Custom OAuth - Email not saved

lucuma · June 5, 2018, 3:47pm

I have a requirement to integrate a SSO type situation into a wordpress site (no comment). So, I setup a plugin that provides an oAuth server on wordpress and am able to authenticate across it. The OAuth2Provider code is pretty basic but what isn’t happening is the user’s email/full name are not being saved back into the UserAuth table. The CreateAuthInfo method was modeled after some of the other ones I saw (google/msft). I’m missing something on, how do I get these values into the db?

 public class SomethingOAuthProvider : OAuth2Provider
 {
    public const string Name = "something";
    public static string Realm = "http://something.com/oauth/authorize";

    public SomethingOAuthProvider (IAppSettings appSettings)
        : base(appSettings, Realm, "something") {}

    protected override Dictionary<string, string> CreateAuthInfo(string accessToken)
    {
        Dictionary<string, string> p = new Dictionary<string, string>();
     
        var url = $$"{UserProfileUrl}?access_token={accessToken}";
        var json = url.GetJsonFromUrl();
        var obj = JsonObject.Parse(json);
        var authInfo = new Dictionary<string, string>
        {
            { "user_id", obj["ID"].ToString() },
            { "username", obj["user_login"].ToString() },
            { "email", obj["user_email"].ToString() },
            { "name", obj["user_nicename"].ToString() }
        };
        return authInfo;
    }
}

mythz · June 5, 2018, 6:34pm

I’m assuming you’ve registered an OrmLiteAuthRepository and the Dictionary is populated with data? Also are you using AuthUserSession for your Typed UserSession or something that inherits from it?

lucuma · June 5, 2018, 6:44pm

The CreateAuthInfo returns an object that is populated with the correct values. This is what is registered.

 container.Register<IDbConnectionFactory>(
                new OrmLiteConnectionFactory(
                    connectionString,
                    SqlServer2016Dialect.Provider
                )
            );

            Plugins.Add(new AuthFeature(() => new AuthUserSession(),
                new IAuthProvider[] {
                    new CredentialsAuthProvider(),
                    
                //    new JwtAuthProvider(), 
                    new SomethingOAuthProvider(AppSettings) {
                        AuthorizeUrl = "http://something.com/oauth/authorize/",
                        RedirectUrl = "https://localhost:44319/auth/something",
                        ConsumerKey = "key",
                        ConsumerSecret = "secret",
                        //RequestTokenUrl = "http://something.com/oauth/token/",
                        AccessTokenUrl = "http://something.com/oauth/token/",
                        UserProfileUrl = "http://something.com/oauth/me/"
                    },
                })
                
        );


            //Store User Data into the referenced SqlServer database
            container.Register<IAuthRepository>(c =>
                new OrmLiteAuthRepository(c.Resolve<IDbConnectionFactory>()));

mythz · June 5, 2018, 6:55pm

That looks fine, can you use a custom AuthRepo that overrides OrmLiteAuthRepository so you can put a breakpoint on CreateOrMergeAuthSession to see if tokens is populated with your data, e.g:

public class MyAuthRepo : OrmLiteAuthRepository
{
    public MyAuthRepo(IDbConnectionFactory dbFactory) : base(dbFactory) { }
    public MyAuthRepo(IDbConnectionFactory dbFactory, string namedConn=null) 
        : base(dbFactory, namedConn) { }

    public override IUserAuthDetails CreateOrMergeAuthSession(IAuthSession authSession, IAuthTokens tokens)
    {
        return base.CreateOrMergeAuthSession(authSession, tokens);
    }
}

container.Register<IAuthRepository>(c => 
    new MyAuthRepo(c.Resolve<IDbConnectionFactory>()));

The LoadUserAuthInfo() in your AuthProvider should be called which populates the typed IAuthTokens from your Dictionary. If you don’t override it, it will use OAuth2Provider’s default impl which populates the email/name from your Dictionary, e.g:

github.com

ServiceStack/ServiceStack/blob/e272b5f438cd0ee725f5ee7024505510c9fe3b55/src/ServiceStack.Authentication.OAuth2/OAuth2Provider.cs#L203


    userSession.UserName = tokens.UserName ?? userSession.UserName;
    userSession.DisplayName = tokens.DisplayName ?? userSession.DisplayName;
    userSession.FirstName = tokens.FirstName ?? userSession.FirstName;
    userSession.LastName = tokens.LastName ?? userSession.LastName;
    userSession.PrimaryEmail = tokens.Email ?? userSession.PrimaryEmail ?? userSession.Email;
    userSession.Email = tokens.Email ?? userSession.PrimaryEmail ?? userSession.Email;
}


protected abstract Dictionary<string, string> CreateAuthInfo(string accessToken);


protected override void LoadUserAuthInfo(AuthUserSession userSession, IAuthTokens tokens, Dictionary<string, string> authInfo)
{
    try
    {
        tokens.UserId = authInfo["user_id"];
        tokens.UserName = authInfo["username"];
        tokens.DisplayName = authInfo["name"];
        tokens.FirstName = authInfo["first_name"];
        tokens.LastName = authInfo["last_name"];
        tokens.Email = authInfo["email"];
        userSession.UserAuthName = tokens.Email;

lucuma · June 6, 2018, 6:30pm

After deleting all the existing users, this seems to be working now without the custom session.