Can I use External Logins with JWT approach but without Identity stack?

[blowdart]

From @alexsandro-xpt on August 22, 2018 13:14

I'm would like to setup my JWT ASPNet Core with Facebook External Login but a don't like to install all Identity stack dependence at my project.

Can I do that? How?

Copied from original issue: aspnet/Identity#1935

[Eilon]

@alexsandro-xpt can you provide more info on the scenario? A solution such as Identity Server can help process the Facebook auth and provide the JWT token. There shouldn't be an actual direct connection between the Facebook auth and the JWT.

[blowdart]

Are you just wanting to login with facebook and have no other dependency? Do you plan to support other logins?

[alexsandro-xpt]

@Eilon I know Identity Server but I can't refactor all my project to work together with Identity Server right now.

Westerday I found this project https://github.com/mmacneil/VueASPNETCore2WebApiAuth and I guess it maybe could help me same with Identity dependece.

@blowdart Truly, I will need support to Google OpenID too.

I'm making a evaluation to do minimal refactor impact at my project right now.

[blowdart]

If you use multiple identities do you need to tie them together, i.e. I am Facebook user 1 and also Google user 2?

[alexsandro-xpt]

Yes @blowdart both should tie them together, support to external login with Facebook or Google was only a user's options login.

I'm seeing, I have no choose, I guess I should make my own stack of aggregate IdentityDbContext class to give support my legacy users and permissions SQL Tables.

[blowdart]

What you want is possible. You'd use cookie auth to persist the user, then oauth/oidc to trigger the external logins (remembering to protect against CSRF), and then have a link table of external identities to local identities, then on return from the oauth/oidc logins lookup the user, if one doesn't exist, create it (now you have to ask for usernames, and passwords etc), then write the local user out via cookie middleware. Don't forget you'll need to support edit, delete and view my information for GDPR.

And ... that's all built into Identity :D

[alexsandro-xpt]

:P alright @blowdart thank you! all of this simply because about my legacy tables structure.

[blowdart]

:) Why not import the tables? You could use a custom hashing algorithm so people wouldn't even have to update their passwords.

[alexsandro-xpt]

I can't for incredible as it may sound, those table is shared with another web app. We need replace all that for a SSO like Identity Server ASAP.

And talking about hashing algorithm, I should find one like Django password algorithm implementation to C# because one of those another web app is in Django Python. :expressionless:

[blowdart]

Oh lord. Well it's possible, see https://stackoverflow.com/questions/46753437/external-login-without-using-identity-asp-net-core-2-0, that gets you to the without identity point. https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-2.1&tabs=aspnetcore2x will guide you in how to use the cookie middleware without identity, it's just wiring together that's left, and I feel that is probably specific enough to your tables etc. I can't make a reasonably generic explanation.

[alexsandro-xpt]

No problem @blowdart thank you so much!!!! You was amazing!!!