This project has moved. For the latest updates, please go here.

Google OAuth2 Callback Path - Allow pipeline to continue and render an HTML page

Dec 9, 2014 at 11:03 PM

I am using GoogleOAuth2AuthenticationMiddleware (version 3.0.0) with a call back path of '/login/google'. When google redirects to that path (with all the correct query params), the middleware works its magic and then redirects to the original referring URI (or what ever is set in the AuthenticationProperties.RedirectUri).

In my case, I don't want it to redirect to the AuthenticationProperties.RedirectUri. I want the pipeline to continue processing. I have a route for '/login/google' set up to point to a MVC controller action so after the google middleware does its stuff, I want it to return an HTML page in the response. This is because I have a custom cookie middleware component that issues a cookie containing only some of the claims returned from google. And I want the web page to display the claims that are not in my cookie.

To achieve this I've added the following properties to the authentication options:
app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions()
ClientId = "myclientid",
ClientSecret = "mysecret",
CallbackPath = new PathString("/login/google"),
Provider = new GoogleOAuth2AuthenticationProvider()
               OnReturnEndpoint = (context) =>
                   // Remove RedirectUri so it doesn't redirect. I want processing to continue and the MCV controller action to be called.
                    context.RedirectUri = null;
                    return Task.FromResult((object)null);
This works fine, although it seems like a hack. And I am worried that future releases wont allow me to do this.

Is there a better way I could be doing this?

Also, is there any reason I shouldn't be doing this? (e.g. some security risk)
Dec 12, 2014 at 4:29 PM
That's not supported and I don't recommend trying to make it work. It's best for only one component to 'handle' a request/response. Why do you want to display the claims? That sounds like a development/debugging tool that you wouldn't use in a real application.

Also, you shouldn't need to customize the cookie middleware to filter the claims, you can do that directly in the GoogleOAuth2AuthenticationProvider.
Dec 13, 2014 at 11:18 PM
Thanks for you reply.

I don't actually display the claims on the page, they are put in a JavaScript object and passed via the postMessage API to the client app. There are multiple client apps that use the service. Depending on what claims are present the client can ask the user for more information if needed.

I have a custom cookie because I have WCF services that need to authenticate the user as well. My middleware allows me to use common code to encode and decode the cookie. I have existing login functionality being deprecated (it uses ACS) - ideally the new login using OWIN can issue the same cookie so my WCF services don't need to start checking two different cookies while all clients are migrating. But maybe that is the better approach?

Maybe I should be looking at getting the WCF services to work with the katana cookie middleware. Is that possible?

Thanks for your help
Dec 14, 2014 at 7:26 PM
I guess I just need to issue a temporary cookie with all claims in it, redirect to my MVC view, then issue my own cookie. It involves another redirect but will fit more into how the middleware components work.
Dec 15, 2014 at 2:56 PM
Yeah, that's how all the VS templates work.
Dec 15, 2014 at 7:07 PM
Is there anyway to avoid the additional redirect? (Other than my original way)