I found nothing good in the official docs

TeBeCo•8/31/24, 10:13 AM

type "aspnetcore fundamental" in a search engine

TeBeCo•8/31/24, 10:13 AM

look at the table of contents on the left

TeBeCo•8/31/24, 10:13 AM

TeBeCo•8/31/24, 10:13 AM

first result

TeBeCo•8/31/24, 10:14 AM

TeBeCo•8/31/24, 10:15 AM

TeBeCo•8/31/24, 10:15 AM

that's the first overview page

TeBeCo•8/31/24, 10:15 AM

the 2nd chapter

TeBeCo•8/31/24, 10:16 AM

going through these give actual detailed answers

TimOP•8/31/24, 10:18 AM

From that I still think that I don't need autorization as the user has access to my whole app when the user has an account which is checked with authentication already