Files to look at:
- LogonAuthController.cs (VB: LogonAuthController.vb)
- CustomSecurityStrategyComplex.cs (VB: CustomSecurityStrategyComplex.vb)
- OAuthUser.cs (VB: OAuthUser.vb)
- IAuthenticationOAuthUser.cs (VB: IAuthenticationOAuthUser.vb)
- Global.asax.cs (VB: Global.asax.vb)
- LogonTemplateContent1.ascx (VB: LogonTemplateContent1.ascx)
- LogonTemplateContent1.ascx.cs (VB: LogonTemplateContent1.ascx.vb)
- OAuthProvider.cs (VB: OAuthProvider.vb)
- Startup.cs (VB: Startup.vb)
- WebApplication.cs
This example demonstrates the use of OAuth2 authentication in a web application. Users can sign in to the application via Google, Facebook or Microsoft authentication providers.
You can try this demo "as is" to overview its capabilities, and then try the demonstrated functionality in your own XAF applications according to the instructions below.
How to Run this Demo
Before running this demo, register developer accounts at the services you are going to use
- https://console.developers.google.com/ (Make sure that 'Google+ API' is enabled. Read more here: Creating a Google app for OAuth 2 and connecting the app to the project)
- https://developers.facebook.com/
- https://portal.azure.com/
Open the Web.config file and specify your own client IDs and client secrets for each provider.
<appSettings>
  <add key="GoogleClientID" value="YourGoogleClientID" />
  <add key="GoogleClientSecret" value="YourGoogleClientSecret" />
  <add key="FacebookClientID" value="YourFacebookClientID" />
  <add key="FacebookClientSecret" value="YourFacebookClientSecret" />
  <add key="MicrosoftClientID" value="YourMicrosoftClientID" />
  <add key="MicrosoftClientSecret" value="YourMicrosoftClientSecret" />
</appSettings>
You can remove keys corresponding to providers that you do not want to use.
Now you can run the application.
Overview of this Demo Capabilities
In the logon window, there is a button for each provider specified in Web.config.
Standard XAF authentication with the built-in username/password is also supported. When you log in via OAuth authentication, the email is used as the user name. By default, a user object is created automatically for each new logon. You can disable automatic creation, or specify the role auto-assigned to new users, in the InitializeComponent method (see WebApplication.cs(vb)):
C#:
this.securityStrategyComplex1.NewUserRoleName = "Default";
((AuthenticationStandartWithOAuth)authenticationBase).CreateUserAutomatically = true;

VB:
Me.securityStrategyComplex1.NewUserRoleName = "Default"
CType(authenticationBase, AuthenticationStandartWithOAuth).CreateUserAutomatically = True
When CreateUserAutomatically is false, the logon is allowed only if a user with the email returned by the external service already exists in the application database. To grant access to a user with a specific email, log in with the built-in Admin account, create a user object and set its UserName to this email.
If you set the EnableStandardAuthentication property to true for an auto-created user, this user will be able to log in directly with a user name and password. Note that the password is empty by default, so do not forget to specify it when enabling standard authentication.
Each user can have several associated email addresses. To add or remove email addresses, use the OAuth Authorization Emails list in the user's Detail View.
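The logon decision described above (look the email up against the user name and the associated addresses, auto-create only when allowed, and give auto-created users the configured role and no password logon), as an added, self-contained C# example. It is not the demo's AuthenticationStandartWithOAuth class: OAuthUserRecord and OAuthLogonService are hypothetical stand-ins for the XAF user type and security strategy, the in-memory list stands in for the application database, and the case-insensitive email comparison and the rejection of identities without an email claim are this example's own choices.

```csharp
// Added example, not the demo's code: a model of the OAuth logon decision.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class OAuthUserRecord   // hypothetical stand-in for the XAF user object
{
    public string UserName { get; set; }                         // the email used as the user name
    public List<string> Emails { get; } = new List<string>();    // "OAuth Authorization Emails" list
    public List<string> Roles { get; } = new List<string>();
    public bool EnableStandardAuthentication { get; set; }       // false for auto-created users (empty password)
}

public sealed class OAuthLogonService   // hypothetical stand-in for the security strategy
{
    private readonly List<OAuthUserRecord> users;   // stands in for the application database
    public bool CreateUserAutomatically { get; set; } = true;
    public string NewUserRoleName { get; set; } = "Default";

    public OAuthLogonService(IEnumerable<OAuthUserRecord> existingUsers)
    {
        users = existingUsers.ToList();
    }

    public int UserCount => users.Count;

    // Returns the user to log on as, or throws when the logon must be refused.
    public OAuthUserRecord Authenticate(string emailFromProvider)
    {
        // The email is the only link between the external identity and a user:
        // an identity without one cannot be mapped and is refused (example's own choice).
        if (string.IsNullOrWhiteSpace(emailFromProvider))
            throw new UnauthorizedAccessException("The external provider returned no email address.");

        string email = emailFromProvider.Trim();

        // Match the user name and every associated address (assumption: case-insensitive).
        OAuthUserRecord user = users.FirstOrDefault(u =>
            string.Equals(u.UserName, email, StringComparison.OrdinalIgnoreCase) ||
            u.Emails.Any(e => string.Equals(e, email, StringComparison.OrdinalIgnoreCase)));
        if (user != null)
            return user;

        // No such user: allowed only when automatic creation is enabled.
        if (!CreateUserAutomatically)
            throw new UnauthorizedAccessException(
                "No user with email '" + email + "' exists and automatic creation is disabled.");

        // Auto-created user: configured role, no password-based logon.
        user = new OAuthUserRecord { UserName = email, EnableStandardAuthentication = false };
        user.Emails.Add(email);
        user.Roles.Add(NewUserRoleName);
        users.Add(user);
        return user;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: one pre-provisioned user with an extra associated address.
        var admin = new OAuthUserRecord { UserName = "admin@example.com", EnableStandardAuthentication = true };
        admin.Emails.Add("admin.alias@example.com");
        admin.Roles.Add("Administrators");
        var service = new OAuthLogonService(new[] { admin });

        // Associated address resolves to the existing user.
        Console.WriteLine(service.Authenticate("Admin.Alias@Example.com").UserName);

        // Unknown address with auto-creation on: a new user with the "Default" role.
        var created = service.Authenticate("newcomer@example.com");
        Console.WriteLine(string.Join(",", created.Roles) + " / standard auth: " + created.EnableStandardAuthentication);

        // Unknown address with auto-creation off: refused.
        service.CreateUserAutomatically = false;
        try { service.Authenticate("unknown@example.com"); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine(ex.Message); }
    }
}
```

The three calls in Main cover the three outcomes the text describes: an existing user (matched through an associated address), an auto-created user, and a refused logon once CreateUserAutomatically is false.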
How to Implement the Demonstrated Functionality in your XAF Application
1. In your solution, open Package Manager Console.
1.1. Choose the YourSolutionName.Web project in the Default project combo box, and execute the following commands to add Owin packages:
Install-Package Microsoft.Owin -Version 3.1.0
Install-Package Microsoft.Owin.Security -Version 3.1.0
Install-Package Microsoft.Owin.Security.Cookies -Version 3.1.0
Install-Package Microsoft.Owin.Host.SystemWeb -Version 3.1.0
Install-Package Microsoft.Owin.Security.Google -Version 3.1.0
Install-Package Microsoft.Owin.Security.Facebook -Version 3.1.0
Install-Package Microsoft.Owin.Security.MicrosoftAccount -Version 3.1.0
1.2. Switch to the YourSolutionName.Module.Web project and install these two packages:
Install-Package Microsoft.Owin -Version 3.1.0
Install-Package Microsoft.Owin.Host.SystemWeb -Version 3.1.0
2. Open the Web.config file and specify your own client IDs and client secrets for each provider you are going to use. Refer to the AuthenticationOwin.Web\Web.config file in the demo solution to see the example. Then, set the authentication mode to "None" and comment or remove settings related to the default XAF authentication:
<authentication mode="None">
  <!--<forms name="Login" loginUrl="Login.aspx" path="/" timeout="10" />-->
</authentication>
<!--<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>-->
3. Copy the following files from the demo solution to the corresponding locations within your solution:
- AuthenticationOwin.Module\AuthenticationStandartWithOAuth.cs(vb)
- AuthenticationOwin.Module\IAuthenticationOAuthUser.cs(vb)
- AuthenticationOwin.Module.Web\Controllers\LogonAuthController.cs(vb)
- AuthenticationOwin.Module.Web\Security\CustomSecurityStrategyComplex.cs(vb)
- AuthenticationOwin.Module.Web\Images\Facebook.svg
- AuthenticationOwin.Module.Web\Images\Google.svg
- AuthenticationOwin.Module.Web\Images\Microsoft.png
- AuthenticationOwin.Web\Startup.cs(vb)
- AuthenticationOwin.Web\LogonTemplateContent1.ascx
- AuthenticationOwin.Web\LogonTemplateContent1.ascx.cs(vb)
- AuthenticationOwin.Web\LogonTemplateContent1.ascx.designer.cs(vb)
- AuthenticationOwin.Web\Login.aspx
Include the copied files in your solution (Add | Existing Item...). Update the namespace names in the copied code files to match the namespaces you use in your solution. For image files, set the Build Action property to Embedded Resource.
4. Edit the YourSolutionName.Module\Module.cs file. In the overridden Setup method, handle the XafApplication.CreateCustomLogonWindowControllers event and add the LogonAuthController to the e.Controllers collection passed to this event. Refer to the AuthenticationOwin.Module.Web\Module.cs(vb) file to see an example.
5. Edit the YourSolutionName.Web\WebApplication.cs(vb) code and register this custom security strategy:
C#:
this.securityStrategyComplex1 = new AuthenticationOwin.Module.Web.Security.CustomSecurityStrategyComplex();

VB:
Me.securityStrategyComplex1 = New AuthenticationOwin.Module.Web.Security.CustomSecurityStrategyComplex()
6. Implement the IAuthenticationOAuthUser interface in your custom user class. You can see an example in the AuthenticationOwin.Module\BusinessObjects\OAuthUser.cs file. If you use the built-in user, you can copy the OAuthUser class to your project from the demo and set the SecurityStrategy.UserType property to OAuthUser in the Application Designer.
7. Change the code that creates your predefined users in YourSolutionName.Module\DatabaseUpdate\Updater.cs. Set EnableStandardAuthentication to true for users who can log in with standard authentication (username and password). See the example in the AuthenticationOwin.Module\DatabaseUpdate\Updater.cs file.
8. Register the LogonTemplateContent1.ascx template in the YourSolutionName.Web\Global.asax.cs file:
C#:
WebApplication.Instance.Settings.LogonTemplateContentPath = "LogonTemplateContent1.ascx";

VB:
WebApplication.Instance.Settings.LogonTemplateContentPath = "LogonTemplateContent1.ascx"
9. Copy the LoginWith* action customizations and the AuthenticationStandardLogonParameters_DetailView layout settings from the AuthenticationOwin.Module.Web\Model.xafml file to the same file in the YourSolutionName.Web project. If you have no model customizations in Model.xafml, you can simply overwrite it with the file from the demo. Ensure that the IsPostBackRequired property of each LoginWith* action is set to true.
10. Configure the OAuth2 services according to their documentation.
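Steps 2 and 3 above add provider credentials to Web.config and a Startup.cs to the web project. The following OWIN startup class is an added example, not the demo's Startup.cs: it reads the appSettings keys from the Web.config fragment above and registers a provider only when both its client ID and secret are present, so removing a provider's keys (as the demo allows) also removes its sign-in handler. The namespace YourSolutionName.Web, the cookie name "ExternalCookie" and the Setting helper (which also treats the untouched "Your..." placeholders as absent) are this example's own assumptions; the callback paths in the comments are the Katana 3.1 defaults for these providers.

```csharp
// Added example, not the demo's Startup.cs: register only fully configured providers.
using System;
using System.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Facebook;
using Microsoft.Owin.Security.Google;
using Microsoft.Owin.Security.MicrosoftAccount;
using Owin;

[assembly: OwinStartup(typeof(YourSolutionName.Web.Startup))]

namespace YourSolutionName.Web   // assumption: replace with your web project's namespace
{
    public class Startup
    {
        // Assumed name of the temporary cookie that carries the external identity
        // (and its email claim) back to the logon controller; it is not the XAF session.
        public const string ExternalCookieName = "ExternalCookie";

        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = ExternalCookieName,
                AuthenticationMode = AuthenticationMode.Passive   // never challenges on its own
            });
            app.SetDefaultSignInAsAuthenticationType(ExternalCookieName);

            string googleId = Setting("GoogleClientID"), googleSecret = Setting("GoogleClientSecret");
            if (googleId != null && googleSecret != null)
            {
                // Default callback path: /signin-google (register it as the Redirect URI).
                app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
                {
                    ClientId = googleId,
                    ClientSecret = googleSecret
                });
            }

            string facebookId = Setting("FacebookClientID"), facebookSecret = Setting("FacebookClientSecret");
            if (facebookId != null && facebookSecret != null)
            {
                // Default callback path: /signin-facebook.
                app.UseFacebookAuthentication(new FacebookAuthenticationOptions
                {
                    AppId = facebookId,
                    AppSecret = facebookSecret
                });
            }

            string microsoftId = Setting("MicrosoftClientID"), microsoftSecret = Setting("MicrosoftClientSecret");
            if (microsoftId != null && microsoftSecret != null)
            {
                // Default callback path: /signin-microsoft (the Redirect URI must end with it).
                app.UseMicrosoftAccountAuthentication(new MicrosoftAccountAuthenticationOptions
                {
                    ClientId = microsoftId,
                    ClientSecret = microsoftSecret
                });
            }
        }

        // Hypothetical helper: returns null for a missing key or an unchanged "Your..." placeholder,
        // so a half-configured provider is skipped instead of being registered with a bogus secret.
        private static string Setting(string key)
        {
            string value = ConfigurationManager.AppSettings[key];
            if (string.IsNullOrWhiteSpace(value) || value.StartsWith("Your", StringComparison.Ordinal))
                return null;
            return value;
        }
    }
}
```

Registering a provider only when both values are present keeps a provider that was removed from Web.config, or left at its placeholder values, from appearing as a working sign-in option; the LoginWith* actions from step 9 still need to be hidden or removed for providers you do not register.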
Important note
This example shows how XAF can work with OAuth2; in particular, how XAF can obtain a user's email from a service that uses this framework and create (or authenticate) a user based on it (the AuthenticationStandartWithOAuth.Authenticate method). The APIs and settings of the services used in this example (Google, Facebook, and Microsoft) change often, we cannot always keep this example up to date with them, and such changes frequently cannot be handled on the example's side at all.
For example:
- Microsoft requires the '/signin-microsoft' string to be appended to the Redirect URI (true as of 13-mar-20);
- Google requires the Google+ API to be enabled.
If you face difficulties with the authentication process in this example, refer to the documentation of the OAuth2 service you use and make sure that all settings are correct. Feel free to create merge requests to this example if needed.
Tip: You can refer to the OWIN OAuth 2.0 Authorization Server documentation to learn how to add more authentication providers.
For an example of integrating OAuth2 authentication in a WinForms XAF application, refer to the XAF - OAuth2 Authentication for WinForms ticket.
===================================================== User cases:
Added by nrpieper: The assembly Microsoft.Owin.Security.MicrosoftAccount supports authenticating to both Microsoft user accounts and Azure AD (School/Organizational) user accounts. For this demo project to successfully authenticate an Azure AD user account, ensure that you configure the Azure AD registered application as multi-tenanted = yes (Manifest entry: "availableToOtherTenants": true).