ASP.NET Web API External authentication, Bearer and External bearer

After enabling external authentication in ASP.NET Web API (Facebook authentication, for example) and implementing an account controller for login and registration, you will end up with two types of bearer:

  • Bearer
  • External Bearer

There is actually no difference in the way they are sent or generated, but you can't authenticate with an external bearer to a method that requires a bearer, or vice versa. I didn't find any documentation about the real difference between them, and I spent a lot of time discovering it, which is why I'm writing this article.

Difference Between Bearer and External Bearer

After investigating the source code of Microsoft's DLLs, I found that the only difference is how the ticket is validated: an external bearer is not valid if the issuer of all the claims of the identity is LOCAL AUTHORITY, and a bearer is not valid if the issuer of any one of the claims is not LOCAL AUTHORITY.

That's all!
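The rule above, expressed as two predicates over a ClaimsIdentity. This is an added example, not code from the original article or from Microsoft's assemblies; the class name BearerRules, the Report helper and the sample identities and claim values are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

static class BearerRules
{
    // Bearer: rejected as soon as one claim was issued by anything other than
    // LOCAL AUTHORITY (the value of ClaimsIdentity.DefaultIssuer).
    public static bool ValidForBearer(ClaimsIdentity id) =>
        id.Claims.All(c => c.Issuer == ClaimsIdentity.DefaultIssuer);

    // External bearer: rejected when every claim was issued by LOCAL AUTHORITY,
    // so at least one claim must come from another issuer.
    public static bool ValidForExternalBearer(ClaimsIdentity id) =>
        id.Claims.Any(c => c.Issuer != ClaimsIdentity.DefaultIssuer);
}

static class Program
{
    static void Report(string label, ClaimsIdentity id)
    {
        Console.WriteLine($"{label}: bearer={BearerRules.ValidForBearer(id)}, " +
                          $"externalBearer={BearerRules.ValidForExternalBearer(id)}");
    }

    static void Main()
    {
        // Constructed local identity: claims created without an explicit issuer
        // get ClaimsIdentity.DefaultIssuer ("LOCAL AUTHORITY").
        var local = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),
            new Claim(ClaimTypes.Role, "User"),
        }, "Bearer");

        // Constructed external identity: the provider key claim names the
        // external provider as its issuer; the other claim is still local.
        var external = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "1234567890",
                      ClaimValueTypes.String, "Facebook"),
            new Claim(ClaimTypes.Name, "alice"),
        }, "ExternalBearer");

        Report("local", local);
        Report("external", external);
    }
}
```

A single claim with a non-local issuer is enough to move an identity from one category to the other, which is why a ticket produced by an external login is refused by actions that expect the ordinary bearer.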

Additional Parameters after Login from External Authority

After implementing external authentication, you will find that after login you are redirected to a page whose URL contains some parameters (e.g. the access token). You may need to add custom parameters of your own to that URL (e.g. first-time login); I didn't find any clear article on the internet that describes how to do this.

To add parameters to the URL, override the AuthorizationEndpointResponse method in ApplicationOAuthProvider (or your custom provider) and add entries to the AdditionalResponseParameters property (a dictionary) of the OAuthAuthorizationEndpointResponseContext context; they will be added to the URL.

You might need to pass some data from your controller to this method. To do that, add an item to the AuthenticationProperties dictionary and read it back from the OAuthAuthorizationEndpointResponseContext.Properties property.

The following is an example of adding a custom parameter to the authentication properties:

AuthenticationProperties properties = ApplicationOAuthProvider.CreateProperties(user);
properties.Dictionary.Add("NewUser", (!userRegistered).ToString());

The following is an example of implementing the AuthorizationEndpointResponse method:

public override async Task AuthorizationEndpointResponse(OAuthAuthorizationEndpointResponseContext context)
{
    // Copy the value set by the controller into the parameters added to the redirect URL.
    if (context.Properties.Dictionary.ContainsKey("NewUser"))
    {
        context.AdditionalResponseParameters.Add("NewUser", context.Properties.Dictionary["NewUser"]);
    }

    await base.AuthorizationEndpointResponse(context);
}

After this, you will find your custom property in the URL that you set as the return URL of the authentication.