Nicklas Laine Overgaard - 10 - Feb 5, 2015

Hi there,
I’m writing in the hope of getting some hints and guidance on the matter of implementing a custom auth provider, here goes:

For a customer I’m supposed to hook an API up with an already existing authentication provider - it works a bit like OAuth, however, it’s not OAuth at all. You can redirect the user to their web-page for login, and give it a “callback url”, to which it will post the information about the user that just logged in (like username, rights, etc). Via some shared secrets I can validate that it’s the service calling me back, and not an impostor.

How would I go about implementing this? Would the google/other OAuth providers already embedded in servicestack provide a good starting base?

Thanks in advance :) 

I would look at inheriting from AuthProvider, then override the Authenticate() API which is the entry point and IsAuthorized() to return whether a users session is authenticated or not. There’s also OnAuthenticated() to save the session and merge the UserAuth data, but you may be able to re-use the default impl for that.

You can look at OAuthProvider for an example of what API’s to implement:

You can return any response in the Authenticate() and OnAuthenticated() API’s including Redirects, you can have a look at the OAuthProvider for examples of how it handles success/failed redirects:

CredentialsAuthProvider may also be worth looking it as it shows an example of implementing a custom non-OAuth provider:

Nicklas Laine Overgaard:

Thanks Demis, I’ll start digging around!