Nicklas Laine Overgaard - 10 - Feb 5, 2015

Hi there,
I’m writing in the hope of getting some hints and guidance on the matter of implementing a custom auth provider, here goes:

For a customer I’m supposed to hook an API up with an already existing authentication provider - it works a bit like OAuth, however, it’s not OAuth at all. You can redirect the user to their web-page for login, and give it a “callback url”, to which it will post the information about the user that just logged in (like username, rights, etc). Via some shared secrets I can validate that it’s the service calling me back, and not an impostor.

How would I go about implementing this? Would the google/other OAuth providers already embedded in servicestack provide a good starting base?

Thanks in advance :) 

I would look at inheriting from AuthProvider, then override the Authenticate() API which is the entry point and IsAuthorized() to return whether a user’s session is authenticated or not. There’s also OnAuthenticated() to save the session and merge the UserAuth data, but you may be able to re-use the default impl for that.

You can look at OAuthProvider for an example of what APIs to implement: https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack/Auth/OAuthProvider.cs

You can return any response in the Authenticate() and OnAuthenticated() APIs, including Redirects; you can have a look at the OAuthProvider for examples of how it handles success/failed redirects:

CredentialsAuthProvider may also be worth looking at as it shows an example of implementing a custom non-OAuth provider:
https://github.com/ServiceStack/ServiceStack/blob/master/src/ServiceStack/Auth/CredentialsAuthProvider.cs
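The shared-secret check on the posted callback, as an added example that is not part of either post or of ServiceStack: a helper an Authenticate() override could call before it trusts the posted username and rights. The thread does not describe the customer's signing scheme, so the field names `ts` and `sig`, the hex HMAC-SHA256 over length-prefixed sorted fields, the five-minute window and the secret are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Assumed scheme (not the customer's real protocol): the provider posts its fields
// plus "ts" (Unix seconds) and "sig" (hex HMAC-SHA256 over every other field).
public static class CallbackVerifier
{
    const long MaxSkewSeconds = 300;

    // Length-prefix keys and values so ("a","bc") and ("ab","c") cannot collide.
    static byte[] Canonical(IDictionary<string, string> fields) =>
        Encoding.UTF8.GetBytes(string.Concat(
            fields.Where(f => f.Key != "sig")
                  .OrderBy(f => f.Key, StringComparer.Ordinal)
                  .Select(f => $"{f.Key.Length}:{f.Key}{f.Value.Length}:{f.Value}")));

    public static string Sign(IDictionary<string, string> fields, byte[] secret)
    {
        using (var hmac = new HMACSHA256(secret))
            return BitConverter.ToString(hmac.ComputeHash(Canonical(fields))).Replace("-", "").ToLowerInvariant();
    }

    public static bool IsValid(IDictionary<string, string> fields, byte[] secret, DateTimeOffset now)
    {
        if (!fields.TryGetValue("sig", out var sig) || !fields.TryGetValue("ts", out var ts)
            || !long.TryParse(ts, out var unix)) return false;
        // Reject stale or future-dated posts to limit replay of a captured callback.
        long delta = now.ToUnixTimeSeconds() - unix;
        if (delta > MaxSkewSeconds || delta < -MaxSkewSeconds) return false;
        // Constant-time compare (.NET Core 2.1+); == would leak how many leading bytes match.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(Sign(fields, secret)),
            Encoding.ASCII.GetBytes(sig.ToLowerInvariant()));
    }
}

public static class Demo
{
    public static void Main()
    {
        var secret = Encoding.UTF8.GetBytes("constructed-demo-secret"); // constructed value
        var now = DateTimeOffset.UtcNow;
        var post = new Dictionary<string, string> { ["username"] = "alice", ["rights"] = "read",
                                                    ["ts"] = now.ToUnixTimeSeconds().ToString() };
        post["sig"] = CallbackVerifier.Sign(post, secret);
        Console.WriteLine(CallbackVerifier.IsValid(post, secret, now)); // signed by holder of the secret
        post["rights"] = "admin";
        Console.WriteLine(CallbackVerifier.IsValid(post, secret, now)); // field altered after signing
    }
}
```

The timestamp window only narrows replay; rejecting a callback whose `sig` has already been seen within the window closes it.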

Nicklas Laine Overgaard:

Thanks Demis, I’ll start digging around!