OpenID Connect middleware for SPA + WebAPI

Nov 12, 2014 at 10:08 AM
We are in the process of upgrading our SPA (angular) app with a WebAPI back end to authenticate with OpenID Connect through Google. Ideally we would like to use the hybrid flow.

We have gotten to the point where after clicking the Google Sign In button, the browser redirects to Google, takes you through the consent screen and sends the response back to our app with code and id token. Most of the scenarios published out there show how you configure an MVC app with notifications that fire when authorization code is returned:
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = "",
        MetadataAddress = "",
        RedirectUri = "https://localhost:44300/authentication",
        Scope = "openid profile",

        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthorizationCodeReceived = async n =>
            {
                // handler body not shown in the post
            }
        }
    });
That never fires in our case and I think the reason for that is because the response is sent back to our SPA, not to the server side end point of our app. What would be the next steps here?
  • Do we receive the code on the client and send an ajax request to our web api layer that then exchanges it for an access token? Once we have an access token, how do we communicate that the user is signed in so the tokens are recognized as valid when we make the api calls from JS?
  • Do we tell Google to send the response to our web api layer, let that exchange the code for an access token and send a redirect response with a hash fragment containing the access token at the end?
In either case, can we leverage anything in the OpenID middleware for exchanging the code? The post request doesn't seem terribly complicated, but still it would be nice to leverage an existing library for that if possible.
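
For the first option in the post above (the SPA hands the code to the Web API, which redeems it), the server-side step looks like this. It is an added example, not part of the original post and not Katana middleware code. The class and method names are hypothetical, and it assumes the ID token's signature, issuer, audience and nonce were already validated, that it was signed with RS256 (so c_hash uses SHA-256), and that tokenEndpoint comes from the provider's discovery document.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Hypothetical helper: checks that the code belongs to the ID token, then redeems it.
public static class CodeExchange
{
    // OpenID Connect Core: c_hash is the base64url encoding (no padding) of the
    // left half of the hash of the ASCII bytes of the authorization code.
    public static string ComputeCHash(string code)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.ASCII.GetBytes(code));
            return Convert.ToBase64String(digest, 0, digest.Length / 2)
                .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        }
    }

    public static bool CHashMatches(string code, string cHashClaim)
    {
        return cHashClaim != null &&
               string.Equals(ComputeCHash(code), cHashClaim, StringComparison.Ordinal);
    }

    // Returns the raw JSON token response (access_token, id_token, expires_in, ...).
    public static async Task<string> RedeemAsync(HttpClient http, string tokenEndpoint,
        string code, string cHashClaim, string clientId, string clientSecret, string redirectUri)
    {
        // Refuse a code that was not issued together with the validated ID token.
        if (!CHashMatches(code, cHashClaim))
            throw new InvalidOperationException("c_hash does not match the authorization code");

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "authorization_code" },
            { "code", code },
            { "client_id", clientId },
            { "client_secret", clientSecret },   // stays on the server, never in the SPA
            { "redirect_uri", redirectUri }      // must equal the value sent in the authorization request
        });
        using (HttpResponseMessage resp = await http.PostAsync(tokenEndpoint, form))
        {
            resp.EnsureSuccessStatusCode();
            return await resp.Content.ReadAsStringAsync();
        }
    }
}
```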

Nov 13, 2014 at 4:37 PM
The OIDC middleware does not currently support the flows offered by Google. That's something we're working on for the next version.

Nov 13, 2014 at 5:56 PM
Edited Nov 17, 2014 at 10:31 AM
Thanks for clarifying, Tratcher.
Could you please expand on what Google flows are unsupported and what you plan on adding support for in the next release?
I have a parallel discussion on SO where the answer pointed me to this middleware v3. I was actually able to get that to work and it appears to be Google OpenID Connect hybrid flow, unless I am missing something. The scope that is being sent in is "openid profile email" and I have verified with Fiddler that the server returns the authorization code that the middleware exchanges for an access token. If this is not Google OpenID Connect, is it OAuth 2 for login (early version)?