Facebook, Google, and external provider authentication in ASP.NET Core

By Valeriy Novytskyy and Rick Anderson

This tutorial demonstrates how to build an ASP.NET Core 2.x app that enables users to log in using OAuth 2.0 with credentials from external authentication providers.

Facebook, Twitter, Google, and Microsoft providers are covered in the following sections. Other providers are available in third-party packages such as AspNet.Security.OAuth.Providers and AspNet.Security.OpenId.Providers.

[Image: social media icons for Facebook, Twitter, Google plus, and Windows]

Enabling users to sign in with their existing credentials is convenient for the users and shifts many of the complexities of managing the sign-in process onto a third party. For examples of how social logins can drive traffic and customer conversions, see case studies by Facebook and Twitter.

Note: Packages presented here abstract a great deal of complexity of the OAuth authentication flow, but understanding the details may become necessary when troubleshooting. Many resources are available; for example, see Introduction to OAuth 2 or Understanding OAuth 2. Some issues can be resolved by looking at the ASP.NET Core source code for the provider packages.

Create a New ASP.NET Core Project

  • In Visual Studio 2017, create a new project from the Start Page, or via File > New > Project.

  • Select the ASP.NET Core Web Application template available in the Visual C# > .NET Core category:

[Image: New Project dialog]

  • Tap Web Application and verify Authentication is set to Individual User Accounts:

[Image: New Web Application dialog]

Note: This tutorial applies to the ASP.NET Core 2.0 SDK, which can be selected at the top of the wizard.

Apply migrations

  • Run the app and select the Log in link.
  • Select the Register as a new user link.
  • Enter the email and password for the new account, and then select Register.
  • Follow the instructions to apply migrations.

Require SSL

OAuth 2.0 requires that the authentication exchange take place over SSL/TLS, that is, over HTTPS.

Projects created using the Web Application or Web API project templates with ASP.NET Core 2.1 or later are automatically configured to enable SSL. The app launches with a secure default endpoint if the Individual User Accounts option is selected in the Change Authentication dialog of the project wizard.

For more information, see Enforce HTTPS in ASP.NET Core.

Forward request information with a proxy or load balancer

If the app is deployed behind a proxy server or load balancer, some of the original request information might be forwarded to the app in request headers. This information usually includes the secure request scheme (https), host, and client IP address. Apps don't automatically read these request headers to discover and use the original request information.

The scheme is used when generating the redirect links in the authentication flow with external providers. If the secure scheme (https) is lost, the app generates incorrect, insecure redirect URLs.

Use Forwarded Headers Middleware to make the original request information available to the app for request processing.

For more information, see Configure ASP.NET Core to work with proxy servers and load balancers.
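The following Startup class is an added example, not code from the original article, showing how Forwarded Headers Middleware is registered so that the scheme and client address seen by the authentication handlers are the ones the proxy received. The proxy address 10.0.0.100 is a constructed placeholder, and the /whoami endpoint is a diagnostic added here so you can confirm the forwarded values are being applied (send a request through the proxy and a request directly, and compare the scheme each one reports).

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Only consume the headers the proxy actually sets. X-Forwarded-Proto
            // restores the https scheme used in redirect URL generation.
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

            // Forwarded headers are only honoured when the connection comes from a
            // trusted proxy; otherwise any client could claim "https" or a fake IP.
            // The default list contains only the loopback address, so replace it
            // with the real proxy address (placeholder value below).
            options.KnownProxies.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.100"));

            // One hop: the app sits directly behind a single proxy.
            options.ForwardLimit = 1;
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Must run before anything that reads Request.Scheme or the remote IP,
        // in particular before UseAuthentication, which builds redirect URLs.
        app.UseForwardedHeaders();

        // Diagnostic endpoint (development only): reports what the app believes
        // the original request looked like after the middleware ran.
        app.Map("/whoami", branch => branch.Run(async context =>
        {
            await context.Response.WriteAsync(
                $"scheme={context.Request.Scheme} " +
                $"host={context.Request.Host} " +
                $"remoteIp={context.Connection.RemoteIpAddress}");
        }));

        app.UseAuthentication();
        app.UseMvc();
    }
}
```

If the /whoami endpoint reports scheme=http when reached through the proxy, either the proxy is not sending X-Forwarded-Proto or its address is not in KnownProxies; the external provider redirect URLs will be wrong in exactly the same way.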

Use SecretManager to store tokens assigned by login providers

Social login providers assign Application Id and Application Secret tokens during the registration process. The exact token names vary by provider. These tokens represent the credentials your app uses to access their API. The tokens constitute the "secrets" that can be linked to your app configuration with the help of Secret Manager. Secret Manager is a more secure alternative to storing the tokens in a configuration file, such as appsettings.json.

Important

Secret Manager is for development purposes only. You can store and protect Azure test and production secrets with the Azure Key Vault configuration provider.

Follow the steps in the Safe storage of app secrets in development in ASP.NET Core topic to store the tokens assigned by each login provider below.

Set up the login providers required by your application

Use the following topics to configure your application to use the respective providers:

Multiple authentication providers

When the app requires multiple providers, chain the provider extension methods behind AddAuthentication:

services.AddAuthentication()
    .AddMicrosoftAccount(microsoftOptions => { ... })
    .AddGoogle(googleOptions => { ... })
    .AddTwitter(twitterOptions => { ... })
    .AddFacebook(facebookOptions => { ... });
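The following Startup class is an added example, not code from the original article. It shows the chained registration above with the provider options filled in from configuration, so that the tokens stored with Secret Manager (for example, dotnet user-secrets set "Authentication:Google:ClientId" "<value>") are read at startup rather than written into appsettings.json. The configuration key names under Authentication: are an assumption chosen for this example, and the Required helper is an addition that fails fast when a token is missing, which is preferable to a provider that silently starts with an empty secret.

```csharp
using System;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddMicrosoftAccount(microsoftOptions =>
            {
                // Microsoft calls these "Application Id" and "Password".
                microsoftOptions.ClientId = Required("Authentication:Microsoft:ApplicationId");
                microsoftOptions.ClientSecret = Required("Authentication:Microsoft:Password");
            })
            .AddGoogle(googleOptions =>
            {
                googleOptions.ClientId = Required("Authentication:Google:ClientId");
                googleOptions.ClientSecret = Required("Authentication:Google:ClientSecret");
            })
            .AddTwitter(twitterOptions =>
            {
                // Twitter uses OAuth 1.0a terminology: consumer key and secret.
                twitterOptions.ConsumerKey = Required("Authentication:Twitter:ConsumerKey");
                twitterOptions.ConsumerSecret = Required("Authentication:Twitter:ConsumerSecret");
            })
            .AddFacebook(facebookOptions =>
            {
                facebookOptions.AppId = Required("Authentication:Facebook:AppId");
                facebookOptions.AppSecret = Required("Authentication:Facebook:AppSecret");
            });

        services.AddMvc();
    }

    // Reads a configuration value and refuses to start the app if it is absent.
    // In development the value comes from Secret Manager (user secrets); in
    // production it should come from a provider such as Azure Key Vault or
    // environment variables, never from a file checked into source control.
    private string Required(string key)
    {
        var value = Configuration[key];
        if (string.IsNullOrWhiteSpace(value))
        {
            throw new InvalidOperationException(
                $"Configuration value '{key}' is missing. " +
                $"For development, set it with: dotnet user-secrets set \"{key}\" \"<value>\"");
        }
        return value;
    }
}
```

Secret Manager contributes its values to the same IConfiguration as appsettings.json and environment variables, so the code above needs no change between development and production; only the source of the values changes. Keep in mind that Secret Manager stores the file unencrypted under the user profile, which is why the article restricts it to development use.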

Optionally set password

When you register with an external login provider, you don't have a password registered with the app. This relieves you of creating and remembering a password for the site, but it also makes you dependent on the external login provider. If the external login provider is unavailable, you won't be able to log in to the website.

To create a password and sign in with the email you set during the external provider sign-in process:

  • Tap the Hello <email alias> link at the top right corner to navigate to the Manage view.

[Image: web application Manage view]

  • Tap Create.

[Image: Set your password page]

  • Set a valid password. You can now use it to sign in with your email.

Next steps

  • This article introduced external authentication and explained the prerequisites required to add external logins to your ASP.NET Core app.

  • Reference provider-specific pages to configure logins for the providers required by your app.

  • You may want to persist additional data about the user and their access and refresh tokens. For more information, see Persist additional claims and tokens from external providers in ASP.NET Core.