External Identity Providers in ASP.NET Core

Back to: ASP.NET Core Identity Tutorials

External Identity Providers in ASP.NET Core

In this article, I will discuss External Identity Providers in ASP.NET Core Identity. Please read our previous article discussing Role-Based Claims Authorization in ASP.NET Core Identity.

What are External Identity Providers in ASP.NET Core Identity?

External Identity Providers in ASP.NET Core Identity allow users to authenticate with your web application using credentials they already have with trusted third-party services like Google, Facebook, Twitter, Microsoft, GitHub, and more. That means instead of creating and managing an account directly in your application, the user can sign in using their credentials from one of these trusted services, reducing the need for users to create and remember a separate username and password for your application.

By integrating with external identity providers, authentication is handled externally, and our application delegates user authentication to these trusted providers, which avoids handling sensitive data like passwords, ensuring security and a better user experience.

Different External Identity Providers in ASP.NET Core Identity

ASP.NET Core Identity provides built-in support for integrating with various external identity providers. These providers handle authentication using OAuth or OpenID Connect protocols. Each provider requires specific configuration steps and packages for seamless integration. Below are some of the most popular providers we can integrate:

Google:

• Why Use It? Google is widely recognized and frequently used for authentication across various applications, and many users already have Google accounts, making it easy for them to sign in.
• How to Set Up? You need to register your application in the Google API Console. Afterward, you’ll receive a Client Id and Client Secret to configure your ASP.NET Core application.
• Package: Microsoft.AspNetCore.Authentication.Google is used to integrate Google authentication in your application.

Facebook:

• Why Use It? Facebook has a vast user base and is a widely trusted social network.
• How to Set Up? You have to create a Facebook App on the Facebook Developer Console, which will give you an App ID and App Secret to integrate with your ASP.NET Core application.
• Package: Microsoft.AspNetCore.Authentication.Facebook is used to integrate Facebook authentication.

Twitter (Currently X):

• Why Use It? Popular among social media users, especially those interested in real-time updates and short-form content.
• How to Set Up? You need to create a developer account at Twitter Developer Platform and Obtain the API Key and API Secret Key to enable Twitter authentication.
• Package: Microsoft.AspNetCore.Authentication.Twitter integrates Twitter login into your application.

Microsoft Account:

• Why Use It? Ideal for apps targeting users within the Microsoft ecosystem or Windows users (Windows, Xbox, Outlook, etc.).
• How to Set Up? Register your application on the Microsoft identity platform, get your credentials (Client Id and Client Secret), and configure them in your ASP.NET Core app.
• Package: Microsoft.AspNetCore.Authentication.MicrosoftAccount provides integration for Microsoft Account authentication.

GitHub:

• Why Use It? Useful for applications targeting developers and those in the open-source community.
• How to Set Up? You need to register your application on the GitHub Developer Portal and Obtain Client ID and Client Secret.
• Package: Microsoft.AspNetCore.Authentication.GitHub integrates GitHub login.

LinkedIn:

• Why Use It? Ideal for professional and enterprise applications.
• How to Set Up? Register your application via the LinkedIn Developer Portal to obtain the Client ID and Client Secret.
• Package: Use third-party packages like AspNet.Security.OAuth.LinkedIn for LinkedIn Account authentication.

Note: ASP.NET Core has built-in support for integrating these external authentication providers. Integrating these external authentication providers follows a similar pattern. If we understand how to integrate one of the external authentication providers, implementing others is not that different.

Why External Identity Providers in ASP.NET Core?

Users usually register with our application by providing their email, username, and password. We then use this local username and password to authenticate who the user is and sign him/her into our application. However, we do not have to always rely on a local username and password registered with our application.

Most people these days have accounts already created with third-party applications like Microsoft, Google, Facebook, Twitter, etc. Why do these users have to create yet another account with our application? It’s not a great user experience to ask the user to create another user account to log in to our application. We want to reuse their existing user accounts with Facebook, Google, Microsoft, Twitter, LinkedIn, GitHub, Amazon, etc.

We trust these third-party applications and use them to authenticate and identify who the user is. For this reason, these third-party applications are commonly called trusted identity providers. These third-party applications are external to our own application.

Allowing users to reuse their existing accounts to log into our application benefits users from having to remember yet another username and password. It also benefits us as application developers as we no longer have to store and maintain highly sensitive information such as the username and password in our application database. This results in several benefits as follows:

• Improved User Experience: Users don’t have to remember another set of login credentials. They can use accounts they already use for other services.
• Security: Authentication is handled by a trusted third party that likely has more robust security measures than your application could offer, reducing the risk of password management issues.
• Less Work for Developers: You don’t have to store and manage sensitive data like passwords, reducing the potential impact of security breaches.
• Faster Onboarding: Users can quickly log in with their existing accounts without a lengthy registration process.

How External Identity Providers Work in ASP.NET Core Identity?

The authentication flow using external identity providers typically involves the following steps:

User Clicks “Sign in with [Provider]”:

Your application shows different social login buttons (e.g., “Login with Google”, “Login with Facebook”, etc). For example, if a user wants to use his/her Google account to Sign in to our application, they click the Google button as shown in the below image.

Redirect to External Provider:

When the user clicks a button, our application redirects the user to the external provider’s login page (Google, Facebook, etc.). For example, when the user clicks the Login with Google button, our application redirects the user to the Google Sign-in page.

User Authenticates with Provider:

The user enters their login credentials (e.g., Gmail address and password, Facebook address and password, etc) at the provider’s site. For example, on the Google sign-in page, the user has to provide his/her Google login credentials, as shown in the below image.

Redirect Back to Your Application:

Upon successful login, the external provider redirects the user back to your application callback URL, typically via a URL defined in your application’s authentication configuration. This uses the OAuth 2.0 or OpenID Connect protocol under the hood.

In the callback URL, the identity provider sends an identity token (and sometimes an access token) to your application in the query string or HTTP POST. This token contains the user’s details (e.g., name, email, and profile information).

Application Validates and Signs User In:

ASP.NET Core Identity processes this token and uses the information to sign the user into your application. The system may create a new local user account if one does not already exist.

Note: You must first register your application with the external identity provider to obtain a Client Id and Client Secret, which are then used to configure authentication within your app. This ensures that only your application can access the user information sent by the identity provider.

What are OAuth 2.0 and OpenID Connect?

OAuth 2.0 is an open standard for authorization that allows third-party applications to access a user’s basic data using an access token, like their profile, repositories, or email, without getting their password.

OpenID Connect allows external providers to give not only an access token (to access basic user data) but also an ID token or JWT token (which contains identity information like email, profile picture, and user ID). This makes OpenID Connect useful for both authentication (knowing who the user is) and authorization (accessing user data).

Google and Microsoft support both OAuth 2.0 and OpenID Connect. Other providers like Facebook, Twitter, LinkedIn, and GitHub support OAuth 2.0, but they do not provide OpenID Connect, meaning you will need to retrieve user identity information via their APIs using the access token instead of relying on an ID token. For a better understanding, please have a look at the following image.

In the next article, I will discuss How to Create Google OAuth Credentials. In this article, I explain External Identity Providers in ASP.NET Core Identity. I hope you enjoy this article, External Identity Providers in ASP.NET Core Identity.