Authenticate from an external website using the API

Hi,

I’m still fighting the authentication process and I think I read everything about authentication in the Wiki, but I still need a little help wrapping my head around the flow…

I have a SS 4 API with CustomCredentials and Facebook and LinkedIn…

I have a new website (frontend) that is our main website and I want the users to login there (but it’s the API that will handle everything, including authentication).

I took some view code from the HttpBenchmarks project, and pointing to http://<api site>/auth/twitter, for example, works fine and Twitter credentials are actually pointing to the API Website… and I actually end up in the website with #S=1 in the querystring (or whatever I put in oauth.twitter.RedirectUrl)

But how do I send back the correct user with more information (normally set with the CustomAuthSession) back to the website that is consuming the API?

My Authentication plugin registration is as follows:

        //Register all Authentication methods you want to enable for this web app.            
        Plugins.Add(new AuthFeature(
            () => new CustomApiAuthSession(), //Use your own typed Custom UserSession type
            new IAuthProvider[] {
                new CredentialsAuthProvider(),              //HTML Form post of UserName/Password credentials
                new TwitterAuthProvider(appSettings),       //Sign-in with Twitter
                new FacebookAuthProvider(appSettings),      //Sign-in with Facebook
                new DigestAuthProvider(appSettings),        //Sign-in with Digest Auth
                new BasicAuthProvider(),                    //Sign-in with Basic Auth

                new GoogleOAuth2Provider(appSettings),      //Sign-in with Google
                new LinkedInOAuth2Provider(appSettings),    //Sign-in with LinkedIn
            }));

I can swap the CredentialsAuthProvider and use a custom one that on TryAuthenticate I can also fill up the CustomApiAuthSession, but how do I do the same in the OAuth providers?

With OAuth providers all the client can get back initially is a successful url redirect. There’s an opportunity to modify the Url with the AuthProvider.SuccessRedirectUrlFilter which lets you return an alternate successful url.

But if you want anything more than a url you would need to make another call, e.g. calling /auth when authenticated returns a populated AuthenticateResponse with basic session information. If you need more data than this you’d just call your own custom Authenticated Service that returns the info the client needs.
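
One way to implement the custom authenticated service described above (an added example, not code from the thread or from the ServiceStack project). It also overrides the session's `OnAuthenticated` hook, which the reply does not mention, so the custom session is filled for Credentials and OAuth sign-ins alike. The `AccountTier` property, the `/me` route and the `GetMe`, `GetMeResponse` and `MeService` names are hypothetical.

```csharp
using System.Collections.Generic;
using ServiceStack;
using ServiceStack.Auth;

// Custom session type registered in AuthFeature. AccountTier is a hypothetical
// field standing in for the extra information the front end needs.
public class CustomApiAuthSession : AuthUserSession
{
    public string AccountTier { get; set; }

    // Runs after a successful sign-in with any registered provider.
    public override void OnAuthenticated(IServiceBase authService, IAuthSession session,
        IAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        base.OnAuthenticated(authService, session, tokens, authInfo);
        AccountTier = "standard";       // constructed value; load it from your own user store
        authService.SaveSession(this);  // persist the extra field with the session
    }
}

[Route("/me", "GET")]
public class GetMe : IReturn<GetMeResponse> { }

// Explicit response DTO: only the fields the consuming website is meant to see.
public class GetMeResponse
{
    public string UserAuthId { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public string AccountTier { get; set; }
}

[Authenticate] // requests without an authenticated session are rejected
public class MeService : Service
{
    public object Get(GetMe request)
    {
        var session = SessionAs<CustomApiAuthSession>();

        // Map field by field instead of returning the session object itself,
        // so the provider OAuth tokens it holds never leave the API.
        return new GetMeResponse
        {
            UserAuthId = session.UserAuthId,
            DisplayName = session.DisplayName,
            Email = session.Email,
            AccountTier = session.AccountTier,
        };
    }
}
```

The website calls `/me` after the OAuth redirect completes, sending the same session cookies the API issued during sign-in.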