aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Not getting email address back from Facebook #621

Closed eriksendc closed 8 years ago

eriksendc commented 8 years ago

Hi All,

After clicking Facebook on my application's /Account/Login page to register using Facebook, the Facebook OAuth page wasn't acknowledging that my app was asking for email:

myapplicationname will receive the following info: your public profile.

After reviewing this posting (http://stackoverflow.com/questions/20378043/getting-the-email-from-external-providers-google-and-facebook-during-account-ass) I added the following to my Startup.cs:

facebookOptions.Scope.Add("email");

When I click Facebook on /Account/Login I now get acknowledgement from Facebook that my app is asking for email:

myapplicationname will receive the following info: your public profile and email address.

The bummer is that the standard code that shipped with RC1 is not getting the email out of whatever is returned by Facebook. Here's the code I have for ExternalLoginCallback:

public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null)
{
    var info = await _signInManager.GetExternalLoginInfoAsync();
    if (info == null)
    {
        return RedirectToAction(nameof(Login));
    }

    // Sign in the user with this external login provider if the user already has a login.
    var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, isPersistent: false);
    if (result.Succeeded)
    {
        _logger.LogInformation(5, "User logged in with {Name} provider.", info.LoginProvider);
        return RedirectToLocal(returnUrl);
    }
    if (result.RequiresTwoFactor)
    {
        return RedirectToAction(nameof(SendCode), new { ReturnUrl = returnUrl });
    }
    if (result.IsLockedOut)
    {
        return View("Lockout");
    }
    else
    {
        // If the user does not have an account, then ask the user to create an account.
        ViewData["ReturnUrl"] = returnUrl;
        ViewData["LoginProvider"] = info.LoginProvider;
        var email = info.ExternalPrincipal.FindFirstValue(ClaimTypes.Email);
        return View("ExternalLoginConfirmation", new ExternalLoginConfirmationViewModel { Email = email });
    }
}

In the case where I've not yet ever registered or signed in with Facebook, even though the Facebook OAuth page is acknowledging that my app has asked for email, email is null when I debug through the code (in this case I'm talking about 4th line from the bottom, within the last else, info.ExternalPrincipal.FindFirstValue(ClaimTypes.Email) is returning null). Note that all is well coming back from Google - email is populated.

In my App's settings on the Status & Review page on Facebook (https://developers.facebook.com/apps/myappid/review-status/) I have ensured that my app is live, so that the email login permission shows green under Approved Items.

So... what am I missing? Or is there a bug?

Thanks, -Brian Eriksen

Tratcher commented 8 years ago

The answer you got on the prior bug really was the right answer. https://github.com/aspnet/Security/issues/620#issuecomment-165464501

eriksendc commented 8 years ago

Sorry. Thanks for the help!