Self Host Authentication with Google Provider

Mar 6, 2014 at 12:29 AM
Dear, I created a self host API and would allow access via the same external authentication (google and facebook). My Startup.cs file looks like this:

public void Configuration(IAppBuilder appBuilder)

        // Configure Web API for self-host. 
        HttpConfiguration config = new HttpConfiguration();
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{action}/{id}",
            defaults: new { id = RouteParameter.Optional }

        // basic authentication
        appBuilder.UseBasicAuthentication("teste", ValidateUser);

        // token generation
        appBuilder.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            // for demo purposes
            AllowInsecureHttp = true,

            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),

            Provider = new AuthorizationServerProvider(),
            RefreshTokenProvider = new RefreshTokenProvider()

        // token consumption
        appBuilder.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        appBuilder.UseGoogleAuthentication(new Microsoft.Owin.Security.Google.GoogleOAuth2AuthenticationOptions()
            ClientId = "",
            ClientSecret = "HKJDHSAHDKJASHDkjAHk",
            SignInAsAuthenticationType = "External",
            Provider = new Microsoft.Owin.Security.Google.GoogleOAuth2AuthenticationProvider()
                OnAuthenticated = (context) =>
                        return Task.FromResult(0);

however, do not know how to call google provider. Does anyone know how to do this so self host?
Mar 6, 2014 at 5:37 PM
There's nothing different for the auth providers between self-host and web-host.

You're trying to make your WebApi resource restricted, correct? Then you need to add an [Authorize] attribute on that resource/controller. You will also need to ether set google's AuthenticationMode to Active, or have a dedicated login page where the user can select which type of auth they want. The VS templates should give you a few examples for the login page.
Mar 6, 2014 at 5:43 PM
Tratcher, thanks for the reply. Actually I do not have a page to login. I'm just exposing the API, so when a customer is consuming my API, it should send the access token you received from Google and al'll need to validate this token.

I do not understand how this process will work without a login page.

Is it possible?
Mar 6, 2014 at 5:50 PM
Just set the google middleware AuthenticationMode to Active and add an [Authorize] attribute to your WebApi controller. The Authorize attribute will send a 401 for any un-authorized request, and the Active google middleware will intercept this and redirect the user to a google login page. After they log in the google middleware will redirect them back to your controller.
Mar 6, 2014 at 5:51 PM
Oh, you're also missing a UseCookieAuthentication middleware to preserve the login state between requests. Again, look at the VS templates for examples.