In the Facebook authentication flow for ASP.NET Identity, the Facebook OAuth dialog appends a code rather than an access token to the redirect_url so that the s
Yes, you can use an external access token to securely log in.
I highly recommend you follow this tutorial, which shows you how to do token-based authentication with Web API 2 from scratch (using Angular JS as the front-end). In particular, step 4 includes two methods that allow you to authenticate using an external access token, e.g. as returned from a native SDK:
[AllowAnonymous, HttpGet]
async Task ObtainLocalAccessToken(string provider, string externalAccessToken)
[AllowAnonymous, HttpPost]
async Task RegisterExternal(RegisterExternalBindingModel model)
In a nutshell:
1. Use native SDK to get external access token.
2. Call ObtainLocalAccessToken("Facebook", "[fb-access-token]") to determine whether the user already has an account (200 response), in which case a new local token will be generated for you. It also verifies that the external access token is legitimate.
3. If the call in step 2 failed (400 response), you need to register a new account by calling RegisterExternal, passing the external token. The tutorial above has a good example of this (see associateController.js).
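The check that the external access token is legitimate is the security-critical part of step 2: a token that Facebook issued to some other app must not be accepted as a login for yours. The sketch below is an added example, not code from the answer or the tutorial. It assumes the server has already fetched the JSON response of the Graph API `debug_token` endpoint for the submitted token, and the class name, method name and sample ids are hypothetical.

```csharp
using System;
using System.Text.Json;

// Added example, not the tutorial's code; class and method names are hypothetical.
public static class ExternalTokenCheck
{
    // Returns the Facebook user id only when the debug_token response says the
    // token is valid, unexpired and issued to expectedAppId; otherwise null.
    public static string VerifiedUserId(string json, string expectedAppId, DateTimeOffset now)
    {
        try
        {
            using (JsonDocument doc = JsonDocument.Parse(json))
            {
                JsonElement root = doc.RootElement;
                if (root.ValueKind != JsonValueKind.Object ||
                    !root.TryGetProperty("data", out JsonElement data) ||
                    data.ValueKind != JsonValueKind.Object)
                    return null;
                if (!data.TryGetProperty("is_valid", out JsonElement valid) ||
                    valid.ValueKind != JsonValueKind.True)
                    return null;
                // A token minted for another app must not log anyone in here.
                if (!data.TryGetProperty("app_id", out JsonElement app) ||
                    app.ValueKind != JsonValueKind.String ||
                    !string.Equals(app.GetString(), expectedAppId, StringComparison.Ordinal))
                    return null;
                // expires_at is a Unix timestamp; 0 means the token does not expire.
                if (data.TryGetProperty("expires_at", out JsonElement exp) &&
                    exp.ValueKind == JsonValueKind.Number &&
                    exp.TryGetInt64(out long expiresAt) &&
                    expiresAt != 0 && expiresAt <= now.ToUnixTimeSeconds())
                    return null;
                return data.TryGetProperty("user_id", out JsonElement uid) &&
                       uid.ValueKind == JsonValueKind.String ? uid.GetString() : null;
            }
        }
        catch (JsonException) { return null; }
    }

    public static void Main()
    {
        // Constructed sample responses; the ids are placeholders, not real values.
        DateTimeOffset now = DateTimeOffset.FromUnixTimeSeconds(1700000000);
        string ours = "{\"data\":{\"app_id\":\"1111\",\"is_valid\":true,\"expires_at\":1700003600,\"user_id\":\"42\"}}";
        string other = "{\"data\":{\"app_id\":\"9999\",\"is_valid\":true,\"expires_at\":1700003600,\"user_id\":\"42\"}}";
        Console.WriteLine(VerifiedUserId(ours, "1111", now) ?? "rejected");
        Console.WriteLine(VerifiedUserId(other, "1111", now) ?? "rejected");
    }
}
```

The local account lookup should key on the returned user id, never on an id supplied by the client alongside the token.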