oAuth ASP.NET Membership Provider

Solution 1

I'm not sure what you're looking for is OAuth.

OAuth is for delegating authorization, through the use of tokens. Depending on what you're doing, you have two scenarios, either:

  1. Your application wants to use some of the user's data, hosted by a provider (say Twitter or Google). In which case your application would be a consumer - in short, the user would need to log in and agree to authorizing your application to have access to their data on the provider, and you would be given an access token which can be used to gain access to those protected resources.
  2. Alternatively, you have an application, with users who have log-ins etc. And you want to provide (i.e. you're the provider) access to some restricted information of your users to 3rd party applications (consumers) without exposing your users' credentials to those services.

For more info on OAuth - check out the OAuth.Net website. There are currently 3 implementations of OAuth available for .Net.

Because of the way OAuth works, I can't really imagine how you could have an "OAuth" membership provider - it's really intended for securing APIs, and often the goal is to delegate authorization at a more granular level, i.e. giving a consumer application access to just a user's address book data, without letting them access email archives, their calendar etc. - which doesn't fit well with a membership / role based security model.

I'm guessing what you're really looking for is OpenId, i.e. the way you authenticate yourself with Stackoverflow itself. I would suggest reading the Stackoverflow OpenId case study here, and probably the best OpenId implementation for .Net is currently part of the DotNetOpenAuth project (this was formerly called DotNetOpenId; the Google Code site for the project is here).
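
The granular delegation described in this answer, as an added example (not part of the original answer or of any OAuth library): a provider-side token store in which each access token records the user, the consumer and the scopes the user approved, and every API call is checked against that grant rather than against membership roles. The class names, scope strings, and the sample user and consumer are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Constructed provider-side sketch: all names and scope strings are hypothetical.
sealed class Grant
{
    public string UserId, ConsumerId;
    public HashSet<string> Scopes;
    public DateTime ExpiresUtc;
}

sealed class TokenStore
{
    private readonly Dictionary<string, Grant> _grants = new Dictionary<string, Grant>();

    // Called after the user has logged in at the provider and approved the consumer.
    public string Issue(string userId, string consumerId, TimeSpan lifetime, params string[] scopes)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);   // opaque, unguessable handle
        _grants[token] = new Grant { UserId = userId, ConsumerId = consumerId,
            Scopes = new HashSet<string>(scopes), ExpiresUtc = DateTime.UtcNow + lifetime };
        return token;
    }

    // The decision depends on the grant (user, scope, expiry), not on the user's roles.
    public bool Allows(string token, string userId, string requiredScope)
    {
        Grant g;
        return token != null && _grants.TryGetValue(token, out g)
            && DateTime.UtcNow < g.ExpiresUtc
            && g.UserId == userId
            && g.Scopes.Contains(requiredScope);
    }

    public void Revoke(string token) { _grants.Remove(token); }
}

static class Demo
{
    static void Main()
    {
        var store = new TokenStore();
        string t = store.Issue("alice", "photo-printer-app", TimeSpan.FromHours(1), "contacts.read");
        Console.WriteLine(store.Allows(t, "alice", "contacts.read")); // address book
        Console.WriteLine(store.Allows(t, "alice", "mail.read"));     // email archive
        Console.WriteLine(store.Allows(t, "bob", "contacts.read"));   // another user's data
        store.Revoke(t);
        Console.WriteLine(store.Allows(t, "alice", "contacts.read")); // after revocation
    }
}
```

The consumer never sees the user's password, and the user can revoke one consumer's token without affecting their own log-in or any other consumer.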

Solution 2

I think you might be looking for DotNetOpenAuth. I haven't used it, so I can't tell you for sure if it includes a membership provider, but I would expect that it does. If not, it's open source, so should help you with what you're trying to do anyway.

Solution 3

You should take a look at https://github.com/rustd/ASPNETTemplates, which has the default project templates for ASP.NET. They demonstrate logging in using OAuth and then extending the universal providers (WebForms template, but you can do the same for MVC) to do roles etc.

Solution 4

Libraries have come a long way since you posted this question... I've started using this library for OAuth - it already has implemented Facebook, Twitter, PayPal and Google+ integration:

OAuth2 Social Logins - Facebook, Google, Twitter, PayPal - ASP.NET MVC C# open source library

Also, if backwards compatibility is not an issue for you, Microsoft has started supporting popular OAuth providers... see this article:

Microsoft OAuth2 OWIN/Katana integration with Facebook and Google+

Author by

Jack W

Updated on July 11, 2020

Comments

  • Jack W over 3 years

    Are there any recommended resources for implementing a custom membership provider that uses oAuth? The goal would be to have users log into my ASP.NET MVC application using their existing oAuth credentials. After the user is authenticated, I'd then like to leverage the built-in ASP.NET authorization features.

    Thanks.

  • Peder Rice over 11 years
    Just dropping in a comment that DotNetOpenAuth can now be found here: dotnetopenauth.net
  • jenson-button-event almost 11 years
    @bittercoder I think you put people off with this answer. Whilst it is true mostly people are using oAuth for authorization of 3rd party APIs, it is not unreasonable to consider a SSO custom membership asp.net solution with e.g. Google Apps domain where the authorisation token is used as the asp.net authentication (cookie) token so that it can be used for subsequent call backs to the Google API. I have exactly this scenario where my MVC app is calling apis in my google apps.domain. oAuth is both Authentication AND Authorization.
  • Bittercoder almost 11 years
    This response was created prior to OAuth 2 existing in its current form (3+ years ago!) - I would say at that point in time it was correct. These days I think the world has flipped, and most people are ignorant of OpenID, consider OAuth as an authentication mechanism, and are not necessarily even aware of many of the core ideas behind OAuth (delegated authentication/way to secure API access).
  • Bittercoder almost 11 years
    I would also point out that the advice is generally irrelevant these days as Microsoft ship support for OAuth and OpenID "in the box" for v4.5 of ASP.Net - as per their spiel "OAuth and OpenID let you create sites that permit users to sign in with credentials from other sites, including Google, Yahoo, Facebook, Twitter, and Windows Live." - I feel this undermines/poorly communicates that using OAuth in this way is only a very small part of what OAuth is... though pretty useful in some situations :)