Web API and social sign-in provider authentication (Google) #29187

TanukiSharp · 2021-01-10T07:43:32Z

TanukiSharp
Jan 10, 2021

The short version

I'm trying to use Google social authentication in a simple Web API project (roughly dotnet new webapi --no-openapi), and I get an exception with message "The oauth state was missing or invalid." when accessing the sign-in endpoint (/signin-google).

The long version

Context

I need to integrate Google login in an existing web application.

The web application is made with plain old HTML / CSS / JS for the frontend (no React, no Angular, no Vue, no <insert your super fancy 10GB of client-side code web frontend framework here>), and the backend is just an ASP.NET Core Web API (migrated to .NET 5) with controllers (no Web Application with MVC or RazorPages or whatever).

I've tried so many approaches that I've lost track of what I tried and how. Lately I decided to restart over my painful experiments with ASP.NET Core and track everything.

I started by following this link: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/social-without-identity?view=aspnetcore-5.0
So I created a new ASP.NET Core project (.NET 5) choosing Web API, and No Authentication, since with the Web API template, this requires to "connect to an existing user store in the cloud".

So the code of my sample is exactly the same as on this documentation I followed, except that the ConfigureServices method of the Startup class ends with

services.AddControllers();

instead of

services.AddRazorPages();

And the Configure method of the Startup class ends with

app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
});

instead of

app.UseEndpoints(endpoints =>
{
    endpoints.MapRazorPages();
});

The problem

After I started the application, when I navigate to the https://localhost:5001/signin-google endpoint, I get an exception with message "The oauth state was missing or invalid".

Here is the raw exception details:

System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: The oauth state was missing or invalid.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Precisions

I've setup the ClientId and ClientSecret, and I know they are correct because it works in my own implementation of a custom Google authentication middleware.

I'm including Microsoft.AspNetCore.Authentication.Google version 5.0.1 in the .csproj.

The frontend is made of plain old HTML / CSS / JS but is actually massive, and I don't own it, so there is no way I migrate it to Angular or whatever other web frontend framework, nor ask my customer to do so.

The Web API project is also massive, and I do not want to migrate it to MVC or RazorPages or else.

The Google project is correctly configured (again, it works with my custom authentication middleware), and I run the sample without IIS Express to avoid random port and use port 5001 instead, to match the Google project configuration.

I do not want to use EntityFramework nor need any database to store info about users, allowed users will just be stored in a simple JSON file, such as:

{
    "allowed": [
        "alice@gmail.com",
        "bob@gmail.com"
    ]
}

The question

What am I missing ?

Having the frontend in plain HTML / CSS / JS is a requirement, and keeping the backend as a Web API project is also a requirement, so please avoid answers like "why don't you use Angular ?" or "why don't you use RazorPages ?".

I know this is technically possible because it works with my custom authentication middleware. However, if Microsoft.AspNetCore.Authentication.Google only supports MVC or RazorPages, then fine and in this case I will use my custom implementation, but I'd prefer to use the Microsoft one if possible.

Thank you for your help.

Further precisions

> dotnet --info
.NET SDK (reflecting any global.json):
 Version:   5.0.101
 Commit:    d05174dc5a

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19041
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\5.0.101\

Host (useful for support):
  Version: 5.0.1
  Commit:  b02e13abab

.NET SDKs installed:
  2.1.801 [C:\Program Files\dotnet\sdk]
  2.2.300 [C:\Program Files\dotnet\sdk]
  3.1.201 [C:\Program Files\dotnet\sdk]
  5.0.101 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.1.23 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.All 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.4 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.1.23 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.0.0-preview7.19365.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.3 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.10 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.1.23 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.0-preview7-27912-14 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.0.0-preview7-27912-14 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.3 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.10 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.1 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

Answered by TanukiSharp

Jan 10, 2021

I got the problem, manually going to /signin-google is completely wrong.

View full answer

TanukiSharp · 2021-01-10T16:21:57Z

TanukiSharp
Jan 10, 2021
Author

I got the problem, manually going to /signin-google is completely wrong.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Web API and social sign-in provider authentication (Google) #29187

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Web API and social sign-in provider authentication (Google) #29187

Uh oh!

Uh oh!

TanukiSharp Jan 10, 2021

The short version

The long version

Context

The problem

Precisions

The question

Further precisions

Replies: 1 comment

Uh oh!

TanukiSharp Jan 10, 2021 Author

TanukiSharp
Jan 10, 2021

TanukiSharp
Jan 10, 2021
Author