External Authentication in ASP.NET Core 3.1 ie Google social login

Update 21st Oct 2020

I ended up not implementing this opting for Cookie based Authentication only. Implemented well, this is much better for my use case.

Intro

Lets patch in Google social login into an ASP.NET Core 3.1 Web Application. This follows on from my previous article on straight up Authentication and Authorisation using username and password and I’ve found it harder that it should be IMHO.

External Authentication Provider - Google

Overview from MS Docs and Google Specific

# install the NuGet package for Google auth
dotnet add package Microsoft.AspNetCore.Authentication.Google --version 3.1.1

Go to project page on google to setup the project essentially getting: a clientID and clientSecret associated with a callback url eg https://webapplication2dmtest.azurewebsites.net/signin-google

SQL Delete from all tables

To aid in resetting the system, I found connecting to the remote DB locally via SSMS to be good with the following commands (be careful).

select * from [dbo].[AspNetRoleClaims]
select * from [dbo].[AspNetRoles]
select * from  [dbo].[AspNetUserClaims]

-- Google userID here
select * from [dbo].[AspNetUserLogins]

select * from  [dbo].[AspNetUserRoles]

-- stuff in here
select * from  [dbo].[AspNetUsers]

select * from  [dbo].[AspNetUserTokens]

--delete from [AspNetUserLogins]
--delete from [AspNetUsers]

Bugs

Strange bug and SO answer and the GitHub bug tracker

I found using the following for test was useful

services.Configure<IdentityOptions>(options =>
{
    // Password settings.
    options.Password.RequireDigit = false;
    options.Password.RequireLowercase = false;
    options.Password.RequireNonAlphanumeric = false;
    options.Password.RequireUppercase = false;
    options.Password.RequiredLength = 6;
    options.Password.RequiredUniqueChars = 0;

    // Lockout settings.
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.AllowedForNewUsers = true;

    // User settings.
    options.User.AllowedUserNameCharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+";
    options.User.RequireUniqueEmail = true;

    // note this! I'm trusting that the google account is coming back is good
    // am only authenticating through google so this is fine (facebook is a different story) 
    options.SignIn.RequireConfirmedAccount = false;
    options.SignIn.RequireConfirmedEmail = false;
});

Below is trying to sign in using debug mode on localhost

alt text

Conclusion

I didn’t end up going any further with this, but have published the article for reference.